ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ce604adcda9392232fc96250f5b66dcbe0a63fab
pxe-server/playbook/shopfloor-setup/Shopfloor/lib/Disable-WiredNics.ps1
cproudlock ce604adcda Renumber PXE LAN from 10.9.100.0/24 to 172.16.9.0/24 
Single-site bay-stuck issue at WJ: GE Intune Report IP script filters
Get-NetIPAddress on StartsWith("10.") and posts everything matching
to the GE Tines webhook. Bays at WJ get the PXE LAN 10.9.100.x IP
captured and reported -> GE backend tags bays as on a non-corp 10.x
subnet -> dynamic group eligibility for SFLD policy never matches.
Other GE sites work because their PXE LANs aren't on 10.x at all.

Renumber PXE LAN to RFC1918 172.16.9.0/24 so the GE filter naturally
skips wired PXE addresses without any disable-NIC dance.

Server-side already in flight (netplan dual-bound, dnsmasq scope +
boot URL repointed, blancco preferences + grub.cfg + iPXE GetPxeScript
all sed'd to 172.16.9.1). This commit is the playbook / scripts /
docs side: 109 hits across 35 files sed'd in one shot.

After this lands + boot.wim is rebuilt + bays renumber off DHCP,
the 10.9.100.1 binding will be dropped from netplan as the final
cleanup step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 16:30:32 -04:00

46 lines
2.0 KiB
PowerShell
Raw Blame History

# Disable-WiredNics.ps1
# Disables every Up wired (MediaType 802.3) NIC and records their names to
# C:\Enrollment\disabled-wired-nics.txt so Monitor-IntuneProgress can
# re-enable them once Report IP has run on WiFi-only.
#
# Reason: GE's Intune Proactive-Remediation "Report IP" script enumerates
# Get-NetIPAddress and POSTs every IP it finds to a GE webhook. When a
# shopfloor bay is still cabled to the air-gapped PXE LAN (172.16.9.0/24),
# the webhook sees 10.9.100.x as one of the device's IPs and tags the bay
# "not on corp net". A dynamic group / assignment-filter at GE then excludes
# the bay from receiving the SFLD ConfigurationProfile (Function + SasToken
# OMA-URI) -> Phase 2 "Device Configuration" never closes.
#
# Killing the wired NIC after stage 2 reports + before AAD-join makes the
# bay's first Report IP fire see corp-WiFi IP only. The bay is tagged
# clean, dynamic group eligibility flips, SFLD policy delivers normally.
# Monitor-IntuneProgress re-enables the NIC once Report IP's log file
# appears at C:\Logs\GE_Report_IP_Address*.txt.
$ErrorActionPreference = 'Continue'
$stateFile = 'C:\Enrollment\disabled-wired-nics.txt'
try {
$wired = Get-NetAdapter -ErrorAction Stop |
Where-Object {
$_.Status -eq 'Up' -and
$_.MediaType -eq '802.3' -and
$_.HardwareInterface -eq $true
}
if (-not $wired) {
Write-Host "Disable-WiredNics: no Up wired NICs found - nothing to disable."
return
}
$names = $wired | ForEach-Object { $_.Name }
$names | Out-File -FilePath $stateFile -Encoding ASCII -Force
Write-Host ("Disable-WiredNics: persisted {0} NIC name(s) -> {1}" -f $names.Count, $stateFile)
foreach ($n in $names) { Write-Host " - $n" }
$wired | Disable-NetAdapter -Confirm:$false -ErrorAction Continue
Write-Host "Disable-WiredNics: NICs disabled. Re-enable triggered by Monitor when GE_Report_IP_Address log appears."
} catch {
Write-Warning "Disable-WiredNics: failed: $_"
}
Reference in New Issue View Git Blame Copy Permalink