sync: auto-sync from HOWARD-HOME at 2026-06-02 17:51:53
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-02 17:51:53
@@ -3,7 +3,7 @@ type: client
name: lonestar-electrical
display_name: Lone Star Electrical Systems LLC
last_compiled: 2026-06-02
compiled_by: HOWARD-HOME/claude-main
compiled_by: Howard-Home/claude-main
sources:
- clients/lonestar-electrical/session-logs/2026-06-02-session.md
- clients/lonestar-electrical/session-logs/2026-06-01-session.md
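Review bot: the only change in this hunk is the casing of `compiled_by` (`HOWARD-HOME/claude-main` becomes `Howard-Home/claude-main`), and the new value disagrees with the sync header of this very commit and with the other Compilation Notes entries on the page, which all write `HOWARD-HOME/claude-main`. Pick one canonical machine name and use it everywhere; otherwise anything that keys on the compiler string (wiki-lint, a grep for who last compiled a page) will see two different compilers.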
@@ -29,7 +29,7 @@ Electrical contractor in Tucson, AZ. ACG-managed client. Distinctive in the flee
- **Company type:** Electrical contractor (field service)
- **Contract type:** Prepaid hour block
- **Hours remaining:** 17.0 hrs as of 2026-06-01 (Syncro live). Always live-check `GET /customers/33809612` before billing.
- **Hours remaining:** 13.5 hrs as of 2026-06-02 (Syncro live — always re-check `GET /customers/33809612` before billing).
- **Billing rate:** (verify — check recent Syncro invoices; not captured in available sources)
- **Syncro customer ID:** `33809612` (Lone Star Electrical Systems LLC)
- **Address:** 3774 North Warren Avenue, Tucson, AZ
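Review bot: the 17.0 -> 13.5 hrs update is consistent with the 2.0h + 1.5h billed on #32347 and #32372, but the `Billing rate` line two rows down in the same context is still "(verify — check recent Syncro invoices; not captured in available sources)" even though this recompile just created and closed two invoices against the block; pull the rate from those invoices now instead of leaving a verify placeholder next to a freshly updated balance. Minor: the previous line kept "Always live-check `GET /customers/33809612` before billing." as its own sentence, which is easier to spot than the parenthetical in the new line.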
@@ -42,7 +42,7 @@ Electrical contractor in Tucson, AZ. ACG-managed client. Distinctive in the flee
- James — account compromised 2026-03-10 (Syncro #32010); [verify current name/role]
- Kyla, Russ — GWS user accounts touched via provisioning/2FA scripts (temp/); [verify roles]
- Main phone on file (Syncro): 520-730-3642
- **Active ticket:** None open in Syncro as of 2026-06-01 (see Active Work)
- **Active ticket:** None open in Syncro as of 2026-06-02
---
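Review bot: the new `Active ticket` line drops the "(see Active Work)" pointer, but Active Work is exactly where the two tickets closed today (#32347, #32372) are recorded; keep the cross-reference or cite the closed ticket numbers here so a reader checking for recent activity is not told only "none open". The contact lines in the surrounding context still carry "[verify current name/role]" and "[verify roles]" placeholders from earlier compiles; since this recompile touched the contacts block, either resolve them or date them so the next compiler knows how stale they are.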
@@ -63,7 +63,10 @@ Electrical contractor in Tucson, AZ. ACG-managed client. Distinctive in the flee
### Workstations
- **LS-1, LS-2** — Windows workstations at the **Norris site**; both upgraded to Win11 on 2026-05-04 (Syncro #32244). Both were inherited from the **previous MSP** with **Sophos Endpoint Protection** (managed via the previous MSP's Sophos Central — no ACG access). Sophos removal is in progress (see Patterns and Active Work). Both enrolled in **GuruRMM** during the 2026-05 removal work; ScreenConnect + GuruRMM agents registered for Safe Mode (`SafeBoot\Network`).
- **LS-1, LS-2** — Windows workstations at the **Norris site**; both upgraded to Win11 on 2026-05-04 (Syncro #32244). Both were inherited from the **previous MSP** with **Sophos Endpoint Protection** (managed via the previous MSP's Sophos Central — no ACG access). **Sophos has been fully removed from both machines as of 2026-06-02** (Syncro #32347; see Patterns for full procedure). Both enrolled in **GuruRMM** during the 2026-05 removal work; ScreenConnect + GuruRMM agents registered for Safe Mode (`SafeBoot\Network`).
- **LS-1 GuruRMM agent:** `6b9617fa-5c77-40e1-8b64-a1545e730895`
- **LS-2 GuruRMM agent:** `97fe5582-aa3d-4132-94a6-f4c8582bca31`
- **Windows Defender:** active and real-time protection enabled on both as of 2026-06-02.
### Unraid Server
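Review bot: the rewritten LS-1/LS-2 bullet still states that the ScreenConnect + GuruRMM agents are registered for Safe Mode (`SafeBoot\Network`), which was put in place to support the removal; now that the removal is marked COMPLETE, say whether those Safe Mode registrations are being left in deliberately or should be backed out, since they are a standing change to how both machines boot and a later reader will not know which was intended. The new `Windows Defender: active` line should also record how it was verified; the Patterns procedure on this page ends with "Defender RTP True" from the second `SophosZap.exe --confirm` pass, and citing that here makes the claim auditable rather than a Security Center glance. Adding the two GuruRMM agent IDs is useful; a short note that these are the IDs the SPEC-015 remote-Safe-Mode flow would act on ties them to the rest of the page.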
@@ -92,26 +95,51 @@ Electrical contractor in Tucson, AZ. ACG-managed client. Distinctive in the flee
## Patterns & Known Issues
- **Inherited Sophos with no Central access — kernel-driver tamper-protection removal (execution started 2026-06-02).** LS-1 and LS-2 came from the previous MSP running Sophos Endpoint Protection managed via the previous MSP's Sophos Central account — ACG has **no Central access**, so no remote uninstall and no way to disable tamper protection from the management plane. Tamper protection is enforced by the **`SophosED.sys` kernel boot driver** (`Start=0`, loads before `smss.exe`), which defeats every user-mode removal: `SophosZap` (blocked by TP), `SophosUninstall.exe` (only removes user-mode parts), `PendingFileRenameOperations` delete (driver loads too early), `sc config` (kernel callback), and ACL reset (kernel-level). **Resolution path is offline via WinRE/PE:** delete `D:\Windows\System32\drivers\SophosED.sys`, load the offline SYSTEM hive and set the `Sophos Endpoint Defense` service `Start=4`, reboot, then `SophosZap.exe --confirm` (TP check now passes). Full step list in the 2026-05-29 session log. **Reusable for any inherited-MSP Sophos/CrowdStrike/SentinelOne removal where tamper protection is enforced and the management console is inaccessible.** (Related: GuruRMM SPEC-015 safeboot-network-registration aims to automate exactly this remote-Safe-Mode removal flow.)
- **Inherited Sophos with no Central access — kernel-driver tamper-protection removal (procedure proven and COMPLETE on LS-1 and LS-2, 2026-06-02).** LS-1 and LS-2 came from the previous MSP running Sophos Endpoint Protection managed via the previous MSP's Sophos Central account — ACG has **no Central access**, so no remote uninstall and no way to disable tamper protection from the management plane. The procedure is now proven end-to-end and reusable. Key findings from the full execution:
- **SophosZap's gate is a registry flag, not just the driver.** SophosZap checks `HKLM\SYSTEM\CurrentControlSet\services\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled` — if this is `1`, SophosZap exits with "does not run with tamper protection on" even when the kernel driver is renamed/disabled. The driver disable alone is not sufficient; `SEDEnabled=0` must be set.
- **Two Sophos boot drivers — treat them differently:**
- **`SophosED.sys`** = "Sophos Endpoint Defense" (the TAMPER driver). `Start=0` by default (Boot-start). Safe to rename/remove. Correct procedure: set service `Start=4` in the offline hive AND clear `SEDEnabled=0`. With `SEDEnabled=0`, SophosZap passes the tamper check and removes it cleanly.
- **`SophosEL.sys`** = "Sophos ELAM" (Early Launch Anti-Malware). `Start=0`, **`ErrorControl=3` (CRITICAL)**. **NEVER rename or delete this file manually.** If `SophosEL.sys` is missing on boot, Windows drops to Automatic Repair: `SrtTrail.txt` root cause: "Boot critical file C:\WINDOWS\system32\DRIVERS\SophosEL.sys is corrupt." Recovery requires booting back to PE and restoring the file. SophosZap removes the ELAM driver and its service itself, the boot-safe way, after tamper protection is neutralized.
- **Offline hive editing: always read the active ControlSet first.** `CurrentControlSet` does not exist in an offline hive. Read `HKLM\OFFSYS\Select\Current` to determine which numbered set is active (e.g., `0x1` = `ControlSet001`) before editing service entries. Editing the wrong ControlSet leaves the machine unchanged.
- **Correct offline procedure (PE):**
1. `reg load HKLM\OFFSYS X:\Windows\System32\config\SYSTEM`
2. `reg query HKLM\OFFSYS\Select /v Current` — note the active set number
3. Under `HKLM\OFFSYS\ControlSet00N\Services\Sophos Endpoint Defense`: set `Start=4`; under `...\TamperProtection\Config`: set `SEDEnabled=0`
4. `reg unload HKLM\OFFSYS`
5. Reboot to normal Windows. Do NOT rename or delete `SophosEL.sys`.
6. Verify Defender is active. Run `SophosZap.exe --confirm` via RMM or locally. Reboot as prompted.
7. Run `SophosZap.exe --confirm` a second time. Confirm: services/drivers/folders NONE, Defender RTP True.
- **PE helper script:** `clients/lonestar-electrical/scripts/Remove-Sophos-Offline-PE.ps1` (hardened with top-level try/catch and guaranteed `Read-Host` pause).
- **Reusable for any inherited-MSP Sophos/CrowdStrike/SentinelOne removal where tamper protection is enforced and the management console is inaccessible.** (Related: GuruRMM SPEC-015 safeboot-network-registration aims to automate exactly this remote-Safe-Mode removal flow.)
- **Sophos shell extensions + Datto Cloud Continuity startup conflict (LS-2).** Presented as unresponsive desktop mouse clicks (until Ctrl+Alt+Del) and dead Start-menu right-click. Root cause: Sophos shell extensions competing with the Datto Cloud Continuity `/pop` startup entry during logon. Removing the Datto startup registry entry addressed the logon contention.
- **ManageEngine + Google Workspace dual-EMM trap (resolved 2026-03-24).** A personal phone repeatedly prompted for MDM enrollment when the user added their Lonestar Google account. Root cause was **two independent triggers**: (1) ManageEngine MDM self-enrollment was enabled for all directory groups, AND (2) ManageEngine was configured as a **third-party EMM provider inside Google Workspace** (Devices > Mobile & endpoints > Settings > Third-party integrations). The Google integration enforces enrollment on any device that adds a Lonestar account — independent of ManageEngine's own self-enrollment setting. **Fix required both:** disable ManageEngine self-enrollment (Enrollment > Self Enrollment > Disable) AND remove ManageEngine as the third-party EMM in the GWS Admin Console. Disabling only one leaves the prompt in place. Company tablets enrolled directly via QR code are unaffected by either change.
- **Google Workspace, not M365.** Reach for GWS Admin Console + the ACG-MSP-Access service account for identity work. The M365 remediation-tool app suite does not apply to this client.
- **Field/mobile-first.** Most tickets are phone/tablet/field-device oriented (iPhone field setup, tablet PDF editing). Expect mobile, not desktop, as the primary support surface — the LS-1/LS-2 desktop work is the exception, not the norm.
- **Recurring `bzfirmware` checksum boot error = failing USB flash drive.** Replace the stick (Unraid USB Creator + copy old `config/` + re-register license to new GUID). Do NOT just replace the file — if the error recurs after a file-level fix, the stick itself is failing. Reusable for any Unraid box.
---
## Active Work
No open Syncro tickets as of 2026-06-01.
No open Syncro tickets as of 2026-06-02.
- **Sophos removal on LS-1 / LS-2 (ACTIVELY EXECUTING — LS-1 in progress, LS-2 not yet started).** Offline PE removal procedure is underway on LS-1: BitLocker confirmed OFF (verified from normal Windows before booting PE), `SophosZap.exe` staged in Downloads for post-reboot cleanup. LS-1 is awaiting a drive-letter check from PE (`dir C:\Windows & dir D:\Windows & dir E:\Windows`) before executing the `del /f <drive>\Windows\System32\drivers\SophosED.sys` + offline-hive `Start=4` disable sequence. LS-2 not yet started. Full offline command set in `clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md`. Coord handoff: msg `689cfb7c` (2026-06-01).
- **Pending:** Verify or create Syncro ticket "Sophos Endpoint Removal - LS-1 and LS-2" before logging time (prepaid block, live-check `GET /customers/33809612`).
- **Unraid server USB replacement done (2026-06-02); PENDING:**
- Create Syncro ticket documenting the USB failure, replacement (Unraid 7.1.4 via USB Creator), config copy, and license re-registration.
- **Sophos removal on LS-1 / LS-2 — COMPLETE (2026-06-02).** Both machines are fully clean: no Sophos services, drivers, folders, or Add/Remove entries; Windows Defender real-time protection active on both. Billed and closed on Syncro #32347 (2.0h in-shop, prepaid). See Patterns for the full reusable procedure including the critical SophosEL ELAM boot-driver lesson.
- **Unraid server USB replacement — COMPLETE (2026-06-02).** New stick running Unraid 7.1.4, config/ preserved, license re-registered. Documented and billed on Syncro #32372 (1.5h in-shop, prepaid, Closed). **Still open:**
- Vault the Lonestar Unraid root password and document the server (hostname, IP, Unraid 7.1.4, license type) in the wiki.
- Capture and fold in the results of Mike's server health check (array start state, disk assignments, parity validity, registration status).
- Verify array integrity: confirm all disks landed in correct slots from the copied `super.dat`; ensure no unwanted parity rebuild was triggered.
- Vault the Lonestar Unraid root password and document the server in the wiki (hostname, IP, Unraid 7.1.4, license type).
- Retire the old failing USB stick once the new stick is confirmed stable.
---
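Review bot: step 1 of the "Correct offline procedure (PE)" loads `X:\Windows\System32\config\SYSTEM`, but in WinPE `X:` is the PE RAM-disk itself, not the target OS volume; the removed Active Work bullet in this same hunk shows the real flow was a drive-letter check (`dir C:\Windows & dir D:\Windows & dir E:\Windows`) followed by working on `<drive>\Windows\...`. Write step 1 as `reg load HKLM\OFFSYS <osdrive>\Windows\System32\config\SYSTEM` and add the drive-letter check as a step before it; as written, someone following the list loads the wrong hive, sets `Start=4` and `SEDEnabled=0` somewhere that has no effect, and reboots into an unchanged machine, which is the same failure mode the "always read the active ControlSet first" bullet warns about. Two smaller points in the same hunk: the `SophosED.sys` sub-bullet opens with "Safe to rename/remove" and then gives a procedure that never touches the file, so say explicitly that the rename is no longer part of the procedure to keep it clearly distinct from the `SophosEL.sys` "NEVER rename" rule; and the "Still open" list under the Unraid bullet contains "Vault the Lonestar Unraid root password and document the server in the wiki" twice with slightly different wording, so keep one.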
@@ -129,12 +157,15 @@ No open Syncro tickets as of 2026-06-01.
| 2026-05-28/29 | Sophos removal on LS-1/LS-2 begun: enrolled in GuruRMM, removed Datto startup conflict (LS-2), registered Safe Mode agents, removed user-mode Sophos; blocked by `SophosED.sys` kernel driver — WinRE offline removal staged (Ventoy USB), completion pending |
| 2026-06-01 | Recovered the (previously unlogged) Sophos removal context, reconstructed it into a session log, and handed the WinRE completion procedure to Howard via coordinator (msg `689cfb7c`) |
| 2026-06-02 | Unraid server USB flash drive failed (recurring bzfirmware checksum error); migrated to new stick (Unraid 7.1.4 via USB Creator), copied old config/, re-registered license to new GUID |
| 2026-06-02 | Began offline (PE) execution of Sophos removal on LS-1 — BitLocker confirmed off, SophosZap staged; SophosED.sys delete + offline-hive disable pending drive-letter check |
| 2026-06-02 | LS-1 Sophos offline-PE prep: BitLocker confirmed off, SophosZap staged, drive-letter check run; SED service Start=4 + SEDEnabled=0 set offline |
| 2026-06-02 | Sophos removal COMPLETED on LS-1 and LS-2 — offline tamper-disable (SED Start=4 + SEDEnabled=0) + SophosZap two-pass via GuruRMM; LS-2 hit Automatic Repair after boot-critical SophosEL.sys was renamed (recovered by restoring the file from PE, then relying on already-correct offline edits + SophosZap to remove it safely); Windows Defender active on both |
| 2026-06-02 | Syncro #32347 (Sophos removal, 2.0h in-shop) and #32372 (Unraid USB replacement, 1.5h in-shop) created, billed, and closed against prepaid block — 17.0 -> 13.5 hrs remaining |
---
## Compilation Notes
- Refreshed 2026-06-02 ~17:45 PT (recompile by Howard-Home/claude-main) to absorb the "17:39 PT — Sophos removal COMPLETE" update section of the 2026-06-02 session log: marked Sophos removal COMPLETE on both LS-1/LS-2 in Active Work and Infrastructure; updated hours remaining to 13.5 (Syncro #32347 2.0h + #32372 1.5h billed/closed); expanded Patterns with the proven full procedure including the critical two-driver distinction (SophosEL ELAM boot-critical — never rename/delete; SophosED tamper driver — disable via Start=4+SEDEnabled=0); added LS-1/LS-2 GuruRMM agent IDs; added two new History Highlights rows (PE+SophosZap completion, billing).
- Refreshed 2026-06-02 22:10 PT (recompile by HOWARD-HOME/claude-main) to absorb the 22:10 PT update section of the 2026-06-02 session log: updated Active Work Sophos bullet to reflect execution-in-progress on LS-1 (BitLocker confirmed off, SophosZap staged, awaiting drive-letter check before PE delete); updated Patterns wording from "in progress 2026-05-28/29" to "execution started 2026-06-02"; added History Highlights row for the LS-1 PE execution start.
- Refreshed 2026-06-02 (recompile by HOWARD-HOME/claude-main) to absorb the 2026-06-02 session log: added Unraid server infrastructure subsection, new `bzfirmware` checksum pattern, history row, and pending Active Work items.
- Refreshed 2026-06-01 (full recompile) to incorporate the 2026-05-28/29 Sophos removal work, which had previously been lost — it was never written to a session log and survived only in a gitignored temp draft (`.claude/tmp/ollama_prompt.txt`) and coord message `8a5cb25c`. A proper session log was reconstructed at `clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md` before this compile.
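Review bot: the new Compilation Notes entry is stamped "2026-06-02 ~17:45 PT" and is placed above the existing "2026-06-02 22:10 PT" entry, yet the 22:10 entry describes the earlier state (execution in progress on LS-1) and the 17:45 entry the later one (COMPLETE), so one of the two stamps has the wrong date or zone and the list no longer reads newest-first in clock order. The commit's own sync timestamp is 17:51:53, which fits the 17:45 entry, so the 22:10 stamp is the one to re-check. In the History table, the added completion row packs the LS-2 Automatic Repair incident into one long cell; since that incident is the lesson the Patterns section is built around, it deserves its own row so it can be found by date.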
@@ -41,7 +41,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| [Western Tire](clients/western-tire.md) | Tire retail (jackfurriers.com brand); Mike Furrier owner (Syncro ID 391491); email migrated from websvr to IX 2026-04-22; 30 mailboxes; SSL cert expires 2026-05-30 | 2026-05-24 |
| [Kittle (general contractor)](clients/kittle.md) | General contractor Tucson AZ; Syncro 32460233; HPE MicroServer Gen11 WS2025 EVAL at 10.0.0.5; no backups, no firewall; DKIM/DMARC missing; 3 plaintext creds in Syncro notes; GuruRMM onboarding 2026-05-08 | 2026-05-24 |
| [Khalsa (two-site)](clients/khalsa.md) | Two-site client (Camden + River); onboarding not completed; domain khalsa.local, DC TROUT at 10.11.12.254; Mac domain-join runbook documented; template docs otherwise empty | 2026-05-24 |
| [Lone Star Electrical Systems](clients/lonestar-electrical.md) | Electrical contractor Tucson AZ; Syncro 33809612, prepaid block 17.0 hrs; Google Workspace (not M365); ManageEngine MDM (Zoho); Unraid server (7.1.4, USB migrated 2026-06-02); LS-1/LS-2 inherited-Sophos kernel-driver removal in progress; field/mobile-first | 2026-06-02 |
| [Lone Star Electrical Systems](clients/lonestar-electrical.md) | Electrical contractor Tucson AZ; Syncro 33809612, prepaid block 13.5 hrs; Google Workspace (not M365); ManageEngine MDM (Zoho); Unraid server (7.1.4, USB migrated 2026-06-02); LS-1/LS-2 Sophos removal COMPLETE (2026-06-02); Defender active on both; field/mobile-first | 2026-06-02 |
| [Anaise](clients/anaise.md) | Single workstation client; contact David (anaisedavid.office@gmail.com); DESKTOP-O8GF4SD; creds in vault at clients/anaise/desktop-o8gf4sd.sops.yaml; onboarding incomplete; M365 enrollment unconfirmed | 2026-05-24 |
| [ACG Website (azcomputerguru.com)](clients/azcomputerguru.com.md) | Public website redesign (Astro); score 33/40; placeholder testimonials + no-backend form are pre-launch blockers; OKLCH token design system; see internal-infrastructure.md for ACG servers | 2026-05-24 |
| [Quantum WMS](clients/quantumwms.md) | WMS company; quantumwms.com tenant (ddf3d2c9); GoDaddy decoupling + M365 migration; 2x Business Premium + Exchange Online Plan 1; deadline 2026-06-03; Tenant Admin consented 2026-05-26 | 2026-05-26 |
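Review bot: the updated index row hard-codes "prepaid block 13.5 hrs" with no date, while the client page it links to says to always live-check `GET /customers/33809612` before billing; an undated balance in the index goes stale the moment the next ticket is billed, so either drop the hours from the summary or write it as "13.5 hrs as of 2026-06-02" the way the client page does. The rest of the row matches the client page (Sophos removal COMPLETE 2026-06-02, Defender active on both, Unraid 7.1.4 USB migrated), and the "Last updated" column is correctly left at 2026-06-02.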