Revert AESFMA preinstall stage from Run-ShopfloorSetup
User call: don't install AESFMA profiles during imaging preinstall. Removed the MA package copy + MA4NetworkConfigv2.bat invocation from Run-ShopfloorSetup line 43 area.

.gitignore additions for profile XML patterns are kept - those are a harmless safety net. PXE share's /srv/samba/enrollment/MachineAuth/ staging directory is left in place (not deleted) - no consumer references it after this revert.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -41,38 +41,6 @@ function Report-Stage {
|
|||||||
}
|
}
|
||||||
Report-Stage -Stage 'Run-ShopfloorSetup: starting' -Index 2
|
Report-Stage -Stage 'Run-ShopfloorSetup: starting' -Index 2
|
||||||
|
|
||||||
# ---- Pre-stage GE Machine Auth (802.1X / AESFMA WiFi) profiles ----
|
|
||||||
# Drops the V02 MA package (8021x.xml + AESFMA.xml + bat) to a known
|
|
||||||
# location and imports profiles to every physical wired/wireless NIC.
|
|
||||||
# Profile XML is GE-internal (Intune-managed PSK + RADIUS root CA
|
|
||||||
# thumbprint) so it lives on the PXE enrollment share, NOT git.
|
|
||||||
#
|
|
||||||
# Effect: bay has the AESFMA WiFi profile ready (connectionMode=auto).
|
|
||||||
# Once Intune SCEP cert provisioning lands (a few minutes after PPKG
|
|
||||||
# enrollment), the WLAN service auto-joins AESFMA and the bay gets a
|
|
||||||
# real GE corp 10.x address. GE Report-IP script then sees that 10.x,
|
|
||||||
# POSTs cleanly to the webhook, dynamic group eligibility flips, SFLD
|
|
||||||
# ConfigurationProfile delivers, Phase 2 completes naturally.
|
|
||||||
$maShare = '\\10.9.100.1\enrollment\MachineAuth'
|
|
||||||
$maLocal = 'C:\Windows\Options\Packages\GEAerospace_MA_4x1_V02'
|
|
||||||
if (Test-Path -LiteralPath $maShare) {
|
|
||||||
try {
|
|
||||||
if (-not (Test-Path $maLocal)) { New-Item -ItemType Directory -Path $maLocal -Force | Out-Null }
|
|
||||||
Copy-Item -Path (Join-Path $maShare '*') -Destination $maLocal -Recurse -Force -ErrorAction Stop
|
|
||||||
$maBat = Join-Path $maLocal 'MA4NetworkConfigv2.bat'
|
|
||||||
if (Test-Path -LiteralPath $maBat) {
|
|
||||||
Write-Host "Running MA4NetworkConfigv2.bat (imports 8021x + AESFMA profiles)..."
|
|
||||||
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', "`"$maBat`"" -Wait -NoNewWindow -ErrorAction SilentlyContinue
|
|
||||||
} else {
|
|
||||||
Write-Warning "MA bat not at $maBat - profiles NOT imported."
|
|
||||||
}
|
|
||||||
} catch {
|
|
||||||
Write-Warning "MachineAuth stage failed: $_"
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
Write-Warning "MachineAuth share not reachable at $maShare - skipping profile import."
|
|
||||||
}
|
|
||||||
|
|
||||||
# AutoLogonCount is NOT set here. Previously we bumped it to 99/4, but
|
# AutoLogonCount is NOT set here. Previously we bumped it to 99/4, but
|
||||||
# Windows decrements it per-logon and at 0 clears AutoAdminLogon -- which
|
# Windows decrements it per-logon and at 0 clears AutoAdminLogon -- which
|
||||||
# nukes the lockdown-configured ShopFloor autologon later in the chain.
|
# nukes the lockdown-configured ShopFloor autologon later in the chain.
|
||||||
|
|||||||
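Review bot: the comment block removed at the top of this stage says the profile XML carries an Intune-managed PSK and the RADIUS root CA thumbprint, yet the commit message leaves the MachineAuth staging directory on the PXE share (\\10.9.100.1\enrollment\MachineAuth) in place with no consumer. Secret-bearing files that nothing reads are exposure without benefit, so either delete the staging directory as part of this revert or record who owns its cleanup and who can still read the share. Bays imaged before this revert also keep the copy under C:\Windows\Options\Packages\GEAerospace_MA_4x1_V02 and whatever profiles MA4NetworkConfigv2.bat imported; the revert undoes neither, so the message should say whether those bays need a cleanup step. A one-line comment where the stage used to be, stating that AESFMA profiles are intentionally not installed during preinstall, would keep the block from being re-added later.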