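@echo off
setlocal EnableExtensions EnableDelayedExpansion

REM --------------------------------------------------------------------
REM  MDT / Standalone wrapper for Install_Security_Updates_OSD.ps1
REM   - Copies the PS1 into a local working folder
REM   - Orchestrates passes with flag files and exit codes
REM   - Intended for both MDT task sequences and standalone execution
REM
REM  Exit codes:
REM     0     installer returned 0 AND compliant.flag exists
REM     3010  installer requested a reboot (MDT reboots and resumes)
REM     1     copy/verification failure, or installer returned 0
REM           without leaving compliant.flag behind
REM     other installer exit code passed through unchanged
REM
REM  NOTE(review): the copied script is executed from %ROOT% with
REM  -ExecutionPolicy Bypass, and the flag files in %ROOT% decide the
REM  compliance result. Folders created under C:\ commonly inherit ACLs
REM  that allow non-admin users to create files; confirm that %ROOT% is
REM  writable only by Administrators/SYSTEM when this wrapper runs
REM  elevated outside of OSD.
REM --------------------------------------------------------------------

set "ROOT=C:\Temp\Windows_Update"
set "SRC=%~dp0Install_Security_Updates_OSD.ps1"
set "PS1=%ROOT%\Install_Security_Updates_OSD.ps1"
set "LOG=%ROOT%\Wrapper.log"
REM System tools are called by full path so that a same-named executable
REM in the current directory or earlier on PATH is never picked up.
set "SYS32=%SystemRoot%\System32"

if not exist "%ROOT%\" md "%ROOT%" >nul 2>&1
if not exist "%ROOT%\" (
    REM The log lives inside ROOT, so this can only go to the console.
    echo ERROR: Cannot create working directory %ROOT%
    exit /b 1
)

REM ---- Reset stale state: delete any flags left by previous runs.
REM      Remark this line out if you are running the wrapper manually.
REM      NOTE(review): while this line is active, compliant.flag and
REM      pending.flag can never exist at the checks further down, so the
REM      fast exit and the "continuing after reboot" message only apply
REM      when the reset is remarked out.
del /f /q "%ROOT%\compliant.flag" "%ROOT%\pending.flag" "%ROOT%\failure.flag" 2>nul

call :Log "============================================================"
call :Log "Wrapper start"
call :Log "Root: %ROOT%"

REM ---- Copy the PowerShell script next to the logs/flags ----
"%SYS32%\xcopy.exe" "%SRC%" "%ROOT%\" /f /c /i /y >nul 2>&1
if errorlevel 1 (
    call :Log "ERROR: Failed to copy PowerShell script from %~dp0"
    exit /b 1
)

if not exist "%PS1%" (
    call :Log "ERROR: PowerShell script not found after copy: %PS1%"
    exit /b 1
)

REM ---- Make sure the file about to be executed is the one that shipped
REM      with this wrapper and not a stale or replaced copy. This narrows
REM      but does not close the window between check and execution; the
REM      ACL on %ROOT% is the real control.
"%SYS32%\fc.exe" /b "%SRC%" "%PS1%" >nul 2>&1
if errorlevel 1 (
    call :Log "ERROR: Copied script differs from source: %PS1%"
    exit /b 1
)

REM ---- Fast exit if already compliant (from prior pass) ----
if exist "%ROOT%\compliant.flag" (
    call :Log "compliant.flag present; nothing to do."
    exit /b 0
)

REM ---- Informational: if we just came back from a reboot ----
if exist "%ROOT%\pending.flag" (
    call :Log "pending.flag present; continuing after reboot..."
) else (
    call :Log "First pass or no reboot pending; proceeding..."
)

REM ---- Invoke the installer ----
REM      -ExecutionPolicy Bypass disables the policy check for this run,
REM      so nothing validates the script's origin or signature here.
call :Log "Running PowerShell: %PS1%"
"%SYS32%\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "%PS1%"
set "RC=%ERRORLEVEL%"
call :Log "Installer exit code: %RC%"

REM ---- MDT contract: 3010 = success + reboot required ----
if "%RC%"=="3010" (
    call :Log "Reboot requested by installer. Exiting 3010 so MDT can reboot/resume."
    exit /b 3010
)

REM ---- Success is only valid when compliant.flag exists ----
REM      (the wrapper never creates the flag itself; presumably the
REM      installer writes it - confirm against the PS1)
if "%RC%"=="0" (
    if exist "%ROOT%\compliant.flag" (
        call :Log "Compliance confirmed. Exiting 0."
        exit /b 0
    ) else (
        call :Log "ERROR: Installer returned 0 but compliant.flag is missing. Treating as failure."
        exit /b 1
    )
)

REM ---- Any other exit code bubbles up as failure ----
call :Log "Non-success exit code received: %RC%"
exit /b %RC%


REM --------------------------------------------------------------------
REM  :Log  - append one timestamped line to %LOG% and echo it to stdout.
REM    %1  - message text, passed as a single quoted argument
REM  The message is printed through delayed expansion so that characters
REM  such as ^& ^| ^< ^> inside it (for example from %~dp0) are written
REM  as text instead of being parsed as command syntax.
REM --------------------------------------------------------------------
:Log
set "TS=%DATE% %TIME%"
set "MSG=%~1"
>>"%LOG%" echo [!TS!] !MSG!
echo [!TS!] !MSG!
exit /b 0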