ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Monitor: drop INTERNETACCESS WiFi + connect AESFMA on Phase 1 complete

Browse Source 
When Intune registration lands (AAD-joined + IntuneEnrolled + EnterpriseMgmt
task present + baseline policies >=5), the bay is presumed to have its
SCEP-provisioned machine cert in LocalMachine\My. At that point the
INTERNETACCESS profile (172.16.x guest/internet WiFi) is no longer
useful - it just keeps the bay on a non-corp range so Report IP can't
find a 10.x to POST and the SFLD assignment filter never matches.

Action: in Get-Phase1, once all four registration signals are green,
fire 'netsh wlan delete profile name=INTERNETACCESS' then immediately
'netsh wlan connect name=AESFMA ssid=AESFMA'. Bay drops onto corp WLAN
with EAP-TLS, picks up a 10.x lease, Report IP fires cleanly. One-shot
per Monitor lifetime via $script:cache.InternetAccessDeleted flag.

This is the alternative to pre-staging the AESFMA profile during
imaging (which was reverted). AESFMA profile is assumed to exist
already because Intune's WiFi config profile delivers it during the
same enrollment that just completed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
cproudlock
2026-05-14 16:22:40 -04:00
parent f8944fbc49
commit f404cd2892
1 changed files with 26 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
playbook/shopfloor-setup/Shopfloor/lib/Monitor-IntuneProgress.ps1
View File

@@ -187,6 +187,7 @@ $script:cache = @{
DeviceId = $null DeviceId = $null
DeviceIdReported = $false DeviceIdReported = $false
LockdownCompletePushed = $false LockdownCompletePushed = $false
InternetAccessDeleted = $false
} }
# Load Send-PxeStatus at SCRIPT scope (not inside a function). A dot-source # Load Send-PxeStatus at SCRIPT scope (not inside a function). A dot-source
@@ -356,6 +357,31 @@ function Get-Phase1 {
$policiesBaselineReady = ($subkeyCount -ge 5) $policiesBaselineReady = ($subkeyCount -ge 5)
} catch {} } catch {}
# Once Intune registration is fully landed (AAD-joined + Intune-enrolled
# + EnterpriseMgmt task present + baseline policies arrived), delete the
# INTERNETACCESS WiFi profile so the bay falls off 172.16.x and
# reconnects to AESFMA (which Intune SCEP cert provisioning has made
# functional by this point). Bay then has a real GE corp 10.x address
# and Report IP fires cleanly. Fires once per Monitor lifetime via
# cache flag.
if (-not $script:cache.InternetAccessDeleted -and
$script:cache.AzureAdJoined -and
$script:cache.IntuneEnrolled -and
$script:cache.EmTaskExists -and
$policiesBaselineReady) {
try {
Write-Host "Intune registration complete - deleting INTERNETACCESS profile + reconnecting to AESFMA..."
$delOut = netsh wlan delete profile name="INTERNETACCESS" 2>&1 | Out-String
Write-Host $delOut
Start-Sleep -Seconds 2
$conOut = netsh wlan connect name="AESFMA" ssid="AESFMA" 2>&1 | Out-String
Write-Host $conOut
$script:cache.InternetAccessDeleted = $true
} catch {
Write-Warning "WiFi swap (INTERNETACCESS -> AESFMA) failed: $_"
}
}
return @{ return @{
AzureAdJoined = $script:cache.AzureAdJoined AzureAdJoined = $script:cache.AzureAdJoined
IntuneEnrolled = $script:cache.IntuneEnrolled IntuneEnrolled = $script:cache.IntuneEnrolled