sync: auto-sync from HOWARD-HOME at 2026-06-29 22:26:40
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-29 22:26:40
@@ -115,3 +115,91 @@ Howard provided the Syncro ticket the Carrie-machine work will be billed to once
|
||||
**#32368 (id 111999527)** — Rednour Law. Confirmed read-only that it belongs to customer
|
||||
1224246 and matches the scope (new central-hub/file-share machine for Carrie + reception
|
||||
upgrade). No billing entered yet — billing happens at completion, via `/syncro`.
|
||||
|
||||
## Update: ~22:30 PT — ROOT CAUSE FOUND + UPGRADE SUCCEEDED (live over GuruRMM)
|
||||
|
||||
**Outcome: REDNOURCARRIEVI (rednourcarrievirt) successfully upgraded to Windows 11 25H2
|
||||
(build 26200).** Root cause of the prior failures: a **corrupt Win11 install image**.
|
||||
|
||||
### GuruRMM IS working for Rednour (correcting earlier session note)
|
||||
Contrary to the earlier "RMM doesn't work for Rednour" note, the GuruRMM agent on this box
|
||||
(`8e4e2221-7e2a-4a6f-9eda-864568539961`, hostname `rednourcarrievirt`, agent v0.6.66) is
|
||||
**online and executing commands fine**. All diagnosis below was done live over `/rmm`. The
|
||||
agent record's `is_connected` field returns null, but `status` = "online" and commands
|
||||
complete exit 0. (The earlier "RMM didn't work" likely referred to the Mac enrollment issue,
|
||||
not this Windows box.) The client filter on `/api/agents` uses `client_name == "Rednour Law
|
||||
Offices"` (not "rednour") — search by hostname.
|
||||
|
||||
### Root cause (from setuperr.log, pulled live)
|
||||
The `0x8007000D` SAFE_OS error is only the final rollup. The real, upstream error:
|
||||
```
|
||||
SPWIMCallback: Error in apply of ...\WinSxS\...kernelstreaming...10.0.26100.6584...\ks.sys.
|
||||
GLE [1392] <- ERROR_FILE_CORRUPT
|
||||
CApplyWIM: Failure while applying image 6 for <Install.wim>. Error 0x80070570
|
||||
-> Operation failed -> Failed execution phase Safe OS. Error: 0x8007000D
|
||||
```
|
||||
`ks.sys` (kernel-streaming driver) failed to decompress from the WIM with
|
||||
`ERROR_FILE_CORRUPT` — deterministically, the SAME file every attempt.
|
||||
|
||||
### How it was proven (not guessing)
|
||||
1. First attempt's media was under `C:\Users\Carrie\OneDrive - Rednour Law\Desktop\...` — the
|
||||
`Install.wim` there threw `0x80070780` (ERROR_CANT_ACCESS_FILE) because OneDrive served a
|
||||
cloud placeholder that WinPE/SAFE_OS (OneDrive not running) couldn't read. Howard MOVED the
|
||||
extracted folder to `C:\temp\Win11_25H2_English_x64` — fixed the access error but the
|
||||
`ks.sys` `0x80070570` corruption persisted (same bytes moved along).
|
||||
2. Hashed the extracted `install.wim`: SHA256
|
||||
`9AD2EF7251AED36BCF5E36D4F067B5277C205ED02E3FDFA354069505214C7D54`.
|
||||
3. Mounted the original desktop `.iso` and hashed ITS `install.wim` (`F:\sources\install.wim`)
|
||||
= **identical hash** to the extracted copy. Identical bytes in both = the **download itself
|
||||
was corrupt**, not the extraction. Disk health checked: WD Green SN350 1TB SSD = Healthy/OK,
|
||||
so not a failing-disk read fault. Deterministic same-file CRC failure = bad source image.
|
||||
|
||||
### Fix
|
||||
Re-download via **Media Creation Tool** (validates its own download integrity). New media:
|
||||
`C:\temp\Windows.iso` (6.39 GB, ESD-based, mounted drive labeled `ESD-ISO`, uses
|
||||
`install.esd` not `install.wim`). Ran `setup.exe` from the mounted ISO. Watched live over RMM:
|
||||
down-level apply climbed 28%->36%->46%->50%->68% with NO `ks.sys`/`0x80070570` (all 3 prior
|
||||
attempts died at ~49%), rebooted into SAFE_OS, applied offline, booted into Win11.
|
||||
|
||||
### Post-upgrade verified state (build 26200 / 25H2)
|
||||
- OS: Windows 11 Pro, build 26200, DisplayVersion 25H2. Reboot pending: No. Setup running: No.
|
||||
- `C:\Windows.old` present -> 10-day rollback window (do NOT run Disk Cleanup until apps verified).
|
||||
- Datto AV (`EndpointProtectionService`) auto-restored Running after reboot.
|
||||
- Defender RTP = False -> EXPECTED, Datto AV is the registered primary AV on this box.
|
||||
|
||||
### "endpointprotection.exe" identification (Howard asked)
|
||||
The `endpointprotection` process in Task Manager =
|
||||
`C:\Program Files\infocyte\agent\dattoav\Endpoint Protection SDK\endpointprotection.exe`,
|
||||
service `EndpointProtectionService` ("Endpoint Protection Service", Auto/Running). It is
|
||||
**Datto AV** (the AV engine inside the Datto EDR/Infocyte agent) — ACG-managed, legitimate,
|
||||
not malware. Datto tenant azcomp4587. To pause for an upgrade: `Stop-Service
|
||||
EndpointProtectionService -Force` (Auto-start; returns on reboot).
|
||||
|
||||
## Key Decisions (this update)
|
||||
- Diagnosed entirely over GuruRMM rather than waiting for hands-on log retrieval, after
|
||||
confirming the agent executes commands on this box.
|
||||
- Hash-compared ISO vs extracted `install.wim` to decisively distinguish a corrupt DOWNLOAD
|
||||
from extraction corruption / failing hardware before recommending a 7 GB re-download.
|
||||
- Recommended Media Creation Tool (integrity-validated) over a plain browser ISO re-download to
|
||||
avoid another silently-corrupt image.
|
||||
- Did NOT unilaterally stop Datto AV mid-run — corrupt download was the proven cause, AV was
|
||||
secondary; flagged it instead.
|
||||
|
||||
## Problems Encountered (this update)
|
||||
- Win11 upgrade failed 3x at SAFE_OS/APPLY_IMAGE `0x8007000D`. Root cause = corrupt download
|
||||
(`ks.sys` `0x80070570`). Resolved with fresh Media Creation Tool media.
|
||||
- PowerShell variable-expansion trap: `"C:\$WINDOWS.~BT"` in a DOUBLE-quoted PS string expands
|
||||
`$WINDOWS` to empty -> `C:\.~BT`, so Test-Path falsely returned "folder gone." Fix: escape as
|
||||
`"C:\`$WINDOWS.~BT"` (backtick) or single-quote the path. (logged as friction)
|
||||
- Bash tool default timeout is 120000ms (2 min); long RMM watch loops got cut off twice until
|
||||
the `timeout` param was set to 600000.
|
||||
|
||||
## Update — Pending / Incomplete Tasks (supersedes earlier "tonight" plan)
|
||||
- [DONE] Win11 upgrade on Carrie's machine (build 26200/25H2).
|
||||
- Verify post-upgrade that the firm's SMB shares (`Documents`, Time Matters, Timeslips) and
|
||||
local accounts (`carrie`, `nick`, `emma`) survived the feature upgrade (sharing/firewall can
|
||||
reset). Nick's Mac mounts `smb://192.168.10.194/Documents`.
|
||||
- Confirm with Carrie that Time Matters / Timeslips / WordPerfect work on Win11 before the
|
||||
10-day `Windows.old` rollback window lapses (don't Disk-Cleanup it until then).
|
||||
- BILLING: enter labor on Syncro #32368 (id 111999527) via `/syncro` now that work is complete.
|
||||
- Optional: pause Datto AV (`EndpointProtectionService`) for any future feature upgrades.
|
||||
|
||||
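Review bot: Step 3 of "How it was proven" concludes the download was corrupt because the ISO's `install.wim` and the extracted copy share one SHA256, but a matching pair of hashes only rules out the extraction step; neither value is compared against a known-good reference. Suggest also recording the SHA256 of the original `.iso` file itself and comparing it with the hash listed by the download source, if one is published, so the "corrupt download" conclusion rests on a direct mismatch rather than on elimination. Separately, this auto-synced note commits the agent ID, the Datto tenant name, the file server's internal IP (`smb://192.168.10.194/Documents`) and the local account names in clear text; consider referring to the host by name only and keeping those identifiers in the ticket. The optional "pause Datto AV" task at the end also sits oddly next to the Key Decisions entry that AV was secondary to the proven cause, so either drop it or state what evidence would justify stopping the AV service during an upgrade.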