pxe-server

ge-aerospace/pxe-server

Fork 0

Commit Graph

Author	SHA1	Message	Date
cproudlock	ce604adcda	Renumber PXE LAN from 10.9.100.0/24 to 172.16.9.0/24 Single-site bay-stuck issue at WJ: GE Intune Report IP script filters Get-NetIPAddress on StartsWith("10.") and posts everything matching to the GE Tines webhook. Bays at WJ get the PXE LAN 10.9.100.x IP captured and reported -> GE backend tags bays as on a non-corp 10.x subnet -> dynamic group eligibility for SFLD policy never matches. Other GE sites work because their PXE LANs aren't on 10.x at all. Renumber PXE LAN to RFC1918 172.16.9.0/24 so the GE filter naturally skips wired PXE addresses without any disable-NIC dance. Server-side already in flight (netplan dual-bound, dnsmasq scope + boot URL repointed, blancco preferences + grub.cfg + iPXE GetPxeScript all sed'd to 172.16.9.1). This commit is the playbook / scripts / docs side: 109 hits across 35 files sed'd in one shot. After this lands + boot.wim is rebuilt + bays renumber off DHCP, the 10.9.100.1 binding will be dropped from netplan as the final cleanup step. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-14 16:30:32 -04:00
cproudlock	1ae5bdce57	Add three-stage imaging snapshot tool + runbook scripts/diagnostics/Capture-LockdownState.ps1 captures Windows endpoint state at three lifecycle checkpoints so the deltas isolate which phase delivered (or failed to deliver) each component: - pre-category - PPKG-enrolled, no Intune category yet - post-category - category-driven assignments arrived, pre-lockdown - post-lockdown - kiosk + autologon + AppLocker fully landed Bumped from the previous 2-stage (pre/post) version. Legacy 'pre'/'post' aliases preserved. Captures additions driven by the SFLD-DSC v2.0.2 post-mortem: - IMECache file listing (catches missing sastoken.txt) - DSCDeployment.log + version.txt copied from C:\pc\ - SFLD\DSC payload listing - C:\Logs\BPRT\ runtime state (criticalChecks.json, packageInfo.json) - C:\WCDApps\ deploy verification - Windows\Provisioning\Diagnostics copy - Tasks-RunHistory.csv with LastRunTime + LastTaskResult per task - DeviceManagement-Events.csv (MDM 429s, AAD token failures) - Provisioning-Events.csv (PPKG runtime errors) - MDM-Certificates.csv (enrollment cert health) scripts/diagnostics/snapshot-runbook.txt: step-by-step ops guide covering when to fire each stage, where output lands, how to ship it back via image-upload share, and which files to compare first when diffing.	2026-05-01 08:53:52 -04:00

Author

SHA1

Message

Date

cproudlock

ce604adcda

Renumber PXE LAN from 10.9.100.0/24 to 172.16.9.0/24

Single-site bay-stuck issue at WJ: GE Intune Report IP script filters
Get-NetIPAddress on StartsWith("10.") and posts everything matching
to the GE Tines webhook. Bays at WJ get the PXE LAN 10.9.100.x IP
captured and reported -> GE backend tags bays as on a non-corp 10.x
subnet -> dynamic group eligibility for SFLD policy never matches.
Other GE sites work because their PXE LANs aren't on 10.x at all.

Renumber PXE LAN to RFC1918 172.16.9.0/24 so the GE filter naturally
skips wired PXE addresses without any disable-NIC dance.

Server-side already in flight (netplan dual-bound, dnsmasq scope +
boot URL repointed, blancco preferences + grub.cfg + iPXE GetPxeScript
all sed'd to 172.16.9.1). This commit is the playbook / scripts /
docs side: 109 hits across 35 files sed'd in one shot.

After this lands + boot.wim is rebuilt + bays renumber off DHCP,
the 10.9.100.1 binding will be dropped from netplan as the final
cleanup step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-14 16:30:32 -04:00

cproudlock

1ae5bdce57

Add three-stage imaging snapshot tool + runbook

scripts/diagnostics/Capture-LockdownState.ps1 captures Windows endpoint
state at three lifecycle checkpoints so the deltas isolate which phase
delivered (or failed to deliver) each component:
  - pre-category   - PPKG-enrolled, no Intune category yet
  - post-category  - category-driven assignments arrived, pre-lockdown
  - post-lockdown  - kiosk + autologon + AppLocker fully landed

Bumped from the previous 2-stage (pre/post) version. Legacy 'pre'/'post'
aliases preserved.

Captures additions driven by the SFLD-DSC v2.0.2 post-mortem:
  - IMECache file listing (catches missing sastoken.txt)
  - DSCDeployment.log + version.txt copied from C:\pc\
  - SFLD\DSC payload listing
  - C:\Logs\BPRT\ runtime state (criticalChecks.json, packageInfo.json)
  - C:\WCDApps\ deploy verification
  - Windows\Provisioning\Diagnostics copy
  - Tasks-RunHistory.csv with LastRunTime + LastTaskResult per task
  - DeviceManagement-Events.csv (MDM 429s, AAD token failures)
  - Provisioning-Events.csv (PPKG runtime errors)
  - MDM-Certificates.csv (enrollment cert health)

scripts/diagnostics/snapshot-runbook.txt: step-by-step ops guide
covering when to fire each stage, where output lands, how to ship it
back via image-upload share, and which files to compare first when
diffing.

2026-05-01 08:53:52 -04:00

2 Commits