# CS-SERVER Pre-flight Verification — POST-REBOOT (2026-04-22)

**Reboot completed:** 2026-04-22 18:29 MST (per Last Boot time in readiness check)

**Verification run:** 2026-04-22 18:54 MST (via GuruRMM agent, exit code 0)

**Result file:** `reports/2026-04-22-cs-server-entra-readiness-post-reboot.md`

## Verdict: Ready for Entra Connect install

All three pre-install items applied successfully and survived the reboot.

### 1. Time sync — FIXED

| Before | After |
|---|---|
| `Source: Free-running System Clock` | `Source: time.nist.gov,0x8` |
| `ReferenceId: 0x4C4F434C (LOCL)` | `ReferenceId: 0x84A36103 (source IP: 132.163.97.3)` |
| Stratum: 1 (local clock) | Stratum: 2 (secondary reference, NTP-synced) |
| Last sync: 21 hours ago | Last sync: 0 minutes ago |
| 0 peers active | 3 peers active (pool.ntp.org, time.windows.com, time.nist.gov) |

### 2. TLS 1.2 enforcement — FIXED

| Setting | Before | After |
|---|---|---|
| `.NET SchUseStrongCrypto (64-bit)` | 1 | 1 |
| `.NET SchUseStrongCrypto (32-bit)` | (unset) | **1** |
| `.NET SystemDefaultTlsVersions (64)` | (unset) | **1** |
| `.NET SystemDefaultTlsVersions (32)` | (unset) | **1** |
| SCHANNEL TLS 1.0 Client | (OS default) | **Enabled=0, DisabledByDefault=1** |
| SCHANNEL TLS 1.1 Client | (OS default) | **Enabled=0, DisabledByDefault=1** |
| SCHANNEL TLS 1.2 Client | (OS default) | **Enabled=1, DisabledByDefault=0** |
| SCHANNEL TLS 1.0 Server | (OS default) | **Enabled=0, DisabledByDefault=1** |
| SCHANNEL TLS 1.1 Server | (OS default) | **Enabled=0, DisabledByDefault=1** |
| SCHANNEL TLS 1.2 Server | (OS default) | **Enabled=1, DisabledByDefault=0** |

### 3. Windows Server Backup — INSTALLED

| Before | After |
|---|---|
| Windows-Server-Backup: Available (not installed) | **Windows-Server-Backup: Installed** |

## Other observations

- **Uptime:** 0 days (fresh reboot at 18:29 MST)
- **PowerShell:** 5.1.17763.8641 (minor patch bump from 5.1.17763.8510 — Windows Updates applied during reboot)
- **RAM usage:** 7.9 GB / 47.9 GB (16%) — down from 12.8 GB before reboot, caches clean
- **CPU:** 22% at moment of check — elevated vs pre-reboot but within normal boot settling range
- **DC health dcdiag:** Connectivity / Advertising / Services / FsmoCheck all **PASS**
- **Microsoft sync endpoints:** all 7 still reachable on HTTPS 443
- **QuickBooksDB34 service:** now Running (was Stopped pre-reboot — QB auto-started)

## Event log noise (not blockers)

Post-reboot noise is expected and benign. 19 System errors / 15 Application errors in last 24h, top sources:

| Source | Count | Nature |
|---|---:|---|
| Hyper-V-VmSwitch | 6 | VM startup ordering |
| VSS | 6 | QuickBooks VSS writer reconnecting |
| Service Control Manager | 4 | Service start dependency ordering |
| Schannel | 4 | TLS reconnect post-reboot (consistent with the TLS changes) |
| Security-SPP | 4 | Windows activation checks |
| DistributedCOM | 3 | Normal service-start race |
| .NET Runtime | 2 | App process restart errors |
| TPM-WMI | 2 | Benign on non-TPM hardware |
| Perflib | 2 | Counter registration |
| Firefox agent | 1 | Noise |

None critical, no AD-related errors, no sync-impacting items.

## Next step

Entra Connect install can proceed at your next maintenance window. The build-up state is:

- [x] Wave 0 HIPAA items — most still pending (M365 BAA sign, ALIS BAA, risk analysis, etc.) — see `docs/security/hipaa-review-2026-04-22.md`
- [x] **Wave 0.5 CS-SERVER readiness — DONE**
- [ ] Install Microsoft Entra Connect on CS-SERVER (staging-mode first)
- [ ] Apply Wave 0.5 AD cleanup (renames, UPN suffix add, former-employee deletes) per rollout plan §7
- [ ] Convert M365 role-based accounts to shared mailboxes (frees 11 licenses, clean identity targets)
- [ ] Exit staging + enable sync

The TLS reboot also fulfils an independent HIPAA hygiene fix for the whole tenant (per `docs/security/hipaa.md` gap tracking). Net benefit beyond Entra Connect prep.
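
The "After" column of the TLS 1.2 enforcement table can be re-checked at any later point (for example right before the Entra Connect install) with a script like the following. This is an added example, not the script behind the report; it assumes the `.NET` rows refer to the `v4.0.30319` registry key, which the report does not name.

```powershell
# Added example: compare the registry against the "After" column of section 2.
# Assumption: the .NET rows map to the v4.0.30319 key (path not stated in the report).
$net64    = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$net32    = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Build the expected baseline: 4 .NET values plus 12 SCHANNEL values.
$expected = @(
    foreach ($path in $net64, $net32) {
        foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            [pscustomobject]@{ Path = $path; Name = $name; Want = 1 }
        }
    }
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $on = [int]($proto -eq 'TLS 1.2')   # only TLS 1.2 stays enabled
        foreach ($role in 'Client', 'Server') {
            $key = "$schannel\$proto\$role"
            [pscustomobject]@{ Path = $key; Name = 'Enabled';           Want = $on }
            [pscustomobject]@{ Path = $key; Name = 'DisabledByDefault'; Want = 1 - $on }
        }
    }
)

$results = foreach ($item in $expected) {
    # A missing key or value means the OS default applies, so the setting
    # is not explicitly enforced and is reported as a mismatch.
    $prop   = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $prop) { $prop.($item.Name) } else { $null }
    [pscustomobject]@{
        Path   = $item.Path
        Name   = $item.Name
        Want   = $item.Want
        Actual = if ($null -eq $actual) { '(unset)' } else { $actual }
        Ok     = ($null -ne $actual) -and ([int]$actual -eq $item.Want)
    }
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Error "$($failed.Count) of $(@($results).Count) TLS settings differ from the post-reboot baseline"
    exit 1   # non-zero exit so an RMM job reports the drift
}
Write-Output "All $(@($results).Count) TLS settings match the post-reboot baseline"
```

Run it as a script from an elevated PowerShell session or an RMM job; it exits non-zero when any value is unset or differs from the table.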