Monitor: drop INTERNETACCESS WiFi + connect AESFMA on Phase 1 complete

When Intune registration lands (AAD-joined + IntuneEnrolled + EnterpriseMgmt
task present + baseline policies >=5), the bay is presumed to have its
SCEP-provisioned machine cert in LocalMachine\My. At that point the
INTERNETACCESS profile (172.16.x guest/internet WiFi) is no longer
useful - it just keeps the bay on a non-corp range so Report IP can't
find a 10.x to POST and the SFLD assignment filter never matches.

Action: in Get-Phase1, once all four registration signals are green,
fire 'netsh wlan delete profile name=INTERNETACCESS' then immediately
'netsh wlan connect name=AESFMA ssid=AESFMA'. Bay drops onto corp WLAN
with EAP-TLS, picks up a 10.x lease, Report IP fires cleanly. One-shot
per Monitor lifetime via $script:cache.InternetAccessDeleted flag.

This is the alternative to pre-staging the AESFMA profile during
imaging (which was reverted). AESFMA profile is assumed to exist
already because Intune's WiFi config profile delivers it during the
same enrollment that just completed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
cproudlock
2026-05-14 16:22:40 -04:00
parent f8944fbc49
commit f404cd2892


@@ -187,6 +187,7 @@ $script:cache = @{
DeviceId = $null
DeviceIdReported = $false
LockdownCompletePushed = $false
InternetAccessDeleted = $false
}
# Load Send-PxeStatus at SCRIPT scope (not inside a function). A dot-source
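Review bot: `InternetAccessDeleted` is held only in the in-memory `$script:cache`, so it resets whenever Monitor restarts; every restart after the swap re-runs the delete (which then reports the profile as missing) and the reconnect. That matches the "once per Monitor lifetime" wording in the description but is noisy and re-drives the radio for no reason. Suggest seeding the flag at startup from whether the INTERNETACCESS profile is still present (`netsh wlan show profiles`), or at least a one-line comment next to `InternetAccessDeleted = $false` stating that it is intentionally not persisted.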
@@ -356,6 +357,31 @@ function Get-Phase1 {
$policiesBaselineReady = ($subkeyCount -ge 5)
} catch {}
# Once Intune registration is fully landed (AAD-joined + Intune-enrolled
# + EnterpriseMgmt task present + baseline policies arrived), delete the
# INTERNETACCESS WiFi profile so the bay falls off 172.16.x and
# reconnects to AESFMA (which Intune SCEP cert provisioning has made
# functional by this point). Bay then has a real GE corp 10.x address
# and Report IP fires cleanly. Fires once per Monitor lifetime via
# cache flag.
if (-not $script:cache.InternetAccessDeleted -and
$script:cache.AzureAdJoined -and
$script:cache.IntuneEnrolled -and
$script:cache.EmTaskExists -and
$policiesBaselineReady) {
try {
Write-Host "Intune registration complete - deleting INTERNETACCESS profile + reconnecting to AESFMA..."
$delOut = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String
Write-Host $delOut
Start-Sleep -Seconds 2
$conOut = netsh wlan connect name="AESFMA" ssid="AESFMA" 2>&1 | Out-String
Write-Host $conOut
$script:cache.InternetAccessDeleted = $true
} catch {
Write-Warning "WiFi swap (INTERNETACCESS -> AESFMA) failed: $_"
}
}
return @{
AzureAdJoined = $script:cache.AzureAdJoined
IntuneEnrolled = $script:cache.IntuneEnrolled
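Review bot: the swap can leave the bay with no WLAN and never retry. `netsh` is a native command, so a failed `delete profile` or `connect` does not throw; the `try/catch` only covers PowerShell-level errors (e.g. netsh not found), the failure text just lands in `$delOut`/`$conOut`, and `$script:cache.InternetAccessDeleted = $true` is set regardless. If the AESFMA profile has not actually arrived yet (the description says it is assumed, not checked), INTERNETACCESS is already gone, `netsh wlan connect name="AESFMA" ssid="AESFMA"` reports no such profile, and the one-shot flag stops every later Get-Phase1 pass from trying again. Suggest reversing the order and gating on success: confirm the profile exists first (`netsh wlan show profiles` output contains AESFMA), run the connect, check `$LASTEXITCODE -eq 0` and that `netsh wlan show interfaces` shows the interface connected to AESFMA, and only then delete INTERNETACCESS and set the flag, so a transient failure retries on the next pass. The fixed `Start-Sleep -Seconds 2` between delete and connect should likewise become a short poll on interface state rather than a guess at how long disassociation takes.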