sync: auto-sync from HOWARD-HOME at 2026-06-05 17:35:42
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-05 17:35:42
@@ -87,11 +87,12 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingInput`; no Windows device ever Intune-enrolled — MS case open), Windows caregiver devices are managed via **Hybrid Entra Join + on-prem Group Policy** instead. This needs no Intune. The CA access model is unchanged (hybrid join just gives the device an Entra object so the allow-list/deviceId still applies).
- **Hybrid join proven on NURSESTATION-PC** (2026-06-05): SCP written (`ConfigureSCP.ps1`), `OU=Caregiver Devices,OU=Staff PCs,OU=Workstations` added to Entra Connect sync scope → device synced to Entra as `trustType: ServerAd`, `dsregcmd` shows AzureAdJoined+DomainJoined YES, pilot.test gets `AzureAdPrt: YES`. On hybrid-joined machines `Ngc PreReqResult: WillNotProvision` (PolicyEnabled NO) → **Windows Hello does not auto-provision** (no Hello popup) — exactly what shared caregiver devices need, so no separate Hello-disable step.
- **Device control is one-at-a-time:** caregiver machine computer objects are moved into `OU=Caregiver Devices` (only that OU is in sync scope) and into a location group `SG-PC-MainTower` or `SG-PC-MemoryCare`. Add a device = move it into the OU + correct location group.
- **App + printer delivery GPO `CSC - Caregiver Workstation`** (User-config GPP), linked at `OU=Caregivers,OU=Departments`, security-filtered to the SG so only caregivers/medtechs apply it. **Built/tested against `SG-Caregivers-Test` (pilot.test only)** first — a true mirror of production with zero impact on the 38 real caregivers — then the filter is swapped to `SG-Caregivers` to go live. Contents: 3 desktop shortcuts (ALIS, LinkRx, Safe Living `https://app.safe-living.com/login`) + 6 `\\CS-SERVER` shared printers (NursesPrinter, HealthServices, MCMedTech, MCReception, MCDirector, CopyRoom) with **default printer by device location** (Nurses for MainTower, MC MedTech for MemoryCare, via item-level targeting on the location group, `userContext="0"`). NOTE: the domain-wide `CSC - Printer Deployment` GPO is intentionally disabled (empty CSE / version 0) and is **not** to be used — reference only.
- **App + printer delivery GPO `CSC - Caregiver Workstation`** (`{3B5CD9A6-A278-4676-A9FD-9396D21A8261}`, User-config GPP) — **BUILT + VALIDATED on NURSESTATION as pilot.test (2026-06-05).** Linked at `OU=Caregivers,OU=Departments`; security filter = `SG-Caregivers-Test` (Apply, pilot.test only) + Authenticated Users (Read, for MS16-072). Go-live = swap filter to `SG-Caregivers`. Contents: 3 desktop shortcuts — ALIS, LinkRx, **Helpany** (`https://app.safe-living.com/login` — named "Helpany," the brand caregivers know) — + 6 `\\CS-SERVER` shared printers (NursesPrinter, HealthServices, MCMedTech, MCReception, MCDirector, CopyRoom) with **default printer by device location** (Nurses for `SG-PC-MainTower`, MC MedTech for `SG-PC-MemoryCare`, computer-context ILT) + HKCU `LegacyDefaultPrinterMode=1` so the default sticks. Build scripts: `clients/cascades-tucson/scripts/build-caregiver-gpo.ps1` + `link-caregiver-gpo.ps1`. NOTE: the domain-wide `CSC - Printer Deployment` GPO is intentionally disabled (empty CSE / version 0) and is **not** to be used — reference only.
- **Device lockdown GPO `CSC - Caregiver Device Lockdown`** (computer-side, links to `OU=Caregiver Devices`) — **DESIGNED + SCRIPTED, NOT YET DEPLOYED.** Auto-logoff is a HIPAA requirement (§164.312(a)(2)(iii)) for shared PHI devices. Settings (Howard): screen **lock at 3 min**, **auto sign-out at 15 min** total idle, **90-second warning** before sign-out, **never sleep** (display off 10 min). Delivered via a computer **startup script** (`caregiver-lockdown.ps1`) that sets `InactivityTimeoutSecs=180`, powercfg, and registers a logon-triggered scheduled task running an idle monitor (`GetLastInputInfo` → `msg.exe` warning at 13.5 min → `shutdown /l` at 15 min) in each caregiver's session. Deploy script: `deploy-device-lockdown-gpo.ps1`. **Companion:** ALIS app session timeout being lowered 20→15 min (Howard, in ALIS admin) to match. **Blocked 2026-06-05:** RMM dispatch from HOWARD-HOME failed (curl "Permission denied" — AV blocking curl.exe; then RMM API 500 on the ~13 KB payload via Invoke-RestMethod). Retry: run the deploy script directly on CS-SERVER, or from another workstation. Lock/logoff are **device-level** (affect any user on the device, not just pilot.test).
### Status (as of 2026-06-05)
- **Proven working end-to-end on a hybrid-joined desktop (NURSESTATION + pilot.test):** caregiver lockdown (CA off-network block + device allow-list) **and** silent ALIS SSO. The allow-list policy `1b7fd025` carries NURSESTATION's current deviceId `d3bf931f-f128-4261-8398-b46c34a4b342` (the old Entra-joined id `e16c4af5` is stale/deleted) and the device is tagged `extensionAttribute1=CSCCaregiverDevice`.
- **In progress:** building the `CSC - Caregiver Workstation` GPO (shortcuts + printers) against the test group; then promote both the GPO filter and the CA allow-list from the test groups to `SG-Caregivers`, moving real machines in one at a time.
- **In progress:** `CSC - Caregiver Workstation` GPO (shortcuts + printers + LegacyDefaultPrinterMode) is **built and validated** on the test rig. Still to do: **deploy `CSC - Caregiver Device Lockdown`** (lock/auto-logoff — blocked on an RMM-dispatch issue, retry direct on CS-SERVER); lower ALIS timeout to 15 min; then promote both the GPO filter and the CA allow-list from the test groups to `SG-Caregivers`, moving real machines in one at a time.
- **Independent open item:** Microsoft case for `INTUNE_A PendingInput` — does NOT block caregiver access (hybrid+GPO path replaces the Intune dependency).
---
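Review bot: the auto sign-out described in the `CSC - Caregiver Device Lockdown` bullet is enforced only by an idle monitor that runs as a logon-triggered scheduled task inside the caregiver's own session (`GetLastInputInfo` → `msg.exe` → `shutdown /l`), so a signed-in user can end that PowerShell process from Task Manager and the 15-minute logoff silently stops, while only the 3-minute `InactivityTimeoutSecs=180` lock is machine-enforced. Since the bullet cites HIPAA §164.312(a)(2)(iii), record which of the two is the auditable control and add a validation step for it (e.g. `gpresult /h` on NURSESTATION after the startup script runs, alongside the `dsregcmd` check already noted for hybrid join). Separately, the hunk header reports 11 lines becoming 12, yet two `CSC - Caregiver Workstation` bullets and two `In progress` status bullets appear that read as before/after pairs; confirm the superseded versions are the removed lines so the page does not carry both, and note that the status bullet still lists the `CSC - Caregiver Workstation` GPO as "In progress" while the section above calls it "BUILT + VALIDATED".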