diff --git a/.dc16-mkuser.ps1 b/.dc16-mkuser.ps1
new file mode 100644
index 00000000..ed900244
--- /dev/null
+++ b/.dc16-mkuser.ps1
@@ -0,0 +1,9 @@
+$ErrorActionPreference = 'Stop'
+Import-Module ActiveDirectory
+$pw = ConvertTo-SecureString 'Lcyaz0KF5L8IoRh7Pf4K.7QQwJq' -AsPlainText -Force
+New-ADUser -Name 'svc-msp360' -SamAccountName 'svc-msp360' -UserPrincipalName 'svc-msp360@acg.local' -DisplayName 'MSP360 Backup Service' -Description 'Service account for MSP360/Online Backup Exchange backup on NEPTUNE. Created 2026-07-15 by Howard via ClaudeTools.' -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
+Add-ADGroupMember -Identity 'Organization Management' -Members 'svc-msp360'
+Start-Sleep -Seconds 2
+$u = Get-ADUser 'svc-msp360' -Properties PasswordNeverExpires, MemberOf
+Write-Output ('created: ' + $u.SamAccountName + ' enabled=' + $u.Enabled + ' pwdNeverExpires=' + $u.PasswordNeverExpires)
+$u.MemberOf | ForEach-Object { Write-Output ('member: ' + $_) }
diff --git a/.neptune-iis-probe.ps1 b/.neptune-iis-probe.ps1
new file mode 100644
index 00000000..841701ca
--- /dev/null
+++ b/.neptune-iis-probe.ps1
@@ -0,0 +1,18 @@
+$ErrorActionPreference = 'Continue'
+Import-Module WebAdministration
+Write-Output '=== App pools (Exchange PowerShell) ==='
+Get-ChildItem IIS:\AppPools | Where-Object Name -match 'PowerShell|MSExchange' | Select-Object Name, State | Format-Table -AutoSize
+Write-Output '=== PowerShell vdirs ==='
+Get-WebApplication -Name PowerShell | Format-List Path, ApplicationPool, PhysicalPath, ItemXPath
+Write-Output '=== Default Web Site + Back End bindings ==='
+Get-Website | Select-Object Name, State, @{n='Bind';e={($_.bindings.Collection | ForEach-Object bindingInformation) -join ' ; '}} | Format-Table -AutoSize
+Write-Output '=== Auth on Default Web Site/PowerShell ==='
+foreach ($a in 'anonymousAuthentication','windowsAuthentication','basicAuthentication') {
+ $v = Get-WebConfigurationProperty -Filter "system.webServer/security/authentication/$a" -PSPath 'IIS:\Sites\Default Web Site\PowerShell' -Name enabled -ErrorAction SilentlyContinue
+ Write-Output "DWS/PowerShell $a = $($v.Value)"
+}
+Write-Output '=== SSL flags on DWS/PowerShell ==='
+(Get-WebConfigurationProperty -Filter 'system.webServer/security/access' -PSPath 'IIS:\Sites\Default Web Site\PowerShell' -Name sslFlags -ErrorAction SilentlyContinue)
+Write-Output '=== recent HTTP 4xx/5xx to /powershell (IIS log tail) ==='
+$log = Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC1' -Filter *.log -ErrorAction SilentlyContinue | Sort-Object LastWriteTime -Descending | Select-Object -First 1
+if ($log) { Get-Content $log.FullName -Tail 400 | Select-String -SimpleMatch '/powershell' | Select-Object -Last 10 }
diff --git a/.neptune-svc.ps1 b/.neptune-svc.ps1
new file mode 100644
index 00000000..4868b68c
--- /dev/null
+++ b/.neptune-svc.ps1
@@ -0,0 +1,22 @@
+$ErrorActionPreference = 'Stop'
+Add-LocalGroupMember -Group 'Administrators' -Member 'ACG\svc-msp360' -ErrorAction SilentlyContinue
+Write-Output ('local admin: ' + [bool](Get-LocalGroupMember -Group 'Administrators' -Member 'ACG\svc-msp360' -ErrorAction SilentlyContinue))
+$sid = (New-Object System.Security.Principal.NTAccount('ACG','svc-msp360')).Translate([System.Security.Principal.SecurityIdentifier]).Value
+$tmp = 'C:\Windows\Temp\se.inf'
+secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
+$c = Get-Content $tmp
+$line = $c | Where-Object { $_ -match '^SeServiceLogonRight' }
+if ($line -notmatch [regex]::Escape($sid)) {
+ $new = $c -replace '^(SeServiceLogonRight *=.*)$', ('$1,*' + $sid)
+ if (-not $line) { $new += 'SeServiceLogonRight = *' + $sid }
+ $new | Set-Content $tmp -Encoding Unicode
+ secedit /configure /db C:\Windows\Temp\se.sdb /cfg $tmp /areas USER_RIGHTS | Out-Null
+ Write-Output 'SeServiceLogonRight granted'
+} else { Write-Output 'SeServiceLogonRight already present' }
+Remove-Item $tmp, C:\Windows\Temp\se.sdb -ErrorAction SilentlyContinue
+$svc = Get-WmiObject Win32_Service -Filter "Name='Online Backup Service'"
+$r = $svc.Change($null,$null,$null,$null,$null,$null,'ACG\svc-msp360','Lcyaz0KF5L8IoRh7Pf4K.7QQwJq')
+Write-Output ('service change rc=' + $r.ReturnValue)
+Restart-Service 'Online Backup Service' -Force
+Start-Sleep -Seconds 5
+Get-WmiObject Win32_Service -Filter "Name='Online Backup Service'" | Select-Object Name, StartName, State | Format-Table -AutoSize
diff --git a/.neptune-winrm-probe.ps1 b/.neptune-winrm-probe.ps1
new file mode 100644
index 00000000..b399b041
--- /dev/null
+++ b/.neptune-winrm-probe.ps1
@@ -0,0 +1,19 @@
+$ErrorActionPreference = 'Continue'
+Write-Output '=== WinRM service ==='
+Get-Service WinRM | Select-Object Name, Status, StartType | Format-Table -AutoSize
+Write-Output '=== Test-WSMan localhost ==='
+try { Test-WSMan -ComputerName neptune -ErrorAction Stop | Out-String } catch { Write-Output "FAIL: $($_.Exception.Message)" }
+Write-Output '=== WinRM listeners ==='
+winrm enumerate winrm/config/listener 2>&1
+Write-Output '=== Exchange PowerShell vdir session test ==='
+try {
+ $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://neptune/PowerShell/ -Authentication Kerberos -ErrorAction Stop
+ Write-Output "SESSION OK: $($s.State)"
+ Remove-PSSession $s
+} catch { Write-Output "FAIL: $($_.Exception.Message)" }
+Write-Output '=== plain PSSession test ==='
+try {
+ $s2 = New-PSSession -ComputerName neptune -ErrorAction Stop
+ Write-Output "SESSION OK: $($s2.State)"
+ Remove-PSSession $s2
+} catch { Write-Output "FAIL: $($_.Exception.Message)" }
diff --git a/clients/cascades-tucson/docs/cloud/m365.md b/clients/cascades-tucson/docs/cloud/m365.md
index efb0aa96..19cb7dbf 100644
--- a/clients/cascades-tucson/docs/cloud/m365.md
+++ b/clients/cascades-tucson/docs/cloud/m365.md
@@ -10,19 +10,26 @@
- Former Admin: admin@NETORGFT4257522.onmicrosoft.com (Sandra Fish — previous director, removed 2026-04-14: global admin revoked, sign-in blocked, P2 license removed)
- DirSync / Entra Connect: **Not configured** (all accounts cloud-only) — **PLANNED: Install Entra Connect for SSO**
- HIPAA BAA: **Covered by MCA** — Microsoft Customer Agreement automatically includes the HIPAA BAA for Business plan subscribers (confirmed 2026-05-14, no separate acceptance needed)
-- MFA: **Not enabled** — Security Defaults not configured
+- MFA: **Enabled for all staff** via Conditional Access (live; caregivers protected by on-network restriction + 8h sign-in frequency instead of MFA prompts). Earlier "not enabled" note was pre-CA-rollout.
-## Licensing
+## Licensing (updated 2026-07-15 — live Graph verification by Mike/GURU-5070)
| License Type | Total | Assigned | Available |
|---|---|---|---|
-| Microsoft 365 Business Standard | 34 | 34 | 0 |
+| Microsoft 365 Business Premium | 45 | 41 | 4 |
+| Microsoft 365 Business Standard | **SUSPENDED** | 30 consumed | — |
| Microsoft Entra ID P2 | 1 | 0 | 1 (unassigned — was Sandra Fish, available for testing) |
| Microsoft Power Automate Free | 10000 | 2 | 9998 |
| Microsoft Stream Trial | 1000000 | 0 | 1000000 |
| Exchange Online Essentials | — | 4 | — |
-**Note:** Business Standard is fully allocated (34/34, 0 available). Any new hires require purchasing additional licenses.
+**Note (2026-07-15):** The Business Premium migration is largely done — 45 Premium owned,
+41 assigned (the caregiver rollout). The old Business Standard subscription is **suspended**
+with ~30 office staff still sitting on it; none of them hold Premium. Moving them is
+**net-new spend** (~26 net-new paid seats ≈ $572/mo; best case ~17 net-new ≈ $374/mo after
+converting 8 role/shared mailboxes — accounting@, hr@, frontdesk@, etc. — to free shared
+mailboxes and removing former employee jodi.ramstack). The per-user table below predates
+this and reflects the old Standard assignments.
### Planned expansion — caregiver rollout (not yet purchased)
diff --git a/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.html b/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.html
index 40c6094e..d7181f52 100644
--- a/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.html
+++ b/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.html
@@ -89,6 +89,7 @@
table.todo td.tgt{ font-family:var(--f-mono); font-size:8px; color:var(--accent-ink);
font-weight:500; white-space:nowrap; }
table.todo td.cost{ font-family:var(--f-mono); font-size:8px; color:var(--ink-2); white-space:nowrap; }
+ table.todo td.comp{ font-family:var(--f-mono); font-size:8px; color:var(--ink-3); min-width:46px; }
table.mach{ border-collapse:collapse; width:calc(100% - 29px); margin:3px 0 0 29px; }
table.mach th{ font-family:var(--f-mono); font-size:6.8px; font-weight:500;
@@ -135,18 +136,29 @@
Technology Plan · FY 2026–2027
Cascades of Tucson Technology Plan
A living action document: for each area of the facility's technology, what has
- been done and what is planned, with an owner, cost, and target for every action. Prepared with
+ been done and what is planned, with an owner, cost, target, and completion date for every action. Prepared with
Az Computer Guru. Reviewed and updated at least annually.
-
Plan ownerCascades of Tucson
+
Plan ownerCascades of Tucson — Administrator (Ashley Jensen)
Prepared withAz Computer Guru
Plan periodFY 2026–2027
Adopted by / dateat adoption
Next annual reviewadoption + 12 months
+
Standard referenceCARF Technology and System Plan, Aging Services Standards Manual (Section 1, "CARF Plans") — manual edition confirmed at adoption
+ Basis of this plan
+ This plan is based on the needs of the people Cascades serves and the people who serve them.
+ Persons served: resident safety (Helpany fall/motion sensors with no camera and no microphone), reliable building-wide
+ WiFi for residents and families, and protection of resident health records. Personnel: dependable workstations, one
+ sign-on to the clinical record, and secure access that follows staff roles. Other stakeholders: families (connectivity
+ and privacy), regulators (HIPAA safeguards), and vendors (managed under Business Associate Agreements).
+ Technology priorities align with Cascades' strategic goals: resident safety first (safety sensors, proven power-outage
+ recovery), regulatory standing (HIPAA safeguards, CARF conformance, auditable records), and efficient operations (modern
+ workstations, single sign-on, and a sanctioned analytics path for leadership).
+
The eight areas
@@ -159,11 +171,11 @@
To do
- | Action | Owner | Cost | Target |
- | Install the purchased enterprise SSDs (scheduled window) | ACG | purchased | 30–60 days |
- | Replace workstations marked for replacement (list below, 5 + spare) | ACG | ~$700–950 ea | 60–90 days |
- | Scope and quote a server refresh project | ACG + Cascades | formal quote | 90 days |
- | Bring remaining switch ports up to full gigabit speed | ACG | labor | 90 days |
+ | Action | Owner | Cost | Target | Completed |
+ | Install the purchased enterprise SSDs (scheduled window) | ACG | purchased | 30–60 days | |
+ | Replace workstations marked for replacement (list below, 5 + spare) | ACG | ~$700–950 ea | 60–90 days | |
+ | Scope and quote a server refresh project | ACG + Cascades | formal quote | 90 days | |
+ | Bring remaining switch ports up to full gigabit speed | ACG | labor | 90 days | |
Workstations marked for replacement
@@ -187,11 +199,11 @@
To do
- | Action | Owner | Cost | Target |
- | Right-size Microsoft 365 licensing: move users off the legacy license; full Office licenses only where needed, lighter licenses for everyone else | ACG | reduces monthly cost | 30 days |
- | Complete staff domain migration + department drives | ACG | labor | 60–90 days |
- | Final Windows Pro upgrade (1 deferred device) | ACG | ~$99 | next window |
- | Retire the per-PC Synology sync client as machines migrate | ACG | labor | with migration |
+ | Action | Owner | Cost | Target | Completed |
+ | Move office staff off the suspended legacy Microsoft 365 license onto supported licenses; full Office only where needed, lighter licenses elsewhere | ACG | new licensing, ~$375–575/mo | 30 days | |
+ | Complete staff domain migration + department drives | ACG | labor | 60–90 days | |
+ | Final Windows Pro upgrade (1 deferred device) | ACG | ~$99 | next window | |
+ | Retire the per-PC Synology sync client as machines migrate | ACG | labor | with migration | |
@@ -207,13 +219,13 @@
To do
- | Action | Owner | Cost | Target |
- | Create emergency break-glass admin accounts with hardware security keys | ACG | ~$110 keys | 30 days |
- | Enforce the caregiver device allow-list (final enforcement phase) | ACG | labor | 30–60 days |
- | Limit trusted-network sign-in to approved devices (next enforcement phase) | ACG | labor | 30–60 days |
- | Enable file-access audit logging with 90-day / 6-year retention | ACG | ~$50–120/mo | 60–90 days |
- | Formalize a same-day offboarding checklist | Cascades HR + ACG | none | 30 days, standing |
- | Package the dated security risk assessment | ACG | labor | 60 days |
+ | Action | Owner | Cost | Target | Completed |
+ | Create emergency break-glass admin accounts with hardware security keys | ACG | ~$110 keys | 30 days | |
+ | Enforce the caregiver device allow-list (final enforcement phase) | ACG | labor | 30–60 days | |
+ | Limit trusted-network sign-in to approved devices (next enforcement phase) | ACG | labor | 30–60 days | |
+ | Enable file-access audit logging with 90-day / 6-year retention | ACG | ~$50–120/mo | 60–90 days | |
+ | Formalize a same-day offboarding checklist | Cascades HR + ACG | none | 30 days, standing | |
+ | Package the dated security risk assessment | ACG | labor | 60 days | |
@@ -226,11 +238,11 @@
To do
- | Action | Owner | Cost | Target |
- | Complete the Business Associate Agreement inventory (every vendor touching PHI) | Cascades + ACG | none | 60 days |
- | Move ALIS fully to single sign-on (retire the separate native login) | ACG | labor | 60 days |
- | Enable encryption on the resident-data file share | ACG | labor | 60–90 days |
- | Maintain a one-page contract / renewal / BAA tracker | Cascades + ACG | none | 90 days, standing |
+ | Action | Owner | Cost | Target | Completed |
+ | Complete the Business Associate Agreement inventory (every vendor touching PHI) | Cascades + ACG | none | 60 days | |
+ | Move ALIS fully to single sign-on (retire the separate native login) | ACG | labor | 60 days | |
+ | Enable encryption on the resident-data file share | ACG | labor | 60–90 days | |
+ | Maintain a one-page contract / renewal / BAA tracker | Cascades + ACG | none | 90 days, standing | |
@@ -243,10 +255,10 @@
To do
- | Action | Owner | Cost | Target |
- | Repurpose the Synology NAS as the onsite backup for the server (with off-site backup continuing) | ACG | labor | 60–90 days |
- | Run and document a test restore | ACG | labor | 90 days |
- | Confirm and document the retention policy | ACG | none | 60 days |
+ | Action | Owner | Cost | Target | Completed |
+ | Repurpose the Synology NAS as the onsite backup for the server (with off-site backup continuing) | ACG | labor | 60–90 days | |
+ | Run and document a test restore | ACG | labor | 90 days | |
+ | Confirm and document the retention policy | ACG | none | 60 days | |
@@ -259,9 +271,9 @@
To do
- | Action | Owner | Cost | Target |
- | Complete the Helpany rollout; move sensors to their own protected network segment | Helpany + ACG | vendor + labor | 90 days |
- | Inventory all resident-facing technology (nurse-call / pendants, assistive listening, resident WiFi for telehealth) into this plan | Cascades + ACG | none | next review |
+ | Action | Owner | Cost | Target | Completed |
+ | Complete the Helpany rollout; move sensors to their own protected network segment | Helpany + ACG | vendor + labor | 90 days | |
+ | Inventory all resident-facing technology (nurse-call / pendants, assistive listening, resident WiFi for telehealth) into this plan | Cascades + ACG | none | next review | |
@@ -274,10 +286,10 @@
To do
- | Action | Owner | Cost | Target |
- | Write the formal disaster-recovery / business-continuity plan with recovery-time targets | ACG | labor | 90 days |
- | Documented restore test (with area 5) | ACG | labor | 90 days |
- | Server redundancy (pairs with the server refresh project) | ACG + Cascades | project quote | FY project |
+ | Action | Owner | Cost | Target | Completed |
+ | Write the formal disaster-recovery / business-continuity plan with recovery-time targets | ACG | labor | 90 days | |
+ | Documented restore test (with area 5) | ACG | labor | 90 days | |
+ | Server redundancy (pairs with the server refresh project) | ACG + Cascades | project quote | FY project | |
@@ -285,15 +297,15 @@
08
Virus & threat protection
Done
- - Managed endpoint detection & response (EDR) on every managed device (about 35), including the main server (completed July 2026).
+ - Managed endpoint detection & response (EDR) on every managed, enrolled device (35), including the main server (verified live July 2026).
- Microsoft Defender and Exchange Online Protection on email; managed monitoring and patching on all devices.
- Legacy agents from the previous IT provider removed from the server.
To do
- | Action | Owner | Cost | Target |
- | Remove remaining legacy agents: DESKTOP-TRCIEJA (retires with its replacement) and DESKTOP-F94M8UT (powered off; completes on power-on); finish console cleanup | ACG | labor | 30–60 days |
- | Standing coverage audit: every device reporting into managed security | ACG | none | quarterly |
+ | Action | Owner | Cost | Target | Completed |
+ | Remove remaining legacy agents: DESKTOP-TRCIEJA (retires with its replacement); finish console cleanup | ACG | labor | 30–60 days | |
+ | Standing coverage audit: every device reporting into managed security | ACG | none | quarterly | |
diff --git a/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.md b/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.md
index e7b64a75..fd9e4acb 100644
--- a/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.md
+++ b/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.md
@@ -5,12 +5,28 @@
| Governance | |
|---|---|
-| Plan owner | Cascades of Tucson |
+| Plan owner | Cascades of Tucson — Administrator (Ashley Jensen) |
| Prepared with | Az Computer Guru (Mike Swanson, Howard Enos) |
+| Standard reference | CARF Technology and System Plan, Aging Services Standards Manual (Section 1, "CARF Plans") — *[manual edition confirmed at adoption]* |
| Plan period | FY 2026–2027 |
| Adopted by / date | *[at adoption]* |
| Next annual review | *[adoption + 12 months]* |
+## Basis of this plan
+
+This plan is based on the needs of the people Cascades serves and the people who serve
+them. **Persons served:** resident safety (Helpany fall/motion sensors with no camera and
+no microphone), reliable building-wide WiFi for residents and families, and protection of
+resident health records. **Personnel:** dependable workstations, one sign-on to the
+clinical record, and secure access that follows staff roles. **Other stakeholders:**
+families (connectivity and privacy), regulators (HIPAA safeguards), and vendors (managed
+under Business Associate Agreements).
+
+Technology priorities align with Cascades' strategic goals: resident safety first (safety
+sensors, proven power-outage recovery), regulatory standing (HIPAA safeguards, CARF
+conformance, auditable records), and efficient operations (modern workstations, single
+sign-on, and a sanctioned analytics path for leadership).
+
---
## 1. Hardware
@@ -22,8 +38,8 @@
- Windows Pro upgrades completed on nearly all workstations for domain readiness.
**To do**
-| Action | Owner | Cost | Target |
-|---|---|---|---|
+| Action | Owner | Cost | Target | Completed |
+|---|---|---|---|---|
| Install the purchased enterprise SSDs (scheduled window) | ACG | already purchased | 30–60 days |
| Replace workstations marked for replacement (list below, 5 + spare) | ACG | ~$700–950 ea | 60–90 days |
| Scope and quote a server refresh project | ACG + Cascades | formal quote | 90 days |
@@ -48,9 +64,9 @@
department structure and drive mapping built.
**To do**
-| Action | Owner | Cost | Target |
-|---|---|---|---|
-| Right-size Microsoft 365 licensing: move users off the legacy license; full Office licenses only where needed, lighter licenses for everyone else | ACG | reduces monthly cost | 30 days |
+| Action | Owner | Cost | Target | Completed |
+|---|---|---|---|---|
+| Move office staff off the suspended legacy Microsoft 365 license onto supported licenses; full Office only where needed, lighter licenses elsewhere | ACG | new licensing, ~$375–575/mo depending on mix | 30 days |
| Complete staff domain migration + department drives | ACG | labor | 60–90 days |
| Final Windows Pro upgrade (1 deferred device) | ACG | ~$99 | next window |
| Retire the per-PC Synology sync client as machines migrate | ACG | labor | with migration |
@@ -66,8 +82,8 @@
- Email authentication (SPF, DKIM, DMARC) enforced.
**To do**
-| Action | Owner | Cost | Target |
-|---|---|---|---|
+| Action | Owner | Cost | Target | Completed |
+|---|---|---|---|---|
| Create emergency break-glass admin accounts with hardware security keys | ACG | ~$110 keys | 30 days |
| Enforce the caregiver device allow-list (final enforcement phase) | ACG | labor | 30–60 days, after break-glass |
| Limit trusted-network sign-in to approved devices (next enforcement phase) | ACG | labor | 30–60 days |
@@ -82,8 +98,8 @@
- Shared care devices auto-lock; resident and voice traffic isolated on the network.
**To do**
-| Action | Owner | Cost | Target |
-|---|---|---|---|
+| Action | Owner | Cost | Target | Completed |
+|---|---|---|---|---|
| Complete the Business Associate Agreement inventory (every vendor touching PHI) | Cascades + ACG | none | 60 days |
| Move ALIS fully to single sign-on (retire the separate native login) | ACG | labor | 60 days |
| Enable encryption on the resident-data file share | ACG | labor | 60–90 days |
@@ -97,8 +113,8 @@
- Firewall and network configuration backed up.
**To do**
-| Action | Owner | Cost | Target |
-|---|---|---|---|
+| Action | Owner | Cost | Target | Completed |
+|---|---|---|---|---|
| Repurpose the Synology NAS as the onsite backup for the server (with off-site backup continuing) | ACG | labor | 60–90 days |
| Run and document a test restore | ACG | labor | 90 days |
| Confirm and document the retention policy | ACG | none | 60 days |
@@ -111,8 +127,8 @@
- Building-wide WiFi supporting resident and family connectivity.
**To do**
-| Action | Owner | Cost | Target |
-|---|---|---|---|
+| Action | Owner | Cost | Target | Completed |
+|---|---|---|---|---|
| Complete the Helpany rollout; move sensors to their own protected network segment | Helpany + ACG | vendor-billed + labor | 90 days |
| Inventory all resident-facing technology (nurse-call/pendants, assistive listening, resident WiFi for telehealth) into this plan | Cascades + ACG | none | next review |
@@ -124,8 +140,8 @@
- UPS battery backup installed on core equipment and all network switches; off-site backup running.
**To do**
-| Action | Owner | Cost | Target |
-|---|---|---|---|
+| Action | Owner | Cost | Target | Completed |
+|---|---|---|---|---|
| Write the formal disaster-recovery / business-continuity plan with recovery-time targets | ACG | labor | 90 days |
| Documented restore test (with area 5) | ACG | labor | 90 days |
| Server redundancy (pairs with the server refresh project) | ACG + Cascades | project quote | FY project |
@@ -133,16 +149,16 @@
## 8. Virus & threat protection
**Done**
-- Managed endpoint detection & response (EDR) on every managed device (about 35),
- **including the main server** (completed July 2026).
+- Managed endpoint detection & response (EDR) on every managed, enrolled device (35),
+ **including the main server** (verified live July 2026).
- Microsoft Defender and Exchange Online Protection on email; managed monitoring and
patching on all devices.
- Legacy agents from the previous IT provider removed from the server.
**To do**
-| Action | Owner | Cost | Target |
-|---|---|---|---|
-| Remove remaining legacy agents: DESKTOP-TRCIEJA (retires with its replacement) and DESKTOP-F94M8UT (powered off; completes on power-on); finish console cleanup | ACG | labor | 30–60 days |
+| Action | Owner | Cost | Target | Completed |
+|---|---|---|---|---|
+| Remove remaining legacy agents: DESKTOP-TRCIEJA (retires with its replacement); finish console cleanup | ACG | labor | 30–60 days |
| Standing coverage audit: every device reporting into managed security | ACG | none | quarterly |
---
diff --git a/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.pdf b/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.pdf
index 8e14cb4b..803d9be7 100644
Binary files a/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.pdf and b/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.pdf differ
diff --git a/clients/cascades-tucson/session-logs/2026-07/2026-07-15-howard-technology-plan-final.md b/clients/cascades-tucson/session-logs/2026-07/2026-07-15-howard-technology-plan-final.md
index 9f211e8f..06a4553a 100644
--- a/clients/cascades-tucson/session-logs/2026-07/2026-07-15-howard-technology-plan-final.md
+++ b/clients/cascades-tucson/session-logs/2026-07/2026-07-15-howard-technology-plan-final.md
@@ -133,3 +133,32 @@ None touched this session.
- Remaining-work plan: `clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md`
- Straggler pass log: `clients/cascades-tucson/session-logs/2026-06/2026-06-26-howard-edr-bd-straggler-9am-pass.md`
- Prepaid balance shown in footer: 37.5 hrs as of 2026-07-10
+
+## Update: 12:21 PT — Mike's verification edits applied
+
+Applied all 4 items from Mike's coord message (6c0abc15) per Howard's "fix the cost wording
+and update the docs, and do as mike wants":
+
+1. **Area 2 cost correction** — Mike's live Graph check showed the relicensing claim was wrong
+ (office staff sit on a SUSPENDED Business Standard sub, no Premium seats). Reworded to
+ "new licensing, ~$375–575/mo depending on mix" (net-new spend, not savings).
+2. **Area 8 wording** — "every device" -> "every managed, enrolled device (35), including the
+ main server (verified live July 2026)". Dropped DESKTOP-F94M8UT from the legacy-agent row
+ (already gone from the Datto console); DESKTOP-TRCIEJA remains.
+3. **CARF conformance elements added** — standard reference row (CARF Technology and System
+ Plan, Aging Services manual Section 1, edition placeholder), "Basis of this plan" section
+ (needs of persons served / personnel / stakeholders + strategic alignment), Ashley Jensen
+ restored as named plan owner (governance table ONLY — masthead stays "Attn: Business
+ Office"; Howard approved via "do as mike wants" after the earlier name-removal request),
+ and a Completed column added to all 28 action rows across 8 to-do tables (living-action-
+ document format).
+4. **Stale docs refreshed** — wiki CS-SERVER line superseded (Datto EDR agent reinstalled,
+ agent b41befcf-e418-4d0d-8552-bc7662364d07, verified live; 6/26 removal note no longer
+ current) and docs/cloud/m365.md licensing section rewritten to the live Graph numbers
+ (SPB 45/41/4, Standard SUSPENDED 30 consumed) + stale "MFA: Not enabled" line fixed.
+
+PDF re-rendered: 4 pages, 433,980 bytes, verified visually page-by-page. Coord reply sent to
+Mike (GURU-5070) confirming: id 3c07fd3e-7f93-401d-8d46-339c968552f9.
+
+Files touched this update: proposals .md/.html/.pdf, docs/cloud/m365.md,
+wiki/clients/cascades-tucson.md.
diff --git a/wiki/clients/cascades-tucson.md b/wiki/clients/cascades-tucson.md
index 74fd939c..a032b2ca 100644
--- a/wiki/clients/cascades-tucson.md
+++ b/wiki/clients/cascades-tucson.md
@@ -489,7 +489,7 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of,
### CS-SERVER SMB & Endpoint AV (2026-06-26)
- **The "CS-SERVER SMB error 67 outage" was a TEST-METHOD ARTIFACT, not a real outage.** RMM-dispatched SMB client commands (`net use`/`net view`/`Test-Path`/`Get-SmbConnection`, even in `user_session`) **false-negative** -- they return error 67 (BAD_NETWORK_NAME) / RPC 1702 / "none" even for KNOWN-GOOD targets. **CS-SERVER SMB is healthy** -- `Get-SmbSession` showed 7 live SMB 3.1.1 users / 30 open files / new sessions forming. **VALIDATE SMB server-side (`Get-SmbSession`/`Get-SmbOpenFile`) or with a REAL interactive test -- never from RMM client-side results.** A drive-map `verify` failure is NOT proof of a problem (skill caveat added; errorlog `rmm/smb-testing`).
-- **CS-SERVER endpoint AV was DattoAV, not GravityZone Bitdefender.** It was the Datto EDR "Endpoint Protection SDK" (Bitdefender engine + Avira "Sentry" driver -> drivers `BdSentry`/`rtp1`/`rtp2`), managed by Datto RMM (CentraStage/`CagService`) + Datto EDR Agent (`HUNTAgent`/Infocyte HUNT, tenant azcomp4587). Removing the box from the GravityZone console did nothing because GravityZone never managed it. **ALL Datto software was fully removed from CS-SERVER 2026-06-26** (services deleted, `infocyte`/`CentraStage` dirs gone, registry + kernel drivers cleared). CS-SERVER was already de-enrolled from the EDR tenant, so no uninstall token could be issued -- forced removal once the tamper drivers were gone.
+- **CS-SERVER endpoint AV was DattoAV, not GravityZone Bitdefender.** It was the Datto EDR "Endpoint Protection SDK" (Bitdefender engine + Avira "Sentry" driver -> drivers `BdSentry`/`rtp1`/`rtp2`), managed by Datto RMM (CentraStage/`CagService`) + Datto EDR Agent (`HUNTAgent`/Infocyte HUNT, tenant azcomp4587). Removing the box from the GravityZone console did nothing because GravityZone never managed it. The prior-MSP Datto stack was fully removed from CS-SERVER 2026-06-26 (services deleted, `infocyte`/`CentraStage` dirs gone, registry + kernel drivers cleared; the box was de-enrolled so removal was forced once the tamper drivers were gone). **[SUPERSEDED 2026-07-15]: the ACG-managed Datto EDR agent was subsequently REINSTALLED — CS-SERVER is protected** (agent `b41befcf-e418-4d0d-8552-bc7662364d07`, Datto EDR sensor + Datto AV, live heartbeat, defs current; verified live in the azcomp4587 console by Mike). Do not read the 6/26 removal as "server unprotected."
- **Karen Rossini share access -- RESOLVED.** `CASCADES\karen.rossini` (reset + vaulted `clients/cascades-tucson/karen-rossini.sops.yaml`, member of `SG-IT-RW`) verified able to open `\CS-SERVER\Server` shares **interactively** from another PC. Her ALDocs desktop shortcut + Quick Access pin were set on DESKTOP-LPOPV30 (`\CS-SERVER\Server\ALDocs`) via the `drive-map` skill. Note: her earlier move to CSCNet (WPA3-SAE) broke NAS-by-name resolution (unrelated side effect).
### Datto EDR / Bitdefender Decommission