From f404cd289233259ec65806d729c08b2056fcf628 Mon Sep 17 00:00:00 2001
From: cproudlock
Date: Thu, 14 May 2026 16:22:40 -0400
Subject: [PATCH] Monitor: drop INTERNETACCESS WiFi + connect AESFMA on Phase 1 complete

When Intune registration lands (AAD-joined + IntuneEnrolled + EnterpriseMgmt task present + baseline policies >=5), the bay is presumed to have its SCEP-provisioned machine cert in LocalMachine\My. At that point the INTERNETACCESS profile (172.16.x guest/internet WiFi) is no longer useful - it just keeps the bay on a non-corp range so Report IP can't find a 10.x to POST and the SFLD assignment filter never matches.

Action: in Get-Phase1, once all four registration signals are green, fire 'netsh wlan delete profile name=INTERNETACCESS' then immediately 'netsh wlan connect name=AESFMA ssid=AESFMA'. Bay drops onto corp WLAN with EAP-TLS, picks up a 10.x lease, Report IP fires cleanly. One-shot per Monitor lifetime via $script:cache.InternetAccessDeleted flag.

This is the alternative to pre-staging the AESFMA profile during imaging (which was reverted). AESFMA profile is assumed to exist already because Intune's WiFi config profile delivers it during the same enrollment that just completed.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../Shopfloor/lib/Monitor-IntuneProgress.ps1 | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1 b/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
index 5926fb3..246566b 100644
--- a/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
+++ b/playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
@@ -187,6 +187,7 @@ $script:cache = @{
 DeviceId = $null
 DeviceIdReported = $false
 LockdownCompletePushed = $false
+ InternetAccessDeleted = $false
 }
 
 # Load Send-PxeStatus at SCRIPT scope (not inside a function). A dot-source
@@ -356,6 +357,31 @@ function Get-Phase1 {
 $policiesBaselineReady = ($subkeyCount -ge 5)
 } catch {}
 
+ # Once Intune registration is fully landed (AAD-joined + Intune-enrolled
+ # + EnterpriseMgmt task present + baseline policies arrived), delete the
+ # INTERNETACCESS WiFi profile so the bay falls off 172.16.x and
+ # reconnects to AESFMA (which Intune SCEP cert provisioning has made
+ # functional by this point). Bay then has a real GE corp 10.x address
+ # and Report IP fires cleanly. Fires once per Monitor lifetime via
+ # cache flag.
+ if (-not $script:cache.InternetAccessDeleted -and
+ $script:cache.AzureAdJoined -and
+ $script:cache.IntuneEnrolled -and
+ $script:cache.EmTaskExists -and
+ $policiesBaselineReady) {
+ try {
+ Write-Host "Intune registration complete - deleting INTERNETACCESS profile + reconnecting to AESFMA..."
+ $delOut = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String
+ Write-Host $delOut
+ Start-Sleep -Seconds 2
+ $conOut = netsh wlan connect name="AESFMA" ssid="AESFMA" 2>&1 | Out-String
+ Write-Host $conOut
+ $script:cache.InternetAccessDeleted = $true
+ } catch {
+ Write-Warning "WiFi swap (INTERNETACCESS -> AESFMA) failed: $_"
+ }
+ }
+
 return @{
 AzureAdJoined = $script:cache.AzureAdJoined
 IntuneEnrolled = $script:cache.IntuneEnrolled
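Review bot: The one-shot flag `$script:cache.InternetAccessDeleted = $true` is set unconditionally after the two netsh calls, but netsh is a native executable whose non-zero exit status does not throw, so the `catch` never fires on a failed delete or connect and the swap is never retried; the commit message itself says the AESFMA profile is only "assumed to exist". When that assumption fails on a bay, INTERNETACCESS is already deleted and the device is left with no usable WLAN for the rest of the Monitor lifetime, with nothing in the log beyond the echoed netsh text. Gate the deletion on the AESFMA profile actually being listed by `netsh wlan show profiles`, and only set the flag when `$LASTEXITCODE` from the connect is 0 so the next Get-Phase1 cycle retries otherwise (Out-String is a cmdlet and leaves `$LASTEXITCODE` from netsh intact). Get-Phase1 begins and ends outside the hunk.
```powershell
    try {
        # Do not drop the only working profile until the corp profile has
        # actually been delivered; leaving the flag $false retries next cycle.
        $profiles = netsh wlan show profiles 2>&1 | Out-String
        if ($profiles -match 'AESFMA') {
            Write-Host "Intune registration complete - deleting INTERNETACCESS profile + reconnecting to AESFMA..."
            # … unchanged: delete INTERNETACCESS, sleep, connect AESFMA, echo output …
            # netsh failures do not throw; gate the one-shot flag on its exit code.
            if ($LASTEXITCODE -eq 0) {
                $script:cache.InternetAccessDeleted = $true
            } else {
                Write-Warning "netsh wlan connect AESFMA exited $LASTEXITCODE - will retry next cycle"
            }
        } else {
            Write-Warning "AESFMA profile not present yet - leaving INTERNETACCESS in place"
        }
    } catch {
        # … unchanged: warning …
    }
```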