sync: auto-sync from HOWARD-HOME at 2026-06-05 10:26:08

Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-05 10:26:08
2026-06-05 10:26:18 -07:00
parent 21043d42bd
commit e18792ecf7
4 changed files with 186 additions and 6 deletions
--- a/clients/cascades-tucson/reports/2026-06-04-caregiver-buckets-and-credentials.md
+++ b/clients/cascades-tucson/reports/2026-06-04-caregiver-buckets-and-credentials.md
@@ -0,0 +1,99 @@
 # Cascades — Restricted vs Non-Restricted buckets + credentials
 **Generated:** 2026-06-04
 **Important on passwords:** Microsoft/Entra NEVER lets you read an existing password. The only known passwords are (a) the documented caregiver bulk-creation password and (b) vaulted individual accounts. Unknowns can only be made known by RESETTING them (User Manager app) — say the word and I'll reset to a known temp.
 Login-password note: the caregiver bulk password was set with `ChangePasswordAtLogon = $false` + `PasswordNeverExpires = $true`, so it is a **working password, NOT a reset-at-login temp.** It is the actual sign-in password (PHS pushes it to M365/Entra, so it works for Windows login, ALIS SSO, and M365).
 ---
 ## A. RESTRICTED bucket (caregivers + medtechs) — SG-Caregivers, inside-network only, devices only
 **All 38 bulk-created caregivers share the working password `Cascades2026!`** (not reset-at-login). UPN = sign-in name = required ALIS Email.
 | Name | UPN / sign-in | Password |
 |---|---|---|
 | Agnes McFerren | a.mcferren@cascadestucson.com | Cascades2026! |
 | Ashli Atwood | a.atwood@cascadestucson.com | Cascades2026! |
 | Barb Johnson | b.johnson@cascadestucson.com | Cascades2026! |
 | Bella Mendoza | b.mendoza@cascadestucson.com | Cascades2026! |
 | Charity/Bariffa Sika | b.sika@cascadestucson.com | Cascades2026! |
 | Cole Johnson | c.johnson@cascadestucson.com | Cascades2026! |
 | Corey Tate | c.tate@cascadestucson.com | Cascades2026! |
 | Diana Fierros | d.fierros@cascadestucson.com | Cascades2026! |
 | Ederick Yuzon | e.yuzon@cascadestucson.com | Cascades2026! |
 | Erica Sanchez | e.sanchez@cascadestucson.com | Cascades2026! |
 | Espe/Niyonsaba Esperance | e.esperance@cascadestucson.com | Cascades2026! |
 | Gina Williams | g.williams@cascadestucson.com | Cascades2026! |
 | Gloria Williford | g.williford@cascadestucson.com | Cascades2026! |
 | Jahmeka Clarke | j.clarke@cascadestucson.com | Cascades2026! |
 | Jen/Jennifer Higdon | j.higdon@cascadestucson.com | Cascades2026! |
 | Jinnelle Dittbenner | j.dittbenner@cascadestucson.com | Cascades2026! |
 | Juan Andrade | j.andrade@cascadestucson.com | Cascades2026! |
 | Karina Aziakpo | k.aziakpo@cascadestucson.com | Cascades2026! |
 | Kasey Flores | k.flores@cascadestucson.com | Cascades2026! |
 | Katrina Wyzykowski | k.wyzykowski@cascadestucson.com | Cascades2026! |
 | Luke Hogan | l.hogan@cascadestucson.com | Cascades2026! |
 | Luriz Fuster | l.fuster@cascadestucson.com | Cascades2026! |
 | Maia Baker | m.baker@cascadestucson.com | Cascades2026! |
 | Marie Kastner | m.kastner@cascadestucson.com | Cascades2026! |
 | Mary Kariuki | m.kariuki@cascadestucson.com | Cascades2026! |
 | Monique Lopez | m.lopez@cascadestucson.com | Cascades2026! |
 | Patricia Camarena Doran | p.doran@cascadestucson.com | Cascades2026! |
 | Richard Flores | r.flores@cascadestucson.com | Cascades2026! |
 | Rosa Morales | r.morales@cascadestucson.com | Cascades2026! |
 | Roseline Cooper | r.cooper@cascadestucson.com | Cascades2026! |
 | Samuel Ramirez | s.ramirez@cascadestucson.com | Cascades2026! |
 | Sandra Padilla | s.padilla@cascadestucson.com | Cascades2026! |
 | Sarah Carroll | s.carroll@cascadestucson.com | Cascades2026! |
 | Shontiel Nunn | s.nunn@cascadestucson.com | Cascades2026! |
 | Tele Lassey-Assiakoley | t.lassey-assiakoley@cascadestucson.com | Cascades2026! |
 | Thelma Abainza | t.abainza@cascadestucson.com | Cascades2026! |
 | Whisper Reed | w.reed@cascadestucson.com | Cascades2026! |
 | Zeke Huerta | e.huerta@cascadestucson.com | Cascades2026! |
 **New adds to restricted (existing accounts — password NOT known, RESET needed):**
 | Name | UPN | Password |
 |---|---|---|
 | Veronica Feller | veronica.feller@cascadestucson.com | UNKNOWN — reset needed (confirm on-site first; inventory shows PA) |
 | Christine Nyanzunda | christine.nyanzunda@cascadestucson.com | UNKNOWN — reset needed; also fix directory surname typo "Nyanzuda" |
 > Caveat: any of the 38 who voluntarily changed their password (unlikely for shared-phone caregivers) would differ from `Cascades2026!`. If a login fails, reset that one.
 ---
 ## B. NON-RESTRICTED bucket (privileged — outside access to ALIS + M365, 2FA offsite)
 NOT in SG-Caregivers. Microsoft offsite access already works (all-users-MFA, trusted-location excluded). For outside ALIS they need ALIS Email = UPN + native 2FA off.
 | Name | Role | UPN | Password |
 |---|---|---|---|
 | Lois Lane | Health Services Dir (RN) | Lois.Lane@cascadestucson.com | Imbirowicz1$ |
 | Megan Hiatt | Sales/Marketing Dir | megan.hiatt@cascadestucson.com | 4PazCas$07 |
 | Ashley Jensen | Asst Exec Dir / CFO | Ashley.Jensen@cascadestucson.com | Fall2025! (local pre-domain: ScarlettSky18*) |
 | Front Desk (shared) | Reception | frontdesk@cascadestucson.com | sccssccs#3 |
 | Karen Rossini | Health Services Mgr (LPN) | karen.rossini@cascadestucson.com | UNKNOWN — reset if needed (ALIS SSO already working for her) |
 | Christina DuPras | Resident Svcs / Admin Asst | christina.dupras@cascadestucson.com | UNKNOWN — reset needed |
 | Meredith Kuhn | Executive Director | meredith.kuhn@cascadestucson.com | UNKNOWN |
 | Lauren Hasselman | Business Office Mgr | lauren.hasselman@cascadestucson.com | UNKNOWN |
 | Crystal Rodriguez | Sales | crystal.rodriguez@cascadestucson.com | UNKNOWN (ALIS SSO already working) |
 | Shelby Trozzi | MemCare Director | (verify UPN) | UNKNOWN |
 | Susan Hicks | Life Enrichment Dir | Susan.Hicks@cascadestucson.com | UNKNOWN |
 | Chris Knight | CFO | chris.knight@cascadestucson.com | UNKNOWN |
 | Lupe Sanchez | Housekeeping Dir | (verify UPN) | UNKNOWN |
 | Alyssa Shestko | Dining Room Mgr | (verify UPN) | UNKNOWN |
 Admin/break-glass (cloud-only, excluded from CA): admin@cascadestucson.com, sysadmin@cascadestucson.com (vaulted).
 ---
 ## C. Phased testing — LIVE mechanism
 - Group `SG-Caregivers-DeviceTest` (`db5849ec-242d-4b05-9d1b-940a830e7a60`) — members are governed by the **allow-list** (phones + tagged devices) instead of the compliance block.
 - Allow-list policy `CSC - Caregivers: allow-listed devices only (TEST GROUP)` (`1b7fd025-...`) = ENABLED, scoped to that group.
 - Compliance-block (`ede985e2-...`) now EXCLUDES that group.
 **To test one caregiver:** (1) match their ALIS Email = UPN; (2) add them to `SG-Caregivers-DeviceTest`; (3) on a tagged laptop, log into Windows/Edge with their UPN + `Cascades2026!`, open ALIS -> verify silent SSO; (4) verify they still work on a phone. Expand one at a time.
 **Full cutover (when confident):** point the allow-list policy back to `SG-Caregivers` (all), disable the compliance block, empty/delete the test group.
 Tagged devices so far: Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8. Pending (Win11 25H2): LAPTOP-8P7HDSEI, ASSISTNURSE-PC. Hybrid pending: NURSESTATION-PC.
--- a/clients/cascades-tucson/session-logs/2026-06-05-session.md
+++ b/clients/cascades-tucson/session-logs/2026-06-05-session.md
@@ -0,0 +1,77 @@
 # Cascades of Tucson — Session Log 2026-06-05
 ## User
 - **User:** Howard Enos (howard)
 - **Machine:** Howard-Home
 - **Role:** tech
 ## Session Summary
 Two Cascades tasks handled via the GuruRMM agent fleet and the M365 remediation tool suite.
 First, a request to "enable the localadmin account as a local administrator" on NURSESTATION-PC because it was not appearing on the login screen. Recon via RMM showed the account was already enabled and already a member of the local Administrators group (it had even logged in earlier the same day). The actual cause was a `SpecialAccounts\UserList` registry suppression entry (`localadmin = 0`) under the Winlogon key, which deliberately hides the account from the sign-in screen. Removed that entry; account will now appear in the user picker after the next sign-out/reboot. The enable/admin steps in the fix script were idempotent no-ops since both conditions were already true.
 Second, vault hygiene plus an MFA change on the MSP break-glass Global Admin `sysadmin@cascadestucson.com`. Confirmed the vault entry (`clients/cascades-tucson/m365-sysadmin.sops.yaml`) had not been updated since 2026-04-24 and that the live account's `lastPasswordChangeDateTime` was 2026-06-04 — i.e. Mike rotated the password on 2026-06-04 and never vaulted it. Howard supplied Mike's current password; updated the vault entry's password field and rotation-history notes in place via `sops set` (no plaintext on disk), committed, and pushed (required a rebase — remote had advanced).
 Third, added a code-delivery path for Howard on the same GA account. Reading the account's phone methods showed `mobile` (SMS, Mike's) and `alternateMobile` (voice-only) slots both occupied, and the tenant Authentication Methods policy had **Voice call disabled** — which is why sign-in only ever offered text or authenticator (both Mike's). To avoid a tenant-wide change, created a security group containing only `sysadmin@`, enabled the Voice method scoped to that group, and set the account's `alternateMobile` to Howard's number. A voice-call MFA option now appears at sign-in for that account only. All writes against the GA succeeded (no Privileged Auth Admin 403 materialized).
 ## Key Decisions
 - Diagnosed the NURSESTATION-PC login-screen issue as a registry hide (`SpecialAccounts\UserList`) rather than an account-state problem, because recon proved the account was already enabled + admin. Fixed the actual cause instead of the stated symptom.
 - Did NOT reset the live `sysadmin@` password. Earlier in the session a reset to the vaulted value was prepared, but Howard clarified Mike's 2026-06-04 change was intentional; the correct action was to vault Mike's current password, not revert the account.
 - Scoped the Voice MFA method to a dedicated single-member security group rather than enabling it for `all_users`, keeping blast radius to the one account (Howard asked specifically whether it could be limited to that account).
 - Left `alternateMobile` set to Howard's number (520-585-1310) after Howard confirmed sign-in worked, rather than reverting to the prior 520-331-5551.
 - Used `sops set` for the vault field edits (password + notes) to avoid ever writing the decrypted file to disk.
 ## Problems Encountered
 - RMM registry-recon command returned `interrupted` ("Agent restarted during execution") once on NURSESTATION-PC; re-ran and it completed.
 - First fix-script dispatch returned an empty `command_id` (transient, around the agent restart). Re-dispatched and it succeeded.
 - Group member-add returned 404 immediately after group creation (Entra replication lag); succeeded on retry after a short delay.
 - Phone-method update first attempted with `PUT` (405 — "PUT is not supported in v1.0, use PATCH"); reissued as `PATCH` and it succeeded (204).
 - Vault `git push` was rejected (remote ahead); resolved with `git pull --rebase` then push.
 - `bash` readonly-variable error using `UID` for the user object id; renamed to `OID`.
 ## Configuration Changes
 - **NURSESTATION-PC (Cascades, RMM agent):** removed registry value `localadmin` (was `0`) under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList`. localadmin remains enabled and in Administrators (unchanged).
 - **Vault `clients/cascades-tucson/m365-sysadmin.sops.yaml`:** updated `credentials.password` to Mike's current value; rewrote `notes` with a rotation-history block. Committed + pushed to the vault repo.
 - **M365 tenant cascadestucson.com:**
  - Created security group "MFA - Voice Call Scoped (sysadmin)" (`mfa-voicecall-scoped`), id `304f941e-3594-4705-b8e6-ee676297df11`, single member `sysadmin@`.
  - Authentication Methods policy: Voice method `state` set `disabled` → `enabled`, `includeTargets` scoped to group `304f941e-…` (was `all_users`).
  - `sysadmin@` `alternateMobile` phone method (`b6332ec1-7057-4abe-9331-3d72feddfe41`) changed from +1 520-331-5551 to +1 520-585-1310.
 ## Credentials & Secrets
 - `sysadmin@cascadestucson.com` (Global Admin "Computer Guru Support", object id `471b13dc-3cf8-416b-a132-f5f3bc8d1cc8`): password rotated by Mike 2026-06-04, now vaulted at `clients/cascades-tucson/m365-sysadmin.sops.yaml` (`credentials.password`). Value not reproduced here; retrieve via `vault.sh get-field`.
 - No new credentials created. Vault key auto-discovered by sops at `%APPDATA%\sops\age\keys.txt`.
 ## Infrastructure & Servers
 - GuruRMM API: `http://172.16.3.30:3001`. NURSESTATION-PC agent id `f5a89784-834f-47b1-82e2-7e3e9dd337ff` (Windows, online), client "Cascades of Tucson".
 - M365 tenant `cascadestucson.com` = tenant id `207fa277-e9d8-4eb7-ada1-1064d2221498`.
 - Remediation app tiers used: `user-manager` (`64fac46b-8b44-41ad-93ee-7da03927576c`) for user/group/phone-method writes; `tenant-admin` (`709e6eed-0711-4875-9c44-2d3518c47063`) for the auth-methods policy PATCH.
 - Account phone methods after change — mobile/SMS: +1 520-289-1912 (ready); alternateMobile/voice: +1 520-585-1310.
 ## Commands & Outputs
 - RMM hidden-account discovery: `Get-Item HKLM:\...\Winlogon\SpecialAccounts\UserList` → `localadmin = 0` (the hide flag).
 - RMM fix output: "Removed UserList hide entry for localadmin (was 0)" / "UserList hide entry now: ABSENT (will show on login screen)".
 - Graph read of GA roles: `GET /users/{id}/memberOf/microsoft.graph.directoryRole` → "Global Administrator [62e90394-69f5-4237-9190-012177145e10]".
 - Voice policy before: `{state: disabled, includeTargets:[all_users]}`; after PATCH: `{state: enabled, includeTargets:[group 304f941e-…]}`.
 - Vault edit: `sops set <file> '["credentials"]["password"]' '"<value>"'` then verified round-trip and `grep -c 'ENC[' = 4` (still encrypted).
 ## Pending / Incomplete Tasks
 - NURSESTATION-PC: localadmin will appear in the login picker only after the next sign-out/reboot. If a user is currently signed in, have them sign out to confirm.
 - The previous `alternateMobile` number +1 520-331-5551 was overwritten — confirm with Mike that number did not need to remain on the account.
 - Consider whether `sysadmin@` (shared break-glass GA) should move to per-admin Authenticator/FIDO2 rather than shared SMS/voice long-term (raised but not actioned).
 - Voice MFA is now an available method for the single-member scoped group; if more admins should get voice MFA, add them to group `304f941e-…`.
 ## Reference Information
 - Vault entry: `clients/cascades-tucson/m365-sysadmin.sops.yaml`.
 - GA account object id: `471b13dc-3cf8-416b-a132-f5f3bc8d1cc8`; alternateMobile method id `b6332ec1-7057-4abe-9331-3d72feddfe41`.
 - Scoped Voice group: `304f941e-3594-4705-b8e6-ee676297df11` ("MFA - Voice Call Scoped (sysadmin)").
 - Graph: `/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Voice`.
 - Remediation skill: `.claude/skills/remediation-tool/`; RMM skill: `.claude/commands/rmm` / `/rmm`.
--- a/wiki/clients/cascades-tucson.md
+++ b/wiki/clients/cascades-tucson.md
@@ -2,7 +2,7 @@
 type: client
 name: cascades-tucson
 display_name: Cascades of Tucson
-last_compiled: 2026-06-04
+last_compiled: 2026-06-05
 compiled_by: GURU-BEAST-ROG/claude-main
 sources:
  - session-logs/2026-03-24-session.md
@@ -36,6 +36,7 @@ sources:
  - clients/cascades-tucson/session-logs/2026-06-04-howard-email-delivery-investigation.md
  - clients/cascades-tucson/session-logs/2026-06-04-howard-caregiver-laptop-enrollment.md
  - clients/cascades-tucson/session-logs/2026-06-04-session.md
  - clients/cascades-tucson/session-logs/2026-06-05-session.md
  - clients/cascades-tucson/docs/overview.md
  - clients/cascades-tucson/docs/network/topology.md
  - clients/cascades-tucson/docs/network/vlans.md
@@ -108,12 +109,12 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
 - **M365 license:** Business Premium (SPB) — 34 seats enabled, 3 consumed, 31 free. Business Standard (O365_BUSINESS_PREMIUM) — **SUSPENDED**, 31 users still assigned. Relicensing 31 users Business Standard → Business Premium is pending and time-sensitive — those users may have degraded service.
 - **On-prem AD domain:** cascades.local | UPN suffix: cascadestucson.com (added 2026-04-13 for Entra Connect SSO readiness)
 - **MX / mail flow:** Exchange Online (M365). SPF: `v=spf1 a mx ip4:72.194.62.5 include:spf.protection.outlook.com include:spf-0.secureserver.net -all`. DKIM: both M365 selectors published. DMARC: `p=quarantine;pct=100` — upgraded from p=none. Reports to `info@cascadestucson.com` (unmonitored). No third-party email gateway (EOP direct MX).
- **MFA:** CA policy "Require MFA for all users" is enabled. Caregiver bypass in progress — caregivers cannot satisfy MFA (no personal device), so three scoped CA policies use BLOCK instead. See Patterns section.
+- **MFA:** CA policy "Require MFA for all users" is enabled. Caregiver bypass in progress — caregivers cannot satisfy MFA (no personal device), so three scoped CA policies use BLOCK instead. See Patterns section. Voice-call MFA is **disabled tenant-wide** (SMS + Authenticator are the allowed methods). Exception: security group "MFA - Voice Call Scoped (sysadmin)" (id `304f941e-3594-4705-b8e6-ee676297df11`, single member `sysadmin@`) has Voice method enabled — created 2026-06-05 so Howard has a code-delivery path on the shared GA without a tenant-wide change. `sysadmin@` phone methods after 2026-06-05: mobile/SMS +1 520-289-1912 (Mike); alternateMobile/voice +1 520-585-1310 (Howard, was +1 520-331-5551).
 - **Entra Connect:** Installed on CS-SERVER 2026-04-25. Exited staging 2026-05-14 — actively syncing (last sync confirmed 2026-05-27). OU=Administrative not yet in sync scope; UPN suffix updates for Administrative OU users pending before that OU can be added.
 - **Break-glass accounts:** Two planned (`breakglass1-csc@cascadestucson.com`, `breakglass2-csc@cascadestucson.com`). Confirmed not yet created as of 2026-05-27 (live tenant check). FIDO2 YubiKeys ordered — arrival unconfirmed. Vault entries not yet created.
 - **Admin accounts:**
  - `admin@cascadestucson.com` — Mike's working admin (cloud-only, Connect-excluded by design)
-  - `sysadmin@cascadestucson.com` — Howard's working admin (cloud-only, Connect-excluded by design)
+  - `sysadmin@cascadestucson.com` — Howard's working admin (cloud-only, Connect-excluded by design). Object id: `471b13dc-3cf8-416b-a132-f5f3bc8d1cc8`. Password rotated by Mike 2026-06-04; vaulted by Howard 2026-06-05 at `clients/cascades-tucson/m365-sysadmin.sops.yaml`.
 - **ALIS (clinical SaaS):** https://cascadestucson.alisonline.com — Entra SSO live and working; proven end-to-end with pilot.test on Galaxy A15 caregiver phones. Install key: `d796539d-356b-4190-9c17-35f0f1129376`. Vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml` (Entra app reg + ALIS Inbound Connections Basic Auth creds + install key). ALIS application ID `d5108493-cba8-4f08-90b6-1bb0bc09eb2a`, client secret expires 2028-05-06 (rotation reminder — expiry breaks ALIS SSO tenant-wide). Per-caregiver: ALIS staff-record Email must match Entra UPN exactly. BAA with Medtelligent not yet verified — confirm with Meredith.
  - **Admin consent (2026-06-03):** Tenant-wide admin consent (`AllPrincipals` `User.Read`) granted on ALIS Entra service principal (`e1cae4ad-5beb-44ca-82d4-434c9bd835ad`) via Graph API (`oauth2PermissionGrant` id `reTK4etbykSC1ENMm9g1rTplOyzgVClCofKDVRrn-ds`). This resolved `AADSTS65001` sign-in failures that office/clinical staff (megan.hiatt, karen.rossini, memcarereceptionist) were hitting on non-phone devices. Root cause was missing admin consent — NOT Conditional Access, network, or password. Prior state: only two per-user (`Principal`) consent grants existed, so all other users hit 65001. CA policies had `conditionalAccessStatus: success` on all failing sign-ins; both WAN IPs were trusted Named Locations.
  - **How to enable ALIS SSO for one user (procedure — confirmed 2026-06-03):**
@@ -193,6 +194,8 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
 - **fdeploy1.ini flags:** Changed from `Flags=1211` (included `Grant Exclusive Rights` bit 0x400, causing WRITE_DAC failures on new subfolders) to `Flags=187`. File at `{512B43A4-F049-4CE5-BFAC-860AD13E92BE}\User\Documents & Settings\fdeploy1.ini` on CS-SERVER.
 - **Login-screen hide (SpecialAccounts\UserList):** An enabled local admin that does not appear in the Windows sign-in picker is a `SpecialAccounts\UserList` suppression, not a disabled account. Registry path: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList`, value `<username>=0`. Fix: delete the DWORD value (or set it to 1); account reappears after sign-out/reboot. Confirmed on NURSESTATION-PC (RMM agent `f5a89784-834f-47b1-82e2-7e3e9dd337ff`) 2026-06-05 — `localadmin=0` removed; account was already enabled and in Administrators (unchanged).
 ### Conditional Access / Caregiver Policies
 - **Phased rollout — never tenant-wide.** CA policies for caregivers now target `SG-Caregivers` (`8b8d9222-5d71-419a-936d-56d895c6c332`) (Entra Connect exited staging 2026-05-14; SG-Caregivers-Pilot superseded). The legacy "Require MFA for all users" policy stays in place. Expansion to other departments uses PATCH on `excludeGroups`, never replace. Source: `project_cascades_ca_phased_rollout.md`.
@@ -319,12 +322,13 @@ Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #
 | 2026-05-26 | Access control vendor meeting onsite (ticket #32324). 0.5h Howard + 0.5h Mike billed against prepaid block. Block at 28.0h. Remote diagnosis of UniFi controller confirmed impossible (no Tailscale route, GuruRMM WebSocket-only, pfSense SSH blocked). |
 | 2026-06-03 | ALIS AADSTS65001 diagnosed and resolved: granted tenant-wide admin consent (`AllPrincipals` `User.Read`) on ALIS SP `e1cae4ad`. Caregiver device allow-list CA policy created in report-only (`CSC - Caregivers: allow-listed devices only (REPORT-ONLY)`, id `1b7fd025`). Allow-list = CSC- phones + 5 tagged devices (NURSESTATION-PC, Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8). Cutover pending laptop Intune enrollment + validation. Three existing enforced caregiver CA policies left untouched. |
 | 2026-06-04 | Three same-day tickets: #32381 Tamra scanner (0.5h onsite), #32382 Megan file access (1.5h onsite), #32383 Chris Knight bill.com/BOK email delivery (1.5h remote). Chris Knight mailbox investigation: full EXO/EOP/quarantine/message trace analysis — no tenant config issues found. No Inky in tenant (confirmed). bill.com delivering to other users; zero delivery to chris.knight/c.knight in 90 days. Root cause: wrong address in bill.com/BOK backends + SendGrid suppression on bill.com side. BOK resolved by correcting email in portal (delivery within minutes). bill.com fix requires support call. Resolved externally by Howard; no tenant config changes needed. EXO access token auth method documented (cert not in BEAST cert store). Prepay block: 17.25 → 15.75 hrs. |
 | 2026-06-05 | NURSESTATION-PC localadmin login-screen issue: diagnosed as `SpecialAccounts\UserList` hide (`localadmin=0`) — account was already enabled and in Administrators; removed the registry value via RMM (agent `f5a89784-834f-47b1-82e2-7e3e9dd337ff`); account will appear after sign-out/reboot. Vault hygiene: `sysadmin@` GA (object id `471b13dc-3cf8-416b-a132-f5f3bc8d1cc8`) password rotated by Mike 2026-06-04 and vaulted by Howard 2026-06-05 (`clients/cascades-tucson/m365-sysadmin.sops.yaml`). Voice MFA scoped group created: "MFA - Voice Call Scoped (sysadmin)" (`304f941e-3594-4705-b8e6-ee676297df11`), single member `sysadmin@`; Voice method enabled scoped to that group (tenant-wide voice still disabled); `alternateMobile` updated to +1 520-585-1310 (Howard; was +1 520-331-5551). |
 ---
 ## Compilation Notes
-**Session logs read:** 25 root session logs + client-specific logs in `clients/cascades-tucson/session-logs/` + 7 memory files + 5 structured docs. Date range: 2026-03-06 through 2026-06-04.
+**Session logs read:** 25 root session logs + client-specific logs in `clients/cascades-tucson/session-logs/` + 7 memory files + 5 structured docs. Date range: 2026-03-06 through 2026-06-05.
 **Client folder:** `clients/cascades-tucson/` (NOT `clients/cascades/` — that directory does not exist).
--- a/wiki/index.md
+++ b/wiki/index.md
@@ -1,6 +1,6 @@
 # Wiki Index
-Last updated: 2026-06-04
+Last updated: 2026-06-05
 Compiled by: GURU-BEAST-ROG/claude-main
 This wiki is LLM-maintained. Do not edit articles manually — run `/wiki-compile` to update.
@@ -18,7 +18,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
 | Article | Summary | Last Compiled |
 |---|---|---|
-| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, 15.75 hrs remaining; senior living; active domain migration + HIPAA compliance project; single DC on aging R610 hardware; ALIS admin consent granted 2026-06-03 (resolved AADSTS65001); caregiver device allow-list CA policy staged (report-only); open ticket #32370 (eFax + scanner onsite); no Inky in tenant; #32383 bill.com/BOK email delivery — chris.knight issue resolved externally 2026-06-04 (sender-side; bill.com support call still pending) | 2026-06-04 |
+| [Cascades of Tucson](clients/cascades-tucson.md) | Prepaid block $175/hr, 15.75 hrs remaining; senior living; active domain migration + HIPAA compliance project; single DC on aging R610 hardware; ALIS admin consent granted 2026-06-03 (resolved AADSTS65001); caregiver device allow-list CA policy staged (report-only); open ticket #32370 (eFax + scanner onsite); no Inky in tenant; #32383 bill.com/BOK email delivery — chris.knight issue resolved externally 2026-06-04 (sender-side; bill.com support call still pending); 2026-06-05: NURSESTATION-PC SpecialAccounts\UserList hide fixed (localadmin=0 removed); sysadmin@ GA password vaulted; voice MFA scoped group created (304f941e) | 2026-06-05 |
 | [Dataforth Corporation](clients/dataforth.md) | Prepaid block ~$2,099/mo, 34.5 hrs remaining; signal conditioning manufacturer; 64 DOS test stations; 2025 crypto attack recovery + incomplete restore (files dropped across shares — migration-gap audit in progress); 2026-03-27 phishing incident + MFA rollout; active test datasheet pipeline project; Neptune Exchange colocated at D2; 2026-06-04 SP1366 file recovery (19/20 PDFs restored from HGHAUBNER pre-attack backup); GuruRMM fleet 13→45 agents; 2026-06-02 Syncro asset reconciliation (78→20 keep/21 flag/28 remove/9 verify); fleet-wide Syncro agent break ~2025-10-06; Bitdefender phase-off in progress | 2026-06-04 |
 | [Instrumental Music Center](clients/instrumental-music-center.md) | Prepaid block $175/hr, 12.5 hrs remaining; music retail/repair; AIMsi POS on SQL Server 2019; phantom DC causing slow logons; GuruRMM enrolled (IMC1) | 2026-05-24 |
 | [Valley Wide Plastering](clients/valleywide.md) | Prepaid block, 10 hrs remaining; plastering/stucco contractor; HP DL360 Gen10 + XenServer; VB6 app modernization project; RDWeb brute-force incident; 11 Yealink phones pending | 2026-05-24 |