claudetools/wiki/clients/lonestar-electrical.md
Howard Enos 35b227ec8e sync: auto-sync from HOWARD-HOME at 2026-06-02 17:51:53
2026-06-02 17:52:03 -07:00

type: client
name: lonestar-electrical
display_name: Lone Star Electrical Systems LLC
last_compiled: 2026-06-02
compiled_by: Howard-Home/claude-main
sources:
clients/lonestar-electrical/session-logs/2026-06-02-session.md
clients/lonestar-electrical/session-logs/2026-06-01-session.md
clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md
clients/lonestar-electrical/docs/apple-mdm-setup-reference.md
session-logs/2026-03-23-session.md
session-logs/2026-03-24-session.md
credentials.md
clients/lonestar-electrical/google-workspace.sops.yaml (vault)
temp/lonestar-russ-setup.py
temp/lonestar-kyla-reset.py
temp/lonestar-kyla-2fa-fix.py

Lone Star Electrical Systems LLC

Electrical contractor in Tucson, AZ. ACG-managed client. Distinctive in the fleet for being a Google Workspace shop (not Microsoft 365) with mobile devices managed by ManageEngine MDM (Zoho), not Intune. Field-heavy: techs use phones/tablets on job sites.


Profile

  • Company type: Electrical contractor (field service)
  • Contract type: Prepaid hour block
  • Hours remaining: 13.5 hrs as of 2026-06-02 (Syncro live — always re-check GET /customers/33809612 before billing).
  • Billing rate: (verify — check recent Syncro invoices; not captured in available sources)
  • Syncro customer ID: 33809612 (Lone Star Electrical Systems LLC)
  • Address: 3774 North Warren Avenue, Tucson, AZ
  • Managed assets (Syncro): 1 asset on record
  • Sites: Norris site (location of the LS-1 / LS-2 Win11 workstations)
  • Key contacts:
    • Robin Eneix — robine@lonestarelectrical.net (Syncro primary contact)
    • Jose R. (joser@lonestarelectrical.net) — field user; subject of the 2026-03 personal-phone MDM issue
    • sysadmin@lonestarelectrical.net — Google Workspace admin account (ACG-managed)
    • James — account compromised 2026-03-10 (Syncro #32010); [verify current name/role]
    • Kyla, Russ — GWS user accounts touched via provisioning/2FA scripts (temp/); [verify roles]
    • Main phone on file (Syncro): 520-730-3642
  • Active ticket: None open in Syncro as of 2026-06-02

Infrastructure

Email & Identity

  • Platform: Google Workspace (domain lonestarelectrical.net). NOT Microsoft 365 — the M365 remediation tool does not apply here.
  • GWS admin: sysadmin@lonestarelectrical.net
  • GWS mobile management: set to Basic (no Google-native MDM push) — device management is delegated to ManageEngine.
  • ACG management plane: Google Workspace API access via the ACG-MSP-Access (Google Workspace) service account (vault: MSP Tools). lonestarelectrical.net is an onboarded tenant. Service-account key: temp/acg-msp-access-8f72339997e5.json [verify and vault: this JSON key grants API access to every onboarded tenant, so it belongs in the vault rather than in temp/].

Mobile Device Management (MDM)

  • Platform: ManageEngine MDM (Zoho) — https://mdm.manageengine.com/webclient
  • MDM admin: mike@azcomputerguru.com (Zoho account, Super Admin)
  • Enrolled devices: 2 company tablets (named Zach and JOSE), enrolled 2025-12-04 via QR code, fully managed. These are direct enrollments and are unaffected by the Google third-party-EMM integration.

Workstations

  • LS-1, LS-2 — Windows workstations at the Norris site; both upgraded to Win11 on 2026-05-04 (Syncro #32244). Both were inherited from the previous MSP with Sophos Endpoint Protection (managed via the previous MSP's Sophos Central — no ACG access). Sophos has been fully removed from both machines as of 2026-06-02 (Syncro #32347; see Patterns for full procedure). Both enrolled in GuruRMM during the 2026-05 removal work; ScreenConnect + GuruRMM agents registered for Safe Mode (SafeBoot\Network).
    • LS-1 GuruRMM agent: 6b9617fa-5c77-40e1-8b64-a1545e730895
    • LS-2 GuruRMM agent: 97fe5582-aa3d-4132-94a6-f4c8582bca31
    • Windows Defender: active and real-time protection enabled on both as of 2026-06-02.

Unraid Server

  • Status: Running Unraid 7.1.4 as of 2026-06-02 (migrated to new USB flash drive).
  • Hostname: [verify]
  • LAN IP: [verify]
  • License type: [verify — Basic / Plus / Pro]
  • Boot device: New USB flash drive (written via Unraid USB Creator, 7.1.4). Original failed stick: label UNRAID, /dev/sda1, Generic Flash Disk 8GB — retired but kept as temporary backup until new stick confirmed stable.
  • Config: Old config/ folder (array assignments super.dat, shares, network settings, license .key) copied from the failing stick onto the new one. Disk layout and array configuration preserved; only the OS files are fresh.
  • License: Re-registered to the new USB GUID via Unraid webGUI Tools > Registration > Replace Key on 2026-06-02.
  • Root credentials: Carried over from the old config/shadow; root password is NOT yet vaulted for this client. Only ACG's own Unraid boxes are vaulted (infrastructure/jupiter-unraid-primary.sops.yaml, infrastructure/uranus-unraid.sops.yaml). [verify and vault]
  • Array/disk layout: [verify — confirm all disks landed in correct slots from copied super.dat]
  • Health check: Mike's Claude session was running a check on 2026-06-02 post-migration — results pending.

Access

  • Google Workspace admin: sysadmin@lonestarelectrical.net — vault: clients/lonestar-electrical/google-workspace.sops.yaml
  • ManageEngine MDM: mike@azcomputerguru.com (Zoho Super Admin) — https://mdm.manageengine.com/webclient
  • GWS service account (programmatic): ACG-MSP-Access (Google Workspace) (vault: MSP Tools); key file temp/acg-msp-access-8f72339997e5.json [verify and vault: key file is currently referenced from temp/, not the vault]
  • Vault root: clients/lonestar-electrical/ in vault repo
  • Unraid server: root credentials not yet vaulted [verify and vault]

Patterns & Known Issues

  • Inherited Sophos with no Central access — kernel-driver tamper-protection removal (procedure proven and COMPLETE on LS-1 and LS-2, 2026-06-02). LS-1 and LS-2 came from the previous MSP running Sophos Endpoint Protection managed via the previous MSP's Sophos Central account — ACG has no Central access, so no remote uninstall and no way to disable tamper protection from the management plane. The procedure is now proven end-to-end and reusable. Key findings from the full execution:

    • SophosZap's gate is a registry flag, not just the driver. SophosZap checks HKLM\SYSTEM\CurrentControlSet\services\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled — if this is 1, SophosZap exits with "does not run with tamper protection on" even when the kernel driver is renamed/disabled. The driver disable alone is not sufficient; SEDEnabled=0 must be set.

    • Two Sophos boot drivers — treat them differently:

      • SophosED.sys = "Sophos Endpoint Defense" (the TAMPER driver). Start=0 by default (Boot-start). Renaming or removing the file does not break boot, but on its own it does not clear SophosZap's gate (see SEDEnabled above). Correct procedure: set service Start=4 in the offline hive AND clear SEDEnabled=0. With SEDEnabled=0, SophosZap passes the tamper check and removes it cleanly.
      • SophosEL.sys = "Sophos ELAM" (Early Launch Anti-Malware). Start=0, ErrorControl=3 (CRITICAL). NEVER rename or delete this file manually. If SophosEL.sys is missing on boot, Windows drops to Automatic Repair: SrtTrail.txt root cause: "Boot critical file C:\WINDOWS\system32\DRIVERS\SophosEL.sys is corrupt." Recovery requires booting back to PE and restoring the file. SophosZap removes the ELAM driver and its service itself, the boot-safe way, after tamper protection is neutralized.
    • Offline hive editing: always read the active ControlSet first. CurrentControlSet does not exist in an offline hive. Read HKLM\OFFSYS\Select\Current to determine which numbered set is active (e.g., 0x1 = ControlSet001) before editing service entries. Editing the wrong ControlSet leaves the machine unchanged.

    • Correct offline procedure (PE):

      1. reg load HKLM\OFFSYS <OfflineDrive>:\Windows\System32\config\SYSTEM, where <OfflineDrive> is the letter the offline Windows volume received in PE (take it from the drive-letter check, normally C:). X: in WinPE is the PE RAM disk itself, so X:\Windows\System32\config\SYSTEM is the PE's own running hive, not the target install.
      2. reg query HKLM\OFFSYS\Select /v Current — note the active set number
      3. Under HKLM\OFFSYS\ControlSet00N\Services\Sophos Endpoint Defense: set Start=4; under ...\TamperProtection\Config: set SEDEnabled=0
      4. reg unload HKLM\OFFSYS
      5. Reboot to normal Windows. Do NOT rename or delete SophosEL.sys.
      6. Verify Defender is active. Run SophosZap.exe --confirm via RMM or locally. Reboot as prompted.
      7. Run SophosZap.exe --confirm a second time. Confirm: services/drivers/folders NONE, Defender RTP True.
    • PE helper script: clients/lonestar-electrical/scripts/Remove-Sophos-Offline-PE.ps1 (hardened with top-level try/catch and guaranteed Read-Host pause).

    • Reusable for any inherited-MSP Sophos/CrowdStrike/SentinelOne removal where tamper protection is enforced and the management console is inaccessible. (Related: GuruRMM SPEC-015 safeboot-network-registration aims to automate exactly this remote-Safe-Mode removal flow.)
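    • Worked illustration of the procedure above (steps 1 to 5 from PE, step 7 from normal Windows). This is an added example, not the page's Remove-Sophos-Offline-PE.ps1 and not Sophos or SophosZap code. It assumes the offline install is supplied as a path lettered from inside PE (C:\Windows by default, since X: is the PE RAM disk), that reg.exe performs every hive operation so no PowerShell registry-provider handle pins the hive at unload time, and that the service names and value paths are the ones recorded on this page. The Offline phase resolves the active ControlSet from Select\Current, refuses to touch the PE's own hive, sets Start=4 and SEDEnabled=0 on the tamper service only, and reads back the ELAM record to prove it was left alone; the Verify phase is the step-7 check.

```powershell
<#
  Added example (not the page's helper script, not Sophos/SophosZap code).
  -Phase Offline : run from WinPE against the offline install (steps 1-5).
  -Phase Verify  : run in normal Windows after the second SophosZap pass (step 7).
  Assumption: -OfflineWindows is the offline Windows folder as lettered inside PE.
#>
param(
    [Parameter(Mandatory)][ValidateSet('Offline', 'Verify')][string]$Phase,
    [string]$OfflineWindows = 'C:\Windows',   # assumption: X: is the PE RAM disk, target is C:
    [string]$HiveName = 'OFFSYS'
)

$ErrorActionPreference = 'Stop'
$SedService  = 'Sophos Endpoint Defense'   # SophosED.sys, the tamper driver: disable offline
$ElamService = 'Sophos ELAM'               # SophosEL.sys, boot-critical: never rename/delete

function Invoke-Reg {
    # reg.exe wrapper that turns a non-zero exit into a terminating error
    param([string[]]$RegArgs)
    $ErrorActionPreference = 'Continue'    # PS 5.1: stderr via 2>&1 under 'Stop' throws too early
    $out = & reg.exe @RegArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reg.exe $($RegArgs -join ' ') failed: $out" }
    $out
}

function Get-RegDword([string]$Key, [string]$Name) {
    # Parse "Name    REG_DWORD    0x1" out of reg query output
    $txt = (Invoke-Reg @('query', $Key, '/v', $Name)) -join "`n"
    $m = [regex]::Match($txt, "$([regex]::Escape($Name))\s+REG_DWORD\s+0x([0-9a-fA-F]+)")
    if (-not $m.Success) { throw "No REG_DWORD '$Name' under $Key" }
    [Convert]::ToInt32($m.Groups[1].Value, 16)
}

function Disable-SophosTamperOffline {
    $hiveFile = Join-Path $OfflineWindows 'System32\config\SYSTEM'
    if ((Split-Path -Qualifier $hiveFile) -ieq $env:SystemDrive) {
        throw "$hiveFile sits on the PE boot volume ($env:SystemDrive); point at the offline install."
    }
    if (-not (Test-Path $hiveFile)) { throw "No SYSTEM hive at $hiveFile" }

    Invoke-Reg @('load', "HKLM\$HiveName", $hiveFile) | Out-Null          # step 1
    try {
        # Step 2: CurrentControlSet does not exist offline; resolve it from Select\Current
        $cs  = 'ControlSet{0:D3}' -f (Get-RegDword "HKLM\$HiveName\Select" 'Current')
        $sed = "HKLM\$HiveName\$cs\Services\$SedService"
        Invoke-Reg @('query', $sed) | Out-Null   # key absent means wrong set or wrong hive: stop

        # Step 3: Start=4 disables the tamper driver; SEDEnabled=0 opens SophosZap's gate
        Invoke-Reg @('add', $sed, '/v', 'Start', '/t', 'REG_DWORD', '/d', '4', '/f') | Out-Null
        Invoke-Reg @('add', "$sed\TamperProtection\Config", '/v', 'SEDEnabled',
                     '/t', 'REG_DWORD', '/d', '0', '/f') | Out-Null

        # Read back, and show the ELAM record and driver file were left alone
        [pscustomobject]@{
            ControlSet   = $cs
            SedStart     = Get-RegDword $sed 'Start'                                       # expect 4
            SedEnabled   = Get-RegDword "$sed\TamperProtection\Config" 'SEDEnabled'        # expect 0
            ElamStart    = Get-RegDword "HKLM\$HiveName\$cs\Services\$ElamService" 'Start' # expect 0
            ElamDriverOK = Test-Path (Join-Path $OfflineWindows 'System32\drivers\SophosEL.sys')
        }
    }
    finally {
        Invoke-Reg @('unload', "HKLM\$HiveName") | Out-Null                  # step 4, even on error
    }
}

function Test-SophosGone {
    # Step 7, in normal Windows after the second SophosZap pass
    $svc  = @(Get-Service | Where-Object { $_.Name -like 'Sophos*' -or $_.DisplayName -like 'Sophos*' })
    $drv  = @(Get-CimInstance Win32_SystemDriver -Filter "Name LIKE 'Sophos%'")
    $sys  = @(Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter 'Sophos*.sys' -ErrorAction SilentlyContinue)
    $dirs = @(@("$env:ProgramFiles\Sophos", "${env:ProgramFiles(x86)}\Sophos", "$env:ProgramData\Sophos") | Where-Object { Test-Path $_ })
    $rtp  = [bool](Get-MpComputerStatus).RealTimeProtectionEnabled
    [pscustomobject]@{
        Services    = $svc.Count
        Drivers     = $drv.Count + $sys.Count
        Folders     = $dirs.Count
        DefenderRTP = $rtp
        Clean       = ($svc.Count -eq 0 -and $drv.Count -eq 0 -and $sys.Count -eq 0 -and $dirs.Count -eq 0 -and $rtp)
    }
}

switch ($Phase) {
    'Offline' { Disable-SophosTamperOffline }
    'Verify'  { Test-SophosGone }
}
```

    Run `.\script.ps1 -Phase Offline -OfflineWindows C:\Windows` from PE, confirm the returned object shows SedStart 4, SedEnabled 0, ElamStart 0 and ElamDriverOK True, then reboot and run SophosZap twice as in steps 6 and 7; `.\script.ps1 -Phase Verify` afterwards should return Clean True. The hive is unloaded in a finally block so a failed step never leaves OFFSYS mounted, and the pre-flight query of the tamper service key is what catches an edit against the wrong ControlSet before anything is written.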

  • Sophos shell extensions + Datto Cloud Continuity startup conflict (LS-2). Presented as unresponsive desktop mouse clicks (until Ctrl+Alt+Del) and dead Start-menu right-click. Root cause: Sophos shell extensions competing with the Datto Cloud Continuity /pop startup entry during logon. Removing the Datto startup registry entry addressed the logon contention.

  • ManageEngine + Google Workspace dual-EMM trap (resolved 2026-03-24). A personal phone repeatedly prompted for MDM enrollment when the user added their Lonestar Google account. Root cause was two independent triggers: (1) ManageEngine MDM self-enrollment was enabled for all directory groups, AND (2) ManageEngine was configured as a third-party EMM provider inside Google Workspace (Devices > Mobile & endpoints > Settings > Third-party integrations). The Google integration enforces enrollment on any device that adds a Lonestar account — independent of ManageEngine's own self-enrollment setting. Fix required both: disable ManageEngine self-enrollment (Enrollment > Self Enrollment > Disable) AND remove ManageEngine as the third-party EMM in the GWS Admin Console. Disabling only one leaves the prompt in place. Company tablets enrolled directly via QR code are unaffected by either change.

  • Google Workspace, not M365. Reach for GWS Admin Console + the ACG-MSP-Access service account for identity work. The M365 remediation-tool app suite does not apply to this client.

  • Field/mobile-first. Most tickets are phone/tablet/field-device oriented (iPhone field setup, tablet PDF editing). Expect mobile, not desktop, as the primary support surface — the LS-1/LS-2 desktop work is the exception, not the norm.

  • Recurring bzfirmware checksum boot error = failing USB flash drive. Replace the stick (Unraid USB Creator + copy old config/ + re-register license to new GUID). Do NOT just replace the file — if the error recurs after a file-level fix, the stick itself is failing. Reusable for any Unraid box.


Active Work

No open Syncro tickets as of 2026-06-02.

  • Sophos removal on LS-1 / LS-2 — COMPLETE (2026-06-02). Both machines are fully clean: no Sophos services, drivers, folders, or Add/Remove entries; Windows Defender real-time protection active on both. Billed and closed on Syncro #32347 (2.0h in-shop, prepaid). See Patterns for the full reusable procedure including the critical SophosEL ELAM boot-driver lesson.

  • Unraid server USB replacement — COMPLETE (2026-06-02). New stick running Unraid 7.1.4, config/ preserved, license re-registered. Documented and billed on Syncro #32372 (1.5h in-shop, prepaid, Closed). Still open:

    • Vault the Lonestar Unraid root password and document the server (hostname, IP, Unraid 7.1.4, license type) in the wiki.
    • Capture and fold in the results of Mike's server health check (array start state, disk assignments, parity validity, registration status).
    • Verify array integrity: confirm all disks landed in correct slots from the copied super.dat; ensure no unwanted parity rebuild was triggered.
    • Retire the old failing USB stick once the new stick is confirmed stable.

History Highlights

Date Event
2025-12-04 Two company tablets (Zach, JOSE) enrolled in ManageEngine MDM via QR code, fully managed
2026-03-10 Emergency: James's account hacked (Syncro #32010, resolved)
2026-03-11 Tablet unable to edit PDFs (#32015)
2026-03-23 Lonestar MDM issue investigated — identified ManageEngine self-enrollment as the cause of joser's personal-phone prompt; fix initially blocked by a broken Zoho portal page
2026-03-24 MDM issue RESOLVED — disabled ManageEngine self-enrollment AND removed ManageEngine as GWS third-party EMM. joser's phone stopped prompting immediately
2026-05-04 Win11 upgrades on LS-1 and LS-2 (#32244)
2026-05-05 iPhone field setup (#32251)
2026-05-28/29 Sophos removal on LS-1/LS-2 begun: enrolled in GuruRMM, removed Datto startup conflict (LS-2), registered Safe Mode agents, removed user-mode Sophos; blocked by SophosED.sys kernel driver — WinRE offline removal staged (Ventoy USB), completion pending
2026-06-01 Recovered the (previously unlogged) Sophos removal context, reconstructed it into a session log, and handed the WinRE completion procedure to Howard via coordinator (msg 689cfb7c)
2026-06-02 Unraid server USB flash drive failed (recurring bzfirmware checksum error); migrated to new stick (Unraid 7.1.4 via USB Creator), copied old config/, re-registered license to new GUID
2026-06-02 LS-1 Sophos offline-PE prep: BitLocker confirmed off, SophosZap staged, drive-letter check run; SED service Start=4 + SEDEnabled=0 set offline
2026-06-02 Sophos removal COMPLETED on LS-1 and LS-2 — offline tamper-disable (SED Start=4 + SEDEnabled=0) + SophosZap two-pass via GuruRMM; LS-2 hit Automatic Repair after boot-critical SophosEL.sys was renamed (recovered by restoring the file from PE, then relying on already-correct offline edits + SophosZap to remove it safely); Windows Defender active on both
2026-06-02 Syncro #32347 (Sophos removal, 2.0h in-shop) and #32372 (Unraid USB replacement, 1.5h in-shop) created, billed, and closed against prepaid block — 17.0 -> 13.5 hrs remaining

Compilation Notes

  • Refreshed 2026-06-02 ~17:45 PT (recompile by Howard-Home/claude-main) to absorb the "17:39 PT — Sophos removal COMPLETE" update section of the 2026-06-02 session log: marked Sophos removal COMPLETE on both LS-1/LS-2 in Active Work and Infrastructure; updated hours remaining to 13.5 (Syncro #32347 2.0h + #32372 1.5h billed/closed); expanded Patterns with the proven full procedure including the critical two-driver distinction (SophosEL ELAM boot-critical — never rename/delete; SophosED tamper driver — disable via Start=4+SEDEnabled=0); added LS-1/LS-2 GuruRMM agent IDs; added two new History Highlights rows (PE+SophosZap completion, billing).
  • Refreshed 2026-06-02 22:10 PT (recompile by HOWARD-HOME/claude-main) to absorb the 22:10 PT update section of the 2026-06-02 session log: updated Active Work Sophos bullet to reflect execution-in-progress on LS-1 (BitLocker confirmed off, SophosZap staged, awaiting drive-letter check before PE delete); updated Patterns wording from "in progress 2026-05-28/29" to "execution started 2026-06-02"; added History Highlights row for the LS-1 PE execution start.
  • Refreshed 2026-06-02 (recompile by HOWARD-HOME/claude-main) to absorb the 2026-06-02 session log: added Unraid server infrastructure subsection, new bzfirmware checksum pattern, history row, and pending Active Work items.
  • Refreshed 2026-06-01 (full recompile) to incorporate the 2026-05-28/29 Sophos removal work, which had previously been lost — it was never written to a session log and survived only in a gitignored temp draft (.claude/tmp/ollama_prompt.txt) and coord message 8a5cb25c. A proper session log was reconstructed at clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md before this compile.
  • Seeded 2026-05-26 from two March session logs + credentials.md + vault entry + temp provisioning scripts, enriched with live Syncro data (customer 33809612).
  • Vault slug is lonestar-electrical (matches clients/lonestar-electrical/ in the vault), though session logs and temp scripts use the un-hyphenated lonestar.
  • Lonestar work now lives in both clients/lonestar-electrical/ (docs + session-logs) and root session logs / temp/ scripts.
  • Flagged [verify]: billing rate; exact roles/names for James, Kyla, Russ; full workstation inventory; Unraid server hostname/IP/license type/root credentials; GWS service-account key file currently referenced from temp/ rather than the vault.

backlinks: (none yet)