diff --git a/clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md b/clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md new file mode 100644 index 0000000..7296208 --- /dev/null +++ b/clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md 
@@ -0,0 +1,84 @@ +# Lone Star Electrical — Sophos Endpoint Removal (LS-1 / LS-2) + +**Date:** 2026-05-28 / 2026-05-29 +**Client:** Lone Star Electrical Systems LLC (Syncro customer `33809612`) +**Machines:** LS-1, LS-2 (Windows 11, Norris site) +**Status:** IN PROGRESS — offline (WinRE) completion step still required on both machines + +> Reconstructed and committed 2026-06-01. The original work (~May 28-29) was never saved +> to a session log; details survived only in a gitignored temp draft +> (`.claude/tmp/ollama_prompt.txt`) and coord message `8a5cb25c`. This log closes that gap. + +## User +- **User:** Mike Swanson (mike) +- **Machine:** GURU-5070 +- **Role:** admin + +--- + +## Situation + +Two newly added Win11 machines (LS-1, LS-2) at the Norris site arrived from the **previous MSP** +with **Sophos Endpoint Protection** installed, managed via **Sophos Central in the previous MSP's +account**. We have **no Central access** — so no remote uninstall and no way to disable tamper +protection from the management plane. + +Tamper protection is enforced by the **`SophosED.sys` kernel boot driver** (`Start` type = `0`, +loads before `smss.exe`). This is the root blocker for every standard removal path. + +**LS-2 presenting symptom:** mouse clicks unresponsive on the desktop until Ctrl+Alt+Del, and +Start-menu right-click dead. **Root cause:** Sophos shell extensions + the Datto Cloud Continuity +`/pop` startup entry competing during logon. 
+ +--- + +## Work performed (both machines unless noted) + +- Enrolled LS-1 and LS-2 in **GuruRMM** for remote management +- Removed the **Datto Cloud Continuity** startup registry entry (LS-2) +- Registered **ScreenConnect + GuruRMM agent for Safe Mode** (`SafeBoot\Network` registry keys) on + both, so the agents survive a Safe Mode boot +- Sophos removal attempts — **all blocked by tamper / kernel protection:** + - `SophosZap` — blocked by tamper protection (TP check) + - `SophosUninstall.exe` — partially ran, removed most user-mode components + - `PendingFileRenameOperations` delete — failed (`SophosED.sys` loads before `smss.exe`) + - `sc config` — blocked by kernel callback + - ACL reset — blocked at kernel level +- Disabled MCS Agent/Client; removed SntpService registration +- Booted both machines to **WinRE** in preparation for offline driver removal + +--- + +## Current state + +`SophosED.sys` kernel boot driver is **still present and active** on both machines. Most user-mode +Sophos services are removed from LS-2. Completion requires the offline WinRE step below. + +--- + +## Follow-up: WinRE completion steps (run on EACH machine) + +1. WinRE -> Troubleshoot -> Advanced Options -> Command Prompt +2. Find the real Windows drive (NOT the ~600MB recovery partition): + `dir C:\ & dir D:\ & dir E:\` +3. Substitute the actual Windows drive letter (shown as `D:` below) and run: + - `del /f D:\Windows\System32\drivers\SophosED.sys` + - `reg load HKLM\TEMPSYS D:\Windows\System32\config\SYSTEM` + - `reg add "HKLM\TEMPSYS\CurrentControlSet\services\Sophos Endpoint Defense" /v Start /t REG_DWORD /d 4 /f` + - `reg unload HKLM\TEMPSYS` + - `exit` +4. Reboot normally — `SophosED.sys` gone, SED service `Start=4` (disabled), tamper protection no + longer loads. +5. From Downloads, run `SophosZap.exe --confirm` — the TP check now passes, so it clears the + remaining registry entries. 
+ +**Tooling staged:** Ventoy USB flashed to `E:`, helper scripts at `claudetools-data/scripts/`. + +--- + +## Billing / client notes + +- Prepaid hour block. Live-check remaining hours via `GET /customers/33809612` before logging time. +- A Syncro ticket was drafted ("Sophos Endpoint Removal - LS-1 and LS-2") — **verify it actually + exists** before logging against it. +- Handed off to Howard via coord message `689cfb7c` (2026-06-01). diff --git a/wiki/clients/lonestar-electrical.md b/wiki/clients/lonestar-electrical.md index dd866dd..f6a762a 100644 --- a/wiki/clients/lonestar-electrical.md +++ b/wiki/clients/lonestar-electrical.md @@ -2,9 +2,11 @@ type: client name: lonestar-electrical display_name: Lone Star Electrical Systems LLC -last_compiled: 2026-05-26 +last_compiled: 2026-06-01 compiled_by: GURU-5070/claude-main sources: + - clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md + - clients/lonestar-electrical/docs/apple-mdm-setup-reference.md - session-logs/2026-03-23-session.md - session-logs/2026-03-24-session.md - credentials.md 
@@ -25,18 +27,20 @@ Electrical contractor in Tucson, AZ. ACG-managed client. Distinctive in the flee - **Company type:** Electrical contractor (field service) - **Contract type:** Prepaid hour block -- **Hours remaining:** 17.25 hrs as of 2026-05-26 (Syncro live). Always live-check `GET /customers/33809612` before billing. +- **Hours remaining:** 17.0 hrs as of 2026-06-01 (Syncro live). Always live-check `GET /customers/33809612` before billing. - **Billing rate:** (verify — check recent Syncro invoices; not captured in available sources) - **Syncro customer ID:** `33809612` (Lone Star Electrical Systems LLC) - **Address:** 3774 North Warren Avenue, Tucson, AZ - **Managed assets (Syncro):** 1 asset on record +- **Sites:** Norris site (location of the LS-1 / LS-2 Win11 workstations) - **Key contacts:** - Robin Eneix — robine@lonestarelectrical.net (Syncro primary contact) - Jose R. (joser@lonestarelectrical.net) — field user; subject of the 2026-03 personal-phone MDM issue - sysadmin@lonestarelectrical.net — Google Workspace admin account (ACG-managed) - James — account compromised 2026-03-10 (Syncro #32010); [verify current name/role] - Kyla, Russ — GWS user accounts touched via provisioning/2FA scripts (temp/); [verify roles] -- **Active ticket:** None open in Syncro as of 2026-05-26 (see Active Work) + - Main phone on file (Syncro): 520-730-3642 +- **Active ticket:** None open in Syncro as of 2026-06-01 (see Active Work) --- 
@@ -57,7 +61,7 @@ Electrical contractor in Tucson, AZ. ACG-managed client. Distinctive in the flee ### Workstations -- **LS-1, LS-2** — Windows workstations; both upgraded to Win11 on 2026-05-04 (Syncro #32244). [Further inventory not documented] +- **LS-1, LS-2** — Windows workstations at the **Norris site**; both upgraded to Win11 on 2026-05-04 (Syncro #32244). Both were inherited from the **previous MSP** with **Sophos Endpoint Protection** (managed via the previous MSP's Sophos Central — no ACG access). Sophos removal is in progress (see Patterns and Active Work). Both enrolled in **GuruRMM** during the 2026-05 removal work; ScreenConnect + GuruRMM agents registered for Safe Mode (`SafeBoot\Network`). --- 
@@ -72,17 +76,19 @@ Electrical contractor in Tucson, AZ. ACG-managed client. Distinctive in the flee ## Patterns & Known Issues +- **Inherited Sophos with no Central access — kernel-driver tamper-protection removal (in progress 2026-05-28/29).** LS-1 and LS-2 came from the previous MSP running Sophos Endpoint Protection managed via the previous MSP's Sophos Central account — ACG has **no Central access**, so no remote uninstall and no way to disable tamper protection from the management plane. Tamper protection is enforced by the **`SophosED.sys` kernel boot driver** (`Start=0`, loads before `smss.exe`), which defeats every user-mode removal: `SophosZap` (blocked by TP), `SophosUninstall.exe` (only removes user-mode parts), `PendingFileRenameOperations` delete (driver loads too early), `sc config` (kernel callback), and ACL reset (kernel-level). **Resolution path is offline via WinRE:** delete `D:\Windows\System32\drivers\SophosED.sys`, load the offline SYSTEM hive and set the `Sophos Endpoint Defense` service `Start=4`, reboot, then `SophosZap.exe --confirm` (TP check now passes). Full step list in the 2026-05-29 session log. **Reusable for any inherited-MSP Sophos/CrowdStrike/SentinelOne removal where tamper protection is enforced and the management console is inaccessible.** (Related: GuruRMM SPEC-015 safeboot-network-registration aims to automate exactly this remote-Safe-Mode removal flow.) +- **Sophos shell extensions + Datto Cloud Continuity startup conflict (LS-2).** Presented as unresponsive desktop mouse clicks (until Ctrl+Alt+Del) and dead Start-menu right-click. Root cause: Sophos shell extensions competing with the Datto Cloud Continuity `/pop` startup entry during logon. Removing the Datto startup registry entry addressed the logon contention. - **ManageEngine + Google Workspace dual-EMM trap (resolved 2026-03-24).** A personal phone repeatedly prompted for MDM enrollment when the user added their Lonestar Google account. 
Root cause was **two independent triggers**: (1) ManageEngine MDM self-enrollment was enabled for all directory groups, AND (2) ManageEngine was configured as a **third-party EMM provider inside Google Workspace** (Devices > Mobile & endpoints > Settings > Third-party integrations). The Google integration enforces enrollment on any device that adds a Lonestar account — independent of ManageEngine's own self-enrollment setting. **Fix required both:** disable ManageEngine self-enrollment (Enrollment > Self Enrollment > Disable) AND remove ManageEngine as the third-party EMM in the GWS Admin Console. Disabling only one leaves the prompt in place. Company tablets enrolled directly via QR code are unaffected by either change. - **Google Workspace, not M365.** Reach for GWS Admin Console + the ACG-MSP-Access service account for identity work. The M365 remediation-tool app suite does not apply to this client. -- **Field/mobile-first.** Most tickets are phone/tablet/field-device oriented (iPhone field setup, tablet PDF editing). Expect mobile, not desktop, as the primary support surface. +- **Field/mobile-first.** Most tickets are phone/tablet/field-device oriented (iPhone field setup, tablet PDF editing). Expect mobile, not desktop, as the primary support surface — the LS-1/LS-2 desktop work is the exception, not the norm. --- ## Active Work -No open Syncro tickets as of 2026-05-26. Two tickets in "Customer Reply" status (awaiting client): -- #32251 — iPhone: set up cell phone for use in the field (2026-05-05) -- #32215 — QuickBooks issues (2026-04-25) +No open Syncro tickets as of 2026-06-01. + +- **Sophos removal on LS-1 / LS-2 (IN PROGRESS).** `SophosED.sys` kernel boot driver still present and active on both machines; most user-mode Sophos services removed from LS-2. Offline WinRE completion step pending on both (delete driver, disable SED service in offline hive, reboot, `SophosZap --confirm`). Handed off to Howard via coord message `689cfb7c` (2026-06-01). 
A Syncro ticket "Sophos Endpoint Removal - LS-1 and LS-2" was drafted — verify it exists before logging time. --- @@ -97,14 +103,16 @@ No open Syncro tickets as of 2026-05-26. Two tickets in "Customer Reply" status | 2026-03-24 | MDM issue RESOLVED — disabled ManageEngine self-enrollment AND removed ManageEngine as GWS third-party EMM. joser's phone stopped prompting immediately | | 2026-05-04 | Win11 upgrades on LS-1 and LS-2 (#32244) | | 2026-05-05 | iPhone field setup (#32251) | +| 2026-05-28/29 | Sophos removal on LS-1/LS-2 begun: enrolled in GuruRMM, removed Datto startup conflict (LS-2), registered Safe Mode agents, removed user-mode Sophos; blocked by `SophosED.sys` kernel driver — WinRE offline removal staged (Ventoy USB), completion pending | --- ## Compilation Notes +- Refreshed 2026-06-01 (full recompile) to incorporate the 2026-05-28/29 Sophos removal work, which had previously been lost — it was never written to a session log and survived only in a gitignored temp draft (`.claude/tmp/ollama_prompt.txt`) and coord message `8a5cb25c`. A proper session log was reconstructed at `clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md` before this compile. - Seeded 2026-05-26 from two March session logs + credentials.md + vault entry + temp provisioning scripts, enriched with live Syncro data (customer 33809612). - **Vault slug is `lonestar-electrical`** (matches `clients/lonestar-electrical/` in the vault), though session logs and temp scripts use the un-hyphenated `lonestar`. -- **No dedicated project folder** — Lonestar work lives in root session logs and `temp/` scripts; there is no `clients/lonestar*/` working directory or `projects/` entry in the ClaudeTools repo (only the vault folder exists). +- Lonestar work now lives in both `clients/lonestar-electrical/` (docs + session-logs) and root session logs / `temp/` scripts. - Flagged `[verify]`: billing rate; exact roles/names for James, Kyla, Russ; full workstation inventory. ## Backlinks 
diff --git a/wiki/index.md b/wiki/index.md index d55d406..6ec7f32 100644 --- a/wiki/index.md +++ b/wiki/index.md @@ -1,7 +1,7 @@ # Wiki Index -Last updated: 2026-05-29 -Compiled by: Mikes-MacBook-Air.local/claude-main +Last updated: 2026-06-01 +Compiled by: GURU-5070/claude-main This wiki is LLM-maintained. Do not edit articles manually — run `/wiki-compile` to update. Run `/wiki-lint` to check for stale entries and broken backlinks. 
@@ -41,7 +41,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks. | [Western Tire](clients/western-tire.md) | Tire retail (jackfurriers.com brand); Mike Furrier owner (Syncro ID 391491); email migrated from websvr to IX 2026-04-22; 30 mailboxes; SSL cert expires 2026-05-30 | 2026-05-24 | | [Kittle (general contractor)](clients/kittle.md) | General contractor Tucson AZ; Syncro 32460233; HPE MicroServer Gen11 WS2025 EVAL at 10.0.0.5; no backups, no firewall; DKIM/DMARC missing; 3 plaintext creds in Syncro notes; GuruRMM onboarding 2026-05-08 | 2026-05-24 | | [Khalsa (two-site)](clients/khalsa.md) | Two-site client (Camden + River); onboarding not completed; domain khalsa.local, DC TROUT at 10.11.12.254; Mac domain-join runbook documented; template docs otherwise empty | 2026-05-24 | -| [Lone Star Electrical Systems](clients/lonestar-electrical.md) | Electrical contractor Tucson AZ; Syncro 33809612, prepaid block 17.25 hrs; Google Workspace (not M365); ManageEngine MDM (Zoho); 2026-03 dual-EMM self-enrollment trap resolved; field/mobile-first | 2026-05-26 | +| [Lone Star Electrical Systems](clients/lonestar-electrical.md) | Electrical contractor Tucson AZ; Syncro 33809612, prepaid block 17.0 hrs; Google Workspace (not M365); ManageEngine MDM (Zoho); 2026-03 dual-EMM self-enrollment trap resolved; LS-1/LS-2 inherited-Sophos kernel-driver removal in progress; field/mobile-first | 2026-06-01 | | [Anaise](clients/anaise.md) | Single workstation client; contact David (anaisedavid.office@gmail.com); DESKTOP-O8GF4SD; creds in vault at clients/anaise/desktop-o8gf4sd.sops.yaml; onboarding incomplete; M365 enrollment unconfirmed | 2026-05-24 | | [ACG Website (azcomputerguru.com)](clients/azcomputerguru.com.md) | Public website redesign (Astro); score 33/40; placeholder testimonials + no-backend form are pre-launch blockers; OKLCH token design system; see internal-infrastructure.md for ACG servers | 2026-05-24 | | [Quantum WMS](clients/quantumwms.md) | WMS 
company; quantumwms.com tenant (ddf3d2c9); GoDaddy decoupling + M365 migration; 2x Business Premium + Exchange Online Plan 1; deadline 2026-06-03; Tenant Admin consented 2026-05-26 | 2026-05-26 |
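Review bot: the WinRE follow-up list in the new session log (step 3) deletes `SophosED.sys` and rewrites the offline SYSTEM hive with no backup step, so a typo at the recovery prompt is unrecoverable; add a copy of the driver file and of `D:\Windows\System32\config\SYSTEM` to a safe location before the `del /f` and `reg add` lines, and note that `reg add ... /f` silently creates the `Sophos Endpoint Defense` key if it is absent, so the key should be confirmed with `reg query` under `HKLM\TEMPSYS` first. Step 2's `dir C:\ & dir D:\ & dir E:\` also collides with "Ventoy USB flashed to `E:`" in the Tooling line; say which letter the USB takes inside WinRE so it is not mistaken for a Windows volume. Two gaps in the follow-up list itself: after `SophosZap.exe --confirm` both machines boot with no endpoint protection, and there is no step for deploying the replacement product; and the log records no client authorization for removing the previous MSP's agent, which an MSP session log should carry for audit.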
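Review bot: in the frontmatter hunk, `clients/lonestar-electrical/docs/apple-mdm-setup-reference.md` is added to `sources:` but nothing else in this compile cites it; the 2026-06-01 compilation note names only the Sophos session log. Either drop it from `sources:` or add the article content it feeds, otherwise the source list overstates what the article was compiled from.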
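Review bot: in the contacts/billing hunk, `Hours remaining` drops from 17.25 to 17.0 while the same change says the Sophos ticket is only drafted and time must not be logged until it is verified to exist; record what consumed the 0.25 hr (or which ticket) so the live-check instruction and the stored figure agree. `Managed assets (Syncro): 1 asset on record` is left untouched although LS-1 and LS-2 were just enrolled in GuruRMM; flag it `[verify]` or update it. Minor: the new `Main phone on file (Syncro): 520-730-3642` bullet is indented under Key contacts but is not a contact; move it up a level beside the Address line.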
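Review bot: the Workstations hunk says both machines are enrolled in GuruRMM with Safe Mode agent registration, but the session log's current state has them "Booted both machines to WinRE"; add a clause on which state they are in right now (sitting at the recovery prompt vs back in Windows) so nobody reaches for the RMM agent on a machine that is not booted. The removed `[Further inventory not documented]` tag is still an open item in Compilation Notes ("full workstation inventory"), so keep the in-place marker rather than dropping it silently.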
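Review bot: in the Patterns hunk, "Reusable for any inherited-MSP Sophos/CrowdStrike/SentinelOne removal" goes beyond what the session log supports; only Sophos was worked, and the driver name, service key and `SophosZap.exe --confirm` finish are Sophos-specific, so scope the claim to Sophos or mark the generalization as untested. The resolution path also hard-codes `D:\Windows\System32\drivers\SophosED.sys`, whereas the log says to substitute the real Windows drive letter; keep the placeholder wording here. In Active Work, #32251 and #32215 (Customer Reply) are deleted without saying they were closed, and #32251 still appears in the timeline; state their disposition or keep the two lines.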
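Review bot: the new timeline row uses `2026-05-28/29` where every other row carries a single ISO date; split it into two rows or pick one date so the column stays sortable. The compilation note that the work "survived only in a gitignored temp draft (`.claude/tmp/ollama_prompt.txt`)" describes a process failure, not a compile detail; it belongs as a Patterns entry (write the session log before the temp draft is discarded) so the next session does not need the same reconstruction.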
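Review bot: in the index table hunk, the Lone Star row's "prepaid block 17.0 hrs" matches the client page, but the surrounding context rows are unchanged and Western Tire's "SSL cert expires 2026-05-30" is already in the past for a 2026-06-01 compile; out of scope for this change, but worth a `/wiki-lint` pass since the header now claims the whole index was refreshed 2026-06-01.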