From e2028fe6f8a0e9e4a95a4a6182d833ed544a430b Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Wed, 22 Apr 2026 05:38:27 -0700 Subject: [PATCH] session log: Intune enrollment check, sync/Howard messages, Cloudflare DNS toggle, profile migration fixes Co-Authored-By: Claude Sonnet 4.6 --- session-logs/2026-04-22-session.md | 138 +++++++++++++++++++++++++++++ 1 file changed, 138 insertions(+) create mode 100644 session-logs/2026-04-22-session.md diff --git a/session-logs/2026-04-22-session.md b/session-logs/2026-04-22-session.md new file mode 100644 index 0000000..bfaa8ac --- /dev/null +++ b/session-logs/2026-04-22-session.md 
@@ -0,0 +1,138 @@ +# Session Log: 2026-04-22 + +## User +- **User:** Mike Swanson (mike) +- **Machine:** DESKTOP-0O8A1RL +- **Role:** admin + +## Summary + +General session covering Intune enrollment verification (local + 365 side), sync with cross-user messages, Cloudflare DNS toggle for Gitea, git safe.directory fixes from profile migration, and a statusline revert. + +--- + +## Work Done + +### 1. Profile Migration Fallout + +Mike had manually moved his Windows profile. Two immediate issues discovered and resolved: + +- **git safe.directory errors** — Both `D:/claudetools` and `D:/vault` were owned by the old local `guru` account but running as `AzureAD/MikeSwanson`. Fixed: + ```bash + git config --global --add safe.directory D:/claudetools + git config --global --add safe.directory D:/vault + ``` +- **Tailscale was off** — caused 172.16.3.20:3000 to be unreachable during initial sync attempt. Re-enabled mid-session. + +--- + +### 2. Intune Enrollment Check — DESKTOP-0O8A1RL + +#### Local (dsregcmd) +- AzureAdJoined: YES +- DomainJoined: NO +- Tenant: Computer Guru (ce61461e-81a0-4c84-bb4a-7b354a9a356d) +- MDM managed: YES (`DisplayNameUpdated: Managed by MDM`) +- Registry: EnrollmentType 6 (MDM/Intune) + EnrollmentType 26 (Microsoft Device Management), both under `mike@azcomputerguru.com`, state = active + +#### From 365 Side (remediation tool — investigator tier) + +Intune managed device record (`d4dff7c5-4091-480c-93c1-daa3bb0b06b4`): + +| Field | Value | +|---|---| +| managementState | managed | +| complianceState | **noncompliant** | +| enrolledDateTime | 2026-04-22T03:27:05Z (today) | +| lastSyncDateTime | 2026-04-22T03:53:57Z | +| complianceGracePeriodExpiration | 2026-04-22T03:28:14Z (expired) | +| deviceEnrollmentType | windowsAzureADJoin | +| isEncrypted | true | +| userPrincipalName | mike@azcomputerguru.com | +| managedDeviceOwnerType | company | +| model | Lenovo 83F5 | +| serialNumber | PF5JRQ7L | +| azureADDeviceId | 
e0ac49e1-5d3b-4e6e-8615-c36f19a731aa | +| managementCertExpires | 2027-04-20 | + +Entra device: `isCompliant: false`, `isManaged: true`, `trustType: AzureAd` + +**Noncompliance assessment:** Fresh enrollment (same day as profile migration). Grace period expired 1 min post-enrollment. Likely needs 1-2 more sync cycles to settle — not a policy violation. Compliance policy detail endpoint (`deviceCompliancePolicyStates`) requires `DeviceManagementConfiguration.Read.All` which is not in the Security Investigator manifest. + +**Action item:** Add `DeviceManagementConfiguration.Read.All` to the ComputerGuru Security Investigator app (bfbc12a4-f0dd-4e12-b06d-997e7271e10c) in Entra → API permissions → grant admin consent. + +--- + +### 3. Sync — Howard's Messages + +Pulled 2 commits from remote: +- `a5dfdbc` Howard Enos — sync: auto-sync from HOWARD-HOME at 2026-04-21 21:39:06 +- `e644ca8` Mike Swanson — docs: message Howard about new intune-manager remediation tier + +**Howard's items in for-mike.md:** + +1. **Syncro labor rates** — Howard used $175/hr for `26118 Labor - Onsite Business` on ticket #32179 (High Tech Mortgage, Rich Young, onsite power outlet, 0.5 hr). Asked Mike to confirm rates for remote/onsite/after-hours/travel. + - **Response sent:** "Look in Syncro for rates, I don't know them off hand." + +2. **intune-manager vault file missing** — Howard's vault was at `4226ec6`, missing 2 commits that added the SOPS file: + - `ebdd711` feat: add ComputerGuru Intune Manager app credentials + - `1c837ba` fix: re-encrypt intune-manager vault entry with correct SOPS config + - **Response sent:** Pull the vault repo — file is there, just 2 commits ahead of his copy. + +Replies written to `.claude/messages/for-howard.md`, for-mike.md items cleared. + +--- + +### 4. Cloudflare DNS — git.azcomputerguru.com + +Toggled `git.azcomputerguru.com` from proxied (orange cloud) to DNS-only (grey cloud) so git push over HTTPS works without Cloudflare challenge interception. 
+ +- Record ID: `4dd5d5bb76d1d3bb36e3f987baf57c57` +- Type: A → 72.194.62.10 +- proxied: true → **false** +- API token used: `DRRGkHS33pxAUjQfRDzDeVPtt6wwUU6FwtXqOzNj` (full DNS) +- Zone ID: `1beb9917c22b54be32e5215df2c227ce` + +**Note:** Git pushes now use `https://git.azcomputerguru.com` directly. The sync.sh script uses the internal Gitea URL `http://172.16.3.20:3000` with the API token as credential (password has `#` which breaks URL embedding; use token instead). + +Gitea API token: `9b1da4b79a38ef782268341d25a4b6880572063f` +Gitea user: `azcomputerguru` +Internal Gitea URL: `http://172.16.3.20:3000` + +--- + +### 5. Statusline Revert + +The "toggle git to grey cloud" request was misinterpreted as a Claude Code statusline request. The statusline-setup agent ran and added to `C:/Users/guru/.claude/settings.json`: + +```json +"statusLine": { + "type": "command", + "command": "bash /c/Users/guru/.claude/statusline-command.sh" +} +``` + +This changed the display layout. Removed the `statusLine` block from settings.json. Script file `C:/Users/guru/.claude/statusline-command.sh` remains on disk but is no longer referenced. 
+ +--- + +## Infrastructure References + +| Resource | Value | +|---|---| +| Gitea internal | http://172.16.3.20:3000 | +| Gitea external | https://git.azcomputerguru.com (now DNS-only) | +| Gitea API token | 9b1da4b79a38ef782268341d25a4b6880572063f | +| Cloudflare zone (azcomputerguru.com) | 1beb9917c22b54be32e5215df2c227ce | +| Intune tenant | ce61461e-81a0-4c84-bb4a-7b354a9a356d | +| Intune device ID | d4dff7c5-4091-480c-93c1-daa3bb0b06b4 | + +--- + +## Pending / Follow-Up + +- [ ] Add `DeviceManagementConfiguration.Read.All` to Security Investigator app in Entra (manual, portal only) +- [ ] Monitor DESKTOP-0O8A1RL compliance state — should resolve to `compliant` after a sync cycle or two +- [ ] Howard needs to `git pull` in his vault repo to get the intune-manager SOPS file +- [ ] Consider updating `sync.sh` to use internal Gitea URL + API token by default (avoids Cloudflare push failures) +- [ ] `statusline-command.sh` still sitting in `C:/Users/guru/.claude/` — delete if cleanup desired
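Review bot: the new session log commits live credentials into the repository. Section 4 records the Cloudflare token verbatim (`API token used: ... (full DNS)`) together with the zone and record IDs, and the Gitea API token appears both under section 4 (`Gitea API token: ...`) and again in the Infrastructure References table. A token that reaches a remote that another user pulls from should be treated as disclosed once pushed, so the fix is twofold: rotate both tokens, and strip the values from the log, leaving a pointer to the SOPS-encrypted vault entry that the log itself describes as the place for app credentials (see the intune-manager vault item in section 3). Related point in the Pending list: the suggestion to make `sync.sh` embed the Gitea API token as a URL credential by default moves the same secret into shell history and process listings; a git credential helper or an environment variable read at run time avoids that. Finally, the statusline section leaves `statusline-command.sh` on disk while unreferenced; the log already flags it, so either delete it in this change or keep the follow-up item, but the summary line should not describe the revert as complete while the script remains.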