sync: auto-sync from GURU-5070 at 2026-07-01 09:32:17

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-07-01 09:32:17
This commit is contained in:
2026-07-01 09:33:09 -07:00
parent e583bf43a5
commit 6f7f939a62
6 changed files with 175 additions and 1 deletions


@@ -200,3 +200,4 @@
- [GuruScan verification IN TEST / paused](project_guruscan_in_test_paused.md) — multi-engine scanner verify on DESKTOP-MS42HNC paused 2026-06-22 (VM rebooted mid-Emsisoft run); HitmanPro done (36 removed), Emsisoft full-scan unverified; resume `guruscan-agent-test.sh DESKTOP-MS42HNC scan-one Emsisoft`; Defender RTP/Tamper still off on VM
- [GuruRMM fleet dispatch-hang fix](project_gururmm_dispatch_hang_fix.md) — blocking send_to on a full bounded channel to one black-holed agent wedged ALL command dispatch; fixed with try_send (9dae20c, deployed); proper black-hole eviction still missing (was reverted in 80df458) — finish it if it recurs
- [Windows won't-boot / offline DISM repair playbook](windows-offline-dism-repair-gotchas.md) — Automatic Repair loop = boot-critical fault (disk/registry/wedged update), NOT shell/appx store corruption (that's a symptom); `FaultyPackageInProgress` + 100s of Install/Uninstall-Pending packages = wedged CU -> RevertPendingActions or clean install. Offline DISM rejects `wim:` source (0x800f082e) -> MOUNT the wim, source `\Windows`. Ventoy breaks WIM mount (0xc1420134) -> use Rufus. 25H2(26200)=24H2(26100)+enablement, so match 26100 media. First hit: Four Paws AvImark #32447.
- [Remediation-tool has full M365 access (incl. SharePoint)](reference_remediation_tool_365_access.md) — the app suite covers Graph/EXO/Defender/SharePoint; don't declare "no access" on an accessDenied. SharePoint app-only needs a CERT (secret = "Unsupported app only token"); use get-token.sh `sharepoint`/`sharepoint-admin` tiers + CSOM admin API (Graph /admin/sharepoint/settings scope not held). Full map: skill references/app-permissions-and-sharepoint.md.
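Review bot: the new index entry ends with "Full map: skill references/app-permissions-and-sharepoint.md", which is not a resolvable path and disagrees with the path the new reference file itself gives (`.claude/skills/remediation-tool/references/app-permissions-and-sharepoint.md`); use the full path here so the link works from the index. The entry also tells the reader not to declare "no access" on an accessDenied without saying what to do instead; the reference file's rule (check the live permission map / token `roles` claim first) belongs in this one-liner too, so the takeaway is "verify, then pick the right tier" rather than "retry with a higher tier".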


@@ -0,0 +1,32 @@
---
name: reference_remediation_tool_365_access
description: The remediation-tool app suite has full M365 access (incl. SharePoint via cert); don't declare "no access" on an accessDenied
metadata:
type: reference
---
The ComputerGuru remediation-tool apps collectively have **broad, working access across ALL of
M365** — Graph, Exchange Online, Defender, AND SharePoint Online. When a call fails it's almost
always wrong-tier / wrong-endpoint / not-consented / the SharePoint cert gotcha — **not** a real
lack of access. Do NOT tell the user "the tool can't do X" without checking the live permission
map first (decode the token `roles` claim).
Key facts:
- **SharePoint app-only requires a CERTIFICATE.** A `client_secret` token is rejected on every
SharePoint endpoint (REST `/_api` and CSOM `/_vti_bin/client.svc/ProcessQuery`) with
`"Unsupported app only token"`. The Tenant Admin app has a cert in the vault and holds
SharePoint-resource `Sites.FullControl.All`.
- `get-token.sh` now has **`sharepoint`** (content) and **`sharepoint-admin`** (tenant admin)
tiers — cert-forced, tenant resource auto-resolved from Graph `/sites/root`
(override `SP_RESOURCE_ENV`). Added 2026-07-01.
- Graph `GET /admin/sharepoint/settings` needs `SharePointTenantSettings.Read.All`, which NO app
holds → that route 403s. Read/write SharePoint tenant settings via the **CSOM admin API**
(`sharepoint-admin` tier) instead. Tenant settings live on the Tenant object
(TypeId `{268004ae-ef6b-4e9b-8425-127220d84719}`) — e.g. `SelfServiceSiteCreationDisabled`.
- Restricting employee SharePoint site creation = `SelfServiceSiteCreationDisabled=true` (CSOM)
AND restrict M365 Group creation (Entra `Group.Unified` directory setting via `user-manager`);
neither affects edit rights on existing sites.
Full detail (live per-tier permission map + CSOM examples):
`.claude/skills/remediation-tool/references/app-permissions-and-sharepoint.md`. Surfaced by
Syncro #32492 (Birth Biologic). See also [[feedback_syncro_billing]].
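Review bot: the Key facts describe two cert-forced tiers, `sharepoint` (content) and `sharepoint-admin` (tenant admin, Tenant Admin app holding `Sites.FullControl.All`), but never say which tier to use for which operation; add a line that `sharepoint-admin` is only for Tenant-object reads/writes via the CSOM admin API and that site content goes through `sharepoint`, otherwise the "don't declare no access on an accessDenied" rule degrades into escalating to the tenant-admin cert on any 403. In the same bullet, `SP_RESOURCE_ENV` is named as an override without its expected value or whether it applies to both tiers; one line on that avoids tokens minted for the wrong resource. The last bullet should also state that `SelfServiceSiteCreationDisabled=true` alone leaves site creation open through M365 Group creation, which is why the `Group.Unified` restriction is required as well; the "AND" carries that today but a reader skimming for the CSOM setting will miss it.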