sync: auto-sync from GURU-5070 at 2026-06-23 12:10:19
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-23 12:10:19
@@ -0,0 +1,78 @@
# Quick ops — VWP-QBS firewall disabled + Country Club CCroom1New UAC re-enabled

## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin

## Session Summary

Two quick remediation ops following the VWP SMB1/Orders work (logged separately in
`clients/valleywide/session-logs/2026-06/2026-06-23-mike-vwp-smb1-orders-xp-g-drive.md`),
both executed via the GuruRMM agent fleet.

1. **VWP-QBS — Windows Firewall disabled.** Per Mike's direction (troubleshooting), disabled all
three firewall profiles (Domain/Private/Public) on VWP-QBS (172.16.9.169, the QuickBooks +
RD Web Access host). Captured the pre-state first (all three enabled) for clean restore. Flagged
the security context (this is the box brute-forced in April, now internal/VPN-only) and that it
should be re-enabled after the test. **The firewall is still OFF — re-enable is pending.**

2. **Country Club CCroom1New — UAC re-enabled.** Mike reported the machine "acting weird." The
GuruRMM agent had just been installed (it didn't appear at first; Mike confirmed install, then it
showed as `CCroom1New`, Win11 26200, site Country Club). Read the UAC registry state and found UAC
**fully disabled** (`EnableLUA=0`, `ConsentPromptBehaviorAdmin=0`, `PromptOnSecureDesktop=0`) — the
classic cause of Win11 "acting weird" (Store/UWP apps won't launch, Start/search misbehave).
Restored standard Win11 UAC (`EnableLUA=1`, `ConsentPromptBehaviorAdmin=5`,
`PromptOnSecureDesktop=1`), rebooted (required for EnableLUA to take effect), and verified
post-reboot (uptime 1 min, EnableLUA=1 active). Recommended an on-site smoke test.

## Key Decisions
- **Captured firewall pre-state before disabling** VWP-QBS (all profiles enabled) so it restores to
the exact prior posture; documented the re-enable command.
- **Restored full UAC defaults, not just EnableLUA** on CCroom1New — set ConsentPromptBehaviorAdmin
and PromptOnSecureDesktop back to Win11 defaults too, since all three had been zeroed.
- **Rebooted CCroom1New to apply** — EnableLUA only takes effect after a restart; verified active
after the box came back.

## Problems Encountered
- **CCROOM1NEW not in RMM initially** — the GuruRMM agent wasn't installed yet (0 hostname matches;
only Country Club's CC1-NEW22 / CC2-NEW22 existed). Mike installed the agent; it then enrolled as
`CCroom1New` and the work proceeded.
- **First post-reboot verify was a false read** — it completed in ~10s showing uptime 108.5 min,
i.e. it ran in the Restart-Computer grace window before the box actually went down. Re-verified
after a short wait: uptime 1 min + EnableLUA=1 confirmed the reboot completed and UAC is active.

## Configuration Changes
- **VWP-QBS (172.16.9.169):** `Set-NetFirewallProfile -All -Enabled False` (Domain/Private/Public
all OFF). Pre-state: all enabled. **Reversal pending:** `Set-NetFirewallProfile -All -Enabled True`.
- **CCroom1New (Country Club, Win11):** `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`
— `EnableLUA` 0->1, `ConsentPromptBehaviorAdmin` 0->5, `PromptOnSecureDesktop` 0->1; rebooted.

## Credentials & Secrets
- None created or discovered. All actions via GuruRMM agents (SYSTEM context). No interactive creds.

## Infrastructure & Servers
- **VWP-QBS** 172.16.9.169 — Windows Server 2022, QuickBooks + RD Web Access host (physical Dell),
GuruRMM agent `f3386f0a-b3ee-417e-ace9-995cc1d0662b`. Firewall currently DISABLED.
- **CCroom1New** — Windows 11 (build 26200), site Country Club, GuruRMM agent
`aaa4b694-a464-4961-a8ff-096a5698afee`. UAC re-enabled + active post-reboot.
- Country Club site also has CC1-NEW22, CC2-NEW22 (online).

## Commands & Outputs
- Firewall: `Get-NetFirewallProfile | Select Name,Enabled` (before: all True) -> `Set-NetFirewallProfile
-All -Enabled False` -> verify all False.
- UAC: `Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name
EnableLUA -Value 1 -Type DWord` (+ ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1) ->
`Restart-Computer -Force` -> post-reboot verify uptime_min 1, EnableLUA 1.
- Dispatched via `/rmm` (RMM API http://172.16.3.30:3001), all read+write attributed to mike.

## Pending / Incomplete Tasks
- **RE-ENABLE VWP-QBS firewall** when troubleshooting is done — currently OFF on the QuickBooks/RDWeb
host (defense-in-depth gap). `Set-NetFirewallProfile -All -Enabled True` via RMM (agent f3386f0a).
- **CCroom1New on-site smoke test** — confirm Start menu / Store apps / search behave now that UAC
is active.

## Reference Information
- #dev-alerts posts: VWP-QBS firewall (msg 1519048232435716218), CCroom1New UAC (msg 1519055241763356683).
- RMM agents: VWP-QBS f3386f0a-b3ee-417e-ace9-995cc1d0662b ; CCroom1New aaa4b694-a464-4961-a8ff-096a5698afee.
- Related same-day work: VWP SMB1/Orders (#32448) — see clients/valleywide/session-logs/2026-06/.
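Review bot: the Pending / Incomplete Tasks entry for re-enabling the VWP-QBS firewall carries no owner, deadline or scheduled reversal, even though the Session Summary flags this host as the box brute-forced in April and states the firewall is still OFF on the QuickBooks/RD Web Access server; suggest adding a due time or a scheduled RMM job for `Set-NetFirewallProfile -All -Enabled True` (agent f3386f0a) so the defense-in-depth gap closes without relying on memory. The Key Decisions bullet says the pre-state was captured, but the Configuration Changes line records it only as "all enabled"; attaching the per-profile `Get-NetFirewallProfile | Select Name,Enabled` output (and any non-default profile settings beyond Enabled) would make the restore verifiable. Also worth promoting the Problems Encountered lesson into the Commands & Outputs UAC step: treat a post-reboot read as valid only after uptime has dropped below the pre-reboot value, since the first verify returned EnableLUA=1 during the Restart-Computer grace window before the reboot actually happened.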