diff --git a/clients/cascades-tucson/session-logs/2026-06-05-session.md b/clients/cascades-tucson/session-logs/2026-06-05-session.md index 6b6a72c..35c6159 100644 --- a/clients/cascades-tucson/session-logs/2026-06-05-session.md +++ b/clients/cascades-tucson/session-logs/2026-06-05-session.md 
@@ -75,3 +75,56 @@ Third, added a code-delivery path for Howard on the same GA account. Reading the - Scoped Voice group: `304f941e-3594-4705-b8e6-ee676297df11` ("MFA - Voice Call Scoped (sysadmin)"). - Graph: `/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Voice`. - Remediation skill: `.claude/skills/remediation-tool/`; RMM skill: `.claude/commands/rmm` / `/rmm`. + +--- + +## Update: 11:16 MST — Caregiver restricted-access test setup (pilot.test + NURSESTATION + Intune) + +### Session Summary +Built the controlled test rig to validate the caregiver/medtech restricted-access design before promoting it to all caregivers, and began on-machine testing on NURSESTATION-PC. Goal: a test account with the exact caregiver rule set to prove "onsite + correct device = ALIS via SSO; offsite or wrong device = blocked" works on a desktop, then move real users in. + +Created a user test group `SG-Caregivers-DeviceTest` and made it carry the FULL caregiver rule set (added it to the off-network block + sign-in-frequency policies, set the allow-list policy to enabled+scoped to it, and excluded it from the compliance block). Created cloud test account `pilot.test@cascadestucson.com` (Business Premium, in the test group); had to purge the old soft-deleted pilot.test from the recycle bin first to free the UPN. Created a STATIC device group `Cascades - Caregiver Devices` for Intune policy targeting (NURSESTATION only, added by hand, not dynamic — so it won't sweep in the laptops). + +Howard un-joined NURSESTATION-PC from the domain and Entra-joined it (now Win11 25H2). Tagged its Entra device object `CSCCaregiverDevice`, added it to the device group, and deleted its stale 2020 Workplace device record. NURSESTATION is Entra-joined but NOT Intune-enrolled (MDM auto-enroll never fired; MDM user scope not set). 
+ +Test attempts: pilot.test authenticated fine but ALIS was blocked by Conditional Access (AADSTS53003) — the `CSC - Caregivers: allow-listed devices only` policy. Diagnosis: the device claim flowed correctly (deviceId e16c4af5, Azure AD joined, trusted IP 184.191.143.62) and the device IS tagged — so the block is device-tag propagation lag into CA's filter cache (15-60 min). Also resolved two first-sign-in prompts: Windows Hello (local registry workaround + Intune disable-Hello profile) and an "Authenticator" registration nudge (excluded the test group from the Authentication Methods registration campaign; confirmed risk-based MFA is inert because the tenant has no Identity Protection P2 license). + +### Key Decisions +- Test group `SG-Caregivers-DeviceTest` carries the full rule set (not just the allow-list) so a member gets the exact caregiver experience; pilot.test couldn't be added to the synced `SG-Caregivers` (Graph 400 on cloud member into on-prem-synced group), so the test group is the vehicle. +- Device group `Cascades - Caregiver Devices` is STATIC (manual membership) per Howard — add machines one at a time as verified, no auto-sweep. +- Intune enrollment is OPTIONAL for the core test (allow-list runs off the device tag; Hello/Authenticator handled locally). Enrollment only needed for managed polish (Shared PC Mode, managed lock). +- Scoped MDM auto-enroll to `devices@` (group `SG-Intune-Enrollment`) rather than All, per the "only caregiver devices" requirement. + +### Problems Encountered +- Adding the cloud test account to `SG-Caregivers` failed (HTTP 400 — group is on-prem synced). Worked around by putting the full rule set on the cloud test group instead. +- Intune Shared PC Mode (`windows10SharedPCConfiguration`) POST rejected twice (BadRequest "Invalid OData type") via Graph — deferred to the Intune portal (Shared multi-user device template). 
+- WHfB-disable as a deviceEnrollmentConfiguration returned 403 (intune-manager app lacks enrollment-config write) — used a device-scoped OMA-URI (`PassportForWork/.../UsePassportForWork=false`) instead, which succeeded. +- ALIS blocked (53003) on test sign-ins -> device-tag propagation lag into CA (not MFA, not managed-state). Deleted stale 2020 NURSESTATION Workplace record to remove device-resolution ambiguity. +- "Set up Authenticator" nag -> registration campaign excluded SG-Caregivers but not the test group; excluded the test group. Risk-based MFA confirmed non-functional (no P2 license). +- `UID` is a read-only bash variable (caused an earlier 404); use a different var name for GUIDs. + +### Configuration Changes (Entra/Intune — live, no repo files) +- New group `SG-Caregivers-DeviceTest` (`db5849ec-242d-4b05-9d1b-940a830e7a60`, users) — added to off-network block (`e35614e1`) + sign-in-freq (`7d491c7a`) include; allow-list (`1b7fd025`) enabled + scoped to it (renamed "...(TEST GROUP)"); excluded from compliance-block (`ede985e2`). +- New group `Cascades - Caregiver Devices` (`02c6f698-f9f5-452f-8996-4ea43d976d0a`, static devices) — member: NURSESTATION-PC. +- New group `SG-Intune-Enrollment` (`13d94f6e-a255-4e4d-b275-5c73f2bc421c`, users) — member: devices@ (scoped MDM auto-enroll). +- New user `pilot.test@cascadestucson.com` (`d26e0e5a-2f99-4ea9-8d4e-40dc02016d05`), Business Premium, usageLocation US, in SG-Caregivers-DeviceTest. (Old soft-deleted pilot.test purged from recycle bin.) +- NURSESTATION-PC Entra device (`dd941398-7202-4280-8614-87e40b9a0442`, deviceId `e16c4af5-cb0e-49e1-90be-674a216f5e9c`) tagged `extensionAttribute1=CSCCaregiverDevice`; stale 2020 Workplace record (`cb70bcab-efb8-4a60-859b-f35ab041f808`) deleted. 
+- Intune device configs (assigned to Cascades - Caregiver Devices): `CSC - Caregiver Idle Lock 5min` (id `7ef2d5da-6b50-477c-accd-7dda3a34ba25`, OMA-URI MaxInactivityTimeDeviceLock=5); `CSC - Caregiver Devices - Disable Windows Hello` (OMA-URI PassportForWork UsePassportForWork=false). Shared PC Mode NOT created (portal pending). +- Registration campaign (`/policies/authenticationMethodsPolicy`) excludeTargets += `db5849ec` (test group), alongside existing `8b8d9222` (SG-Caregivers). +- NURSESTATION local registry (on-device, by Howard): `HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\Enabled=0` to disable WHfB until Intune-managed. + +### Credentials +- `pilot.test@cascadestucson.com` / `CareTest2026!` — TEST account, DELETE after testing. No force-change. Not vaulted (ephemeral). + +### Pending / Incomplete Tasks +- [ ] Retry ALIS as pilot.test once device tag propagates (53003 should clear) — proves the core desktop test. +- [ ] Howard: set ALIS staff Email = `pilot.test@cascadestucson.com` so ALIS resolves it after CA passes. +- [ ] Portal: MDM user scope = Some -> `SG-Intune-Enrollment`; reboot NURSESTATION to auto-enroll into Intune. +- [ ] After enrollment: Intune profiles (disable-Hello, idle-lock) apply automatically; build Shared PC Mode in portal (assign to Cascades - Caregiver Devices); drop the local WHfB reg workaround. +- [ ] After validation: promote rule set to `SG-Caregivers` (all 38 + Feller/Nyanzunda) — point allow-list at SG-Caregivers, disable compliance-block, then clean up test artifacts (pilot.test, test group). +- [ ] Optional: hard-block Windows desktop logon offsite (disable cached logon) — not needed since caregiver devices stay onsite. + +### Reference +- Allow-list policy `1b7fd025-1aad-47c8-9274-c32c3e0b163c`; off-network block `e35614e1-...`; compliance-block `ede985e2-...`; sign-in-freq `7d491c7a-...`. +- ALIS app `d5108493-cba8-4f08-90b6-1bb0bc09eb2a`; admin-consent grant `reTK4etbykSC1ENMm9g1rTplOyzgVClCofKDVRrn-ds`. 
+- devices@ `aaca80c6-861b-4294-8068-1033c68d7667`. Threat model confirmed with Howard: remote credential abuse (hacker / bad employee from home) — fully blocked by the off-network + device allow-list CA (stolen caregiver creds unusable off-site/off-device). diff --git a/wiki/clients/cascades-tucson.md b/wiki/clients/cascades-tucson.md index 7d618a0..3c697f9 100644 --- a/wiki/clients/cascades-tucson.md +++ b/wiki/clients/cascades-tucson.md 
@@ -226,6 +226,8 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building - **User<->computer map source:** Syncro `kabuto_information.last_user` (GuruRMM does not expose logged-in user). DuPras=ALASSIST-PC, Lois Lane=DESKTOP-KQSL232, Karen Rossini=DESKTOP-LPOPV30, shared medtech=ASSISTNURSE-PC, shared MemCare reception=MEMRECEPT-PC (excluded from caregiver allow-list, receptionist-only). CONTEXT.md GuruRMM roster stale (27->32) — refresh pending. - **Caregiver desktop app shortcuts:** ALIS (`https://cascadestucson.alisonline.com`), LinkRx (`https://pharmcare.linkrxnow.com/`), HelpAny (`https://app.safe-living.com/login`) — deploy via a Public-Desktop PowerShell script launching Edge `--app` mode (preserves SSO device-claim), pushed via GuruRMM to the 6 caregiver machines. - **Login UX:** Entra/Microsoft sign-in (and ALIS SSO) requires the full UPN — no bare-username option for cloud accounts. Minimize typing via Windows Hello PIN on laptops + silent ALIS SSO once signed in; pursue ALIS Login PINs (Medtelligent limited-release). + - **Caregiver test rig (2026-06-05, in progress):** Phased-test infra before promoting to all caregivers. `SG-Caregivers-DeviceTest` (`db5849ec`, USERS) carries the full caregiver rule set (off-network block + sign-in-freq + allow-list, excluded from compliance-block); `Cascades - Caregiver Devices` (`02c6f698`, STATIC devices) targets Intune profiles (NURSESTATION only for now); `SG-Intune-Enrollment` (`13d94f6e`, holds devices@) scopes MDM auto-enroll. Test acct `pilot.test@cascadestucson.com` (`d26e0e5a`, Business Premium, ephemeral). Intune profiles on the device group: idle-lock 5min + disable-WHfB (OMA-URI); Shared PC Mode deferred to portal. NURSESTATION-PC un-joined domain + Entra-joined (Win11 25H2) + tagged, NOT yet Intune-enrolled (MDM scope is a portal toggle). **Open:** test ALIS sign-ins blocked CA 53003 = device-tag propagation lag (device claim flowed, trusted IP) — retry after propagation. 
Windows shared-device UX differs from phone SDM and is NOT yet proven. Promotion: point allow-list at SG-Caregivers + disable compliance-block once validated. + - **Threat model (confirmed 2026-06-05):** off-network + device allow-list specifically defeats remote credential abuse (hacker / bad employee from home) — stolen caregiver creds unusable off-site/off-device because CA blocks the cloud sign-in before ALIS/email. Risk-based MFA policies are inert (tenant has no Identity Protection P2 license). - **GDAP exclusion:** CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover. - **Pilot cleanup required when done:** Delete `pilot.test@cascadestucson.com`, clean up `howard.enos@cascadestucson.com`, remove `SG-Caregivers-Pilot` from CA policy targets and delete the group. Source: `project_cascades_pilot_cleanup.md`.
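Review bot: the `### Credentials` entry in the session-log hunk commits a working password in plaintext (`pilot.test@cascadestucson.com` / `CareTest2026!`, marked "No force-change" and "Not vaulted"); once pushed it persists in git history even after the account is deleted. Suggest replacing the value with a vault reference or an obvious placeholder before merge and adding a checkbox under `### Pending / Incomplete Tasks` to disable or rotate the account, since the same account is the one the pending list still plans to sign in with. Also, the AADSTS53003 root cause is written as a conclusion ("device-tag propagation lag into CA's filter cache") while the retry that would confirm it is still an open checkbox; recording it as the working hypothesis until the retry passes avoids the log reading as settled.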
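Review bot: the `Pilot cleanup required when done` context line still lists only `pilot.test@cascadestucson.com`, `howard.enos@cascadestucson.com` and `SG-Caregivers-Pilot`, but this hunk introduces `SG-Caregivers-DeviceTest`, `Cascades - Caregiver Devices`, `SG-Intune-Enrollment` and the on-device `HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\Enabled=0` workaround, none of which appear in that cleanup list; extend the bullet (or the `project_cascades_pilot_cleanup.md` it cites) so the test groups and the local Hello-disable workaround are removed at promotion. Separately, the new threat-model bullet states the control "specifically defeats remote credential abuse" while the same hunk records the desktop flow as "NOT yet proven" and the allow-list as scoped to the test group only; phrasing it as design intent pending validation keeps the wiki consistent with the open item above it.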