sync: auto-sync from HOWARD-HOME at 2026-06-05 16:17:06

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-05 16:17:06
2026-06-05 16:17:15 -07:00
parent fc36218960
commit f5bdec125a
3 changed files with 174 additions and 2 deletions


@@ -83,9 +83,16 @@ Senior living / assisted living facility in Tucson, AZ. Single 6-floor building
### ALIS SSO
- Entra app registration -> OIDC SSO into ALIS; **tenant-wide admin consent granted** (2026-06-03). Per-user join key = **ALIS staff Email must equal the Entra UPN**. Caregivers SSO silently on phones (ALIS-native 2FA off); office users SSO with offsite MFA.
### Caregiver desktop/laptop management — Hybrid Entra Join + GPO (the chosen path)
Because per-user **Intune** never provisioned tenant-wide (`INTUNE_A = PendingInput`; no Windows device ever Intune-enrolled — MS case open), Windows caregiver devices are managed via **Hybrid Entra Join + on-prem Group Policy** instead. This needs no Intune. The CA access model is unchanged (hybrid join just gives the device an Entra object so the allow-list/deviceId still applies).
- **Hybrid join proven on NURSESTATION-PC** (2026-06-05): SCP written (`ConfigureSCP.ps1`), `OU=Caregiver Devices,OU=Staff PCs,OU=Workstations` added to Entra Connect sync scope → device synced to Entra as `trustType: ServerAd`, `dsregcmd` shows AzureAdJoined+DomainJoined YES, pilot.test gets `AzureAdPrt: YES`. On hybrid-joined machines `Ngc PreReqResult: WillNotProvision` (PolicyEnabled NO) → **Windows Hello does not auto-provision** (no Hello popup) — exactly what shared caregiver devices need, so no separate Hello-disable step.
- **Device control is one-at-a-time:** caregiver machine computer objects are moved into `OU=Caregiver Devices` (only that OU is in sync scope) and into a location group `SG-PC-MainTower` or `SG-PC-MemoryCare`. Add a device = move it into the OU + correct location group.
- **App + printer delivery GPO `CSC - Caregiver Workstation`** (User-config GPP), linked at `OU=Caregivers,OU=Departments`, security-filtered to the SG so only caregivers/medtechs apply it. **Built/tested against `SG-Caregivers-Test` (pilot.test only)** first — a true mirror of production with zero impact on the 38 real caregivers — then the filter is swapped to `SG-Caregivers` to go live. Contents: 3 desktop shortcuts (ALIS, LinkRx, Safe Living `https://app.safe-living.com/login`) + 6 `\\CS-SERVER` shared printers (NursesPrinter, HealthServices, MCMedTech, MCReception, MCDirector, CopyRoom) with **default printer by device location** (Nurses for MainTower, MC MedTech for MemoryCare, via item-level targeting on the location group, `userContext="0"`). NOTE: the domain-wide `CSC - Printer Deployment` GPO is intentionally disabled (empty CSE / version 0) and is **not** to be used — reference only.
### Status (as of 2026-06-05)
- **Proven working:** the access model — caregiver lockdown + ALIS SSO — end-to-end on a desktop (pilot.test).
- **Blocker / pivot:** device-level **Intune** policies (disable Windows Hello, idle-lock, Shared PC Mode profile-cleanup) can't deploy because the tenant's per-user Intune (`INTUNE_A`) won't provision — stuck `PendingInput` tenant-wide; no Windows device has ever Intune-enrolled (Android works via device-token, which needs no per-user Intune). Microsoft case open. **Pivot:** deliver those device settings via **Group Policy** (Hybrid Entra Join / domain join) or local policy — no Intune dependency. Caregiver access itself does NOT depend on Intune.
- **Proven working end-to-end on a hybrid-joined desktop (NURSESTATION + pilot.test):** caregiver lockdown (CA off-network block + device allow-list) **and** silent ALIS SSO. The allow-list policy `1b7fd025` carries NURSESTATION's current deviceId `d3bf931f-f128-4261-8398-b46c34a4b342` (the old Entra-joined id `e16c4af5` is stale/deleted) and the device is tagged `extensionAttribute1=CSCCaregiverDevice`.
- **In progress:** building the `CSC - Caregiver Workstation` GPO (shortcuts + printers) against the test group; then promote both the GPO filter and the CA allow-list from the test groups to `SG-Caregivers`, moving real machines in one at a time.
- **Independent open item:** Microsoft case for `INTUNE_A PendingInput` — does NOT block caregiver access (hybrid+GPO path replaces the Intune dependency).
---
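Review bot: the Status block in this hunk contradicts the Hybrid Entra Join bullet above it. The "Blocker / pivot" bullet still lists "disable Windows Hello" among the device settings waiting on Intune or GPO, while the NURSESTATION-PC bullet records `Ngc PreReqResult: WillNotProvision` and concludes that no separate Hello-disable step is needed; either drop Hello from the pending list or say which statement holds. The two "Proven working" bullets also overlap (the first on "a desktop (pilot.test)", the second on the hybrid-joined NURSESTATION) and read as the old and new versions of the same line; keeping only the hybrid-joined one would make the section consistent with the "Independent open item" bullet, which already states that the Intune case no longer blocks caregiver access. Since the allow-list policy `1b7fd025` is keyed on deviceId and the old Entra-joined id `e16c4af5` is described as stale/deleted, it would also help to record that the stale id was removed from the policy rather than left beside the new one, so the allow-list does not retain a dead entry that nobody revisits.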