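@echo off
REM Force-Lockdown.bat - Manual SFLD lockdown trigger for SupportUser.
REM
REM Vendor-documented escape hatch: if the Intune-pushed Lockdown
REM configuration hasn't actually applied within ~30 minutes after the
REM device was added to the Lockdown group, run sfld_autologon.ps1
REM directly as admin to force it.
REM
REM This wrapper exists so the tech doesn't have to remember the path
REM or open an elevated cmd by hand. It self-elevates to admin via UAC.
REM
REM Exit codes (elevated instance):
REM   1  - sfld_autologon.ps1 was not found
REM   2  - operator did not confirm; nothing was run
REM   RC - otherwise, the exit code returned by sfld_autologon.ps1
REM
REM NOTE(review): both this file and the target script run elevated, and
REM the target is launched with -ExecutionPolicy Bypass. Keep both in
REM locations only administrators can write to, so the content approved
REM at the UAC prompt is the content that was reviewed.

REM ---- Self-elevate ---------------------------------------------------
REM "net session" fails without admin rights; it is used only as a probe.
net session >nul 2>&1
if %errorLevel% neq 0 (
    echo Requesting admin rights...
    REM Relaunch this same file (%~f0) through UAC, then end this
    REM un-elevated instance. The elevated copy runs in its own window.
    powershell -Command "Start-Process '%~f0' -Verb RunAs"
    exit /b
)

setlocal
set "SCRIPT=C:\Program Files\Sysinternals\sfld_autologon.ps1"

echo ============================================================
echo Force SFLD Lockdown
echo ============================================================
echo.
echo *** WARNING ***
echo.
echo Do NOT run this script unless an ARTS request has already
echo been submitted and approved for this device.
echo.
echo Forcing lockdown without an ARTS request bypasses the
echo normal Intune Lockdown-group push and will be flagged
echo in the audit trail.
echo.
echo ============================================================
echo Target: %SCRIPT%
echo.

REM Clear CONFIRM first: "set /p" leaves the variable untouched when the
REM operator just presses Enter, so a CONFIRM value inherited from the
REM environment would otherwise satisfy the check below.
set "CONFIRM="
set /p "CONFIRM=Type YES (uppercase) to confirm ARTS request is in place: "

REM Case-sensitive comparison, matching the "uppercase" wording of the
REM prompt. This is an operator acknowledgement, not an access control:
REM it does not verify that an ARTS request actually exists.
if not "%CONFIRM%"=="YES" (
    echo.
    echo Cancelled - no action taken.
    echo.
    pause
    exit /b 2
)

echo.
if not exist "%SCRIPT%" (
    echo ERROR: %SCRIPT% not found.
    echo Sysinternals Autologon PPKG step may not have completed yet.
    echo.
    pause
    exit /b 1
)

echo Running sfld_autologon.ps1 ...
echo.
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File "%SCRIPT%"
set "RC=%errorLevel%"

echo.
echo ============================================================
echo Lockdown script exit code: %RC%
echo ============================================================
echo.
pause

REM %RC% is expanded when this line is parsed, before endlocal discards
REM it, so the lockdown script's result is what the caller sees.
endlocal & exit /b %RC%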