# Peaceful Spirit — IKEv2 Pre-Login VPN: Machine Cert Enrollment Prep

- **Date:** 2026-05-11
- **Client:** Peaceful Spirit (Country Club site)
- **Ticket scope:** Pre-login IKEv2 VPN for Mara — machine certificate auth path

## User

- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin
- **Session span:** Continuation of 2026-05-10 session

---

## Session Summary

The session resumed from a prior effort to enable pre-login IKEv2 VPN for Mara on three machines (MaraHomeNew, Maras-HP-Laptop, PST-SURFACE), which had been blocked by error 812. The PST-SERVER CA was confirmed to be trusted and correctly configured, but the Machine certificate template did not grant the AutoEnroll right to the Domain Computers group, and every attempt to add it returned "Access is denied". Multiple attempts to correct this failed due to access restrictions, incorrect credentials, and tool limitations, until a PowerShell script run as sysadmin successfully added the AutoEnroll right.

Despite this, certificate enrollment on the client machines still failed: enrollment needs the PST-SERVER DCOM endpoint, which the remote machines cannot reach without the IKEv2 VPN. The NPS policy was confirmed to allow PEAP and MSCHAPv2 for the WseRemoteAccessUsers group, and the existing OpenVPN configuration on MaraHomeNew was identified as a potential workaround for reaching PST-SERVER. The user agreed to update the OpenVPN config on MaraHomeNew to connect to the Country Club site (UCG at 98.190.129.150), which would give the machine access to the internal network for certificate enrollment. The session was interrupted before the enrollment was completed.

---

## Key Decisions

- Used a PowerShell script (fix_acl.ps1) run as sysadmin via scheduled task to grant AutoEnroll rights to Domain Computers — direct ADSI from SYSTEM context failed ("Access is denied"), and dsacls failed to resolve both the name and the GUID format on Server 2016.
- Identified domain admin credentials as sysadmin / r3tr0gradE99! (not pst-admin, which is a domain user but not domain admin).
- Determined that the cert enrollment failure was due to the remote machines having no route to PST-SERVER DCOM (192.168.0.2) — not a permissions problem after the ACL fix, but a network path problem.
- Chose OpenVPN as the bootstrap path to get MaraHomeNew onto the office LAN for cert enrollment, rather than attempting manual cert generation on PST-SERVER and PFX transfer (which would require non-standard key handling).
- NPS confirmed functional: the order-1 policy allows PEAP (0x19) and MSCHAPv2 (0x1a), has a WseRemoteAccessUsers group condition, Ignore-User-Dialin-Properties=TRUE and Allow-Dial-In=TRUE — no NPS policy changes needed.

---

## Problems Encountered

- **AutoEnroll permission denied on Machine template**: SYSTEM context (PST-SERVER$ machine account, in Domain Controllers group), ADSI and dsacls all failed to write the ACL. Resolved by writing a PS script to disk via RMM, then registering a scheduled task to run it as sysadmin (domain admin). The script ran successfully and the ACL was confirmed via a secondary sysadmin-context query.
- **dsacls doesn't resolve the Certificate-AutoEnrollment name or GUID on Server 2016**: Both the `Certificate-AutoEnrollment` string and the `{a2a8902a-...}` GUID returned "No GUID Found." Resolved by using a PowerShell ActiveDirectoryAccessRule with the GUID directly, run as domain admin.
- **certutil -autoenroll not available on Windows 10/11 clients**: Only exists on Server. Switched to certreq/Get-Certificate approaches.
- **certreq and Get-Certificate failed on all 3 Mara machines**: `CERTSRV_E_PROPERTY_EMPTY` / "no default enrollment policy server." Root cause: the machines are remote and cannot reach PST-SERVER (192.168.0.2) via DCOM — the Certificate Enrollment Policy Web Service is not installed on PST-SERVER, so enrollment falls back to DCOM, which requires LAN access.
- **Catch-22**: Need a machine cert to establish the IKEv2 VPN, but need the IKEv2 VPN (or another LAN path) to enroll the machine cert from the domain CA.
  Resolution path: use OpenVPN to reach the office LAN first.
- **pst-admin vs sysadmin**: The first several ACL attempts used the wrong credentials (pst-admin / 24Hearts$). User corrected — domain admin is sysadmin / r3tr0gradE99!.

---

## Configuration Changes

### PST-SERVER (via RMM — persisted in AD)

- Modified certificate template ACL: added the AutoEnroll extended right (GUID a2a8902a-4010-11d1-a7b0-0060b0576642) for Domain Computers (SID S-1-5-21-1105246401-3156558273-4088333098-515) on the Machine/Computer template in `CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=PEACEFULSPIRIT,DC=local`
- Method: scheduled task as sysadmin running `C:\ProgramData\fix_acl.ps1` (temp file, can be deleted)
- Wrote and left temporary files: `C:\ProgramData\fix_acl.ps1`, `C:\ProgramData\acl_result.txt`, `C:\ProgramData\verify_acl.ps1`, `C:\ProgramData\acl_verify.txt` — safe to delete

### Mara Machines (already deployed in previous session, unchanged this session)

- AllUserConnection VPN profile "Peaceful Spirit VPN" on MaraHomeNew, Maras-HP-Laptop, PST-SURFACE
- TunnelType: IKEv2, Auth: EAP, AllUserConnection: True, SplitTunneling: True
- Server: 98.190.129.150
- EAP XML: needs verification (XML object rendering issue prevented reading the type value)

### Not Changed

- NPS policies on PST-SERVER: no changes this session; PST-VPN-Test was already deleted
- UCG: no changes
- VPN profiles on Mara machines: no changes

---

## Credentials & Secrets

| Item | Value |
|------|-------|
| PST-SERVER domain admin | PEACEFULSPIRIT\sysadmin / r3tr0gradE99! |
| PST-SERVER SSH | sysadmin / r3tr0gradE99! |
| VPN credential | PEACEFULSPIRIT\pst-admin / 24Hearts$ (domain user, in WseRemoteAccessUsers) |
| UCG SSH key | ~/.ssh/pst-cc-ucg / password: Gptf*77ttb123!@# |
| VPN PSK (L2TP) | z5zkNBds2V9eIkdey09Zm6Khil3DAZs8 |
| NPS RADIUS shared secret | PST-RADIUS-UCG-2026!@# |
| pst-admin (domain user) | 24Hearts$ |
| OpenVPN config user on MaraHomeNew | `C:\Users\PeacefulSpiritMassag\OpenVPN\config\PST-NW-VPN-Windows\PST-NW-VPN-auth.txt` (creds unknown) |

Note: pst-admin is NOT domain admin. sysadmin is domain admin.

Vault paths:

- `clients/peaceful-spirit/server.sops.yaml` — PST-SERVER, UCG details
- `clients/peaceful-spirit/vpn.sops.yaml` — VPN credentials, PSK, network

---

## Infrastructure & Servers

| Component | Value |
|-----------|-------|
| PST-SERVER IP (LAN) | 192.168.0.2 |
| PST-SERVER OS | Windows Server 2016 Essentials (build 14393) |
| PST-SERVER domain | PEACEFULSPIRIT.local |
| PST-SERVER roles | AD DS, DNS, RRAS (VPN server), NPS, Enterprise Root CA |
| CA name | PEACEFULSPIRIT-PST-SERVER-CA |
| CA thumbprint | 56DAF43C60F246BF2C80A671EE9812C727D8C298 (valid 3/8/2061) |
| PST-SERVER machine cert | DB71981ABE4CBA1DE96FEEEAF178F6259663B543 (CN=PST-SERVER.PEACEFULSPIRIT.local, valid 5/9/2027) |
| UCG-PST-CC WAN IP | 98.190.129.150 |
| UCG VPN endpoint | UDP 500/4500 → forwarded to 192.168.0.2 (PST-SERVER RRAS) |
| PST network | 192.168.0.0/24 |
| GuruRMM client | Peaceful Spirit (00015eae-50e5-4102-93fa-ab0fdb135c08) |
| GuruRMM site | Country Club (7b32983d-982a-4a5c-af07-45a23453f589) |
| PST-SERVER agent ID | 6b6106a7-8515-4b6b-857d-0dc6ede53f35 |
| MaraHomeNew agent ID | c778b6a3-c646-4454-a065-8c8bdcb1578e |
| Maras-HP-Laptop agent ID | 13cb3629-5043-4bd6-b977-6968eeccf804 |
| PST-SURFACE agent ID | 4a993b61-59b3-42f4-bdb5-d4362941f7d6 |
| Domain Computers SID | S-1-5-21-1105246401-3156558273-4088333098-515 |
| WseRemoteAccessUsers SID | S-1-5-21-1105246401-3156558273-4088333098-1113 |

### CA / Machine Cert State on Mara Machines

| Machine | CA in Trusted Root | Machine Cert in LocalMachine\My |
|---------|-------------------|--------------------------------|
| MaraHomeNew | YES (56DAF43C) | No |
| Maras-HP-Laptop | Not checked | No |
| PST-SURFACE | Not checked | No |

### OpenVPN on Mara Machines

| Machine | Status | Config Location |
|---------|--------|----------------|
| MaraHomeNew | Not running | `C:\Users\PeacefulSpiritMassag\OpenVPN\config\PST-NW-VPN-Windows\PST-NW-VPN-Windows.ovpn` (remote 64.139.88.249:1194 TCP, NW site) |
| Maras-HP-Laptop | OpenVPN Connect running (4 processes) | No config in standard paths |
| PST-SURFACE | OpenVPN Connect running (4 processes) | No config in standard paths |

---

## Commands & Outputs

### Grant AutoEnroll to Domain Computers on Machine template (PST-SERVER via sysadmin scheduled task)

```powershell
# Script written to C:\ProgramData\fix_acl.ps1, run as PEACEFULSPIRIT\sysadmin
# Domain Computers SID and the Certificate-AutoEnrollment extended-right GUID
$sid  = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1105246401-3156558273-4088333098-515")
$guid = [Guid]"a2a8902a-4010-11d1-a7b0-0060b0576642"
# Allow ACE scoped to that single extended right, no inheritance
$ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, "ExtendedRight", "Allow", $guid, "None")
# Bind to the Machine template object in the Configuration partition and append the ACE
$t    = [ADSI]"LDAP://CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=PEACEFULSPIRIT,DC=local"
$acl  = $t.psbase.ObjectSecurity
$acl.AddAccessRule($ace)
$t.psbase.CommitChanges()
```

Result: "SUCCESS" — confirmed via ACL query: `PEACEFULSPIRIT\Domain Computers | Allow` on the AutoEnroll GUID.

### NPS Order-1 Policy (from netsh nps show np)

```
Name = {502F03DC-1EC9-49A9-811A-99BA53619319}
Processing order = 1
Policy source = 2 (Windows Server Solutions)
Condition0 = 0x1fb5 "S-1-5-21-1105246401-3156558273-4088333098-1113" (WseRemoteAccessUsers)
Ignore-User-Dialin-Properties = TRUE
NP-Allow-Dial-in = TRUE
NP-Allowed-EAP-Type = "19000000..." (PEAP type 25) + "1a000000..."
  (MSCHAPv2 type 26)
NP-Authentication-Type = 0x3, 0x9, 0x4, 0xa, 0x5
```

### OpenVPN config on MaraHomeNew

```
client
dev tun
proto tcp
# remote is the NW site, NOT CC
remote 64.139.88.249 1194
auth-user-pass PST-NW-VPN-auth.txt
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
key-direction 1
redirect-gateway def1
```

Mike will replace this with a config pointing to the CC site (UCG 98.190.129.150:1194) to enable LAN access for cert enrollment.

### Certificate enrollment failures on Mara machines

```
certutil -autoenroll
  → CertUtil: Unknown arg: -autoenroll (not available on Win10/11)

certreq -enroll -machine -q Machine
  → Template not found + CERTSRV_E_PROPERTY_EMPTY

Get-Certificate -Template Machine
  → CX509PolicyServerUrl::_GetStringProperty: CERTSRV_E_PROPERTY_EMPTY
    (no enrollment policy server; DCOM unreachable from remote)
```

---

## Pending / Incomplete Tasks

| Task | Status | Notes |
|------|--------|-------|
| Place CC OpenVPN config on MaraHomeNew | **PENDING (Mike)** | Mike will add a config pointing to 98.190.129.150:1194 (UCG at CC). Auth-user-pass with credentials file, or cert-based. Need to replace PST-NW-VPN-auth.txt with CC site credentials. |
| Connect MaraHomeNew via OpenVPN to CC | **PENDING** | Once the CC config is in place, trigger `openvpn --config ...` via RMM (or manually). Verify route to 192.168.0.2. |
| Enroll machine cert on MaraHomeNew via certreq | **PENDING** | Once on office LAN: `certreq -enroll -machine -q -config "PST-SERVER.PEACEFULSPIRIT.local\PEACEFULSPIRIT-PST-SERVER-CA" Machine` |
| Verify machine cert enrolls correctly | **PENDING** | Check Cert:\LocalMachine\My for CN=MaraHomeNew.PEACEFULSPIRIT.local from PEACEFULSPIRIT-PST-SERVER-CA |
| Enroll machine certs on Maras-HP-Laptop and PST-SURFACE | **PENDING** | Same process once MaraHomeNew is confirmed working. HP and Surface also have OpenVPN Connect installed. |
| Configure RRAS to accept machine cert auth for IKEv2 | **PENDING** | May need additional RRAS config after certs are enrolled; verify whether the current config auto-detects machine certs |
| Update Mara machines' VPN profiles to MachineCertificate auth | **PENDING** | Change AuthenticationMethod from Eap to MachineCertificate; remove EAP XML |
| Test pre-login VPN connection on MaraHomeNew | **PENDING** | After machine cert enrolled and VPN profile updated |
| Verify EAP XML type in current "Peaceful Spirit VPN" profile | **PENDING** | Get-VpnConnection returned an XmlElement object instead of a string; need to verify type 25 vs 26 |
| Identify Mara's OpenVPN Connect profile source on HP and Surface | **PENDING** | OpenVPN Connect running but no .ovpn files found in standard paths — check ConnectHandler user data or registry |
| Clean up temp files on PST-SERVER | **PENDING** | `C:\ProgramData\fix_acl.ps1`, `acl_result.txt`, `verify_acl.ps1`, `acl_verify.txt` — safe to delete |
| Confirm PST-VPN-Test NPS policy is gone | **DONE** | Not listed in netsh nps show np output |
| Grant AutoEnroll on Machine template for Domain Computers | **DONE** | ACL write confirmed via sysadmin-context query |

---

## Reference Information

- GuruRMM API: `https://rmm.azcomputerguru.com/api/`
- PST-SERVER agent: `https://rmm.azcomputerguru.com/api/agents/6b6106a7-8515-4b6b-857d-0dc6ede53f35`
- MaraHomeNew agent: `https://rmm.azcomputerguru.com/api/agents/c778b6a3-c646-4454-a065-8c8bdcb1578e`
- Maras-HP-Laptop agent: `https://rmm.azcomputerguru.com/api/agents/13cb3629-5043-4bd6-b977-6968eeccf804`
- PST-SURFACE agent: `https://rmm.azcomputerguru.com/api/agents/4a993b61-59b3-42f4-bdb5-d4362941f7d6`
- Peaceful Spirit client in RMM: ID `00015eae-50e5-4102-93fa-ab0fdb135c08`
- Country Club site in RMM: ID `7b32983d-982a-4a5c-af07-45a23453f589`
- Certificate AutoEnroll GUID: `a2a8902a-4010-11d1-a7b0-0060b0576642`
- Certificate Enroll GUID: `0e10c968-78fb-11d2-90d4-00c04f79dc55`
- Vault: `clients/peaceful-spirit/server.sops.yaml`, `clients/peaceful-spirit/vpn.sops.yaml`
- Prior session log: `clients/peaceful-spirit/session-logs/2026-05-10-session.md`
- MaraHomeNew OpenVPN config: `C:\Users\PeacefulSpiritMassag\OpenVPN\config\PST-NW-VPN-Windows\PST-NW-VPN-Windows.ovpn`

---

## Update: 15:07 PT — Machine cert auth working on MaraHomeNew; HP/Surface PFXs generated

## User

- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin
- **Session span:** Continuation of 2026-05-11 session (afternoon)

## Session Summary

The session began by resuming from a prior troubleshooting effort where MaraHomeNew had "IKE authentication credentials are unacceptable" after switching to MachineCertificate auth. The installed cert (bf2b2482) had the correct EKUs but the wrong identity: Subject and SAN both showed CN=PST-SERVER.PEACEFULSPIRIT.local, because the Machine template was configured to build the Subject from the submitting machine's AD identity (msPKI-Certificate-Name-Flag=0x18000000) and PST-SERVER had submitted the CSR in the prior session. The template was corrected by setting msPKI-Certificate-Name-Flag to 0x1 (ENROLLEE_SUPPLIES_SUBJECT). The wrong cert was deleted, a new CSR was generated on MaraHomeNew with the correct Subject and SAN, transferred via SCP over OpenVPN to PST-SERVER for local CA submission, and the resulting cert (D067E07B) was accepted on MaraHomeNew.

With the correct cert installed, rasdial still returned the same error. Get-VpnAuthProtocol on PST-SERVER revealed that UserAuthProtocolAccepted only contained EAP and MsChapv2 — Certificate was not listed. Set-VpnAuthProtocol was used to add Certificate, RemoteAccess was restarted, and rasdial "Peaceful Spirit VPN" succeeded.

Win32-OpenSSH was installed on PST-SERVER during this session, enabling direct SSH access from DESKTOP-0O8A1RL via OpenVPN. SSH key auth was configured using the existing id_ed25519 key; the administrators_authorized_keys file required SYSTEM+Administrators-only permissions — the presence of an Authenticated Users ACE caused key auth to fail silently. SSH access is now working and was used for all subsequent PST-SERVER administration.

To onboard Maras-HP-Laptop and PST-SURFACE without requiring an OpenVPN bootstrap on each machine, a PFX-based cert deployment workflow was designed: generate exportable certs on PST-SERVER centrally, export them as password-protected PFX, and deploy to each machine with Import-PfxCertificate + Add-VpnConnection. The gen_certs.ps1 script ran successfully after a fix (MachineKeySet=FALSE was used initially and caused a template context conflict; corrected to MachineKeySet=TRUE). PFXs for both machines were generated and SCP'd to DESKTOP-0O8A1RL.

## Key Decisions

- Changed msPKI-Certificate-Name-Flag from 0x18000000 to 0x1 (ENROLLEE_SUPPLIES_SUBJECT): the prior value caused the CA to build Subject/SAN from the submitting machine's AD DNS identity rather than from the CSR content. This is a domain-wide template change; acceptable for this environment.
- Used SCP over OpenVPN for CSR/cert transfer (MaraHomeNew → PST-SERVER → MaraHomeNew) rather than the RMM base64 method — SSH now installed on PST-SERVER made this viable and faster.
- "Certificate" is the correct enum value for Set-VpnAuthProtocol, not "MachineCertificate" — confirmed via the PowerShell ValidateSet error. Valid values: EAP, Certificate, MsChapv2, Chap, PAP, PreSharedKey.
- PFX-based onboarding for HP and Surface: generates the private key on PST-SERVER with Exportable=TRUE. Less ideal from a key hygiene standpoint, but it eliminates the need for each machine to have an OpenVPN bootstrap path before cert enrollment.
- MachineKeySet=TRUE is required in the certreq INF when the template is the Machine template: MachineKeySet=FALSE causes the "User context template conflicts with machine context" rejection at certreq -submit.
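The PFX-based onboarding decided on above, as an added example: this is not the session's gen_certs.ps1 (whose contents the log does not record) but a reconstruction of the same steps from what the log does record (INF with MachineKeySet=TRUE and Exportable=TRUE, certreq -new / -submit / -accept against the local CA, Export-PfxCertificate). Assumed: it runs in an elevated PowerShell as PEACEFULSPIRIT\sysadmin on PST-SERVER, the CA config string and Machine template are the ones from this log, the PFX password is prompted for rather than hard-coded, and the script name New-MachinePfx.ps1 is hypothetical. Deleting the server-side copy of each issued cert after export is an addition of mine, not something the session did.

```powershell
# Added example, not the session's gen_certs.ps1: request a Machine-template cert for a remote
# computer on PST-SERVER and export it as a password-protected PFX for deployment.
# Assumes: elevated PowerShell as PEACEFULSPIRIT\sysadmin on PST-SERVER, the Machine template
# already has msPKI-Certificate-Name-Flag = 0x1 (enrollee supplies subject), and the CA issues
# the template immediately (as it did in this session). Hypothetical file name: New-MachinePfx.ps1
param(
    [Parameter(Mandatory)][string[]]$ComputerName,   # e.g. Maras-HP-Laptop, PST-SURFACE
    [string]$DnsSuffix = 'PEACEFULSPIRIT.local',
    [string]$CaConfig  = 'PST-SERVER.PEACEFULSPIRIT.local\PEACEFULSPIRIT-PST-SERVER-CA',
    [string]$WorkDir   = 'C:\ProgramData'
)

# Prompted, not hard-coded: the PFX password is the only thing protecting the private key in transit.
$pfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString

function Invoke-CertReq {
    # Wrapper so a failing certreq stops the script instead of leaving an empty .cer behind
    param([string[]]$Arguments)
    $out = & certreq.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certreq $($Arguments -join ' ') failed ($LASTEXITCODE): $out" }
    $out
}

foreach ($name in $ComputerName) {
    $fqdn = "$name.$DnsSuffix"
    $inf  = Join-Path $WorkDir "$name.inf"
    $req  = Join-Path $WorkDir "$name.req"
    $cer  = Join-Path $WorkDir "$name.cer"
    $pfx  = Join-Path $WorkDir "$name.pfx"

    # MachineKeySet=TRUE is mandatory: the Machine template is machine-context and certreq -submit
    # rejects a user-context request against it ("User context template conflicts with machine
    # context"). Exportable=TRUE is what makes the PFX possible and is the key-hygiene trade-off
    # noted in the decisions. The SAN extension carries the DNS name IKEv2 matches, not just the CN.
    @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"

[RequestAttributes]
CertificateTemplate = Machine
"@ | Set-Content -Path $inf -Encoding ASCII

    Invoke-CertReq -Arguments @('-new', $inf, $req) | Out-Null
    Invoke-CertReq -Arguments @('-submit', '-config', $CaConfig, $req, $cer) | Out-Null
    Invoke-CertReq -Arguments @('-accept', '-machine', $cer) | Out-Null

    # Pick the cert just accepted (newest with this subject and a private key) from the machine store
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with private key for $fqdn in LocalMachine\My" }

    Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$($cert.Thumbprint)" -FilePath $pfx `
        -Password $pfxPassword | Out-Null

    # Addition beyond what the session did: once exported, the server does not need to keep a
    # second usable copy of this machine's identity. Delete the cert together with its private key.
    Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -DeleteKey
    Remove-Item -Path $inf, $req, $cer -Force

    [pscustomobject]@{ Computer = $name; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter; Pfx = $pfx }
}
```

Usage: `.\New-MachinePfx.ps1 -ComputerName Maras-HP-Laptop, PST-SURFACE` produces one PFX per machine in C:\ProgramData, ready for the Import-PfxCertificate + Add-VpnConnection deployment recorded in the Commands section. The PFX is the only artifact that should leave PST-SERVER; the password travels separately from the file.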
## Problems Encountered

- **Wrong cert Subject/SAN (CN=PST-SERVER instead of MaraHomeNew)**: Machine template msPKI-Certificate-Name-Flag=0x18000000 caused the CA to use the submitting machine's identity. Fixed by setting the flag to 0x1 and reissuing the cert.
- **IKE authentication failure persisted after correct cert**: RRAS UserAuthProtocolAccepted did not include Certificate. Fixed via Set-VpnAuthProtocol + Restart-Service RemoteAccess.
- **RMM polling was reading the wrong field**: Commands were completing with output, but the code was checking the "output" field; the actual output is in "stdout". Fixed once the full JSON response was inspected.
- **Win32-OpenSSH key auth silently failing**: administrators_authorized_keys had an Authenticated Users:(RX) ACE, which Win32-OpenSSH rejects as insecure. Fixed via icacls /inheritance:r, removing the user ACEs.
- **PFX cert generation — MachineKeySet=FALSE conflicts with Machine template**: certreq -submit returned "User context template conflicts with machine context." Fixed by changing the INF to MachineKeySet=TRUE and checking Cert:\LocalMachine\My instead of CurrentUser\My.
- **SCP path format with Win32-OpenSSH**: Windows-style paths (`C:\ProgramData\file`) failed; the Unix-style form (`/C:/ProgramData/file`) is required by the Win32-OpenSSH sftp-server.
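The "Win32-OpenSSH key auth silently failing" item above, turned into a repeatable check, as an added example that is not from the session: it verifies that administrators_authorized_keys carries only the principals Win32-OpenSSH accepts and, with `-Repair`, applies the same icacls /inheritance:r fix the session used. Assumed: the file path from this log, and that the function name Test-AdminAuthorizedKeysAcl is hypothetical.

```powershell
# Added example (not from the session): check that administrators_authorized_keys carries only
# the principals Win32-OpenSSH accepts, and optionally repair it the way the session did
# (icacls /inheritance:r). sshd ignores the file silently when any other principal has an ACE,
# so the client only ever sees "Permission denied (publickey)". Function name is hypothetical.
function Test-AdminAuthorizedKeysAcl {
    param(
        [string]$Path = 'C:\ProgramData\ssh\administrators_authorized_keys',
        [switch]$Repair
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

    # Win32-OpenSSH's rule: the owner and every ACE must be SYSTEM or BUILTIN\Administrators.
    $allowed  = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $acl      = Get-Acl -LiteralPath $Path
    $problems = [System.Collections.Generic.List[string]]::new()

    if ($allowed -notcontains $acl.Owner) {
        $problems.Add("owner is $($acl.Owner)")
    }
    foreach ($ace in $acl.Access) {
        if ($allowed -notcontains $ace.IdentityReference.Value) {
            $kind = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            $problems.Add("$($ace.IdentityReference) has $($ace.FileSystemRights) ($kind)")
        }
    }

    if ($problems.Count -eq 0) { return $true }
    $problems | ForEach-Object { Write-Warning "$Path : $_" }
    if (-not $Repair) { return $false }

    # Same repair as on PST-SERVER: strip inheritance (dropping inherited ACEs such as
    # Authenticated Users from C:\ProgramData), then grant only the two allowed principals.
    & icacls.exe $Path /inheritance:r /grant 'SYSTEM:F' 'BUILTIN\Administrators:F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    # Explicit ACEs survive /inheritance:r; remove any that are still not allowed.
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($allowed -notcontains $ace.IdentityReference.Value) {
            & icacls.exe $Path /remove $ace.IdentityReference.Value | Out-Null
        }
    }
    & icacls.exe $Path /setowner 'BUILTIN\Administrators' | Out-Null
    return (Test-AdminAuthorizedKeysAcl -Path $Path)
}

# Usage on PST-SERVER (elevated): report only; add -Repair to fix in place.
Test-AdminAuthorizedKeysAcl
# Test-AdminAuthorizedKeysAcl -Repair
```

Run this after every edit of the file: appending a key with an editor or `Add-Content` can re-create the inherited ACE problem on a fresh file. Because the client never sees the reason, the server-side OpenSSH/Operational event log is the place to confirm whether sshd rejected the file rather than the key.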
---

## Configuration Changes

### PST-SERVER

- `msPKI-Certificate-Name-Flag` on Machine cert template: `0x18000000` → `0x1` (ENROLLEE_SUPPLIES_SUBJECT)
  - LDAP path: `CN=Machine,CN=Certificate Templates,...,DC=PEACEFULSPIRIT,DC=local`
- Win32-OpenSSH installed at `C:\Program Files\OpenSSH\OpenSSH-Win64\`; sshd service Automatic/Running; firewall TCP 22 inbound allow
- `C:\ProgramData\ssh\administrators_authorized_keys`: acg-admin@pst-cc-ucg key (pre-existing) + guru@DESKTOP-0O8A1RL; permissions SYSTEM:(F) BUILTIN\Administrators:(F) only
- RRAS UserAuthProtocolAccepted: added Certificate (was EAP, MsChapv2 only); RemoteAccess restarted
- Certs issued: Maras-HP-Laptop (RequestId 66, thumbprint 4CADDE8F940FC3EEFC37919B6A4541A913801296) and PST-SURFACE (RequestId 67, thumbprint 197FF22A97F26EF19DECF9E752B1B88C7E7ED42E)
- PFX files: `C:\ProgramData\Maras-HP-Laptop.pfx`, `C:\ProgramData\PST-SURFACE.pfx` (password: PstVpn2026!)
- Temp files (safe to delete): gen_certs.ps1, diag_out.txt, Maras-HP-Laptop.{inf,req,cer,pfx}, PST-SURFACE.{inf,req,cer,pfx}, machine2.req/cer

### MaraHomeNew

- Wrong cert bf2b2482 (CN=PST-SERVER) removed from Cert:\LocalMachine\My
- New cert installed: thumbprint D067E07B4A670AF5C6DE27250EB533B06F28FD6A, CN=MaraHomeNew.PEACEFULSPIRIT.local, SAN DNS=MaraHomeNew.PEACEFULSPIRIT.local, valid to 5/10/2027
- "Peaceful Spirit VPN" AllUserConnection: AuthenticationMethod MachineCertificate, confirmed working via rasdial

### DESKTOP-0O8A1RL

- ~/.ssh/known_hosts: stale 192.168.0.2 entries cleared; new ED25519 host key for PST-SERVER accepted

---

## Credentials & Secrets

| Item | Value |
|------|-------|
| PST-SERVER SSH | sysadmin@192.168.0.2, key: ~/.ssh/id_ed25519 (DESKTOP-0O8A1RL) |
| PST-SERVER domain admin | PEACEFULSPIRIT\sysadmin / r3tr0gradE99! |
| PFX password (HP + Surface) | PstVpn2026! |
| VPN credential | PEACEFULSPIRIT\pst-admin / 24Hearts$ |
| UCG SSH key | ~/.ssh/pst-cc-ucg / Gptf*77ttb123!@# |

---

## Infrastructure & Servers

| Component | Value |
|-----------|-------|
| PST-SERVER SSH | port 22, key auth from DESKTOP-0O8A1RL (requires OpenVPN to PST-CC active) |
| PST-SERVER OpenSSH path | C:\Program Files\OpenSSH\OpenSSH-Win64\ |
| Machine template NameFlag | 0x1 (ENROLLEE_SUPPLIES_SUBJECT) — changed this session |
| RRAS UserAuthProtocolAccepted | EAP, MsChapv2, Certificate |
| MaraHomeNew cert | D067E07B (CN=MaraHomeNew.PEACEFULSPIRIT.local, to 5/10/2027) |
| Maras-HP-Laptop cert | 4CADDE8F (CA RequestId 66) — PFX on PST-SERVER + local Temp |
| PST-SURFACE cert | 197FF22A (CA RequestId 67) — PFX on PST-SERVER + local Temp |
| PFX local copies | C:\Users\guru\AppData\Local\Temp\Maras-HP-Laptop.pfx, PST-SURFACE.pfx |

---

## Commands & Outputs

### Fix Machine template Subject Name source (PST-SERVER as sysadmin)

```powershell
# Bind to the Machine template object in the Configuration partition
$t = [ADSI]"LDAP://CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=PEACEFULSPIRIT,DC=local"
# 0x1 = ENROLLEE_SUPPLIES_SUBJECT: the CA takes Subject/SAN from the CSR instead of
# the submitting machine's AD identity (previous value 0x18000000)
$t.Properties["msPKI-Certificate-Name-Flag"].Value = 1
$t.CommitChanges()
# Reading the attribute back returns 1 — confirmed
```

### Reissue cert for MaraHomeNew

```powershell
# On MaraHomeNew: build the CSR from the INF (Subject/SAN = MaraHomeNew) and copy it to
# PST-SERVER over OpenVPN; Win32-OpenSSH needs the /C:/... path form on the remote side
certreq -new C:\Windows\Temp\machine2.inf C:\Windows\Temp\machine2.req
scp C:\Windows\Temp\machine2.req sysadmin@192.168.0.2:/C:/ProgramData/machine2.req

# On PST-SERVER: submit the request to the local CA
certreq -submit -config "PST-SERVER.PEACEFULSPIRIT.local\PEACEFULSPIRIT-PST-SERVER-CA" C:\ProgramData\machine2.req C:\ProgramData\machine2.cer

# Back on MaraHomeNew: fetch the issued cert and bind it to the pending request's key
scp sysadmin@192.168.0.2:/C:/ProgramData/machine2.cer C:\Windows\Temp\machine2.cer
certreq -accept C:\Windows\Temp\machine2.cer
# Result: D067E07B4A670AF5C6DE27250EB533B06F28FD6A
```

### Add Certificate to RRAS auth (PST-SERVER via SSH)

```powershell
# RRAS only accepted EAP and MsChapv2; IKEv2 machine-cert auth needs "Certificate" in the list
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP, MsChapv2, Certificate
Restart-Service RemoteAccess
# Valid enum: EAP, Certificate, MsChapv2,
#   Chap, PAP, PreSharedKey
```

### VPN test result

```
rasdial "Peaceful Spirit VPN"
Connecting to Peaceful Spirit VPN...
[SUCCESS]
```

### Win32-OpenSSH install on PST-SERVER

```powershell
# Register the sshd service from the extracted OpenSSH-Win64 folder, start it, and open TCP 22
& "C:\Program Files\OpenSSH\OpenSSH-Win64\install-sshd.ps1"
Start-Service sshd; Set-Service sshd -StartupType Automatic
netsh advfirewall firewall add rule name="OpenSSH" dir=in action=allow protocol=TCP localport=22
```

### SSH from DESKTOP-0O8A1RL (requires OpenVPN active)

```bash
ssh -i ~/.ssh/id_ed25519 sysadmin@192.168.0.2
```

### PFX deployment command (target machine, run as admin)

```powershell
# Import the machine cert + private key into the machine store, then create the
# all-user IKEv2 profile that authenticates with it
Import-PfxCertificate -FilePath .\MachineName.pfx -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString "PstVpn2026!" -AsPlainText -Force)
Add-VpnConnection -Name "Peaceful Spirit VPN" -ServerAddress "98.190.129.150" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -AllUserConnection -SplitTunneling -Force
```

---

## Pending / Incomplete Tasks

| Task | Status | Notes |
|------|--------|-------|
| Deploy cert + VPN to Maras-HP-Laptop via RMM | **PENDING** | PFX at C:\Users\guru\AppData\Local\Temp\Maras-HP-Laptop.pfx. RMM agent: 13cb3629 |
| Deploy cert + VPN to PST-SURFACE via RMM | **PENDING** | PFX at C:\Users\guru\AppData\Local\Temp\PST-SURFACE.pfx. RMM agent: 4a993b61 |
| Test pre-login VPN on all 3 machines | **PENDING** | MaraHomeNew rasdial confirmed. HP and Surface pending cert deployment. |
| Test VPN at Windows login screen (pre-login) | **PENDING** | rasdial works in user session. Need to verify AllUserConnection triggers at logon screen. |
| Clean up temp files on PST-SERVER | **PENDING** | C:\ProgramData\: `fix_acl.ps1, acl_result.txt, verify_acl.ps1, gen_certs.ps1, *.inf, *.req, *.cer, *.pfx, diag_out.txt` |
| Remove TEMP firewall rules on PST-SERVER | **PENDING** | TEMP-CertEnroll-RPC (TCP 135) and TEMP-CertEnroll-DCOM (TCP 49152-65535) from prior session |
| Identify OpenVPN Connect profiles on HP/Surface | **PENDING** | OpenVPN Connect running (4 procs each) but no .ovpn files in standard paths |

---

## Reference Information

- PST-SERVER SSH: `ssh -i ~/.ssh/id_ed25519 sysadmin@192.168.0.2` (OpenVPN to PST-CC required)
- PFX deploy one-liner: Import-PfxCertificate + Add-VpnConnection (see Commands section)
- RMM agents: MaraHomeNew c778b6a3, Maras-HP-Laptop 13cb3629, PST-SURFACE 4a993b61, PST-SERVER 6b6106a7
- SCP to/from PST-SERVER: use the `/C:/path/to/file` format (not `C:\`)
- gen_certs.ps1 at C:\ProgramData\gen_certs.ps1 on PST-SERVER — reusable for future machines
- Machine template NameFlag reference: ENROLLEE_SUPPLIES_SUBJECT = 0x1; prior value 0x18000000 (DNS_AS_CN | ALT_REQUIRE_DNS)

---

## Update: 18:18 PT — OneDrive KFM shell folder deep fix

## User

- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin
- **Session span:** 2026-05-11 afternoon continuation

## Session Summary

Troubleshooting of the OneDrive KFM "Capabilities: 0x101" error for user pst-admin on Maras-HP-Laptop resumed. The user provided a screenshot showing three GUID entries in `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders` still pointing to `\\PST-SERVER`. These GUIDs were not covered by the prior fix scripts, which only targeted the standard KF GUIDs. A new script, fix_remaining_folders.ps1, was written and deployed to update the three GUIDs to local userprofile paths, clear the remaining FolderRedirectionPolicyValue markers, and remove the Folder Redirection CSE history from Group Policy\History. The user ran the script, but the error remained.
A full registry diagnostic via the GuruRMM API was initiated against the HP, accessing pst-admin's hive via `HKU\S-1-5-21-1105246401-3156558273-4088333098-1118`. The diagnostic revealed two WSE-specific non-standard GUID entries in User Shell Folders still pointing to the server, and a stale Shell Folders resolved cache that still showed all of the original `\\PST-SERVER` paths for every redirected folder. The Shell Folders key is what the shell and OneDrive actually read at runtime; it had not been rebuilt because pst-admin had not logged off and on since the prior fix ran.

A second script, hp_final_fix.ps1, was deployed via RMM running as SYSTEM against the HKU hive. It corrected the two non-standard WSE GUIDs in User Shell Folders and directly updated all 10 server-pointing Shell Folders entries to local `C:\Users\pst-admin\...` paths. Verification confirmed zero remaining `\\PST-SERVER` entries in either key. The fix is complete in the registry; pst-admin must log off and back on for the live session to reflect the corrected state.

## Key Decisions

- Targeted the WSE non-standard GUIDs after discovering they differ from the standard KF GUIDs: WSE wrote its own GUID variants alongside the standard ones, and the prior scripts only addressed the standard GUIDs.
- Deployed the final fix via RMM as SYSTEM against the HKU hive: this allows both User Shell Folders and Shell Folders to be corrected in one pass regardless of what pst-admin was doing.
- Directly updated Shell Folders (the resolved cache) in addition to User Shell Folders: the cache had not been rebuilt at logon because the prior fixes ran while pst-admin was still logged in; direct correction ensures the fix is visible immediately after the next logoff/on.
- Used the /api/auth/login endpoint instead of a raw JWT: raw HS256 JWT generation returned 401 despite the correct secret; the session token from the login endpoint worked.

## Problems Encountered

- **fix_remaining_folders.ps1 did not resolve the error**: The script ran and cleared the markers/CSE history, but the error remained. Root cause: a stale Shell Folders resolved cache and two additional WSE-specific GUIDs not targeted by the script.
- **JWT auth returning 401**: A raw HS256 JWT (manually constructed) was rejected by the RMM API despite the correct secret and algorithm. Resolved by using /api/auth/login with admin credentials to obtain a session token.
- **Wrong RMM result endpoint**: The initial poll used /api/agents/{id}/command/{cmdId} (404). Correct endpoint: /api/commands/{cmdId}.
- **ConvertTo-Json nesting the PS script body**: A PowerShell hashtable caused ConvertTo-Json to emit a nested map; the API expected a plain string for the `command` field. Resolved by using py to JSON-encode the script file.
- **WSE non-standard GUIDs**: The WSE GPO wrote two non-standard GUID variants in User Shell Folders alongside the standard KF GUIDs. Standard: {4C5C32FF-BB9D-4518-B176-DEC04FF96F7E} / {BFB9D5E0-C6A9-4D9F-9667-1F64AD761B0C}. WSE variants: {4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4} / {BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}. Both sets had to be fixed.
- **Shell Folders not rebuilt at logon**: The cache still contained server paths after User Shell Folders was fixed, because pst-admin had not logged off/on since the prior fix. Resolved by directly updating Shell Folders via RMM.

## Configuration Changes

### Maras-HP-Laptop (pst-admin HKCU, applied via SYSTEM/HKU)

- `HKCU\...\Explorer\User Shell Folders`:
  - `{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}` set to `C:\Users\pst-admin\Saved Games` (was `\\PST-SERVER\...SavedGames`)
  - `{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}` set to `C:\Users\pst-admin\Links` (was `\\PST-SERVER\...Links`)
  - fix_remaining_folders.ps1 earlier fixed: {4C5C32FF-BB9D-4518-B176-DEC04FF96F7E}, {56784854-C6CB-462B-8169-88E350ACB882}, {BFB9D5E0-C6A9-4D9F-9667-1F64AD761B0C}
- `HKCU\...\Explorer\Shell Folders`: 10 entries corrected from `\\PST-SERVER` to `C:\Users\pst-admin\...` (Desktop, Personal, My Pictures, My Video, My Music, Favorites, {374DE290}/Downloads, {56784854}/Contacts, {BFB9D5E0-404C}/Links, {4C5C32FF-43B0}/SavedGames)

### Scripts written (DESKTOP-0O8A1RL)

- `C:\Users\guru\Desktop\fix_remaining_folders.ps1` — 3 standard GUIDs + CSE cleanup
- `C:\Users\guru\AppData\Local\Temp\hp_reg_diag.ps1` — diagnostic via RMM/HKU
- `C:\Users\guru\AppData\Local\Temp\hp_final_fix.ps1` — 2 WSE GUIDs + Shell Folders

## Credentials & Secrets

| Item | Value |
|------|-------|
| GuruRMM API login | claude-api@azcomputerguru.com / ClaudeAPI2026!@# |
| GuruRMM JWT secret | ZNzGxghru2XUdBVlaf2G2L1YUBVcl5xH0lr/Gpf/QmE= (vault: infrastructure/gururmm-server.sops.yaml) |
| pst-admin password | SpiritWalk26! (update vault) |

## Infrastructure & Servers

| Component | Value |
|-----------|-------|
| GuruRMM API external | https://rmm.azcomputerguru.com |
| GuruRMM API internal | http://172.16.3.30:3001 |
| RMM auth endpoint | POST /api/auth/login |
| RMM command submit | POST /api/agents/{uuid}/command |
| RMM command result | GET /api/commands/{cmdId} |
| HP RMM agent UUID | 13cb3629-5043-4bd6-b977-6968eeccf804 |
| pst-admin SID | S-1-5-21-1105246401-3156558273-4088333098-1118 |

## Commands & Outputs

### RMM auth + command submit (correct pattern)

```powershell
# Session token from the login endpoint (a hand-built HS256 JWT was rejected with 401)
$auth = Invoke-RestMethod -Uri "https://rmm.azcomputerguru.com/api/auth/login" -Method POST -ContentType "application/json" -Body (@{ email = "claude-api@azcomputerguru.com"; password = "ClaudeAPI2026!@#" } | ConvertTo-Json)
$token = $auth.token
# Target agent UUID (Maras-HP-Laptop here)
$agent = "13cb3629-5043-4bd6-b977-6968eeccf804"
# JSON-encode the script with Python: ConvertTo-Json would nest the body, but the API wants a plain string in "command"
$payload = py -c "import json; print(json.dumps({'command_type':'powershell','command':open(r'C:\path\to\script.ps1',encoding='utf-8').read()}))"
$resp = Invoke-RestMethod -Uri "https://rmm.azcomputerguru.com/api/agents/$agent/command" -Method POST -Headers @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" } -Body $payload
# Poll result: GET /api/commands/{cmdId} — output is in the .stdout field, not .output
```

### hp_final_fix.ps1 verification output
``` === Verification: any remaining server paths? === === Done - pst-admin must log off and back on === # (no lines output = zero remaining server paths confirmed) ``` ## Pending / Incomplete Tasks | Task | Status | Notes | |------|--------|-------| | Test OneDrive KFM after pst-admin logoff/on | **PENDING** | Registry fully clean; logoff/on required to rebuild live session Shell Folders | | Update vault with pst-admin new password | **PENDING** | SpiritWalk26! | | Deploy cert + VPN to Maras-HP-Laptop via RMM | **PENDING** | PFX: C:\Users\guru\AppData\Local\Temp\Maras-HP-Laptop.pfx; agent 13cb3629-5043-4bd6-b977-6968eeccf804 | | Deploy cert + VPN to PST-SURFACE via RMM | **PENDING** | PFX: C:\Users\guru\AppData\Local\Temp\PST-SURFACE.pfx; agent 4a993b61-59b3-42f4-bdb5-d4362941f7d6 | | Test pre-login VPN at Windows logon screen | **PENDING** | rasdial confirmed in user session only | | Browser default (http/https) for pst-admin | **PENDING** | Must click "Make Chrome default" in Chrome once | | Clean up PST-SERVER temp files | **PENDING** | C:\ProgramData\: gen_certs.ps1, *.inf, *.req, *.cer, *.pfx, misc .ps1s | | Remove TEMP firewall rules on PST-SERVER | **PENDING** | TEMP-CertEnroll-RPC (TCP 135), TEMP-CertEnroll-DCOM (TCP 49152-65535) | ## Reference Information - WSE non-standard GUIDs vs standard KF GUIDs: - SavedGames — WSE: {4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4} | Standard: {4C5C32FF-BB9D-4518-B176-DEC04FF96F7E} - Links — WSE: {BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968} | Standard: {BFB9D5E0-C6A9-4D9F-9667-1F64AD761B0C} - Shell Folders (HKCU\...\Explorer\Shell Folders) = resolved runtime cache; User Shell Folders = template. Both must be clean for OneDrive KFM. 
- All _FolderRedirectionPolicyValue_* markers: NONE confirmed
- Folder Redirection CSE history ({25537BA6}): NONE confirmed
- OneDrive HKCU/HKLM policies: NONE
- DisablePersonalDirChange: NOT SET

---

## Update: 19:11 PT — Root cause: SHSetKnownFolderPath flags bug

## User

- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin
- **Session span:** 2026-05-11 evening continuation

## Session Summary

After reboot, a post-reboot registry diagnostic via RMM confirmed that the User Shell Folders (USF) and Shell Folders (SF) registry entries all held local paths, with no redirection markers or CSE history, indicating a clean registry state. Despite this, the Location tab for Documents, Desktop, and Pictures remained greyed, prompting further investigation. A OneDrive-specific diagnostic confirmed no policies were set in HKLM or HKCU, and OneDrive was using a personal account with valid registry entries. However, attempts to read the ClientPolicy.ini files via PowerShell hung because OneDrive held an exclusive lock on them. A profile type check confirmed the pst-admin profile was local, eliminating roaming profile reapplication as a potential cause. Further checks of desktop.ini files, CLSID overrides, ntuser.pol, and FolderDescriptions found no redirection markers or anomalous settings.

The root cause was identified: prior scripts had been calling `SHSetKnownFolderPath` with `flags=0x4000` (KF_FLAG_DONT_VERIFY), which is only valid for the GET call. Per MSDN, `SHSetKnownFolderPath` requires `flags=0` (reserved). All SET calls across all prior script iterations had been returning `0x80070057 (E_INVALIDARG)` silently, so the shell's internal Known Folder state was never updated. The registry was correct from our direct HKU edits, but the shell's in-process known folder infrastructure still showed the folders as policy-managed. A corrected script, `reset_kf_final.ps1`, was written with `flags=0` for SHSetKnownFolderPath.
When run in pst-admin's session context, it will properly update the shell's Known Folder state, which is what controls both the Location tab editability and OneDrive's KFM eligibility check.

## Key Decisions

- Eliminated roaming profile as cause by checking `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\{SID}` — `ProfileImagePath=C:\Users\pst-admin`, `Flags=0`, confirming local profile.
- Investigated ClientPolicy.ini lock rather than assuming it contained a blocking entry — the file was inaccessible due to OneDrive holding an exclusive lock; HKLM/HKCU OneDrive policy paths confirmed NONE.
- Identified the correct diagnostic gap: all prior SHSetKnownFolderPath calls failed silently with E_INVALIDARG due to invalid flags=0x4000; the registry workaround (HKU direct writes) was correct for data but bypassed the shell API layer that maintains known folder state.
- Chose to write a new script (`reset_kf_final.ps1`) rather than patch existing ones, ensuring the API call is correct before the next pst-admin session.

## Problems Encountered

- **ClientPolicy.ini reads hung**: Get-Content and FileShare.ReadWrite both blocked because OneDrive held an exclusive lock on the settings .ini files. Deferred; HKLM/HKCU policy paths confirmed NONE, so lock contents were not blocking KFM from the policy path.
- **Location tab still greyed post-reboot despite clean registry**: Root cause: `SHSetKnownFolderPath` was called with `flags=0x4000` in every prior script iteration. The SET function rejects any non-zero flags with E_INVALIDARG, so the shell never updated its internal known folder state. Our direct HKU registry writes were correct for the data layer, but the shell's known folder infrastructure reads its own internal state (not just the registry) to determine policy-management status.
- **RMM commands hanging on file reads**: Several diagnostic scripts hung when attempting to read OneDrive settings files or use `SHGetKnownFolderPath` P/Invoke from SYSTEM context. Mitigated by isolating commands to simple registry reads and cmd-based file access; P/Invoke shell API calls from SYSTEM context are not safe.

## Configuration Changes

### Scripts written (DESKTOP-0O8A1RL)

- `C:\Users\guru\Desktop\reset_kf_final.ps1` — corrected SHSetKnownFolderPath with flags=0; run as pst-admin to update shell Known Folder state

### No registry changes this segment

Registry was confirmed clean from previous segment. No further writes made.

## Credentials & Secrets

No new credentials this segment.

## Infrastructure & Servers

| Component | Value |
|-----------|-------|
| HP RMM agent UUID | 13cb3629-5043-4bd6-b977-6968eeccf804 |
| pst-admin SID | S-1-5-21-1105246401-3156558273-4088333098-1118 |
| pst-admin profile type | LOCAL (C:\Users\pst-admin, Flags=0, not roaming) |
| OneDrive account | Personal — mara.concordia@gmail.com (cid: 25f0851177ceabfd) |
| OneDrive version | 26.070.0414.0001 |

## Commands & Outputs

### Post-reboot registry state (confirmed clean via RMM)

```
USF server paths: NONE - all local
SF server paths: NONE - all local
FolderRedirectionPolicyValue markers: NONE
CSE history (25537BA6): NONE
OneDrive HKCU/HKLM policies: NONE
```

### SHSetKnownFolderPath bug — prior vs corrected

```powershell
# WRONG (all prior scripts) — flags=0x4000 is GET-only, causes E_INVALIDARG on SET
$hr = [KFHelper]::SHSetKnownFolderPath([ref]$guid, [uint32]0x4000, [IntPtr]::Zero, $path)
# Result: HRESULT=0x80070057 (E_INVALIDARG) for every folder

# CORRECT (reset_kf_final.ps1)
$hr = [KFHelper2]::SHSetKnownFolderPath([ref]$guid, 0, [IntPtr]::Zero, $path)
# flags MUST be 0 per MSDN ("reserved, must be 0")
```

### pst-admin profile check

```
ProfileImagePath : C:\Users\pst-admin
Flags : 0
FullProfile : 1
State : 0
# No CentralProfile, no UNC path → confirmed LOCAL profile
```
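The corrected SET call carried through as a complete script, added here as an example (this is not the session's `reset_kf_final.ps1`): it wraps both shell calls, fails loudly on E_INVALIDARG instead of silently, and reads the path back through SHGetKnownFolderPath so the shell's own state is verified rather than the registry. The class and function names are mine; the three full FOLDERID GUIDs are the standard Windows Known Folder IDs and the example assumes it is run non-elevated in the target user's session.

```powershell
# Added example, not reset_kf_final.ps1. Run in the user's session (never SYSTEM: the
# shell P/Invoke hangs there). Assumes standard FOLDERID_* GUIDs for Documents/Desktop/Pictures.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class KnownFolderApi {
    [DllImport("shell32.dll", CharSet = CharSet.Unicode)]
    public static extern int SHSetKnownFolderPath(ref Guid rfid, uint dwFlags, IntPtr hToken, string pszPath);
    [DllImport("shell32.dll")]
    public static extern int SHGetKnownFolderPath(ref Guid rfid, uint dwFlags, IntPtr hToken, out IntPtr ppszPath);
}
"@

$KF_FLAG_DONT_VERIFY = [uint32]0x4000   # legitimate for GET only
$E_INVALIDARG        = 0x80070057

function Get-KnownFolderPathRaw([Guid]$FolderId) {
    $rfid = $FolderId; $ptr = [IntPtr]::Zero
    # DONT_VERIFY: return the stored path even if the directory does not exist yet
    $hr = [KnownFolderApi]::SHGetKnownFolderPath([ref]$rfid, $KF_FLAG_DONT_VERIFY, [IntPtr]::Zero, [ref]$ptr)
    if ($hr -ne 0) { throw [System.Runtime.InteropServices.Marshal]::GetExceptionForHR($hr) }
    try     { [System.Runtime.InteropServices.Marshal]::PtrToStringUni($ptr) }
    finally { [System.Runtime.InteropServices.Marshal]::FreeCoTaskMem($ptr) }
}

function Set-KnownFolderPathChecked([Guid]$FolderId, [string]$Path, [uint32]$Flags = 0) {
    $rfid = $FolderId
    $hr = [KnownFolderApi]::SHSetKnownFolderPath([ref]$rfid, $Flags, [IntPtr]::Zero, $Path)
    if (($hr -band 0xFFFFFFFF) -eq $E_INVALIDARG) {
        # The silent failure mode of the earlier scripts, made visible
        throw ("SHSetKnownFolderPath rejected dwFlags=0x{0:X} with E_INVALIDARG; dwFlags must be 0" -f $Flags)
    }
    if ($hr -ne 0) { throw [System.Runtime.InteropServices.Marshal]::GetExceptionForHR($hr) }
    # Verify through the shell API, not the registry: this is the state the Location tab reads
    $actual = Get-KnownFolderPathRaw $FolderId
    if ($actual -ne $Path) { throw "Shell reports '$actual' after SET, expected '$Path'" }
    return $actual
}

$folders = @{                                        # standard Known Folder IDs
    '{FDD39AD0-238F-46AF-ADB4-6C85480369C7}' = "$env:USERPROFILE\Documents"
    '{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}' = "$env:USERPROFILE\Desktop"
    '{33E28130-4E1E-4676-835A-98395C3BC3BB}' = "$env:USERPROFILE\Pictures"
}
foreach ($id in $folders.Keys) {
    $set = Set-KnownFolderPathChecked -FolderId $id -Path $folders[$id] -Flags 0
    Write-Host "OK $id -> $set"
}
```

Passing `-Flags 0x4000` to `Set-KnownFolderPathChecked` reproduces the original bug as a thrown error, which is how the scripts should have surfaced it instead of returning an HRESULT nobody checked.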
### Desktop.ini checks

```
Documents\desktop.ini : NOT FOUND
Desktop\desktop.ini : NOT FOUND
Pictures\desktop.ini : standard ShellClassInfo/icon entries only — no redirection markers
ntuser.pol : NOT FOUND
CLSID overrides (HKCU) for Documents/Desktop/Pictures: none
```

## Pending / Incomplete Tasks

| Task | Status | Notes |
|------|--------|-------|
| Run reset_kf_final.ps1 as pst-admin + logoff/on | **PENDING** | Script at C:\Users\guru\Desktop\reset_kf_final.ps1; must run non-elevated as pst-admin |
| Test OneDrive KFM after reset_kf_final + logoff/on | **PENDING** | If SET calls return OK, Location tab should unlock and KFM should work |
| Update vault with pst-admin new password | **PENDING** | SpiritWalk26! |
| Deploy cert + VPN to Maras-HP-Laptop via RMM | **PENDING** | PFX: C:\Users\guru\AppData\Local\Temp\Maras-HP-Laptop.pfx; agent 13cb3629-5043-4bd6-b977-6968eeccf804 |
| Deploy cert + VPN to PST-SURFACE via RMM | **PENDING** | PFX: C:\Users\guru\AppData\Local\Temp\PST-SURFACE.pfx; agent 4a993b61-59b3-42f4-bdb5-d4362941f7d6 |
| Test pre-login VPN at Windows logon screen | **PENDING** | |
| Browser default (http/https) for pst-admin | **PENDING** | Must click "Make Chrome default" in Chrome once |
| Clean up PST-SERVER temp files | **PENDING** | C:\ProgramData\: gen_certs.ps1, *.inf, *.req, *.cer, *.pfx, misc .ps1s |
| Remove TEMP firewall rules on PST-SERVER | **PENDING** | TEMP-CertEnroll-RPC (TCP 135), TEMP-CertEnroll-DCOM (TCP 49152-65535) |

## Reference Information

- MSDN: SHSetKnownFolderPath — dwFlags is reserved, must be 0. flags=0x4000 (KF_FLAG_DONT_VERIFY) is only valid for SHGetKnownFolderPath.
- Known Folder GUIDs used in reset_kf_final.ps1: Documents FDD39AD0, Desktop B4BFCC3A, Pictures 33E28130, Music 4BD8D571, Videos 18989B1D, Downloads 374DE290, Favorites 1777F761, Links BFB9D5E0, Contacts 56784854
- OneDrive settings path: C:\Users\pst-admin\AppData\Local\Microsoft\OneDrive\settings\Personal\ — ClientPolicy.ini locked by OneDrive process; use FileShare.ReadWrite or robocopy /B if needed
- RMM result endpoint: GET /api/commands/{cmdId} (not /api/agents/{id}/command/{cmdId})
- SHGetKnownFolderPath / SHSetKnownFolderPath P/Invoke hangs when called from SYSTEM context — only use in user-context scripts