@echo off
title Shopfloor Backup Lockdown

:: Self-elevate to administrator
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo Requesting administrator privileges...
    powershell -Command "Start-Process '%~f0' -Verb RunAs"
    exit /b
)

echo.
echo ========================================
echo   Shopfloor Backup Lockdown
echo ========================================
echo.

:: Run SFLD autologon script first
echo Running SFLD autologon script...
"C:\Program Files\PowerShell\7\pwsh.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\Sysinternals\sfld_autologon.ps1"

echo.
echo Waiting 10 seconds...
ping -n 11 127.0.0.1 >nul

:: Discover the EnterpriseMgmt enrollment GUID
for /f "delims=" %%G in ('powershell -NoProfile -Command "$t = Get-ScheduledTask | Where-Object { $_.TaskPath -match '\\Microsoft\\EnterpriseMgmt\\' -and $_.TaskName -match 'Schedule #1' }; if ($t) { $t.TaskPath -replace '.*EnterpriseMgmt\\([^\\]+)\\.*','$1' | Select-Object -First 1 } else { '' }"') do set GUID=%%G

if not defined GUID (
    echo ERROR: No EnterpriseMgmt enrollment GUID found.
    echo The device may not be enrolled in MDM yet.
    pause
    exit /b 1
)

echo Enrollment GUID: %GUID%
echo.

echo Running EnterpriseMgmt Schedule #1...
schtasks /run /tn "\Microsoft\EnterpriseMgmt\%GUID%\Schedule #1 created by enrollment client"
echo Waiting 30 seconds...
ping -n 31 127.0.0.1 >nul

echo Running EnterpriseMgmt Schedule #2...
schtasks /run /tn "\Microsoft\EnterpriseMgmt\%GUID%\Schedule #2 created by enrollment client"
echo Waiting 90 seconds...
ping -n 91 127.0.0.1 >nul

echo Running EnterpriseMgmt Schedule #3...
schtasks /run /tn "\Microsoft\EnterpriseMgmt\%GUID%\Schedule #3 created by enrollment client"

echo.
echo Lockdown complete.
pause