sync: auto-sync from HOWARD-HOME at 2026-06-05 21:51:31

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-05 21:51:31
2026-06-05 21:51:38 -07:00
parent 81e3d885d0
commit 8885f0086d
3 changed files with 81 additions and 11 deletions

View File

@@ -0,0 +1,66 @@
# Cascades of Tucson — Session Log 2026-06-05 — Entra Ticket Billing Reconciliation
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Recovered and completed the billing on Syncro ticket #32303 ("Domain setup-entra sync", Cascades of Tucson, internal id 110680053) after a prior session crashed mid-task while "updating notes and billing." Reconstructed state from the 2026-06-05 Cascades session log and a live read of the ticket rather than assuming what had completed.
Diagnosis from the live ticket: the internal work-summary note (comment 417580711, hidden, posted 6/5 18:24) had landed before the crash, but no labor line item or invoice existed for the 6/4-6/5 caregiver/Entra work. The ticket bills incrementally (each work session = line item -> prepay-drawdown invoice -> "Invoice Emailed"); line items and invoices stopped at 5/29 (last invoice #67677). The six existing line items all dated 5/20-5/29, confirming the 6/4-6/5 work was unbilled. No half-written line item existed, so there was nothing to clean up.
Per Howard's direction: left the existing private note untouched, posted the full 6/4-6/5 work summary as a customer-visible (do-not-email) resolution note so the ticket/invoice shows what was done, then billed 7.0 hours onsite. Cascades is prepaid; the labor drew down the block 15.75 -> 8.75 hrs, producing a $0.00 invoice (#67782). Marked the ticket Invoiced and posted the #bot-alerts notification.
## Key Decisions
- **Read the live ticket before billing** instead of trusting the session log alone — confirmed the note was posted, the last invoice was 5/29, and all existing line items predated the 6/4-6/5 work, so a single new onsite line was correct with no risk of double-billing.
- **Did not toggle the existing internal note to public.** The Syncro API has no documented endpoint to change an existing comment's visibility; probing for one is forbidden by the skill (prior duplicate-comment incidents). Instead posted the work summary as a new customer-visible resolution note. Howard then directed: leave the private note alone, attach the summary to the billing.
- **Resolution note set customer-visible + do-not-email** (back-billed work) — matches the prior Resolution-comment pattern on this ticket and avoids a surprise customer email.
- **Single 7.0h onsite line** (product 26118 @ $175), per Howard, rather than splitting the remote/onsite mix of the actual work.
- **Namespaced the session log** (`-howard-cascades-entra-ticket-billing`) because the day's main Cascades caregiver log (`2026-06-05-session.md`) already exists.
## Problems Encountered
- **Could not flip the existing internal note to public via API** — no comment-visibility update endpoint exists in Syncro's documented surface. Resolved by posting a new customer-visible copy of the summary as the billing resolution note (existing private note left as-is per Howard).
## Configuration Changes
- `clients/cascades-tucson/session-logs/2026-06-05-howard-cascades-entra-ticket-billing.md` — created (this log).
- No repo code/config changes. All changes were Syncro records (below).
## Credentials & Secrets
None discovered or created. Syncro per-user API key for Howard (user_id 1750) read from the baked-in skill key map; vault backup at `msp-tools/syncro-howard.sops.yaml`.
## Infrastructure & Servers
- Syncro PSA API base: `https://computerguru.syncromsp.com/api/v1` (query-param auth)
- Cascades of Tucson customer id: 20149445 (prepaid)
- Discord #bot-alerts via `.claude/scripts/post-bot-alert.sh`
## Commands & Outputs
- `GET /tickets/110680053` — status Resolved; 6 line items dated 5/20-5/29; note 417580711 present (internal).
- `GET /customers/20149445` — prepay_hours 15.75 (before), 8.75 (after).
- `POST /tickets/110680053/comment` — resolution note id 417582473 (hidden:false, do_not_email:true; do_not_email echoes null — known Syncro quirk), body 3122 chars.
- `POST /tickets/110680053/add_line_item` — line id 42750851, product 26118 "Labor - Onsite Business", qty 7.0, price_retail 175.0, taxable false, user_id 1750.
- `POST /invoices` {ticket_id, customer_id} — invoice id 1650592886, number 67782, total 0.0.
- `PUT /tickets/110680053` {status:"Invoiced"} — status Invoiced.
- `post-bot-alert.sh` — posted (message_id 1512639173541105784).
## Pending / Incomplete Tasks
- Billing on #32303 for 6/4-6/5 is complete. No further billing action.
- Field follow-ups (tracked in the main 2026-06-05 Cascades log, not billing): reboot NURSESTATION to verify lock@3min / 90s warning / sign-out@15min / never-sleep; Howard to lower ALIS app timeout 20->15; Monday cutover of real caregiver/medtech users one at a time; Microsoft case for tenant-wide `INTUNE_A PendingInput`.
## Reference Information
- Ticket: #32303 / internal 110680053 — https://computerguru.syncromsp.com/tickets/110680053
- Resolution note (this session): comment 417582473 (customer-visible)
- Existing internal work-summary note: comment 417580711 (hidden, untouched)
- Line item: 42750851 (7.0h onsite @ $175)
- Invoice: #67782 / id 1650592886 ($0.00, prepaid)
- Prepay block: 15.75 -> 8.75 hrs
- Prior ticket invoices: #67633, 67642, 67645, 67647, 67664, 67677 (through 5/29)
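Review bot: the `POST /tickets/110680053/comment` entry records `do_not_email:true` but notes the response echoed `do_not_email` as null, and nothing else in the log confirms the customer-visible resolution note did not go out by email; since avoiding a surprise customer email is the stated reason for that flag in Key Decisions, the Commands & Outputs section should record how this was verified (for example from the ticket's communication history) or list it as unverified under Pending / Incomplete Tasks. The same note is the full 6/4-6/5 internal work summary re-posted customer-visible (3122 chars), so the log should also state that it was checked for internal-only details before posting. Two smaller points in Credentials & Secrets and Infrastructure: the per-user API key is read from a "baked-in skill key map" with the sops file only as backup, which makes the skill itself a plaintext copy of the secret that deserves the same handling as the vault; and the API base is documented as query-param auth, which places the key in request URLs that proxies and HTTP logs commonly capture, so any captured command lines or URLs from this session should be treated as sensitive.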

View File

@@ -3,7 +3,7 @@ type: client
name: cascades-tucson
display_name: Cascades of Tucson
last_compiled: 2026-06-05
compiled_by: GURU-BEAST-ROG/claude-main
compiled_by: HOWARD-HOME/claude-main
sources:
- session-logs/2026-03-24-session.md
- session-logs/2026-03-31-session.md
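Review bot: replacing `compiled_by: GURU-BEAST-ROG/claude-main` with `compiled_by: HOWARD-HOME/claude-main` while `last_compiled: 2026-06-05` stays identical discards the provenance of the earlier same-day compile, so the header can no longer distinguish the two compiles. If compiles from different machines on one day are expected (this commit is itself an auto-sync from HOWARD-HOME), consider recording `compiled_by` as a list or adding a compile timestamp next to the date.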
@@ -37,6 +37,7 @@ sources:
- clients/cascades-tucson/session-logs/2026-06-04-howard-caregiver-laptop-enrollment.md
- clients/cascades-tucson/session-logs/2026-06-04-session.md
- clients/cascades-tucson/session-logs/2026-06-05-session.md
- clients/cascades-tucson/session-logs/2026-06-05-howard-cascades-entra-ticket-billing.md
- clients/cascades-tucson/docs/overview.md
- clients/cascades-tucson/docs/network/topology.md
- clients/cascades-tucson/docs/network/vlans.md
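Review bot: the new `sources:` entry uses the repo-relative form `clients/cascades-tucson/session-logs/...`, matching the 2026-06-04 and 2026-06-05 entries above it, while the earlier entries in the same list use the folder-relative form `session-logs/2026-03-24-session.md`; two path conventions in one list resolve differently for any link checker such as the `/wiki-lint` pass mentioned in the index file, so settle on one form for the whole list.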
@@ -88,11 +89,11 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- **Hybrid join proven on NURSESTATION-PC** (2026-06-05): SCP written (`ConfigureSCP.ps1`), `OU=Caregiver Devices,OU=Staff PCs,OU=Workstations` added to Entra Connect sync scope → device synced to Entra as `trustType: ServerAd`, `dsregcmd` shows AzureAdJoined+DomainJoined YES, pilot.test gets `AzureAdPrt: YES`. On hybrid-joined machines `Ngc PreReqResult: WillNotProvision` (PolicyEnabled NO) → **Windows Hello does not auto-provision** (no Hello popup) — exactly what shared caregiver devices need, so no separate Hello-disable step.
- **Device control is one-at-a-time:** caregiver machine computer objects are moved into `OU=Caregiver Devices` (only that OU is in sync scope) and into a location group `SG-PC-MainTower` or `SG-PC-MemoryCare`. Add a device = move it into the OU + correct location group.
- **App + printer delivery GPO `CSC - Caregiver Workstation`** (`{3B5CD9A6-A278-4676-A9FD-9396D21A8261}`, User-config GPP) — **BUILT + VALIDATED on NURSESTATION as pilot.test (2026-06-05).** Linked at `OU=Caregivers,OU=Departments`; security filter = `SG-Caregivers-Test` (Apply, pilot.test only) + Authenticated Users (Read, for MS16-072). Go-live = swap filter to `SG-Caregivers`. Contents: 3 desktop shortcuts — ALIS, LinkRx, **Helpany** (`https://app.safe-living.com/login` — named "Helpany," the brand caregivers know) — + 6 `\\CS-SERVER` shared printers (NursesPrinter, HealthServices, MCMedTech, MCReception, MCDirector, CopyRoom) with **default printer by device location** (Nurses for `SG-PC-MainTower`, MC MedTech for `SG-PC-MemoryCare`, computer-context ILT) + HKCU `LegacyDefaultPrinterMode=1` so the default sticks. Build scripts: `clients/cascades-tucson/scripts/build-caregiver-gpo.ps1` + `link-caregiver-gpo.ps1`. NOTE: the domain-wide `CSC - Printer Deployment` GPO is intentionally disabled (empty CSE / version 0) and is **not** to be used — reference only.
- **Device lockdown GPO `CSC - Caregiver Device Lockdown`** (computer-side, links to `OU=Caregiver Devices`) — **DESIGNED + SCRIPTED, NOT YET DEPLOYED.** Auto-logoff is a HIPAA requirement (§164.312(a)(2)(iii)) for shared PHI devices. Settings (Howard): screen **lock at 3 min**, **auto sign-out at 15 min** total idle, **90-second warning** before sign-out, **never sleep** (display off 10 min). Delivered via a computer **startup script** (`caregiver-lockdown.ps1`) that sets `InactivityTimeoutSecs=180`, powercfg, and registers a logon-triggered scheduled task running an idle monitor (`GetLastInputInfo``msg.exe` warning at 13.5 min → `shutdown /l` at 15 min) in each caregiver's session. Deploy script: `deploy-device-lockdown-gpo.ps1`. **Companion:** ALIS app session timeout being lowered 20→15 min (Howard, in ALIS admin) to match. **Blocked 2026-06-05:** RMM dispatch from HOWARD-HOME failed (curl "Permission denied" — AV blocking curl.exe; then RMM API 500 on the ~13 KB payload via Invoke-RestMethod). Retry: run the deploy script directly on CS-SERVER, or from another workstation. Lock/logoff are **device-level** (affect any user on the device, not just pilot.test).
- **Device lockdown GPO `CSC - Caregiver Device Lockdown`** (`{E6174988-2721-4D96-ADF5-F5BB44E92769}`, computer-only, linked to `OU=Caregiver Devices`) — **DEPLOYED 2026-06-05.** Auto-logoff is a HIPAA requirement (§164.312(a)(2)(iii)) for shared PHI devices. Settings (Howard): screen **lock at 3 min**, **auto sign-out at 15 min** total idle, **90-second warning** before sign-out, **never sleep** (display off 10 min). Delivered via a computer **startup script** (`caregiver-lockdown.ps1`, in SYSVOL) that sets `InactivityTimeoutSecs=180`, powercfg, and registers a logon-triggered scheduled task running an idle monitor (`GetLastInputInfo``msg.exe` warning at 13.5 min → `shutdown /l` at 15 min) in each caregiver's session. Deploy script: `deploy-device-lockdown-gpo.ps1`. **Startup scripts run at boot — NURSESTATION must reboot** to activate lock@3min / 90s warning / sign-out@15min / never-sleep (not yet verified). **Companion:** ALIS app session timeout 20→15 min (Howard, ALIS admin) **PENDING.** Lock/logoff are **device-level** (affect any user on the device in `OU=Caregiver Devices`).
### Status (as of 2026-06-05)
- **Proven working end-to-end on a hybrid-joined desktop (NURSESTATION + pilot.test):** caregiver lockdown (CA off-network block + device allow-list) **and** silent ALIS SSO. The allow-list policy `1b7fd025` carries NURSESTATION's current deviceId `d3bf931f-f128-4261-8398-b46c34a4b342` (the old Entra-joined id `e16c4af5` is stale/deleted) and the device is tagged `extensionAttribute1=CSCCaregiverDevice`.
- **In progress:** `CSC - Caregiver Workstation` GPO (shortcuts + printers + LegacyDefaultPrinterMode) is **built and validated** on the test rig. Still to do: **deploy `CSC - Caregiver Device Lockdown`** (lock/auto-logoff — blocked on an RMM-dispatch issue, retry direct on CS-SERVER); lower ALIS timeout to 15 min; then promote both the GPO filter and the CA allow-list from the test groups to `SG-Caregivers`, moving real machines in one at a time.
- **GPOs DEPLOYED:** `CSC - Caregiver Workstation` (shortcuts + printers + LegacyDefaultPrinterMode, `{3B5CD9A6-A278-4676-A9FD-9396D21A8261}`) **built and validated on pilot.test.** `CSC - Caregiver Device Lockdown` (`{E6174988-2721-4D96-ADF5-F5BB44E92769}`) **deployed to `OU=Caregiver Devices` 2026-06-05** — takes effect on next NURSESTATION reboot (verify lock@3min, 90s warning, sign-out@15min). **Monday go-live:** swap GPO filter `SG-Caregivers-Test``SG-Caregivers`; CA allow-list test group `SG-Caregivers`; move real caregiver machines into `OU=Caregiver Devices` + correct `SG-PC-*` location group one at a time; ALIS email-match the 38 caregivers + medtechs. **Still pending:** lower ALIS app timeout 20→15 min (Howard, ALIS admin); reboot NURSESTATION to verify lockdown.
- **Independent open item:** Microsoft case for `INTUNE_A PendingInput` — does NOT block caregiver access (hybrid+GPO path replaces the Intune dependency).
---
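Review bot: the idle monitor in `CSC - Caregiver Device Lockdown` is described as a logon-triggered scheduled task that runs `GetLastInputInfo`, the `msg.exe` warning and `shutdown /l` inside each caregiver's session; a process running in the user's own session can normally be ended by that user, so the 15-minute auto sign-out is only as strong as whatever prevents a caregiver from killing that task, and the HIPAA justification (§164.312(a)(2)(iii)) should name that control or the monitor should run in a context the user cannot stop (the 3-minute lock via `InactivityTimeoutSecs=180` is machine policy and does not share this weakness). Also, the replaced line's diagnosis that the RMM dispatch from HOWARD-HOME failed because AV blocked `curl.exe` and the RMM API returned 500 on the ~13 KB payload via Invoke-RestMethod is dropped from the new line; that is a standing environment fact worth keeping in a Problems or Notes entry even though the deployment later succeeded from elsewhere.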
@@ -112,10 +113,10 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- Shelby Trozzi — MemCare Director (MDIRECTOR-PC)
- Chris Knight — staff; chris.knight@cascadestucson.com (alias: c.knight@cascadestucson.com); bill.com and BOK Financial recipient (issue investigated 2026-06-04)
- **Billing rate:** $175/hr all labor (prepaid block customer)
- **Hours remaining:** 15.75 hrs as of 2026-06-04 (after tickets #32381 0.5h onsite, #32382 1.5h onsite, #32383 1.5h remote billed 2026-06-04). Always live-check via `GET /customers/20149445` before billing — balance is unreliable across sessions.
- **Hours remaining:** 8.75 hrs as of 2026-06-05 (after 7.0h onsite billed 2026-06-05 on ticket #32303, invoice #67782 $0.00 prepaid; prior balance was 15.75 after 2026-06-04 billing). Always live-check via `GET /customers/20149445` before billing — balance is unreliable across sessions.
- **Syncro customer ID:** 20149445
- **Active tickets:**
- #110680053 — Dept-by-dept domain migration (primary active project; plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`)
- #110680053 / #32303 — Entra / domain migration project ("Domain setup-entra sync"). Status: **Invoiced** as of 2026-06-05. Latest billing: 7.0h onsite 2026-06-05, invoice #67782 ($0.00 prepaid). Monday caregiver cutover will generate further work on this ticket. Plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`
- #109412123 — Entra setup project (may be invoiced as of 2026-05-18; verify status)
- #109035475 — John Trozzi desktop WiFi upgrade (billed)
- #32370 — eFax setup on Karen's and Christin's machines + portable scanner setup on both (Howard onsite; no appointment scheduled yet; ticket open/pending 2026-06-02)
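Review bot: the Active tickets list mixes identifier forms: the updated entry reads `#110680053 / #32303`, where the session log states 110680053 is the Syncro internal id and 32303 the ticket number, while the next two entries (`#109412123`, `#109035475`) put a `#` prefix on what appear to be internal ids and `#32370` is a ticket number; a lookup by "#number" will fail for half the list, so label each form explicitly (e.g. "ticket #32303 / id 110680053") as the session log's Reference Information section does. Also `#109412123 — Entra setup project (may be invoiced as of 2026-05-18; verify status)` is left unchanged although this session performed live Syncro reads; one `GET /tickets/...` on that id would have closed a stale item that has now survived several compiles.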
@@ -264,7 +265,7 @@ Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingIn
- **User<->computer map source:** Syncro `kabuto_information.last_user` (GuruRMM does not expose logged-in user). DuPras=ALASSIST-PC, Lois Lane=DESKTOP-KQSL232, Karen Rossini=DESKTOP-LPOPV30, shared medtech=ASSISTNURSE-PC, shared MemCare reception=MEMRECEPT-PC (excluded from caregiver allow-list, receptionist-only). CONTEXT.md GuruRMM roster stale (27->32) — refresh pending.
- **Caregiver desktop app shortcuts:** ALIS (`https://cascadestucson.alisonline.com`), LinkRx (`https://pharmcare.linkrxnow.com/`), HelpAny (`https://app.safe-living.com/login`) — deploy via a Public-Desktop PowerShell script launching Edge `--app` mode (preserves SSO device-claim), pushed via GuruRMM to the 6 caregiver machines.
- **Login UX:** Entra/Microsoft sign-in (and ALIS SSO) requires the full UPN — no bare-username option for cloud accounts. Minimize typing via Windows Hello PIN on laptops + silent ALIS SSO once signed in; pursue ALIS Login PINs (Medtelligent limited-release).
- **Caregiver test rig (2026-06-05, in progress):** Phased-test infra before promoting to all caregivers. `SG-Caregivers-DeviceTest` (`db5849ec`, USERS) carries the full caregiver rule set (off-network block + sign-in-freq + allow-list, excluded from compliance-block); `Cascades - Caregiver Devices` (`02c6f698`, STATIC devices) targets Intune profiles (NURSESTATION only for now); `SG-Intune-Enrollment` (`13d94f6e`, holds devices@) scopes MDM auto-enroll. Test acct `pilot.test@cascadestucson.com` (`d26e0e5a`, Business Premium, ephemeral). Intune profiles on the device group: idle-lock 5min + disable-WHfB (OMA-URI); Shared PC Mode deferred to portal. NURSESTATION-PC un-joined domain + Entra-joined (Win11 25H2) + tagged, NOT yet Intune-enrolled (MDM scope is a portal toggle). **PROVEN 2026-06-05:** pilot.test on NURSESTATION-PC -> ALIS opened via SSO with lockdown holding (off-network blocked, only allow-listed device passes). ALIS first threw CA 53003 because the `extensionAttribute1` tag takes >70 min to propagate into CA's device-filter cache; fixed by adding NURSESTATION's **deviceId** directly to the allow-list rule (immediate, lag-free) — for the small caregiver device set, **deviceId matching is the reliable lever**. **Open:** Intune enrollment blocked — `INTUNE_A` service plan is `PendingInput` (not provisioned) on the newly-licensed accounts (devices@, pilot.test); established users fine. A device can't enroll through an account whose Intune plan isn't active. Re-kicked devices@'s Business Premium license to force re-provisioning; re-check for `Success`. Until enrolled, the scoped disable-Hello/Shared-PC profiles can't apply (Hello prompt is dismissible meanwhile; tenant WHfB left `notConfigured` so office users keep PIN+Authenticator). Windows shared-device UX differs from phone SDM. Promotion: once enrolled+validated, point allow-list at SG-Caregivers (prefer deviceId list) + disable compliance-block.
- **Caregiver test rig (2026-06-05, validated):** Phased-test infra before promoting to all caregivers. `SG-Caregivers-DeviceTest` (`db5849ec`, USERS) carries the full caregiver rule set (off-network block + sign-in-freq + allow-list, excluded from compliance-block); `Cascades - Caregiver Devices` (`02c6f698`, STATIC devices) targets Intune profiles (NURSESTATION only for now); `SG-Intune-Enrollment` (`13d94f6e`, holds devices@) scopes MDM auto-enroll. Test acct `pilot.test@cascadestucson.com` (`d26e0e5a`, Business Premium, ephemeral). NURSESTATION-PC is **Hybrid Entra Joined** (re-domain-joined Win11 25H2; new deviceId `d3bf931f-f128-4261-8398-b46c34a4b342`, object id `de199a15-3f5d-4da3-8b17-3faade7f7dad`, trustType `ServerAd`). Intune profiles (idle-lock 5min + disable-WHfB OMA-URI) assigned to device group but **NOT yet applied**`INTUNE_A: PendingInput` tenant-wide blocks enrollment on newly-licensed accounts (devices@, pilot.test); MS case open; does NOT block caregiver access (GPO path used instead). **PROVEN 2026-06-05:** pilot.test on NURSESTATION-PC -> ALIS opened via SSO with lockdown holding (off-network blocked, only allow-listed device passes). ALIS first threw CA 53003 because the `extensionAttribute1` tag takes >70 min to propagate into CA's device-filter cache; fixed by adding NURSESTATION's **deviceId** directly to the allow-list rule (immediate, lag-free) — for the small caregiver device set, **deviceId matching is the reliable lever**. Windows Hello does NOT auto-provision on hybrid-joined machines (`WillNotProvision: PolicyEnabled NO`). **GPOs deployed 2026-06-05:** `CSC - Caregiver Workstation` validated on pilot.test; `CSC - Caregiver Device Lockdown` deployed to `OU=Caregiver Devices` (activates on reboot). **Monday go-live:** promote allow-list + GPO filter from test group to `SG-Caregivers`; disable compliance-block; move real machines in one at a time.
- **Threat model (confirmed 2026-06-05):** off-network + device allow-list specifically defeats remote credential abuse (hacker / bad employee from home) — stolen caregiver creds unusable off-site/off-device because CA blocks the cloud sign-in before ALIS/email. Risk-based MFA policies are inert (tenant has no Identity Protection P2 license).
- **GDAP exclusion:** CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover.
- **Pilot cleanup required when done:** Delete `pilot.test@cascadestucson.com`, clean up `howard.enos@cascadestucson.com`, remove `SG-Caregivers-Pilot` from CA policy targets and delete the group. Source: `project_cascades_pilot_cleanup.md`.
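Review bot: the updated test-rig entry makes deviceId matching "the reliable lever" for the CA allow-list, and the same file records that re-domain-joining NURSESTATION produced a new deviceId (`d3bf931f-...`) with the old Entra-joined id `e16c4af5` now stale/deleted; that means any re-join or re-image of a caregiver machine silently drops it from the allow-list while the dead id lingers in the rule. The "add a device = move it into the OU + correct location group" procedure in the section above and the Monday go-live step should therefore include updating the allow-list deviceId list and pruning ids that no longer exist in Entra. Separately, the go-live phrase "disable compliance-block" should name the policy being disabled and state why that is acceptable while Intune enrollment is blocked by `INTUNE_A: PendingInput`, since that step removes a control rather than adding one.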
@@ -324,7 +325,7 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #
- Audit retention infra: not built
- RECEPTIONIST-PC GuruRMM agent (9c91d324): flaky WebSocket, lagging fleet
- Entra Connect: OU=Administrative not yet in sync scope; UPN suffix updates for that OU pending
- NURSESTATION-PC: auto-lock GPO (HIPAA, ~10 min idle) not yet applied
- NURSESTATION-PC: reboot required to activate `CSC - Caregiver Device Lockdown` GPO (deployed 2026-06-05, linked to `OU=Caregiver Devices`; startup script runs at boot — verify lock@3min, 90s warning, sign-out@15min, never-sleep)
- #32370 (open): Howard onsite — eFax setup on Karen's and Christin's machines; portable scanner setup on both. No appointment scheduled as of 2026-06-02.
- #32383 (open — pending customer action): bill.com email delivery for Chris Knight. Cascades must CALL bill.com support to update account email to `chris.knight@cascadestucson.com` AND clear it from the SendGrid suppression list (cannot be done via web UI). BOK side near-resolved (address corrected; Chris to complete registration). Ticket logged 2026-06-04; investigation billed 1.5h remote.
- Caregiver device allow-list: 4 laptops need Entra-join + Intune-enroll + `extensionAttribute1` tagging before cutover (see Patterns section)
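Review bot: the last item, `Caregiver device allow-list: 4 laptops need Entra-join + Intune-enroll + extensionAttribute1 tagging before cutover`, is left unchanged but now contradicts the updated Patterns entry in this same commit, which states the Intune path is blocked tenant-wide, the hybrid-join + GPO path is used instead, and deviceId matching rather than the `extensionAttribute1` tag is the reliable allow-list lever; rewrite the item around the hybrid-join + deviceId procedure so the open-items list does not send someone down the abandoned path.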
@@ -362,18 +363,18 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #
| 2026-05-26 | Access control vendor meeting onsite (ticket #32324). 0.5h Howard + 0.5h Mike billed against prepaid block. Block at 28.0h. Remote diagnosis of UniFi controller confirmed impossible (no Tailscale route, GuruRMM WebSocket-only, pfSense SSH blocked). |
| 2026-06-03 | ALIS AADSTS65001 diagnosed and resolved: granted tenant-wide admin consent (`AllPrincipals` `User.Read`) on ALIS SP `e1cae4ad`. Caregiver device allow-list CA policy created in report-only (`CSC - Caregivers: allow-listed devices only (REPORT-ONLY)`, id `1b7fd025`). Allow-list = CSC- phones + 5 tagged devices (NURSESTATION-PC, Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8). Cutover pending laptop Intune enrollment + validation. Three existing enforced caregiver CA policies left untouched. |
| 2026-06-04 | Three same-day tickets: #32381 Tamra scanner (0.5h onsite), #32382 Megan file access (1.5h onsite), #32383 Chris Knight bill.com/BOK email delivery (1.5h remote). Chris Knight mailbox investigation: full EXO/EOP/quarantine/message trace analysis — no tenant config issues found. No Inky in tenant (confirmed). bill.com delivering to other users; zero delivery to chris.knight/c.knight in 90 days. Root cause: wrong address in bill.com/BOK backends + SendGrid suppression on bill.com side. BOK resolved by correcting email in portal (delivery within minutes). bill.com fix requires support call. Resolved externally by Howard; no tenant config changes needed. EXO access token auth method documented (cert not in BEAST cert store). Prepay block: 17.25 → 15.75 hrs. |
| 2026-06-05 | NURSESTATION-PC localadmin login-screen issue: diagnosed as `SpecialAccounts\UserList` hide (`localadmin=0`) — account was already enabled and in Administrators; removed the registry value via RMM (agent `f5a89784-834f-47b1-82e2-7e3e9dd337ff`); account will appear after sign-out/reboot. Vault hygiene: `sysadmin@` GA (object id `471b13dc-3cf8-416b-a132-f5f3bc8d1cc8`) password rotated by Mike 2026-06-04 and vaulted by Howard 2026-06-05 (`clients/cascades-tucson/m365-sysadmin.sops.yaml`). Voice MFA scoped group created: "MFA - Voice Call Scoped (sysadmin)" (`304f941e-3594-4705-b8e6-ee676297df11`), single member `sysadmin@`; Voice method enabled scoped to that group (tenant-wide voice still disabled); `alternateMobile` updated to +1 520-585-1310 (Howard; was +1 520-331-5551). |
| 2026-06-05 | NURSESTATION-PC localadmin login-screen issue: `SpecialAccounts\UserList` hide (`localadmin=0`) — removed via RMM (agent `f5a89784`); account was already enabled + admin. Vault hygiene: `sysadmin@` GA password vaulted (`clients/cascades-tucson/m365-sysadmin.sops.yaml`); voice MFA scoped group "MFA - Voice Call Scoped (sysadmin)" (`304f941e`) created; `alternateMobile` updated to +1 520-585-1310 (Howard). Caregiver test rig built: `SG-Caregivers-DeviceTest` (`db5849ec`, full rule set), `Cascades - Caregiver Devices` (`02c6f698`, static), `SG-Intune-Enrollment` (`13d94f6e`), `pilot.test@cascadestucson.com` (`d26e0e5a`, ephemeral). Hybrid Entra Join enabled in Entra Connect (SCP `ConfigureSCP.ps1`; `OU=Caregiver Devices` added to sync scope). NURSESTATION re-domain-joined (Win11 25H2) + hybrid-registered as `trustType: ServerAd`, new deviceId `d3bf931f-f128-4261-8398-b46c34a4b342` (object `de199a15`). Caregiver access model proven end-to-end on desktop: pilot.test + NURSESTATION — ALIS via silent SSO, CA off-network block + device allow-list holding. CA 53003 on `extensionAttribute1` tag lag (>70 min); resolved by adding deviceId directly to allow-list rule (immediate). Windows Hello does NOT auto-provision on hybrid-joined machines (`WillNotProvision: PolicyEnabled NO`). GPO `CSC - Caregiver Workstation` (`{3B5CD9A6-A278-4676-A9FD-9396D21A8261}`, User config GPP): 3 desktop shortcuts (ALIS, LinkRx, Helpany) + 6 `\\CS-SERVER\` printers with location-based default (Nurses for `SG-PC-MainTower`, MCMedTech for `SG-PC-MemoryCare`, computer-context ILT) + `LegacyDefaultPrinterMode=1` — built, linked at `OU=Caregivers`, security-filtered to `SG-Caregivers-Test` (pilot.test only), validated on NURSESTATION. 
GPO `CSC - Caregiver Device Lockdown` (`{E6174988-2721-4D96-ADF5-F5BB44E92769}`, computer-only): startup script (lock 3 min / auto sign-out 15 min / 90s warning / never sleep) + psscripts.ini in SYSVOL — deployed + linked at `OU=Caregiver Devices` (takes effect on next NURSESTATION reboot). Intune enrollment blocked tenant-wide (`INTUNE_A: PendingInput` on newly-licensed accounts); MS case open; GPO path used instead. Ticket #32303 billing reconciliation: work summary posted as customer-visible resolution note (comment 417582473); 7.0h onsite line item (42750851) + invoice #67782 ($0.00 prepaid); prepay block 15.75 → 8.75 hrs; ticket status → Invoiced. |
---
## Compilation Notes
**Session logs read:** 25 root session logs + client-specific logs in `clients/cascades-tucson/session-logs/` + 7 memory files + 5 structured docs. Date range: 2026-03-06 through 2026-06-05.
**Session logs read:** 25 root session logs + client-specific logs in `clients/cascades-tucson/session-logs/` (through 2026-06-05-howard-cascades-entra-ticket-billing.md) + 7 memory files + 5 structured docs. Date range: 2026-03-06 through 2026-06-05.
**Client folder:** `clients/cascades-tucson/` (NOT `clients/cascades/` — that directory does not exist).
**Open items flagged as unverified:**
- Hour balance — always live-check; treat cached counts as approximate (15.75 hrs derived from session log; not a live Syncro pull)
- Hour balance — always live-check; treat cached counts as approximate (8.75 hrs derived from billing session log 2026-06-05; not a live Syncro pull)
- Break-glass accounts + YubiKeys — confirmed not created as of 2026-05-27; YubiKey arrival unconfirmed
- Audit retention infra — approved 2026-04-29, not yet built
- dunedolly21@gmail.com guest invite — confirm with Lauren
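Review bot: the new 2026-06-05 timeline row is broken across two lines (the line ending `validated on NURSESTATION. ` and the following line that starts `GPO \`CSC - Caregiver Device Lockdown\`` and carries the closing `|`); a Markdown table row cannot span lines, so the second half will render as a stray paragraph outside the table. Join the row onto one line, or split it into two rows with their own date cells. Separately, the unverified-items bullet now reads `8.75 hrs derived from billing session log 2026-06-05; not a live Syncro pull`, but the session log being compiled records `GET /customers/20149445 — prepay_hours 15.75 (before), 8.75 (after)`, which is a live pull; either mark the balance as live-confirmed at that timestamp or explain why it is still treated as derived. The row also carries the `sysadmin@` recovery number (+1 520-585-1310) next to the vault path; that is an MFA-recovery detail, so consider whether it belongs in the compiled wiki rather than only in the vault.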
@@ -386,6 +387,9 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #
- DMARC — confirmed upgraded to p=quarantine;pct=100
- ALIS AADSTS65001 sign-in failures — resolved 2026-06-03 by granting admin consent
- BOK Financial email delivery for Chris Knight — resolved 2026-06-04 by correcting email in BOK portal (bill.com side still requires support call); no tenant config changes needed
- `CSC - Caregiver Device Lockdown` GPO — deployed 2026-06-05 (was blocked/pending in prior compile)
- Hybrid Entra Join on NURSESTATION-PC — proven 2026-06-05; Intune-to-GPO pivot complete; full caregiver desktop access model validated end-to-end
- Ticket #32303 billing — 7.0h billed 2026-06-05, invoice #67782 ($0.00 prepaid); prepay block 15.75 → 8.75 hrs; ticket status Invoiced
## Backlinks
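Review bot: the added `CSC - Caregiver Device Lockdown` GPO — deployed 2026-06-05 line sits in a list whose neighbouring entries are marked resolved, yet this same commit's Open Items and Status sections say the startup script only runs at boot and that lock@3min / 90s warning / sign-out@15min are not yet verified pending a NURSESTATION reboot; record it here as deployed-unverified (or leave it in open items) so the HIPAA auto-logoff control is not treated as done before the check. The `Hybrid Entra Join ... full caregiver desktop access model validated end-to-end` line should likewise say the validation covers pilot.test on NURSESTATION only, as the Status section does, since the real caregiver cutover is still a Monday task.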

View File

@@ -18,7 +18,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| Article | Summary | Last Compiled |
|---|---|---|
| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, 15.75 hrs remaining; senior living; active domain migration + HIPAA compliance project; single DC on aging R610 hardware; ALIS admin consent granted 2026-06-03 (resolved AADSTS65001); caregiver device allow-list CA policy staged (report-only); open ticket #32370 (eFax + scanner onsite); no Inky in tenant; #32383 bill.com/BOK email delivery — chris.knight issue resolved externally 2026-06-04 (sender-side; bill.com support call still pending); 2026-06-05: NURSESTATION-PC SpecialAccounts\UserList hide fixed (localadmin=0 removed); sysadmin@ GA password vaulted; voice MFA scoped group created (304f941e) | 2026-06-05 |
| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, **8.75 hrs remaining**; senior living; active domain migration + HIPAA compliance project; single DC on aging R610 hardware; caregiver restricted-access model PROVEN 2026-06-05: Hybrid Entra Join + CA allow-list + ALIS SSO validated on NURSESTATION-PC/pilot.test; GPO `CSC - Caregiver Workstation` (shortcuts + printers) built + validated; GPO `CSC - Caregiver Device Lockdown` deployed (HIPAA auto-logoff, activates on reboot); INTUNE_A PendingInput tenant-wide (MS case open; GPO path used instead); ticket #32303 Invoiced (7.0h onsite 2026-06-05, invoice #67782); Monday cutover to real caregivers pending; open ticket #32370 (eFax + scanner); bill.com support call still pending for chris.knight | 2026-06-05 |
| [Dataforth Corporation](clients/dataforth.md) | Prepaid block ~$2,099/mo, 34.5 hrs remaining; signal conditioning manufacturer; 64 DOS test stations; 2025 crypto attack recovery + incomplete restore (files dropped across shares — migration-gap audit in progress); 2026-03-27 phishing incident + MFA rollout; active test datasheet pipeline project; Neptune Exchange colocated at D2; 2026-06-04 SP1366 file recovery (19/20 PDFs restored from HGHAUBNER pre-attack backup); GuruRMM fleet 13→45 agents; 2026-06-02 Syncro asset reconciliation (78→20 keep/21 flag/28 remove/9 verify); fleet-wide Syncro agent break ~2025-10-06; Bitdefender phase-off in progress | 2026-06-04 |
| [Instrumental Music Center](clients/instrumental-music-center.md) | Prepaid block $175/hr, 12.5 hrs remaining; music retail/repair; AIMsi POS on SQL Server 2019; phantom DC causing slow logons; GuruRMM enrolled (IMC1) | 2026-05-24 |
| [Valley Wide Plastering](clients/valleywide.md) | Prepaid block, 10 hrs remaining; plastering/stucco contractor; HP DL360 Gen10 + XenServer; VB6 app modernization project; RDWeb brute-force incident; 11 Yealink phones pending | 2026-05-24 |
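Review bot: the rewritten Cascades summary cell drops three security-relevant standing facts that the previous cell carried: the voice-call MFA method enabled and scoped to the `sysadmin@` GA account via group 304f941e (a tenant-wide-disabled method re-enabled for one privileged account is exactly the kind of exception an index should surface), the `sysadmin@` GA password vaulting, and the `SpecialAccounts\UserList` fix on NURSESTATION-PC. A summary cell should favour durable state over the latest project news, so keep at least the MFA exception; the `**8.75 hrs remaining**` bold also departs from the plain-text convention the other rows use for the hours figure.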