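@echo off
REM Force-Lockdown.bat - Manual SFLD lockdown trigger for SupportUser.
REM
REM Vendor-documented escape hatch: if the Intune-pushed Lockdown
REM configuration hasn't actually applied within ~30 minutes after the
REM device was added to the Lockdown group, run sfld_autologon.ps1
REM directly as admin to force it.
REM
REM This wrapper exists so the tech doesn't have to remember the path
REM or open an elevated cmd by hand. It self-elevates to admin via UAC.
REM
REM Exit codes:
REM   0     - sfld_autologon.ps1 succeeded (marker written, see below)
REM   1     - sfld_autologon.ps1 not found (PPKG step not complete yet)
REM   2     - tech did not confirm that an ARTS request is in place
REM   other - passed straight through from sfld_autologon.ps1

setlocal

REM ---- Self-elevate ---------------------------------------------------
REM "net session" only succeeds in an elevated shell. If we are not admin,
REM relaunch this same file through the UAC prompt and let this instance
REM exit; if the tech declines the prompt nothing runs at all.
REM A goto is used instead of a parenthesised block so a ")" in our own
REM path cannot break the parser, and single quotes in the path are
REM doubled because the path is embedded in a PowerShell '...' string.
net session >nul 2>&1
if %errorLevel% equ 0 goto :elevated
echo Requesting admin rights...
set "SELF=%~f0"
set "SELF=%SELF:'=''%"
powershell -NoProfile -Command "Start-Process -FilePath '%SELF%' -Verb RunAs"
exit /b
:elevated

REM Delayed expansion from here on: values typed at the prompt or taken
REM from the environment (CONFIRM, USERNAME, ...) are expanded with !..!
REM so quotes or parentheses in them fail a comparison instead of
REM corrupting the command line.
setlocal EnableDelayedExpansion
set "SCRIPT=C:\Program Files\Sysinternals\sfld_autologon.ps1"
set "MARKER_DIR=C:\Enrollment"
set "MARKER=%MARKER_DIR%\force-lockdown-applied.txt"

echo ============================================================
echo Force SFLD Lockdown
echo ============================================================
echo.
echo *** WARNING ***
echo.
echo Do NOT run this script unless an ARTS request has already
echo been submitted and approved for this device.
echo.
echo Forcing lockdown without an ARTS request bypasses the
echo normal Intune Lockdown-group push and will be flagged
echo in the audit trail.
echo.
echo ============================================================
echo Target: %SCRIPT%
echo.

REM ---- Confirmation gate ----------------------------------------------
REM CONFIRM is cleared first because "set /p" leaves a variable untouched
REM when the user just presses Enter: a stale CONFIRM=YES inherited from
REM the calling environment would otherwise pass the gate on an empty
REM answer. The comparison is case-sensitive on purpose - the prompt asks
REM for uppercase YES, so only that exact string counts.
set "CONFIRM="
set /p "CONFIRM=Type YES (uppercase) to confirm ARTS request is in place: "
if not "!CONFIRM!"=="YES" (
    echo.
    echo Cancelled - no action taken.
    echo.
    pause
    exit /b 2
)
echo.

REM ---- Preflight ------------------------------------------------------
REM The PowerShell script runs as admin with -ExecutionPolicy Bypass, so
REM the only thing standing between "file exists at this path" and
REM "arbitrary code as admin" is the ACL on C:\Program Files. No signature
REM check is done here; if that location is ever made writable by
REM non-admins this wrapper becomes a privilege-escalation path.
if not exist "%SCRIPT%" (
    echo ERROR: %SCRIPT% not found.
    echo Sysinternals Autologon PPKG step may not have completed yet.
    echo.
    pause
    exit /b 1
)

echo Running sfld_autologon.ps1 ...
echo.
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File "%SCRIPT%"
set "RC=%errorLevel%"

REM ---- Completion marker ----------------------------------------------
REM On success, write a marker that Monitor-IntuneProgress.ps1 (Phase 6 /
REM Get-LockdownState) recognizes as authoritative. Manual lockdown via
REM sfld_autologon.ps1 only flips Winlogon; the Intune Remediation log
REM never gets the "Autologon set for ShopFloor" line because Detection
REM now passes and Remediation never re-runs. The marker tells the monitor
REM to treat (Winlogon registry matches + marker present) as Complete.
REM
REM The file's presence is what the monitor keys on; the user/host fields
REM are recorded so the audit trail mentioned in the warning has something
REM to correlate the forced lockdown against.
REM NOTE(review): because the monitor trusts this marker on existence
REM alone, anyone able to create files under C:\Enrollment could mark a
REM device Complete without the lockdown having run - confirm that the
REM directory is admin-writable only.
if "%RC%"=="0" (
    if not exist "%MARKER_DIR%" mkdir "%MARKER_DIR%"
    > "%MARKER%" echo !DATE! !TIME! user=!USERNAME! host=!COMPUTERNAME! script=!SCRIPT!
    if exist "%MARKER%" (
        echo Marker written: %MARKER%
    ) else (
        echo WARNING: could not write %MARKER% - the monitor will NOT report this device as Complete.
    )
)

echo.
echo ============================================================
echo Lockdown script exit code: %RC%
echo ============================================================
echo.
pause
REM Hand the lockdown script's exit code back to whoever launched us.
REM %RC% is expanded before endlocal runs, so the value survives the
REM scope teardown.
endlocal & exit /b %RC%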