---
type: client
name: rednour
display_name: Rednour Law Offices
last_compiled: 2026-06-30
compiled_by: HOWARD-HOME/claude-main
sources:
- clients/rednour/reports/2026-05-31-onboard-and-rename-emma-to-carla.md
- clients/rednour/reports/2026-06-01-carla-password-set.md
- clients/rednour/reports/2026-06-02-carrie-emma-display-name-stale-pin.md
- clients/rednour/session-logs/2026-06-02-session.md
- clients/rednour/session-logs/2026-06/2026-06-25-howard-nick-smb-share-and-mac-rmm.md
- clients/rednour/session-logs/2026-06/2026-06-26-howard-nick-mac-rmm-rootcause.md
- clients/rednour/session-logs/2026-06/2026-06-29-howard-nick-mac-rmm-install-attempt.md
- clients/rednour/session-logs/2026-06/2026-06-29-howard-legalasst-zip-hang-wp5-win11.md
- clients/rednour/session-logs/2026-06/2026-06-29-howard-carrie-win11-upgrade-applyimage.md
- clients/rednour/onboarding-baselines/FRONTDESKRECEPT-20260529T195614.md
- clients/rednour/onboarding-baselines/LEGALASST-20260529T200647.md
- clients/rednour/onboarding-baselines/REDNOURCARRIEVI-20260529T202250.md
- session-logs/2026-05-31-mike-rednour-and-claudetools-infra.md
---
# Rednour Law Offices

## Profile

- **Business type:** Law firm (Arizona)
- **Syncro Customer ID:** 1224246
- **Contract type:** Break-fix / time-and-materials (prepaid hours: 0)
- **Recurring line:** ~$59.09/mo (small managed/hosting line)
- **Labor rate:** In-shop / remote $150/hr (confirmed on #32368 + #32343 labor lines); onsite higher (verify)
- **Managed asset count:** 4 (per Syncro)
- **Active open tickets:** None as of 2026-06-30 (#32368 invoiced as #67912)
- **Primary historical ticket:** Syncro #32343 (id 111409967) — M365 onboarding + email account changes. Status: Invoiced. URL: https://computerguru.syncromsp.com/tickets/111409967

## Contacts

| Name | Role | UPN / Email | Object ID | Notes |
|---|---|---|---|---|
| Carrie Rednour | Owner / attorney; M365 Global Admin | crednour@rednourlaw.com, sysadmin@rednourlaw.com | a0fc8517-1c2a-4d72-b774-c0d5c929167a | sysadmin@ is an alias on the same account; communicates via text with Mike directly |
| Carla Skinner | Legal assistant / employee | carla@rednourlaw.com | 93074d1a-6db2-4794-8f7d-c84a619e4494 | Renamed from Emma on 2026-05-31; emma@ + dgarcia@ + alee@ aliases retained by design (see below) |
| Nick Pafford | Employee | npafford@rednourlaw.com, nick@rednourlaw.com | fe859088-bcbc-49dc-aaea-4c6e68f7d5bb | nick@ added as alias on 2026-05-31; SMB share access set up 2026-06-25 (local `nick` on REDNOURCARRIEVI -> `Documents`); on an Apple Silicon Mac (GuruRMM enrollment pending — installer runs but agent does not enroll; fix staged) |
| receptionist | Shared mailbox | receptionist@rednourlaw.com | — | No personal contact; 34 contacts in mailbox as of 2026-06-02 sweep |

System recipient: DiscoverySearchMailbox (Exchange system object — not a user).

**Nick's Mac (ScreenConnect name `DUXs-Mac-Studio`):** Apple Mac Studio, Mac13,1, Apple M1 Max (arm64), macOS 26.5.1, serial F6QR2PN2R6. Confirm this is Nick's box before enrolling (name suggests a "Dux" user).
## Infrastructure

### Network

- **Topology:** Workgroup (no on-prem AD, no domain join). All three enrolled machines report `PartOfDomain=False`.
- **LAN subnet:** 192.168.10.0/24, default gateway 192.168.10.1.
- **ZeroTier:** Present on REDNOURCARRIEVI (IP: 10.147.17.253 / fcfb:1c63:8659:2d21:d189::1). Not documented on other workstations.

### Workstations (GuruRMM enrolled)

All three machines were enrolled by 2026-05-29. Onboarding diagnostic grade: RED across the board (foreign agents, patch gaps — see open items). As of 2026-06-29 the GuruRMM fleet shows them as FrontDeskReception, LegalAsst, rednourcarrievirt (agent display names may differ from Windows hostnames; `rednourcarrievirt` is the current network/SMB name for Carrie's box, formerly REDNOURCARRIEVI).

| Hostname | Model | CPU | RAM | OS | IP | Agent ID | Grade |
|---|---|---|---|---|---|---|---|
| FRONTDESKRECEPT | Dell OptiPlex 3080 | i5-10505 6c/12t | 15.8 GB | Win 11 Pro build 26200 | 192.168.10.115 | 04765560-3e8a-46e5-a507-c5f5f4ead6eb | RED |
| LEGALASST | Generic OEM | AMD Ryzen 3 3200G 4c/4t | 5.9 GB | Win 11 Pro (upgraded 2026-06-29) | 192.168.10.213 | 18825ea7-df58-47bb-b492-822cb16fb5ec | RED |
| REDNOURCARRIEVI (rednourcarrievirt) | Generic OEM | i3-9100 4c/4t | 7.7 GB | Win 11 Pro 25H2 (build 26200, upgraded 2026-06-29) | 192.168.10.194 | 8e4e2221-7e2a-4a6f-9eda-864568539961 | RED |

**Common issues across all three at onboarding:**

- ScreenConnect (ConnectWise Control) running — prior MSP remote-access agent, not yet removed
- Splashtop Streamer running — prior MSP remote-access agent, not yet removed
- Syncro agent running — prior MSP agent, not yet removed
- No backup agent detected on any workstation

**LEGALASST additional (baseline 2026-05-29; box now on Win 11):**

- Was Win 10 22H2 (build 19045) at baseline — EOL since 2025-10-14, no longer receiving security patches; upgraded to Win 11 on 2026-06-29 (see History)
- 43 days uptime at baseline; reboot pending
- Local admins include stale accounts `Ale` and `Emma` (pre-rename artifact)
- Active local account: `emma`; profile: `C:\Users\Ale`; OneDrive: `carla@rednourlaw.com`
- Leftover `SyncroLive.Agent.Runner` still running as of 2026-06-29
- AMD GPU driver 31.0.12027.9001 (2023-03-29); 7-Zip 26.02 installed 2026-06-29 at `C:\Program Files\7-Zip\`
- Mapped drives (user `emma`): X: `\\rednourcarrievirt\Time Matters Shared Files`, Y: `\\rednourcarrievirt\Timeslips`, Z: `\\rednourcarrievirt\Documents` — Status OK as of 2026-06-29
- SFC ran 2026-06-29, repaired corruption (0 unrepairable); repair pending reboot to load

**REDNOURCARRIEVI (rednourcarrievirt) additional (baseline 2026-05-29; box now on Win 11 25H2):**

- Was Win 10 22H2 (build 19045) at baseline — EOL since 2025-10-14; upgraded to Win 11 25H2 (build 26200) on 2026-06-29
- Defender real-time protection OFF + antimalware service not running at baseline (critical; see Patterns — Datto AV is the registered primary AV)
- Datto RMM running — prior MSP agent, not yet removed
- C: drive at 11.7% free (54.4 GB of 465.1 GB) at baseline
- Last hotfix at baseline: KB5072653 (2025-12-20 — severely behind)
- 151 installed programs, 19 non-MS scheduled tasks — elevated attack surface
- RDP enabled without NLA at baseline
- Time source: local CMOS clock (not NTP) at baseline

**FRONTDESKRECEPT additional:**

- BitLocker off on OS volume
- 2 pending Windows updates at baseline
- Local admin account `guru` present (ACG account, expected)

### File Shares (workgroup, peer-to-peer)

REDNOURCARRIEVI / rednourcarrievirt (192.168.10.194 LAN / 10.147.17.253 ZeroTier) hosts the firm's shared files as peer-to-peer SMB shares (no server, no AD):

- **`Documents`** -> `C:\Users\Carrie\Documents` — the primary working share (also exposed redundantly as `ShareName`, same path). Mac/PC clients authenticate with a **local Windows account** on the box.
- Local accounts with access to Documents: `Carrie`, `emma` (legacy local account, actively used — unrelated to the M365 Emma->Carla rename), `localadmin`, and **`nick`** (added 2026-06-25 for Nick Pafford; share Change + NTFS Modify; cred vaulted at `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`).
- Other shares present: `Time Matters Shared Files`, `Timeslips`, `Program Files sage`, `Users`, `New folder`. **Security note:** several are over-broad (`Everyone=Full` on `Program Files`/`Users`/`Time Matters`) — cleanup candidate.
- Mac mount string: `smb://192.168.10.194/Documents`.

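
A read-only audit for the over-broad grants flagged above, written here as an added example (not a script from the session logs). It runs elevated on the share host, checks both the share-level ACL (`Get-SmbShareAccess`) and the NTFS ACL on each share path, and reports only principals everyone can claim; the principal list is an assumption and can be widened.

```powershell
# Added audit script (not from the session logs): flags SMB shares whose share-level
# ACL grants Everyone / Authenticated Users / Users more than Read, and reports the
# NTFS ACEs for the same principals on the share path. Run elevated on the share host
# (rednourcarrievirt); it only reads, it changes nothing.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    # Share layer: what the SMB server enforces before NTFS is consulted
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        $isBroad = $BroadPrincipals -contains $ace.AccountName
        $tooMuch = $ace.AccessRight -in @('Full', 'Change')
        if ($isBroad -and $tooMuch -and $ace.AccessControlType -eq 'Allow') {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Layer     = 'Share'
                Principal = $ace.AccountName
                Rights    = $ace.AccessRight.ToString()
            }
        }
    }
    # NTFS layer on the underlying folder (the effective permission is the
    # intersection of both layers, so a broad grant here matters only if the
    # share layer is also broad, but it is still worth seeing)
    if (Test-Path -LiteralPath $share.Path) {
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
            $id = $ace.IdentityReference.Value
            if ($BroadPrincipals -contains $id -and $ace.AccessControlType -eq 'Allow') {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Layer     = 'NTFS'
                    Principal = $id
                    Rights    = $ace.FileSystemRights.ToString()
                }
            }
        }
    }
}

if ($findings) { $findings | Sort-Object Share, Layer | Format-Table -AutoSize }
else { 'No over-broad share/NTFS grants found.' }
```

To tighten a flagged share, revoke the broad share-level entry (`Revoke-SmbShareAccess -Name <share> -AccountName Everyone`) and grant the specific local accounts instead, as was done for `nick` on `Documents`.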
### GuruRMM Site

- **Site name:** Main Office
- **Site code:** GREEN-FALCON-7214
- **Site UUID:** `c7f5787c-8e71-45b3-841f-fa52436f7d26`
- **Client UUID:** `85f7cff4-d4db-48a8-b477-b8788122a361`
- **Enrollment key vault path:** `clients/rednour/gururmm-site-main.sops.yaml`

## Cloud / M365

- **Tenant domain:** rednourlaw.com
- **Tenant ID:** `4a4ca18a-f516-478b-99da-2e0722c5dc18`
- **Onboarded to ComputerGuru MSP suite:** 2026-05-31 (bootstrapped by Mike during Emma->Carla rename session)

### MSP Service Principals

All five ComputerGuru SPs are fully consented as of 2026-05-31:

| SP Name | App ID | SP Object ID | Role(s) Assigned |
|---|---|---|---|
| Tenant Admin | 709e6eed-0711-4875-9c44-2d3518c47063 | 671a2ace-be9e-440c-a7d6-5ff982e4500c | Conditional Access Administrator |
| Security Investigator | bfbc12a4-f0dd-4e12-b06d-997e7271e10c | 704da463-7f4e-484c-b1da-40e447615d52 | Exchange Administrator |
| Exchange Operator | b43e7342-5b4b-492f-890f-bb5a4f7f40e9 | 59a68ba9-5e1e-4a56-92ae-507a9a669a79 | Exchange Administrator |
| User Manager | 64fac46b-8b44-41ad-93ee-7da03927576c | dc3b79a2-638b-42fe-8ecb-51592db7d40f | User Administrator + Authentication Administrator |
| Defender Add-on | dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b | 052da8aa-1ca5-4f60-b9c5-7aafcb74264b | None |

[WARNING] No MDE license in this tenant. Defender Add-on is consented but calling Defender ATP endpoints returns AADSTS650052. Skip the `defender` tier for all remediation work against this tenant.

### Mailboxes

| Display Name | UPN | Object ID | Notes |
|---|---|---|---|
| Carla Skinner | carla@rednourlaw.com | 93074d1a-6db2-4794-8f7d-c84a619e4494 | Renamed from Emma on 2026-05-31; aliases: emma@, dgarcia@, alee@, dgarcia@rednourlaw.onmicrosoft.com |
| Carrie Rednour | crednour@rednourlaw.com | a0fc8517-1c2a-4d72-b774-c0d5c929167a | Global Admin; sysadmin@ is also hers |
| Nick Pafford | npafford@rednourlaw.com | fe859088-bcbc-49dc-aaea-4c6e68f7d5bb | nick@ alias added 2026-05-31 |
| receptionist | receptionist@rednourlaw.com | — | 34 contacts in mailbox |
| DiscoverySearchMailbox | (system) | — | Exchange system object |

**Carla's retained aliases:** The mailbox mailNickname was historically `dgarcia` (prior employee Garcia -> passed to Emma -> now Carla). Both `dgarcia@` and `alee@` were kept by operator's explicit choice on 2026-05-31. The `emma@` alias was kept so mail to emma@ continues to reach Carla. Revisit only if the firm requests decommissioning of these addresses.
## Syncro

- **Customer:** Rednour Law Offices, id `1224246`
- **Contract type:** Break-fix / T&M; prepaid hours: 0; recurring ~$59.09/mo
- **Managed asset count:** 4
- **Primary ticket:** #32343 (id 111409967), Status: Invoiced
  - 0.5h remote labor (line item 42654682, $75.00, non-taxable, attributed to Mike user_id 1735) — on the existing invoice
  - Comments: 415513323 (hidden/internal), 415514647 (customer-visible), 416427937 (internal — 2026-06-02 follow-up contact fix)
  - Additional onsite labor from 2026-06-25 SMB share work deferred by Howard; Syncro supports multiple invoices per ticket
- **Hardware/upgrade ticket #32368** (id 111999527) — "New machine for Carrie ... + reception upgrade". **Invoiced 2026-06-29 as #67912, total $669.55:** In-Shop labor (573881) Carrie clone+Win11 1.5h ($225) + FRONTDESKRECEPT NVMe clone 1.0h ($150) + Labor-Remote LEGALASST Win10->11 1.5h ($225, prior session, id 43069980) + hardware (HDMI cable $19.99 + USB-to-HDMI adapter $43.99). Nick's printer setup + future custom phone/desk cables billed as **NO CHARGE** (documented in a public Work Summary note, comment 421331789 — not a line item).
- **[WARNING] Plaintext local-account passwords in Syncro customer notes** (carrie, ale accounts). These are being vaulted separately — vault migration pending. Do not use Syncro notes as the authoritative credential source.

## History

### 2026-05-29 — GuruRMM enrollment + onboarding baselines

Three workstations enrolled in GuruRMM site "Main Office": FRONTDESKRECEPT, LEGALASST, REDNOURCARRIEVI. Onboarding diagnostic baselines captured (all graded RED). Prior MSP agents (ScreenConnect, Splashtop, Syncro, Datto RMM on Carrie's machine) still present — not yet removed.

### 2026-05-31 — M365 onboarding + Emma -> Carla rename

**Syncro ticket #32343.** Operator: Mike Swanson.

Tenant had never been fully onboarded to the ComputerGuru MSP suite — only Tenant Admin was consented, and Exchange Operator lacked Exchange Administrator role. Root cause surfaced as an HTTP 403 when attempting Get-Mailbox during the rename. Resolution: Mike clicked the Tenant Admin admin-consent URL as Global Admin (Carrie's account), then ran `onboard-tenant.sh rednourlaw.com` to consent the remaining four SPs and assign directory roles.

After Exchange role propagation (~60s), the rename was executed in three calls:

1. `Set-Mailbox` via Exchange REST — updated EmailAddresses (carla@ as primary, emma@/dgarcia@/alee@ as aliases)
2. Graph `PATCH /users/{id}` — updated UPN, displayName, mailNickname, givenName, surname
3. `POST /users/{id}/revokeSignInSessions` — invalidated active tokens

Nick Pafford already existed as `npafford@`; `smtp:nick@rednourlaw.com` was added as an alias on his existing mailbox (no UPN change, no session revoke). Ticket set to Resolved; shared-drive access for Nick deferred.

### 2026-06-01 — Carla password set (client-directed)

Carla's account password set administratively via Graph User Manager app at client direction (`forceChangePasswordNextSignIn: false`, no session revocation). Password quality flagged to operator as weak (dictionary word + sequential digits) but applied as directed.

### 2026-06-02 — Stale pinned contact fix (Carrie's mailbox)

Carrie reported inbound mail from Carla still showed "Emma - Rednour Law". Server-side state was correct; root cause was a leftover pinned contact (`IPF.Contact.MOC.QuickContacts`) in Carrie's own mailbox mapping `emma@rednourlaw.com` -> display name "Emma - Rednour Law". Because `emma@` is a live proxy alias on Carla's mailbox, Outlook resolved Carla's new mail to this stale pin.

Fix: deleted the pin via EWS (`ExchangeImpersonation` of crednour@rednourlaw.com using Exchange Operator SP `full_access_as_app`; `DeleteItem` with `MoveToDeletedItems` — recoverable). Graph contacts call (403) confirmed no `Contacts.Read` scope in any suite app; EWS was the correct path.

All four real-user mailboxes swept — only Carrie was affected:

| Mailbox | Contacts scanned | Stale entries found |
|---|---|---|
| Carrie Rednour | 237 (across 10 folders) | 1 — deleted |
| Nick Pafford | 0 (empty) | none |
| receptionist | 34 (across 10 folders) | none |
| Carla Skinner | 40 (across 9 folders) | none |

No time billed on this follow-up per Mike's standing rule (never log time without explicit minutes + labor type).
### 2026-06-25 — SMB share access for Nick Pafford + Mac RMM enrollment attempt

**Operator: Howard Enos.** Resolved the long-deferred shared-drive access for Nick. The "shared drive" turned out to be the **`Documents` SMB share on REDNOURCARRIEVI** (`C:\Users\Carrie\Documents`); identified via `Get-SmbShare` across all three GuruRMM-enrolled workstations. It was previously reached only through the local `emma` account.

Created a dedicated standard local account **`nick`** on REDNOURCARRIEVI (PasswordNeverExpires), granted **share = Change** and **NTFS = Modify** on the Documents folder. Credential vaulted at `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`. Nick's Mac (Apple Silicon) was confirmed mounting `smb://192.168.10.194/Documents` (Finder Cmd+K, `nick` + keychain-saved password) and working onsite.

**GuruRMM macOS enrollment FAILED** on Nick's Apple Silicon Mac (site Main, `GREEN-FALCON-7214`). Server serves the agent fine (HTTP 200, 3.96 MB single-arch aarch64). Initial working hypothesis was that the served binary was unsigned (SIGKILL on Apple Silicon). Fix path flagged; deferred for further diagnosis.

**Return visit pending:** phone + printer setup at Rednour; may require running a new wire or installing a switch.

Operational note: PowerShell `Set-Acl` ACL propagation down Carrie's large Documents tree exceeded the RMM command timeout (twice), and since stdout is dropped on timeout a randomly-generated password was lost each time. Resolution was to generate the password locally (injected via placeholder) and apply the NTFS ACE with `icacls` (no `/T`).

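
The account-and-grant procedure from this session, written out as an added example (not the session's own script). The account name, share name and password are parameters so the password is generated by the caller and injected, never depending on RMM stdout; the `Users` group membership step and the verification object are assumptions about how a practitioner would harden and check the result.

```powershell
# Added example (not the session's own script): grant one local account least-privilege
# access to a workgroup SMB share, the way `nick` was set up on REDNOURCARRIEVI on
# 2026-06-25. Run elevated on the share host. The password comes from the caller
# (generated outside the RMM and injected), so nothing secret depends on stdout
# surviving an RMM command timeout.
param(
    [Parameter(Mandatory)] [string] $UserName,       # e.g. nick
    [Parameter(Mandatory)] [string] $ShareName,      # e.g. Documents
    [Parameter(Mandatory)] [string] $PlainPassword   # generated by the caller; never logged
)
$ErrorActionPreference = 'Stop'

$share  = Get-SmbShare -Name $ShareName              # fails fast if the share does not exist
$secure = ConvertTo-SecureString $PlainPassword -AsPlainText -Force

# 1. Standard local user: member of Users only, never Administrators; password does not expire
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $secure -PasswordNeverExpires -AccountNeverExpires `
        -Description "SMB access to $ShareName" | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $UserName   # New-LocalUser does not add it to Users
}

# 2. Share layer: Change (read/write/delete, cannot alter permissions), not Full
Grant-SmbShareAccess -Name $ShareName -AccountName $UserName -AccessRight Change -Force | Out-Null

# 3. NTFS layer: Modify with inheritance flags, applied to the share root only (no /T).
#    /T rewrites every child ACL explicitly, which is the step that overran the RMM timeout.
& icacls $share.Path /grant "${UserName}:(OI)(CI)M" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 4. Verify and return the effective grants (the password is not part of the output)
[pscustomobject]@{
    User       = $UserName
    Share      = $ShareName
    Path       = $share.Path
    ShareRight = (Get-SmbShareAccess -Name $ShareName |
                  Where-Object AccountName -like "*\$UserName").AccessRight
    NtfsRights = ((Get-Acl -LiteralPath $share.Path).Access |
                  Where-Object { $_.IdentityReference.Value -like "*\$UserName" }).FileSystemRights
    IsAdmin    = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                  Where-Object Name -like "*\$UserName")
}
```

`IsAdmin` should come back `False`; the share right should read `Change` and the NTFS rights `Modify, Synchronize`.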
### 2026-06-26 — Mac RMM enrollment root-cause analysis (offline diagnosis)

**Operator: Howard Enos** (pre-staging before onsite visit). Nick's Mac was offline in ScreenConnect. All diagnosis done from the repo and the RMM server endpoints.

**Disproved the "unsigned binary" hypothesis.** Parsed the Mach-O load commands of the served arm64 binary directly: it carries an `LC_CODE_SIGNATURE` with the adhoc flag set (linker-inserted ad-hoc signature, identifier `gururmm_agent-51a9f25b57c13649`). An ad-hoc-signed arm64 binary satisfies Apple Silicon's AMFI and runs — the SIGKILL/unsigned theory was wrong. All six linked dylibs are stock system frameworks.

**Real root cause found in source:** The server's enrollment endpoint (`server/src/api/enroll.rs`, line 29) types `EnrollRequest.site_id` as `uuid::Uuid` — it requires a UUID. The macOS install script (`/install/GREEN-FALCON-7214/macos`) writes the site **code** string `GREEN-FALCON-7214` into `/usr/local/etc/gururmm/site.plist` as `site_id`. The agent reads that and POSTs `site_id: "GREEN-FALCON-7214"` to `/api/enroll`, which fails UUID deserialization (HTTP 422) — enrollment retries forever, agent never connects. The "file not found" symptom Howard observed is a secondary effect: `config.rs::default_config_path()` has no macOS branch, so a manual `gururmm-agent run` with no readable plist falls back to the Linux path `/etc/gururmm/config.toml` (does not exist on macOS).

**Correct site UUID for Rednour Main:** `c7f5787c-8e71-45b3-841f-fa52436f7d26` (confirmed via RMM API). The `.pkg` postinstall hardcodes `d008c7d4-...` which belongs to a different/test site — do not use.

**Fix staged:** a self-contained Terminal paste-block was delivered to Howard's Discord DMs that installs the agent, writes `site.plist` with the UUID (not the code), writes the LaunchDaemon, reloads, and verifies. Per Howard's instruction, the wiki, coord todo 6f2d22be, and Mike were NOT updated pending onsite verification.

### 2026-06-29 — Mac RMM install attempt (still not enrolling)

**Operator: Howard Enos** (onsite at Rednour). Provided Nick the macOS `curl | sudo bash` one-liner (`/install/GREEN-FALCON-7214/macos`). Verified the binary is arm64 Mach-O before handoff. Nick (or someone at the Mac) ran the installer and it reported success. Fleet checks repeated 3x — no macOS agent appeared under Rednour Law Offices. The install script ran the original (unpatched) path and wrote the site CODE (not UUID) to `site.plist`, so the agent retries enrollment forever without connecting. Howard is no longer onsite and does not have the user's Mac password.

Mike was flagged via Discord DM (message_id 1521264675965374656) that the macOS installer has an enrollment issue; asked whether he has another M1/Apple Silicon Mac to test. Next step: run foreground `sudo /usr/local/bin/gururmm-agent` on the Mac to capture the connect/enroll error, and overwrite `site.plist` with the UUID fix.

**Install page note:** The public install page `/install/GREEN-FALCON-7214` shows only Windows and Linux download buttons — no Mac button. The macOS path is the `curl | sudo bash` one-liner at `/install/GREEN-FALCON-7214/macos`.

### 2026-06-29 — LEGALASST (legal assistant / "Emma") explorer hang on .zip + WordPerfect 5 save error; Win11 upgrade planned

**Operator: Howard Enos** (reported via Carrie). The legal assistant's workstation **LEGALASST** (Carla Skinner's box; active local account `emma`, profile `C:\Users\Ale`, OneDrive `carla@rednourlaw.com`) repeatedly hung explorer when opening files. Diagnosed live over GuruRMM (agent `18825ea7-df58-47bb-b492-822cb16fb5ec`).

- **explorer HANGS, not crashes** — AppHang Event 1002 (no Event 1000 / faulting module); ~10 in 3h on 2026-06-29, continuing after a 10:52 reboot.
- **Root cause: the built-in Windows Compressed Folders handler** (explorer's zip-as-folder namespace). Symptom narrowed to **opening `.zip` only** (Word/PDF/folders fine), and the failing zip is **local (desktop)** — not OneDrive, not a network share. `zipfldr.dll` is intact + validly signed, so the hang is environmental, not a corrupt handler DLL.
- **Ruled out:** Adobe shell extensions (blocked/tested via the Microsoft `Shell Extensions\Blocked` list, no change, reverted); AMD Vega driver (only non-MS DLLs in explorer, but zero TDR events); OneDrive (overlay not even loaded, sync healthy); remapped drives X/Y/Z -> `\\rednourcarrievirt` (Status OK, SMB healthy); `.NET Runtime 1022` "profiling API attach" (201 events but no `COR_PROFILER` set — benign noise).
- **SFC** (run by Howard) found and repaired corruption (0 unrepairable) — repair pending a reboot to load.
- **Workaround:** Howard installed **7-Zip 26.02** (`C:\Program Files\7-Zip\7zFM.exe`); it opens the zips fine (bypasses explorer's zip namespace). Howard to set 7-Zip as default for `.zip` (and `.7z`/`.rar`, currently unassociated). `.zip` had no UserChoice; 7-Zip only registered a `7-Zip.iso` ProgId on install.
- **Second issue (same machine): WordPerfect 5 "not enough free space" on save** regardless of save location, despite Howard verifying ample free space. Leading hypothesis: legacy/DOS-era WordPerfect free-space miscalculation on large-capacity volumes (free-space value overflows -> false "disk full"). App-level; **the OS upgrade will not fix it**. Mitigate via DOSBox or a SUBST'd small-capacity save target. Exact WP version/edition (DOS 5.1 vs Windows) to be confirmed.
- **Plan: upgrade LEGALASST to Windows 11** — expected to resolve the zip-handler hang by rebuilding the shell/system files (also applies the SFC repair). Verify by opening a local `.zip` with the *built-in* handler post-upgrade. If the hang persists, next lead is Defender archive-scan + cloud (MAPS) lookup stalling the shell.

All diagnostic changes were reverted (Adobe/7-Zip Blocked-list test entries removed; an orphaned RMM diagnostic process killed) — the box was left clean.

### 2026-06-29 (evening) — LEGALASST upgraded to Windows 11 (completed, ~1.5 hr remote)

**Operator: Howard Enos** (remote, ~1.5 hr). Completed the in-place Windows 10 -> 11 upgrade on LEGALASST. The box is an unsupported config (no TPM enabled, Secure Boot off, AMD Ryzen 3 3200G not on the Win11 CPU list), so the upgrade used the TPM/CPU bypass (`HKLM\SYSTEM\Setup\MoSetup\AllowUpgradesWithUnsupportedTPMOrCPU = 1`) plus `setup.exe /product server` from a mounted ISO with **keep personal files + apps**. Files, apps, and settings migrated intact.

**The upgrade was the only remaining way to fix the corrupted Windows install.** The system files were corrupt (SFC had found and flagged corruption), which is what drove the explorer-on-`.zip` hangs and the misbehaving saves; in-place repair/SFC alone had not fully cleared it. A feature upgrade rebuilds the entire shell/system-file set, so upgrading to Win11 was effectively a full OS repair-in-place and the only practical path short of a wipe-and-reload — which is why both long-standing issues cleared once it completed.

**Both prior LEGALASST issues look resolved after the upgrade:**

- **Explorer-on-`.zip` hang** (built-in Compressed Folders handler) — no longer reproduces post-upgrade, as anticipated (the feature upgrade rebuilt the shell/system files and applied the pending SFC repair).
- **WordPerfect 5 "not enough free space" on save** — reported resolved after the upgrade. This contradicts the earlier hypothesis that an OS upgrade would not fix a legacy free-space-overflow bug; treat as observed-resolved and confirm in normal use.

**Recommendation: replace LEGALASST due to age.** Generic OEM whitebox on a 2019-era AMD Ryzen 3 3200G APU with only 5.9 GB RAM and no TPM/Secure Boot — outside Win11 hardware support and at the end of its useful service life. Recommend quoting a replacement workstation rather than investing further in this machine.
### 2026-06-29 — Carrie's machine Win10 -> Win11 upgrade fails at SAFE_OS / APPLY_IMAGE

**Operator: Howard Enos** (diagnostic only; no remote action). The in-place Windows 10 -> 11 upgrade on **Carrie's machine** (REDNOURCARRIEVI / rednourcarrievirt) rolled back with `0x8007000D - 0x2000C` — "The installation failed in the SAFE_OS phase with an error during APPLY_IMAGE operation."

Decoded: `0x8007000D` = `ERROR_INVALID_DATA`; `0x2000C` = failure in the SAFE_OS (offline WinPE) phase during the APPLY_IMAGE step — Setup choked while laying down the new image. This signature points at corrupt/incomplete setup media or download, a storage/disk issue, or interference from drivers/AV/attached externals — NOT a TPM/hardware-compatibility block (which fails earlier with a different message).

Remediation path provided (prioritized): (1) unplug all non-essential externals + temporarily disable third-party AV; (2) build fresh media via the Media Creation Tool and run `setup.exe` from a mounted ISO rather than the in-place download/Update Assistant; (3) clear the upgrade cache (`$WINDOWS.~BT`, `$WINDOWS.~WS`, `SoftwareDistribution\Download`) after stopping wuauserv/bits; (4) DISM RestoreHealth + SFC + chkdsk, confirm 20+ GB free; (5) update storage/chipset drivers (Intel RST / AMD RAID is a classic APPLY_IMAGE culprit).

Howard reported driver updates and OS repairs were already done. He will attempt the upgrade **manually on-site tonight (2026-06-29)** and loop back if it fails. If the next attempt fails, the actionable next step is to pull the first error from `C:\$WINDOWS.~BT\Sources\Panther\setuperr.log` around the APPLY_IMAGE step. (NOTE: a same-day "GuruRMM not working for Rednour" claim was later DISPROVED — see the evening entry; RMM works on the Windows boxes.)

### 2026-06-29 (evening) — Carrie's machine (REDNOURCARRIEVI) upgraded to Win11 25H2; root cause = corrupt download

**Operator: Howard Enos** (in-shop, ~1.5 hr). After three identical SAFE_OS/APPLY_IMAGE `0x8007000D` failures, diagnosed and resolved live over GuruRMM (agent `8e4e2221...`, v0.6.66 — RMM works fine on this box, contradicting the earlier note).

**Root cause: a corrupt Win11 install image.** The real upstream error in `setuperr.log` was `SPWIMCallback: Error in apply of ...\ks.sys. GLE 1392` -> `CApplyWIM ... Error 0x80070570` (ERROR_FILE_CORRUPT); `0x8007000D` was only the final SAFE_OS rollup. Proven by hashing: the desktop ISO's `install.wim` and the extracted `C:\temp` copy had **identical SHA256** (`9AD2EF7251AED36BCF5E36D4F067B5277C205ED02E3FDFA354069505214C7D54`) = same corrupt bytes (not extraction damage; disk SMART healthy, so not a failing-drive read). The first attempt was additionally masked by running media from the **OneDrive-redirected Desktop** — the `install.wim` was a cloud placeholder, so the offline WinPE/SAFE_OS phase (OneDrive not running) hit `0x80070780` ERROR_CANT_ACCESS_FILE.

**Fix:** re-downloaded via **Media Creation Tool** (`C:\temp\Windows.iso`, ESD-based, label `ESD-ISO` — MCT validates its own download), mounted it, ran `setup.exe` from the mounted drive on local storage. The down-level apply then climbed clean past the ~49% `ks.sys` point (all three prior runs died there), rebooted through SAFE_OS, and booted into **Windows 11 25H2 (build 26200)**. Verified post-upgrade: reboot pending No, `Windows.old` present (10-day rollback window), Datto AV auto-restored Running, Defender RTP Off (expected — Datto AV is primary).

**Billing:** all session work invoiced on #32368 (#67912, $669.55) — see Syncro section. Identified `endpointprotection.exe` for Howard = Datto AV (see Patterns).

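
The three media checks this diagnosis turned on (cloud-placeholder attributes, a SHA256 of the install image, and the first apply-phase line in `setuperr.log`), as an added PowerShell triage script that is not part of the session log. `$MediaRoot` and the log path are parameters; the default log path is the one named above, and the attribute bits tested are the standard Windows `FILE_ATTRIBUTE_OFFLINE` / `RECALL_ON_DATA_ACCESS` flags.

```powershell
# Added triage script (not from the session): before re-running a failed Win10->11
# upgrade, (a) confirm the setup image is not a OneDrive cloud placeholder, (b) hash
# the image so two failing copies can be compared, and (c) pull the first
# APPLY_IMAGE-phase error from setuperr.log instead of the final 0x8007000D rollup.
param(
    [Parameter(Mandatory)] [string] $MediaRoot,   # e.g. E:\ (mounted ISO) or C:\temp\win11
    [string] $SetupErrLog = 'C:\$WINDOWS.~BT\Sources\Panther\setuperr.log'
)
$ErrorActionPreference = 'Stop'

# Media carries either install.wim or install.esd (Media Creation Tool output is ESD-based)
$image = Get-ChildItem -LiteralPath (Join-Path $MediaRoot 'sources') -File |
         Where-Object { $_.Name -in @('install.wim', 'install.esd') } |
         Select-Object -First 1
if (-not $image) { throw "No install.wim / install.esd under $MediaRoot\sources" }

# FILE_ATTRIBUTE_OFFLINE (0x1000) or RECALL_ON_DATA_ACCESS (0x400000) marks a cloud
# placeholder; WinPE has no OneDrive to hydrate it -> 0x80070780 ERROR_CANT_ACCESS_FILE
$attr = [int]$image.Attributes
$isPlaceholder = (($attr -band 0x1000) -ne 0) -or (($attr -band 0x400000) -ne 0)

# Hashing two copies that both fail at the same point tells corrupt download
# (identical hashes) apart from a bad extraction or a failing disk (differing hashes)
$hash = (Get-FileHash -LiteralPath $image.FullName -Algorithm SHA256).Hash

# First apply-step error; the generic SAFE_OS rollup lines come later and are less useful
$firstApplyError = $null
if (Test-Path -LiteralPath $SetupErrLog) {
    $firstApplyError = Select-String -LiteralPath $SetupErrLog `
        -Pattern 'SPWIMCallback|CApplyWIM|0x80070570|GLE 1392' |
        Select-Object -First 1 -ExpandProperty Line
}

[pscustomobject]@{
    Image            = $image.FullName
    SizeGB           = [math]::Round($image.Length / 1GB, 2)
    CloudPlaceholder = $isPlaceholder
    SHA256           = $hash
    FirstApplyError  = $firstApplyError
}
```

If `CloudPlaceholder` is `True`, copy the media to local storage before anything else; if two copies report the same hash and the same `ks.sys` apply error, re-download rather than retry.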
|
|
|
|
## Patterns & Known Issues
|
|
|
|
- **EWS required for personal contact work.** No app in the ComputerGuru suite holds `Contacts.Read` or `Contacts.ReadWrite` on Graph. Personal contact folder reads and modifications must go through EWS (`full_access_as_app` on the Exchange Operator SP with `ExchangeImpersonation`).
|
|
- **Security Investigator EXO token unreliable on this tenant.** The `investigator` SP's EXO token (aud=outlook.office365.com) returned 401 on InvokeCommand during the 2026-06-02 session; the Exchange Operator SP token worked. Prefer Exchange Operator for EXO InvokeCommand on rednourlaw.com.
|
|
- **Stale-pin shadowing pattern:** `IPF.Contact.MOC.QuickContacts` folder entries override the GAL for display-name resolution in Outlook/Teams. If any user reports a renamed sender still showing the old name, run the EWS contact-folder sweep against that user's mailbox.
|
|
- **emma@ alias is live by design.** Mail to emma@rednourlaw.com routes to Carla Skinner. Do not remove unless the firm explicitly requests it.
|
|
- **No MDE license — skip Defender tier.** Defender Add-on is consented but ATP endpoints 650052. Do not attempt Defender-tier calls for this tenant.
|
|
- **Prior MSP agents still installed.** ScreenConnect, Splashtop, and Syncro on all workstations; Datto RMM on REDNOURCARRIEVI. Not yet remediated as of 2026-06-29.
|
|
- **macOS RMM agent installs but does not enroll (site code vs UUID bug).** The macOS install script writes the site enrollment CODE (`GREEN-FALCON-7214`) into `site.plist` as `site_id`. The server's `EnrollRequest.site_id` is typed `uuid::Uuid` — posting the code string causes a 422 UUID deserialization error; the agent retries enrollment forever without connecting. Fix: overwrite `site.plist` with the site UUID `c7f5787c-8e71-45b3-841f-fa52436f7d26` and reload the LaunchDaemon. The paste-block fix was delivered to Howard's Discord DMs (2026-06-26) but has not been applied to Nick's Mac (blocked: no onsite access + no Mac password as of 2026-06-29). Root code fix for Mike: either the install script should stamp the UUID (like the `.pkg` postinstall), or `/api/enroll` should accept a site code. Secondary: add a macOS branch to `default_config_path()` in `agent/src/config.rs`. Coord todo: 6f2d22be-e653-48c8-9f9b-0155420b315d (project gururmm).
- **All three workstations now on Win 11 (as of 2026-06-29).** LEGALASST via unsupported-hardware bypass; REDNOURCARRIEVI (Carrie's) to Win 11 25H2 build 26200 on clean Media Creation Tool media; FRONTDESKRECEPT was already Win 11. No remaining Win 10 EOL exposure on the enrolled fleet.
- **GuruRMM WORKS on Rednour's Windows boxes (corrects an earlier note).** The Windows agents (incl. REDNOURCARRIEVI `8e4e2221...`, v0.6.66) are online and execute commands fine — Carrie's entire upgrade was diagnosed and watched live over `/rmm` on 2026-06-29. Quirk: `/api/agents` returns `is_connected: null` even when `status`="online" and commands complete exit 0 — judge by `status`, not `is_connected`. The client filter uses client_name **"Rednour Law Offices"** (not "rednour") — search by hostname. The only RMM gap is the **macOS** agent (Nick's Mac — separate code-vs-UUID bug above).
- **[RESOLVED 2026-06-29] Win11 upgrade on REDNOURCARRIEVI failed 3x at SAFE_OS / APPLY_IMAGE (`0x8007000D - 0x2000C`) — root cause was a CORRUPT Win11 download.** The real upstream error was `ks.sys` failing to decompress from the WIM with `0x80070570` (ERROR_FILE_CORRUPT); `0x8007000D` was only the final rollup. Proven by hashing: ISO `install.wim` and the extracted copy had identical SHA256 (`9AD2EF...`) = same corrupt bytes (not extraction damage; SSD healthy). First attempt was also masked by running media from a OneDrive-redirected Desktop (cloud placeholder -> `0x80070780` ERROR_CANT_ACCESS_FILE in WinPE). Fix: re-download via **Media Creation Tool** (validates its own download) and run `setup.exe` from a mounted ISO on LOCAL storage. **Lesson: for repeated APPLY_IMAGE/`ks.sys` corruption, suspect a bad download first — hash the WIM, don't keep retrying the same media.**
- **`endpointprotection.exe` on these boxes = Datto AV, not malware.** Path `C:\Program Files\infocyte\agent\dattoav\Endpoint Protection SDK\endpointprotection.exe`, service `EndpointProtectionService` ("Endpoint Protection Service"). It's the AV engine inside the Datto EDR/Infocyte agent (ACG-managed, tenant azcomp4587). To pause for a feature upgrade: `Stop-Service EndpointProtectionService -Force` (Auto-start; returns on reboot).
- **REDNOURCARRIEVI: Defender real-time protection is OFF by design — Datto AV is the registered primary AV** (verified 2026-06-29 post-upgrade: Defender RTP False, Datto AV `EndpointProtectionService` Running). The onboarding "antimalware service not running / Defender off" finding is explained by Datto AV being the active product — confirm Datto AV is healthy rather than expecting Defender RTP on.
- **REDNOURCARRIEVI: RDP enabled without NLA at onboarding.** Restrict RDP to VPN-only or require NLA.
- **[RESOLVED 2026-06-29 after Win11 upgrade] LEGALASST: built-in Compressed Folders handler hangs explorer on `.zip` open.** Local zips; Word/PDF fine. `zipfldr.dll` intact (environmental, not a corrupt DLL). AppHang Event 1002, no faulting module. The Win11 in-place upgrade rebuilt the shell/system files and the hang no longer reproduces. 7-Zip 26.02 remains installed as a fallback. If it ever recurs, suspect Defender archive-scan + cloud (MAPS) lookup stalling the shell; to test-disable any shell extension reversibly, add its CLSID to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked` (delete to restore).
- **[RESOLVED 2026-06-29 after Win11 upgrade] LEGALASST: WordPerfect 5 "not enough free space" on save** despite verified free space and regardless of save location. Originally hypothesized as a legacy free-space overflow on large-capacity volumes that an OS upgrade would not fix — but it looks resolved after the Win11 upgrade (confirm in normal use). If it recurs, mitigate via DOSBox / SUBST small-capacity drive and confirm WP version/edition.
- **`.NET Runtime 1022` "profiling API attach" errors are noise** unless a `COR_PROFILER` env var is actually set — do not chase them as a hang cause.
- **Plaintext local-account passwords in Syncro customer notes.** Accounts `carrie` and `ale` appear in Syncro notes in plaintext — vault migration pending. Do not rely on Syncro notes as the authoritative credential store for these accounts.
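
Added example, not GuruRMM project code: a std-only Rust sketch of the `/api/enroll` option from the macOS RMM bullet above (and the matching open-items row), accepting either the site UUID or a site code in `site_id` and resolving the code to a UUID through a lookup, so the string the install script writes no longer dies in deserialization with a 422. The `SiteRef`/`EnrollError` names, the WORD-WORD-NNNN code shape (inferred from `GREEN-FALCON-7214`) and the in-memory code table are assumptions.

```rust
// Added example, not GuruRMM project code: accept either form of `site_id` at
// enroll time instead of forcing the field straight through a UUID deserializer.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum SiteRef { Uuid(String), Code(String) } // canonical UUID text | code like GREEN-FALCON-7214

#[derive(Debug, PartialEq, Eq)]
pub enum EnrollError { MalformedSiteId(String), UnknownSiteCode(String) } // both map to a 4xx reject

// True for a textual RFC 4122 UUID: 36 chars, hyphens at 8/13/18/23, hex elsewhere.
pub fn is_uuid(s: &str) -> bool {
    let b = s.as_bytes();
    b.len() == 36
        && b.iter().enumerate().all(|(i, &c)| match i {
            8 | 13 | 18 | 23 => c == b'-',
            _ => c.is_ascii_hexdigit(),
        })
}

// Site-code shape WORD-WORD-NNNN (assumed from the one code on the page).
pub fn is_site_code(s: &str) -> bool {
    let parts: Vec<&str> = s.split('-').collect();
    parts.len() == 3
        && parts[..2].iter().all(|p| !p.is_empty() && p.bytes().all(|c| c.is_ascii_uppercase()))
        && parts[2].len() == 4
        && parts[2].bytes().all(|c| c.is_ascii_digit())
}

// Classify the raw field first; a code string is a valid request, not a type error.
pub fn parse_site_ref(raw: &str) -> Result<SiteRef, EnrollError> {
    let t = raw.trim();
    if is_uuid(t) {
        Ok(SiteRef::Uuid(t.to_ascii_lowercase())) // normalise so lookups key on one form
    } else if is_site_code(t) {
        Ok(SiteRef::Code(t.to_string()))
    } else {
        Err(EnrollError::MalformedSiteId(raw.to_string()))
    }
}

// Resolve to the site UUID the server keys on; codes go through a lookup
// (`codes` is a constructed in-memory map standing in for the sites table).
pub fn resolve_site_uuid(raw: &str, codes: &HashMap<&str, &str>) -> Result<String, EnrollError> {
    match parse_site_ref(raw)? {
        SiteRef::Uuid(u) => Ok(u),
        SiteRef::Code(c) => codes.get(c.as_str()).map(|u| u.to_string())
            .ok_or(EnrollError::UnknownSiteCode(c)), // well-formed but unknown: reject, never guess
    }
}
```

An unknown code is rejected rather than auto-created, so a typo in the installer cannot silently enroll an agent into a fresh site.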

## Active Work / Open Items

| Priority | Action | Owner | Notes |
|---|---|---|---|
| P1 | Re-enable Defender on REDNOURCARRIEVI | Howard/Mike | Was off at onboarding 2026-05-29; confirm current state |
| P1 | Remove prior MSP agents (ScreenConnect, Splashtop, Syncro, Datto RMM) | Mike/Howard | Present on all 3 machines; Datto RMM on REDNOURCARRIEVI only |
| DONE | Upgrade LEGALASST to Windows 11 | Howard | 2026-06-29 (remote, ~1.5 hr): in-place upgrade completed via TPM/CPU bypass + `setup.exe /product server`, keep files + apps. Explorer-on-.zip hang and WordPerfect save error both look resolved post-upgrade. Machine is aged/unsupported (Ryzen 3 3200G, 5.9 GB RAM) -> recommend replacement (see below) |
| P2 | Recommend replacing LEGALASST (age / unsupported hardware) | Howard/Mike | Generic OEM whitebox, AMD Ryzen 3 3200G (2019-era APU), 5.9 GB RAM, no TPM/Secure Boot - outside Win11 support and at end of useful life. Quote a replacement workstation rather than investing further |
| DONE | Upgrade REDNOURCARRIEVI (Carrie's machine) to Windows 11 | Howard | 2026-06-29 (in-shop, 1.5h): completed to Win 11 25H2 build 26200. 3 prior failures were a corrupt Win11 download (`ks.sys` 0x80070570 -> SAFE_OS 0x8007000D); fixed with fresh Media Creation Tool media mounted from local storage. Windows.old present (10-day rollback window) |
| RESOLVED | GuruRMM functionality for Rednour | Howard | 2026-06-29: GuruRMM WORKS on the Windows boxes (Carrie's upgrade diagnosed live over /rmm). The earlier "not working" note was incorrect / referred to the macOS agent. Only the Mac enrollment remains broken (separate row) |
| P2 | Verify SMB shares + local accounts survived Carrie's Win11 upgrade | Howard | Feature upgrades can reset sharing/firewall. Confirm Documents / Time Matters / Timeslips shares + local accounts (carrie/nick/emma) still work (Nick's Mac mounts `smb://192.168.10.194/Documents`; mapped X/Y/Z on LEGALASST) |
| P3 | Carrie's machine: let `Windows.old` ride until ~2026-07-09 | Howard | Don't run Disk Cleanup until Carrie confirms Time Matters / Timeslips / WordPerfect work on Win 11 — preserves the 10-day rollback |
| P3 | Carrie: deliver the correct USB-C/HDMI adapter | Howard | Interim USB-to-HDMI adapter provided + billed on #32368; swap when the proper adapter arrives |
| DONE | Bill Carrie-machine / reception-upgrade work to Syncro #32368 | Howard | 2026-06-29: invoiced as #67912, $669.55 (in-shop Carrie clone+Win11 1.5h + FRONTDESKRECEPT NVMe clone 1.0h + LEGALASST remote 1.5h prior + hardware). Public Work Summary note added; Nick = no charge |
| P1 | Fix GuruRMM macOS agent enrollment on Nick's Apple Silicon Mac | Howard/Mike | Agent installs but does not enroll. Root cause: install script writes site CODE not UUID; server expects UUID. Fix = overwrite `/usr/local/etc/gururmm/site.plist` with `site_id = c7f5787c-8e71-45b3-841f-fa52436f7d26` and reload LaunchDaemon. Paste-block delivered to Howard's Discord DMs (2026-06-26). Blocked: need onsite access + Mac password. Code fix for Mike: enroll.rs accept site code OR install script stamp UUID. Coord todo 6f2d22be |
| P1 | Vault migration of plaintext local-account passwords in Syncro customer notes | Howard/Mike | Accounts carrie, ale; not yet vaulted |
| DONE | LEGALASST: WordPerfect 5 "not enough free space" on save | Howard | 2026-06-29: looks resolved after the Win11 upgrade (contradicts earlier "OS upgrade won't fix" hypothesis - confirm in normal use). If it recurs, mitigate via DOSBox / SUBST small-capacity drive |
| DONE | LEGALASST: built-in zip-handler explorer hang | Howard | 2026-06-29: looks resolved after the Win11 upgrade (shell/system files rebuilt). 7-Zip 26.02 remains installed as a fallback; setting it default for `.zip` is now optional |
| P2 | Return visit: Nick's custom phone/desktop cables | Howard | Printer setup DONE (no charge). Returning with a box of cable to make custom cables so Nick can place the phone where he wants while keeping it connected to his desktop. Phone/printer wiring may still need a new run / switch |
| P2 | Final invoice on Syncro #32343 | Mike | 0.5h remote labor (line item 42654682) sitting on Invoiced ticket; additional onsite labor from 2026-06-25 SMB share work deferred by Howard |
| P2 | Address BitLocker gap on FRONTDESKRECEPT | Mike/Howard | OS volume unencrypted at onboarding |
| P2 | Confirm Nick's Mac is actually `DUXs-Mac-Studio` | Howard | ScreenConnect shows this name; "Dux" username may indicate it's not Nick's machine — verify before enrolling |
| P3 | Remove stale local admin accounts (Ale, Emma on LEGALASST) | Howard | Left from prior user assignment |
| P3 | emma@ alias — revisit if firm wants it decommissioned | Mike | Retained by design; currently serves as Carla's legacy address |
| P3 | Security cleanup: over-broad Everyone=Full SMB shares on REDNOURCARRIEVI | Howard | Time Matters Shared Files, Program Files sage, Users shares |
| P3 | Fix REDNOURCARRIEVI RDP: require NLA or restrict to VPN | Howard | RDP open without NLA at onboarding |
| DONE | Shared-drive access for Nick Pafford | Howard | 2026-06-25: created local `nick` account on REDNOURCARRIEVI; `Documents` share = Change + NTFS = Modify; cred vaulted `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`; Nick's Apple Silicon Mac mounts `smb://192.168.10.194/Documents` |

## Backlinks

- [[projects/gururmm]] — FRONTDESKRECEPT, LEGALASST, REDNOURCARRIEVI enrolled (site: Main Office); macOS enrollment code-vs-UUID bug (coord todo 6f2d22be)