ce604adcda
Single-site bay-stuck issue at WJ: GE Intune Report IP script filters
Get-NetIPAddress on StartsWith("10.") and posts everything matching
to the GE Tines webhook. Bays at WJ get the PXE LAN 10.9.100.x IP
captured and reported -> GE backend tags bays as on a non-corp 10.x
subnet -> dynamic group eligibility for SFLD policy never matches.
Other GE sites work because their PXE LANs aren't on 10.x at all.
Renumber PXE LAN to RFC1918 172.16.9.0/24 so the GE filter naturally
skips wired PXE addresses without any disable-NIC dance.
Server-side already in flight (netplan dual-bound, dnsmasq scope +
boot URL repointed, blancco preferences + grub.cfg + iPXE GetPxeScript
all sed'd to 172.16.9.1). This commit is the playbook / scripts /
docs side: 109 hits across 35 files sed'd in one shot.
After this lands + boot.wim is rebuilt + bays renumber off DHCP,
the 10.9.100.1 binding will be dropped from netplan as the final
cleanup step.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
31 lines
1.5 KiB
PowerShell
31 lines
1.5 KiB
PowerShell
# migrate-to-wifi.ps1 - No-op as of 2026-04-24.
|
|
#
|
|
# Previously this disabled all wired NICs at first logon to keep PPKG /
|
|
# Intune enrollment routing internet traffic via WiFi. The wired NIC was
|
|
# preferred by Windows because the PXE dnsmasq was handing out a default
|
|
# gateway (dhcp-option=3,172.16.9.1) which Windows installed as a default
|
|
# route, and the lower interface metric of wired beat WiFi. Internet-bound
|
|
# traffic then black-holed at 172.16.9.1 (the PXE server, which doesn't
|
|
# forward).
|
|
#
|
|
# That root cause was fixed by removing the dhcp-option=3 and =6 lines
|
|
# from /etc/dnsmasq.conf on the PXE server. Without an advertised gateway
|
|
# on the PXE side, Windows can't add a default route via wired, so all
|
|
# internet traffic uses WiFi by default and the wired NIC stays harmless
|
|
# for same-subnet PXE/SMB traffic to 172.16.9.1.
|
|
#
|
|
# Side effect of the original behavior was an eDNC race: eDNC autostart
|
|
# would fire while the wired NIC was still disabled and hit WSAEINVAL
|
|
# (Winsock 10022) trying to bind to a non-existent local IP, looping its
|
|
# retry timer until a SYSTEM task re-enabled the NIC after SFLD creds
|
|
# landed (often ~30+ min later). Keeping the NIC up the whole time
|
|
# eliminates that race.
|
|
#
|
|
# Kept as a no-op file (instead of removed) so the unattend XML's Order 5
|
|
# RunSynchronousCommand entry does not need to be re-numbered. If the
|
|
# dhcp-option lines ever come back, this can be reverted to the disable
|
|
# logic by restoring from git.
|
|
|
|
Write-Host 'migrate-to-wifi.ps1: no-op (wired NIC kept enabled).'
|
|
exit 0
|