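# Disable-WiredNics.ps1
# Disables every Up wired (MediaType 802.3) NIC and records their names to
# C:\Enrollment\disabled-wired-nics.txt so Monitor-IntuneProgress can
# re-enable them once Report IP has run on WiFi-only.
#
# Reason: GE's Intune Proactive-Remediation "Report IP" script enumerates
# Get-NetIPAddress and POSTs every IP it finds to a GE webhook. When a
# shopfloor bay is still cabled to the air-gapped PXE LAN (172.16.9.0/24),
# the webhook sees 10.9.100.x as one of the device's IPs and tags the bay
# "not on corp net". A dynamic group / assignment-filter at GE then excludes
# the bay from receiving the SFLD ConfigurationProfile (Function + SasToken
# OMA-URI) -> Phase 2 "Device Configuration" never closes.
#
# Killing the wired NIC after stage 2 reports + before AAD-join makes the
# bay's first Report IP fire see corp-WiFi IP only. The bay is tagged
# clean, dynamic group eligibility flips, SFLD policy delivers normally.
# Monitor-IntuneProgress re-enables the NIC once Report IP's log file
# appears at C:\Logs\GE_Report_IP_Address*.txt.
#
# Ordering contract:
#  - The state file is written BEFORE any adapter is disabled, so a failed
#    write leaves the NICs untouched and is reported by the catch below
#    rather than leaving the Monitor with nothing to re-enable.
#  - A re-run after the NICs are already down finds no Up wired NICs and
#    returns early without touching the state file, so the list is kept.
#  - The state file is the Monitor's only record of which adapters to bring
#    back; it is assumed to be writable only by the enrollment context
#    (SYSTEM/Administrators) - TODO confirm the ACL on C:\Enrollment.

$ErrorActionPreference = 'Continue'
$stateFile = 'C:\Enrollment\disabled-wired-nics.txt'

try {
    # Only physical (HardwareInterface) wired NICs that are currently Up;
    # virtual/tunnel adapters and already-down NICs are left alone.
    # @() keeps $wired an array even when exactly one adapter matches.
    $wired = @(Get-NetAdapter -ErrorAction Stop |
        Where-Object {
            $_.Status -eq 'Up' -and
            $_.MediaType -eq '802.3' -and
            $_.HardwareInterface -eq $true
        })

    if ($wired.Count -eq 0) {
        Write-Host "Disable-WiredNics: no Up wired NICs found - nothing to disable."
        return
    }

    # Out-File does not create parent directories; a missing C:\Enrollment
    # would otherwise abort the whole step before anything is disabled.
    $stateDir = Split-Path -Path $stateFile -Parent
    if (-not (Test-Path -LiteralPath $stateDir)) {
        New-Item -ItemType Directory -Path $stateDir -Force -ErrorAction Stop | Out-Null
    }

    $names = @($wired | ForEach-Object { $_.Name })

    # Persist first, then disable (see ordering contract above). -ErrorAction
    # Stop so a write failure lands in the catch instead of being logged and
    # then followed by a disable with no record.
    # NOTE(review): ASCII encoding replaces non-ASCII characters in adapter
    # names with '?', which would stop the Monitor matching a renamed NIC;
    # kept as ASCII because that is what Monitor-IntuneProgress reads today -
    # TODO confirm before changing the encoding on both sides.
    $names | Out-File -FilePath $stateFile -Encoding ASCII -Force -ErrorAction Stop
    Write-Host ("Disable-WiredNics: persisted {0} NIC name(s) -> {1}" -f $names.Count, $stateFile)
    foreach ($n in $names) { Write-Host " - $n" }

    $wired | Disable-NetAdapter -Confirm:$false -ErrorAction Continue

    # Disable-NetAdapter reports per-adapter errors but does not fail the
    # pipeline, so re-query by interface index and surface any NIC that is
    # still Up instead of unconditionally logging success. Index is used
    # rather than -Name because -Name treats wildcard characters as patterns.
    $indexes = @($wired | ForEach-Object { $_.InterfaceIndex })
    $stillUp = @(Get-NetAdapter -InterfaceIndex $indexes -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Up' })
    if ($stillUp.Count -gt 0) {
        Write-Warning ("Disable-WiredNics: {0} NIC(s) still Up after disable: {1}" -f $stillUp.Count, (($stillUp | ForEach-Object { $_.Name }) -join ', '))
    } else {
        Write-Host "Disable-WiredNics: NICs disabled. Re-enable triggered by Monitor when GE_Report_IP_Address log appears."
    }
}
catch {
    Write-Warning "Disable-WiredNics: failed: $_"
}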