pxe-server

ge-aerospace/pxe-server

Fork 0

Commit Graph

Author	SHA1	Message	Date
cproudlock	ce604adcda	Renumber PXE LAN from 10.9.100.0/24 to 172.16.9.0/24 Single-site bay-stuck issue at WJ: GE Intune Report IP script filters Get-NetIPAddress on StartsWith("10.") and posts everything matching to the GE Tines webhook. Bays at WJ get the PXE LAN 10.9.100.x IP captured and reported -> GE backend tags bays as on a non-corp 10.x subnet -> dynamic group eligibility for SFLD policy never matches. Other GE sites work because their PXE LANs aren't on 10.x at all. Renumber PXE LAN to RFC1918 172.16.9.0/24 so the GE filter naturally skips wired PXE addresses without any disable-NIC dance. Server-side already in flight (netplan dual-bound, dnsmasq scope + boot URL repointed, blancco preferences + grub.cfg + iPXE GetPxeScript all sed'd to 172.16.9.1). This commit is the playbook / scripts / docs side: 109 hits across 35 files sed'd in one shot. After this lands + boot.wim is rebuilt + bays renumber off DHCP, the 10.9.100.1 binding will be dropped from netplan as the final cleanup step. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-14 16:30:32 -04:00
cproudlock	b8328171eb	Kill wired NICs post-stage-2 until Report IP log appears Recurring Phase 2 "Device Configuration" stuck: GE Intune Proactive Remediation "Report IP" script enumerates Get-NetIPAddress and POSTs all IPs to a GE webhook. Bays cabled to air-gapped PXE LAN have 10.9.100.x leak into that report. GE backend tags bays "not on corp net" -> dynamic-group assignment-filter at GE excludes them from the SFLD ConfigurationProfile (Function + SasToken OMA-URI) -> HKLM:\SOFTWARE\GE\SFLD\DSC never populates -> Monitor Phase 2 gate never closes. Confirmed via mdm-diag-F907T5X3 dump: every Microsoft policy delivered fine, zero SFLD/GE-namespace OMA-URI present. Fix flow: 1. Run-ShopfloorSetup line 43: disable every Up wired NIC right after stage 2 push. NIC names persisted to C:\Enrollment\disabled-wired-nics.txt for later re-enable. 2. Stages 3-6 status pushes fail silently while wired is down (PXE server lives on the air-gapped 10.9.100.0/24 LAN, unreachable from WiFi). Dashboard goes dark in that window. 3. PPKG installs, immediate reboot, AAD/Intune enroll over WiFi only. 4. IME boots, Report IP script fires with corp-WiFi IP only, writes C:\Logs\GE_Report_IP_Address*.txt. Webhook records clean IP. GE dynamic group eligibility flips. SFLD policy delivers next sync. 5. Monitor-IntuneProgress detects the log file, re-enables every NIC in the persisted list, sleeps 1s for link, then pushes idx=7 with DeviceId so the dashboard card flips to QR before the Intune- triggered LAPS-prompt reboot lands. Phase 1 remains "in progress" on the dashboard until Report IP fires - correct, the bay isn't actually registration-clean until then. Files: - Disable-WiredNics.ps1 (new) - persists names + disables - Run-ShopfloorSetup.ps1 - call after stage 2 Report-Stage - Monitor-IntuneProgress.ps1 - gate idx=7 push + re-enable Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-13 17:22:41 -04:00

Author

SHA1

Message

Date

cproudlock

ce604adcda

Renumber PXE LAN from 10.9.100.0/24 to 172.16.9.0/24

Single-site bay-stuck issue at WJ: GE Intune Report IP script filters
Get-NetIPAddress on StartsWith("10.") and posts everything matching
to the GE Tines webhook. Bays at WJ get the PXE LAN 10.9.100.x IP
captured and reported -> GE backend tags bays as on a non-corp 10.x
subnet -> dynamic group eligibility for SFLD policy never matches.
Other GE sites work because their PXE LANs aren't on 10.x at all.

Renumber PXE LAN to RFC1918 172.16.9.0/24 so the GE filter naturally
skips wired PXE addresses without any disable-NIC dance.

Server-side already in flight (netplan dual-bound, dnsmasq scope +
boot URL repointed, blancco preferences + grub.cfg + iPXE GetPxeScript
all sed'd to 172.16.9.1). This commit is the playbook / scripts /
docs side: 109 hits across 35 files sed'd in one shot.

After this lands + boot.wim is rebuilt + bays renumber off DHCP,
the 10.9.100.1 binding will be dropped from netplan as the final
cleanup step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-14 16:30:32 -04:00

cproudlock

b8328171eb

Kill wired NICs post-stage-2 until Report IP log appears

Recurring Phase 2 "Device Configuration" stuck: GE Intune Proactive
Remediation "Report IP" script enumerates Get-NetIPAddress and POSTs
all IPs to a GE webhook. Bays cabled to air-gapped PXE LAN have
10.9.100.x leak into that report. GE backend tags bays "not on corp
net" -> dynamic-group assignment-filter at GE excludes them from the
SFLD ConfigurationProfile (Function + SasToken OMA-URI) ->
HKLM:\SOFTWARE\GE\SFLD\DSC never populates -> Monitor Phase 2 gate
never closes. Confirmed via mdm-diag-F907T5X3 dump: every Microsoft
policy delivered fine, zero SFLD/GE-namespace OMA-URI present.

Fix flow:
1. Run-ShopfloorSetup line 43: disable every Up wired NIC right after
   stage 2 push. NIC names persisted to
   C:\Enrollment\disabled-wired-nics.txt for later re-enable.
2. Stages 3-6 status pushes fail silently while wired is down (PXE
   server lives on the air-gapped 10.9.100.0/24 LAN, unreachable from
   WiFi). Dashboard goes dark in that window.
3. PPKG installs, immediate reboot, AAD/Intune enroll over WiFi only.
4. IME boots, Report IP script fires with corp-WiFi IP only, writes
   C:\Logs\GE_Report_IP_Address*.txt. Webhook records clean IP. GE
   dynamic group eligibility flips. SFLD policy delivers next sync.
5. Monitor-IntuneProgress detects the log file, re-enables every NIC
   in the persisted list, sleeps 1s for link, then pushes idx=7 with
   DeviceId so the dashboard card flips to QR before the Intune-
   triggered LAPS-prompt reboot lands.

Phase 1 remains "in progress" on the dashboard until Report IP fires
- correct, the bay isn't actually registration-clean until then.

Files:
- Disable-WiredNics.ps1 (new) - persists names + disables
- Run-ShopfloorSetup.ps1 - call after stage 2 Report-Stage
- Monitor-IntuneProgress.ps1 - gate idx=7 push + re-enable

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-13 17:22:41 -04:00

2 Commits