sync: auto-sync from HOWARD-HOME at 2026-07-03 17:00:12

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-07-03 17:00:12
This commit is contained in:
2026-07-03 17:00:47 -07:00
parent 78f794a924
commit e0e3dd0d82
9 changed files with 478 additions and 0 deletions

View File

@@ -206,3 +206,5 @@
- [Windows won't-boot / offline DISM repair playbook](windows-offline-dism-repair-gotchas.md) — Automatic Repair loop = boot-critical fault (disk/registry/wedged update), NOT shell/appx store corruption (that's a symptom); `FaultyPackageInProgress` + 100s of Install/Uninstall-Pending packages = wedged CU -> RevertPendingActions or clean install. Offline DISM rejects `wim:` source (0x800f082e) -> MOUNT the wim, source `\Windows`. Ventoy breaks WIM mount (0xc1420134) -> use Rufus. 25H2(26200)=24H2(26100)+enablement, so match 26100 media. First hit: Four Paws AvImark #32447.
- [365 app suite — authoritative map + consent-drift fix](reference_365_app_suite.md) — full map in `.claude/skills/remediation-tool/references/app-suite.md`; per-tenant consent is NOT uniform (VWP had the app but no SharePoint role). Run `consent-audit.sh <tenant|--all>` to detect gaps; fix via adminconsent URL or direct appRoleAssignment grant.
- [Remediation-tool has full M365 access (incl. SharePoint)](reference_remediation_tool_365_access.md) — the app suite covers Graph/EXO/Defender/SharePoint; don't declare "no access" on an accessDenied. SharePoint app-only needs a CERT (secret = "Unsupported app only token"); use get-token.sh `sharepoint`/`sharepoint-admin` tiers + CSOM admin API (Graph /admin/sharepoint/settings scope not held). Full map: skill references/app-permissions-and-sharepoint.md.
- [AV migration: Bitdefender -> Datto EDR](project_av_migration_bitdefender_to_edr.md) — retire Bitdefender fleet-wide except Dataforth; end-state per machine = GuruRMM + Datto EDR
- [RMM deploy via ScreenConnect](reference_rmm_deploy_via_screenconnect.md) — push GuruRMM agent to client workstations via SC send-command (SYSTEM), not DC remote-exec (DCOM/schtasks blocked on Win11 clients)

View File

@@ -0,0 +1,24 @@
---
name: project_av_migration_bitdefender_to_edr
description: AV strategy — migrate all clients from Bitdefender to Datto EDR, except Glaztech and Dataforth
metadata:
type: project
---
Standing AV direction (set by Howard 2026-07-03): ACG is moving endpoint AV/security
from **Bitdefender GravityZone -> Datto EDR** for **all clients EXCEPT Glaztech Industries
and Dataforth Corp** (those two stay on Bitdefender / handled separately).
**Why:** consolidate on Datto EDR as the security plane; Bitdefender is being retired
fleet-wide (Glaztech + Dataforth are the two exceptions — both have large established
Bitdefender footprints: Glaztech ~242 endpoints, Dataforth managed separately).
**How to apply:** whenever setting up or reconciling a client's endpoints (e.g. the
GPS->GuruRMM coverage audit), the target end-state per machine is: GuruRMM agent +
Datto EDR agent, and Bitdefender **removed**. Do NOT deploy new Bitdefender coverage.
Use existing Bitdefender inventory only as a discovery source for which machines exist
(its company names carry the Syncro CID `_NNNNN`, handy for mapping). Deploy Datto EDR
via `[[datto-edr]]` (create-group -> mint-key -> deploy-cmd, pushed through `/rmm`).
Related: GPS->RMM audit tracker `projects/gps-rmm-audit/tracker.md`. Exceptions = Glaztech +
Dataforth (leave their existing AV alone; do not migrate them to EDR in this effort).

View File

@@ -0,0 +1,30 @@
---
name: reference_rmm_deploy_via_screenconnect
description: Best channel to mass-deploy the GuruRMM agent to client workstations = ScreenConnect send-command (not DC remote-exec)
metadata:
type: reference
---
**To push the GuruRMM agent onto a client's existing machines, the reliable channel is
ScreenConnect `send-command` (Backstage), NOT remote-exec from the domain controller.**
Discovered 2026-07-03 deploying to Instrumental Music Center (see
`projects/gps-rmm-audit/tracker.md`). Remote-exec FROM the DC to Win10/11 workstations
fails on default client settings:
- WMI/`Win32_Process` over **DCOM** -> "RPC server unavailable" (DCOM firewalled on clients)
- `schtasks /S` -> connects over SMB but Win11 **rejects the task definition** from an older
(Server 2016) DC ("The request is not supported")
- `New-PSDrive`/`sc.exe` admin-share from SYSTEM context -> access/parse failures
- WinRM is off by default on workstations
**What works cleanly:** ScreenConnect. ACG endpoints already run the SC agent, and
`send-command` runs on the guest **as SYSTEM** — no credentials, no firewall fight, no
DA-password-in-logs concern. Pattern (via the `[[screenconnect]]` skill):
1. `GetSessionsByName` with the EXACT hostname -> sessionID (no list-all method; must query by exact name).
2. Build the site installer one-liner: `irm 'https://rmm.azcomputerguru.com/install/<SITE-CODE>/windows'|iex` (site code from the client's vault `gururmm-site-*.sops.yaml`).
3. Encode it: `powershell -NoProfile -ExecutionPolicy Bypass -EncodedCommand <base64-UTF16LE>` (avoids all quoting; no /TR length limit like schtasks).
4. `send-command --session <id> --command "<that>" --confirm`. Online guests install + enroll in ~1-3 min; offline guests QUEUE in SC and install on reconnect.
5. Verify via GuruRMM `/api/agents` (hostname appears under the client, status online).
Note `iconv` is absent in this Git-Bash — compute the base64 with `py -c "import base64; ..."`.
Related: `[[project_av_migration_bitdefender_to_edr]]` (same channel can push the Datto EDR agent + remove Bitdefender once RMM is on).