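@echo off
setlocal
title Intune Policy Sync

:: ============================================================
:: Intune Policy Sync
::
:: 1. Self-elevates to administrator.
:: 2. Prints the device ID reported by dsregcmd (plus an ASCII QR code
::    when QRCoder.dll is present).
:: 3. Triggers an Intune MDM sync through the enrollment's scheduled task.
:: 4. Polls for the SFLD group-policy registry key for up to 10 minutes.
::
:: Requires: Windows with PowerShell; administrator rights (self-elevates).
:: Outcome is reported on the console; the script ends with exit /b.
::
:: Fixes in this revision:
::  - The "Run sync anyway? (Y/N)" prompt lived inside an if-block, and the
::    unescaped ")" closed the block early, so the choice prompt ran even
::    when no SFLD key existed (silently, with no text shown). The
::    parentheses are now escaped with ^.
::  - The QR dark-module string was written as [char]0x2588 + [char]0x2588,
::    which PowerShell evaluates as integer addition (19216), not as a
::    two-character block string; it is now built as a string.
:: ============================================================

:: Self-elevate to administrator ("net session" fails when not elevated)
net session >nul 2>&1
if %errorlevel% neq 0 (
  powershell -Command "Start-Process '%~f0' -Verb RunAs"
  exit /b
)

echo.
echo ========================================
echo Intune Policy Sync - %COMPUTERNAME%
echo ========================================
echo.

:: Show device ID and QR code.
:: NOTE(review): dsregcmd's DeviceId is the Entra ID (Azure AD) device identity;
:: confirm it is the identifier the downstream workflow expects before relying
:: on the "Intune Device ID" label.
:: NOTE(review): Add-Type loads QRCoder.dll from a fixed path while running as
:: administrator. Make sure that directory is not writable by standard users
:: (or verify the DLL's signature/hash before loading); otherwise a replaced
:: DLL would execute with elevated rights.
powershell -ExecutionPolicy Bypass -Command ^
  "$dsreg = dsregcmd /status 2>&1; "^
  "$line = $dsreg | Select-String 'DeviceId'; "^
  "if ($line) { "^
  "  $deviceId = $line.ToString().Split(':')[1].Trim(); "^
  "  Write-Host \"Intune Device ID: $deviceId\" -ForegroundColor Cyan; "^
  "  Write-Host ''; "^
  "  $dllPath = 'C:\Enrollment\shopfloor-setup\Shopfloor\QRCoder.dll'; "^
  "  if (Test-Path $dllPath) { "^
  "    Add-Type -Path $dllPath; "^
  "    $gen = New-Object QRCoder.QRCodeGenerator; "^
  "    $data = $gen.CreateQrCode($deviceId, [QRCoder.QRCodeGenerator+ECCLevel]::L); "^
  "    $ascii = New-Object QRCoder.AsciiQRCode($data); "^
  "    $dark = ([string][char]0x2588) * 2; "^
  "    $qr = $ascii.GetGraphic(1, $dark, ' '); "^
  "    Write-Host $qr; "^
  "  } else { "^
  "    Write-Host 'QRCoder.dll not found - skipping QR code' -ForegroundColor Yellow; "^
  "  } "^
  "} else { "^
  "  Write-Host 'Device not yet Azure AD joined.' -ForegroundColor Yellow; "^
  "}"
echo.

:: Check current state; offer to skip if the SFLD key is already present.
:: ")" must be escaped inside a parenthesized block or it closes the block.
reg query "HKLM\Software\GE\SFLD" >nul 2>&1
if %errorlevel% equ 0 (
  echo SFLD policies already applied.
  echo.
  echo Run sync anyway? ^(Y/N^)
  choice /c YN /n
  if errorlevel 2 exit /b
)

:: Trigger sync via the MDM enrollment scheduled task.
:: Only enrollments whose ProviderID is 'MS DM Server' (Intune) are used;
:: the 'Schedule #3' task under \Microsoft\Windows\EnterpriseMgmt\<id>\ is
:: started for each such enrollment.
echo Triggering Intune sync...
powershell -ExecutionPolicy Bypass -Command ^
  "$enrollPath = 'HKLM:\SOFTWARE\Microsoft\Enrollments'; "^
  "$found = $false; "^
  "Get-ChildItem $enrollPath -ErrorAction SilentlyContinue | ForEach-Object { "^
  "  $id = $_.PSChildName; "^
  "  $provider = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID; "^
  "  if ($provider -eq 'MS DM Server') { "^
  "    $found = $true; "^
  "    Write-Host \"Enrollment ID: $id\"; "^
  "    $taskPath = \"\Microsoft\Windows\EnterpriseMgmt\$id\\\"; "^
  "    Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue | "^
  "      Where-Object { $_.TaskName -match 'Schedule #3' } | "^
  "      ForEach-Object { "^
  "        Start-ScheduledTask -InputObject $_; "^
  "        Write-Host \"Sync triggered: $($_.TaskName)\"; "^
  "      }; "^
  "  } "^
  "}; "^
  "if (-not $found) { Write-Host 'ERROR: No Intune enrollment found.' -ForegroundColor Red }"
echo.

echo Waiting for SFLD group policies (HKLM\Software\GE\SFLD)...
echo Press Ctrl+C to stop waiting.
echo.

:: Poll every 15 seconds for up to 10 minutes (40 x 15s).
set /a attempts=0
set /a max=40

:poll
reg query "HKLM\Software\GE\SFLD" >nul 2>&1
if %errorlevel% equ 0 (
  echo.
  echo ========================================
  echo SFLD group policies applied!
  echo ========================================
  echo.
  pause
  exit /b
)

set /a attempts+=1
if %attempts% geq %max% (
  echo.
  echo Timed out after 10 minutes. SFLD policies not yet applied.
  echo The device category may not be assigned yet in Intune.
  echo Assign the category in the portal, then run this again.
  echo.
  pause
  exit /b
)

echo [%attempts%/%max%] Waiting... checking again in 15s
timeout /t 15 /nobreak >nul
goto poll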