claudetools/clients/peaceful-spirit/session-logs/2026-05-11-session.md
Mike Swanson 6183b1c319 sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-11 18:22:21
Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-11 18:22:21
2026-05-11 18:22:23 -07:00


Peaceful Spirit — IKEv2 Pre-Login VPN: Machine Cert Enrollment Prep

Date: 2026-05-11
Client: Peaceful Spirit (Country Club site)
Ticket scope: Pre-login IKEv2 VPN for Mara — machine certificate auth path

User

  • User: Mike Swanson (mike)
  • Machine: DESKTOP-0O8A1RL
  • Role: admin
  • Session span: Continuation of 2026-05-10 session

Session Summary

The session resumed from a prior effort to enable pre-login IKEv2 VPN for Mara on three machines (MaraHomeNew, Maras-HP-Laptop, PST-SURFACE), which had been blocked by error 812. The PST-SERVER CA was confirmed to be trusted and correctly configured, but the Machine certificate template did not grant the AutoEnroll right to the Domain Computers group, and every attempt to add it returned "Access is denied". Multiple attempts to correct this failed due to access restrictions, incorrect credentials, and tool limitations, until a PowerShell script run as sysadmin successfully added the AutoEnroll right.

Despite this, certificate enrollment on the client machines failed due to lack of access to the PST-SERVER DCOM endpoint, which is required for enrollment but blocked without the IKEv2 VPN. The NPS policy was confirmed to allow PEAP and MSCHAPv2 for the WseRemoteAccessUsers group, and the OpenVPN configuration on MaraHomeNew was identified as a potential workaround to enable access to PST-SERVER.

The user agreed to update the OpenVPN config on MaraHomeNew to connect to the Country Club site (UCG at 98.190.129.150), which would allow access to the internal network for certificate enrollment. The session was interrupted before completing the enrollment process.


Key Decisions

  • Used a PowerShell script (fix_acl.ps1) run as sysadmin via scheduled task to grant AutoEnroll rights to Domain Computers — direct ADSI from SYSTEM context failed ("Access is denied"), dsacls failed to resolve both name and GUID formats on Server 2016.
  • Identified domain admin credentials as sysadmin / r3tr0gradE99! (not pst-admin, which is a domain user but not domain admin).
  • Determined that cert enrollment failure was due to remote machines having no route to PST-SERVER DCOM (192.168.0.2) — not a permissions problem after the ACL fix, but a network path problem.
  • Chose OpenVPN as the bootstrap path to get MaraHomeNew onto the office LAN for cert enrollment, rather than attempting manual cert generation on PST-SERVER and PFX transfer (which would require non-standard key handling).
  • NPS confirmed functional: order-1 policy allows PEAP (0x19) and MSCHAPv2 (0x1a), WseRemoteAccessUsers condition, Ignore-User-Dialin-Properties=TRUE, Allow-Dial-In=TRUE — no NPS policy changes needed.

Problems Encountered

  • AutoEnroll permission denied on Machine template: SYSTEM context (PST-SERVER$ machine account, in Domain Controllers group) and ADSI/dsacls all failed to write the ACL. Resolved by writing a PS script to disk via RMM, then registering a scheduled task to run it as sysadmin (domain admin). Script ran successfully and ACL was confirmed via secondary sysadmin-context query.
  • dsacls doesn't resolve Certificate-AutoEnrollment name or GUID on Server 2016: Both Certificate-AutoEnrollment string and {a2a8902a-...} GUID returned "No GUID Found." Resolved by using PowerShell ActiveDirectoryAccessRule with the GUID directly, run as domain admin.
  • certutil -autoenroll not available on Windows 10/11 clients: Only exists on Server. Switched to certreq/Get-Certificate approaches.
  • certreq and Get-Certificate failed on all 3 Mara machines: CERTSRV_E_PROPERTY_EMPTY / "no default enrollment policy server." Root cause: machines are remote and cannot reach PST-SERVER (192.168.0.2) via DCOM — Certificate Enrollment Policy Service not installed on PST-SERVER, enrollment falls back to DCOM which requires LAN access.
  • Catch-22: Need machine cert to establish IKEv2 VPN, but need IKEv2 VPN (or another LAN path) to enroll the machine cert from the domain CA. Resolution path: use OpenVPN to reach the office LAN first.
  • pst-admin vs sysadmin: First several ACL attempts used wrong credentials (pst-admin / 24Hearts$). User corrected — domain admin is sysadmin / r3tr0gradE99!.

Configuration Changes

PST-SERVER (via RMM — persisted in AD)

  • Modified certificate template ACL: added AutoEnroll extended right (GUID a2a8902a-4010-11d1-a7b0-0060b0576642) for Domain Computers (SID S-1-5-21-1105246401-3156558273-4088333098-515) on the Machine/Computer template in CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=PEACEFULSPIRIT,DC=local
  • Method: scheduled task as sysadmin running C:\ProgramData\fix_acl.ps1 (temp file, can be deleted)
  • Wrote and left temporary files: C:\ProgramData\fix_acl.ps1, C:\ProgramData\acl_result.txt, C:\ProgramData\verify_acl.ps1, C:\ProgramData\acl_verify.txt — safe to delete

Mara Machines (already deployed in previous session, unchanged this session)

  • AllUserConnection VPN profile "Peaceful Spirit VPN" on MaraHomeNew, Maras-HP-Laptop, PST-SURFACE
    • TunnelType: IKEv2, Auth: EAP, AllUserConnection: True, SplitTunneling: True
    • Server: 98.190.129.150
    • EAP XML: needs verification (XML object rendering issue prevented reading type value)

Not Changed

  • NPS policies on PST-SERVER: no changes this session; PST-VPN-Test was already deleted
  • UCG: no changes
  • VPN profiles on Mara machines: no changes

Credentials & Secrets

Item Value
PST-SERVER domain admin PEACEFULSPIRIT\sysadmin / r3tr0gradE99!
PST-SERVER SSH sysadmin / r3tr0gradE99!
VPN credential PEACEFULSPIRIT\pst-admin / 24Hearts$ (domain user, in WseRemoteAccessUsers)
UCG SSH key ~/.ssh/pst-cc-ucg / password: Gptf*77ttb123!@#
VPN PSK (L2TP) z5zkNBds2V9eIkdey09Zm6Khil3DAZs8
NPS RADIUS shared secret PST-RADIUS-UCG-2026!@#
pst-admin (domain user) 24Hearts$
OpenVPN config user on MaraHomeNew C:\Users\PeacefulSpiritMassag\OpenVPN\config\PST-NW-VPN-Windows\PST-NW-VPN-auth.txt (creds unknown)

Note: pst-admin is NOT domain admin. sysadmin is domain admin.

Vault paths:

  • clients/peaceful-spirit/server.sops.yaml — PST-SERVER, UCG details
  • clients/peaceful-spirit/vpn.sops.yaml — VPN credentials, PSK, network

Infrastructure & Servers

| Component | Value |
|---|---|
| PST-SERVER IP (LAN) | 192.168.0.2 |
| PST-SERVER OS | Windows Server 2016 Essentials (build 14393) |
| PST-SERVER domain | PEACEFULSPIRIT.local |
| PST-SERVER roles | AD DS, DNS, RRAS (VPN server), NPS, Enterprise Root CA |
| CA name | PEACEFULSPIRIT-PST-SERVER-CA |
| CA thumbprint | 56DAF43C60F246BF2C80A671EE9812C727D8C298 (valid 3/8/2061) |
| PST-SERVER machine cert | DB71981ABE4CBA1DE96FEEEAF178F6259663B543 (CN=PST-SERVER.PEACEFULSPIRIT.local, valid 5/9/2027) |
| UCG-PST-CC WAN IP | 98.190.129.150 |
| UCG VPN endpoint | UDP 500/4500 → forwarded to 192.168.0.2 (PST-SERVER RRAS) |
| PST network | 192.168.0.0/24 |
| GuruRMM client | Peaceful Spirit (00015eae-50e5-4102-93fa-ab0fdb135c08) |
| GuruRMM site | Country Club (7b32983d-982a-4a5c-af07-45a23453f589) |
| PST-SERVER agent ID | 6b6106a7-8515-4b6b-857d-0dc6ede53f35 |
| MaraHomeNew agent ID | c778b6a3-c646-4454-a065-8c8bdcb1578e |
| Maras-HP-Laptop agent ID | 13cb3629-5043-4bd6-b977-6968eeccf804 |
| PST-SURFACE agent ID | 4a993b61-59b3-42f4-bdb5-d4362941f7d6 |
| Domain Computers SID | S-1-5-21-1105246401-3156558273-4088333098-515 |
| WseRemoteAccessUsers SID | S-1-5-21-1105246401-3156558273-4088333098-1113 |

CA / Machine Cert State on Mara Machines

| Machine | CA in Trusted Root | Machine Cert in LocalMachine\My |
|---|---|---|
| MaraHomeNew | YES (56DAF43C) | No |
| Maras-HP-Laptop | Not checked | No |
| PST-SURFACE | Not checked | No |

OpenVPN on Mara Machines

| Machine | Status | Config Location |
|---|---|---|
| MaraHomeNew | Not running | C:\Users\PeacefulSpiritMassag\OpenVPN\config\PST-NW-VPN-Windows\PST-NW-VPN-Windows.ovpn (remote 64.139.88.249:1194 TCP, NW site) |
| Maras-HP-Laptop | OpenVPN Connect running (4 processes) | No config in standard paths |
| PST-SURFACE | OpenVPN Connect running (4 processes) | No config in standard paths |

Commands & Outputs

Grant AutoEnroll to Domain Computers on Machine template (PST-SERVER via sysadmin scheduled task)

# Script written to C:\ProgramData\fix_acl.ps1, run as PEACEFULSPIRIT\sysadmin
$sid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1105246401-3156558273-4088333098-515")
$guid = [Guid]"a2a8902a-4010-11d1-a7b0-0060b0576642"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, "ExtendedRight", "Allow", $guid, "None")
$t = [ADSI]"LDAP://CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=PEACEFULSPIRIT,DC=local"
$acl = $t.psbase.ObjectSecurity
$acl.AddAccessRule($ace)
$t.psbase.CommitChanges()

Result: "SUCCESS" — confirmed via ACL query: PEACEFULSPIRIT\Domain Computers | Allow on AutoEnroll GUID.
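
An added verification query (not the session's verify_acl.ps1) that reads the template ACL back and reports which principals hold the Enroll and AutoEnroll extended rights, using the two GUIDs listed under Reference Information; it assumes it runs on PST-SERVER as a domain admin with only the built-in ADSI provider.

```powershell
# Added example, not the session's verify_acl.ps1: list who holds the Enroll /
# AutoEnroll extended rights on a template and check the pair a principal needs.
$AutoEnrollGuid = [Guid]"a2a8902a-4010-11d1-a7b0-0060b0576642"   # Certificate-AutoEnrollment
$EnrollGuid     = [Guid]"0e10c968-78fb-11d2-90d4-00c04f79dc55"   # Certificate-Enrollment

function Get-TemplateEnrollRights {
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [string]$ConfigDn = "CN=Configuration,DC=PEACEFULSPIRIT,DC=local"
    )
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigDn"
    $t  = [ADSI]"LDAP://$dn"
    # GetAccessRules(includeExplicit, includeInherited, resolve identities as DOMAIN\name)
    $rules = $t.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        # Enroll/AutoEnroll are extended rights; an empty ObjectType grants every extended right
        if (-not ($r.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        $right = $null
        if     ($r.ObjectType -eq $AutoEnrollGuid) { $right = 'AutoEnroll' }
        elseif ($r.ObjectType -eq $EnrollGuid)     { $right = 'Enroll' }
        elseif ($r.ObjectType -eq [Guid]::Empty)   { $right = 'AllExtendedRights' }
        if ($right) {
            [pscustomobject]@{
                Identity  = $r.IdentityReference.Value
                Right     = $right
                Access    = $r.AccessControlType
                Inherited = $r.IsInherited
            }
        }
    }
}

function Test-AutoEnrollReady {
    param([string]$TemplateName = 'Machine', [string]$Principal = 'PEACEFULSPIRIT\Domain Computers')
    $has = @(Get-TemplateEnrollRights -TemplateName $TemplateName |
        Where-Object { $_.Identity -eq $Principal -and $_.Access -eq 'Allow' } |
        ForEach-Object Right)
    # Autoenrollment needs Enroll AND AutoEnroll for the principal (Read is also required;
    # by default Authenticated Users already hold Read on templates)
    $ready = ($has -contains 'AllExtendedRights') -or (($has -contains 'Enroll') -and ($has -contains 'AutoEnroll'))
    [pscustomobject]@{ Template = $TemplateName; Principal = $Principal; Rights = ($has -join ','); Ready = $ready }
}

Get-TemplateEnrollRights -TemplateName Machine | Format-Table -AutoSize
Test-AutoEnrollReady
```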

NPS Order-1 Policy (from netsh nps show np)

Name             = {502F03DC-1EC9-49A9-811A-99BA53619319}
Processing order = 1
Policy source    = 2 (Windows Server Solutions)
Condition0       = 0x1fb5 "S-1-5-21-1105246401-3156558273-4088333098-1113" (WseRemoteAccessUsers)
Ignore-User-Dialin-Properties = TRUE
NP-Allow-Dial-in = TRUE
NP-Allowed-EAP-Type = "19000000..." (PEAP type 25) + "1a000000..." (MSCHAPv2 type 26)
NP-Authentication-Type = 0x3, 0x9, 0x4, 0xa, 0x5

OpenVPN config on MaraHomeNew

client
dev tun
proto tcp
remote 64.139.88.249 1194   # NW site, NOT CC
auth-user-pass PST-NW-VPN-auth.txt
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
key-direction 1
redirect-gateway def1

Mike will replace with config pointing to CC site (UCG 98.190.129.150:1194) to enable LAN access for cert enrollment.

Certificate enrollment failures on Mara machines

certutil -autoenroll        → CertUtil: Unknown arg: -autoenroll  (not available on Win10/11)
certreq -enroll -machine -q Machine  → Template not found + CERTSRV_E_PROPERTY_EMPTY
Get-Certificate -Template Machine   → CX509PolicyServerUrl::_GetStringProperty: CERTSRV_E_PROPERTY_EMPTY
                                       (no enrollment policy server; DCOM unreachable from remote)

Pending / Incomplete Tasks

| Task | Status | Notes |
|---|---|---|
| Place CC OpenVPN config on MaraHomeNew | PENDING (Mike) | Mike will add config pointing to 98.190.129.150:1194 (UCG at CC). Auth-user-pass with credentials file, or cert-based. Need to replace PST-NW-VPN-auth.txt with CC site credentials. |
| Connect MaraHomeNew via OpenVPN to CC | PENDING | Once CC config is in place, trigger openvpn --config ... via RMM (or manually). Verify route to 192.168.0.2. |
| Enroll machine cert on MaraHomeNew via certreq | PENDING | Once on office LAN: certreq -enroll -machine -q -config "PST-SERVER.PEACEFULSPIRIT.local\PEACEFULSPIRIT-PST-SERVER-CA" Machine |
| Verify machine cert enrolls correctly | PENDING | Check Cert:\LocalMachine\My for CN=MaraHomeNew.PEACEFULSPIRIT.local from PEACEFULSPIRIT-PST-SERVER-CA |
| Enroll machine certs on Maras-HP-Laptop and PST-SURFACE | PENDING | Same process once MaraHomeNew is confirmed working. HP and Surface also have OpenVPN Connect installed. |
| Configure RRAS to accept machine cert auth for IKEv2 | PENDING | May need additional RRAS config after certs are enrolled; verify if current config auto-detects machine certs |
| Update Mara machines' VPN profiles to MachineCertificate auth | PENDING | Change AuthenticationMethod from Eap to MachineCertificate; remove EAP XML |
| Test pre-login VPN connection on MaraHomeNew | PENDING | After machine cert enrolled and VPN profile updated |
| Verify EAP XML type in current "Peaceful Spirit VPN" profile | PENDING | Get-VpnConnection returned XmlElement object instead of string; need to verify type 25 vs 26 |
| Identify Mara's OpenVPN Connect profile source on HP and Surface | PENDING | OpenVPN Connect running but no .ovpn files found in standard paths — check ConnectHandler user data or registry |
| Clean up temp files on PST-SERVER | PENDING | C:\ProgramData\fix_acl.ps1, acl_result.txt, verify_acl.ps1, acl_verify.txt — safe to delete |
| Confirm PST-VPN-Test NPS policy is gone | DONE | Not listed in netsh nps show np output |
| Grant AutoEnroll on Machine template for Domain Computers | DONE | ACL write confirmed via sysadmin-context query |

Reference Information

  • GuruRMM API: https://rmm.azcomputerguru.com/api/
  • PST-SERVER agent: https://rmm.azcomputerguru.com/api/agents/6b6106a7-8515-4b6b-857d-0dc6ede53f35
  • MaraHomeNew agent: https://rmm.azcomputerguru.com/api/agents/c778b6a3-c646-4454-a065-8c8bdcb1578e
  • Maras-HP-Laptop agent: https://rmm.azcomputerguru.com/api/agents/13cb3629-5043-4bd6-b977-6968eeccf804
  • PST-SURFACE agent: https://rmm.azcomputerguru.com/api/agents/4a993b61-59b3-42f4-bdb5-d4362941f7d6
  • Peaceful Spirit client in RMM: ID 00015eae-50e5-4102-93fa-ab0fdb135c08
  • Country Club site in RMM: ID 7b32983d-982a-4a5c-af07-45a23453f589
  • Certificate AutoEnroll GUID: a2a8902a-4010-11d1-a7b0-0060b0576642
  • Certificate Enroll GUID: 0e10c968-78fb-11d2-90d4-00c04f79dc55
  • Vault: clients/peaceful-spirit/server.sops.yaml, clients/peaceful-spirit/vpn.sops.yaml
  • Prior session log: clients/peaceful-spirit/session-logs/2026-05-10-session.md
  • MaraHomeNew OpenVPN config: C:\Users\PeacefulSpiritMassag\OpenVPN\config\PST-NW-VPN-Windows\PST-NW-VPN-Windows.ovpn

Update: 15:07 PT — Machine cert auth working on MaraHomeNew; HP/Surface PFXs generated

User

  • User: Mike Swanson (mike)
  • Machine: DESKTOP-0O8A1RL
  • Role: admin
  • Session span: Continuation of 2026-05-11 session (afternoon)

Session Summary

The session began by resuming from a prior troubleshooting effort where MaraHomeNew had "IKE authentication credentials are unacceptable" after switching to MachineCertificate auth. The installed cert (bf2b2482) had correct EKUs but the wrong identity: Subject and SAN both showed CN=PST-SERVER.PEACEFULSPIRIT.local because the Machine template was configured to build the Subject from the submitting machine's AD identity (msPKI-Certificate-Name-Flag=0x18000000), and PST-SERVER had submitted the CSR in the prior session. The template was corrected by setting msPKI-Certificate-Name-Flag to 0x1 (ENROLLEE_SUPPLIES_SUBJECT). The wrong cert was deleted, a new CSR was generated on MaraHomeNew with the correct Subject and SAN, transferred via SCP over OpenVPN to PST-SERVER for local CA submission, and the resulting cert (D067E07B) was accepted on MaraHomeNew.

With the correct cert installed, rasdial still returned the same error. Get-VpnAuthProtocol on PST-SERVER revealed that UserAuthProtocolAccepted only contained EAP and MsChapv2 — Certificate was not listed. Set-VpnAuthProtocol was used to add Certificate, RemoteAccess was restarted, and rasdial "Peaceful Spirit VPN" succeeded.

Win32-OpenSSH was installed on PST-SERVER during this session, enabling direct SSH access from DESKTOP-0O8A1RL via OpenVPN. SSH key auth was configured using the existing id_ed25519 key; the administrators_authorized_keys file required SYSTEM+Administrators-only permissions — presence of an Authenticated Users ACE caused key auth to fail silently. SSH access is now working and was used for all subsequent PST-SERVER administration.

To onboard Maras-HP-Laptop and PST-SURFACE without requiring OpenVPN bootstrap on each machine, a PFX-based cert deployment workflow was designed: generate exportable certs on PST-SERVER centrally, export as password-protected PFX, deploy to each machine with Import-PfxCertificate + Add-VpnConnection. The gen_certs.ps1 script ran successfully after a fix (MachineKeySet=FALSE initially used, caused template context conflict; corrected to MachineKeySet=TRUE). PFXs for both machines were generated and SCP'd to DESKTOP-0O8A1RL.

Key Decisions

  • Changed msPKI-Certificate-Name-Flag from 0x18000000 to 0x1 (ENROLLEE_SUPPLIES_SUBJECT): the prior value caused the CA to build Subject/SAN from the submitting machine's AD DNS identity rather than the CSR content. This is a domain-wide template change; acceptable for this environment.
  • Used SCP over OpenVPN for CSR/cert transfer (MaraHomeNew → PST-SERVER → MaraHomeNew) rather than RMM base64 method — SSH now installed on PST-SERVER made this viable and faster.
  • "Certificate" is the correct enum value for Set-VpnAuthProtocol, not "MachineCertificate" — confirmed via PowerShell ValidateSet error. Valid values: EAP, Certificate, MsChapv2, Chap, PAP, PreSharedKey.
  • PFX-based onboarding for HP and Surface: generates private key on PST-SERVER with Exportable=TRUE. Less ideal from key hygiene standpoint but eliminates the need for each machine to have an OpenVPN bootstrap path before cert enrollment.
  • MachineKeySet=TRUE required in certreq INF when template is the Machine template: MachineKeySet=FALSE causes "User context template conflicts with machine context" rejection at certreq -submit.

Problems Encountered

  • Wrong cert Subject/SAN (CN=PST-SERVER instead of MaraHomeNew): Machine template msPKI-Certificate-Name-Flag=0x18000000 caused CA to use submitting machine identity. Fixed by setting flag to 0x1 and reissuing cert.
  • IKE authentication failure persisted after correct cert: RRAS UserAuthProtocolAccepted did not include Certificate. Fixed via Set-VpnAuthProtocol + Restart-Service RemoteAccess.
  • RMM polling was reading wrong field: Commands completing with output, but code was checking "output" field; actual output is in "stdout". Fixed once full JSON response was inspected.
  • Win32-OpenSSH key auth silently failing: administrators_authorized_keys had Authenticated Users:(RX) ACE which Win32-OpenSSH rejects as insecure. Fixed via icacls /inheritance:r removing user ACEs.
  • PFX cert generation — MachineKeySet=FALSE conflicts with Machine template: certreq -submit returned "User context template conflicts with machine context." Fixed by changing INF to MachineKeySet=TRUE and checking Cert:\LocalMachine\My instead of CurrentUser\My.
  • SCP path format with Win32-OpenSSH: Windows-style paths (C:\ProgramData\file) failed; Unix-style (/C:/ProgramData/file) required for Win32-OpenSSH sftp-server.

Configuration Changes

PST-SERVER

  • msPKI-Certificate-Name-Flag on Machine cert template: 0x18000000 → 0x1 (ENROLLEE_SUPPLIES_SUBJECT)
    • LDAP path: CN=Machine,CN=Certificate Templates,...,DC=PEACEFULSPIRIT,DC=local
  • Win32-OpenSSH installed at C:\Program Files\OpenSSH\OpenSSH-Win64\; sshd service Automatic/Running; firewall TCP 22 inbound allow
  • C:\ProgramData\ssh\administrators_authorized_keys: acg-admin@pst-cc-ucg key (pre-existing) + guru@DESKTOP-0O8A1RL; permissions SYSTEM:(F) BUILTIN\Administrators:(F) only
  • RRAS UserAuthProtocolAccepted: added Certificate (was EAP, MsChapv2 only); RemoteAccess restarted
  • Certs issued: Maras-HP-Laptop (RequestId 66, thumbprint 4CADDE8F940FC3EEFC37919B6A4541A913801296) and PST-SURFACE (RequestId 67, thumbprint 197FF22A97F26EF19DECF9E752B1B88C7E7ED42E)
  • PFX files: C:\ProgramData\Maras-HP-Laptop.pfx, C:\ProgramData\PST-SURFACE.pfx (password: PstVpn2026!)
  • Temp files (safe to delete): gen_certs.ps1, diag_out.txt, Maras-HP-Laptop.{inf,req,cer,pfx}, PST-SURFACE.{inf,req,cer,pfx}, machine2.req/cer

MaraHomeNew

  • Wrong cert bf2b2482 (CN=PST-SERVER) removed from Cert:\LocalMachine\My
  • New cert installed: thumbprint D067E07B4A670AF5C6DE27250EB533B06F28FD6A, CN=MaraHomeNew.PEACEFULSPIRIT.local, SAN DNS=MaraHomeNew.PEACEFULSPIRIT.local, valid to 5/10/2027
  • "Peaceful Spirit VPN" AllUserConnection: AuthenticationMethod MachineCertificate, confirmed working via rasdial

DESKTOP-0O8A1RL

  • ~/.ssh/known_hosts: stale 192.168.0.2 entries cleared; new ED25519 host key for PST-SERVER accepted

Credentials & Secrets

Item Value
PST-SERVER SSH sysadmin@192.168.0.2, key: ~/.ssh/id_ed25519 (DESKTOP-0O8A1RL)
PST-SERVER domain admin PEACEFULSPIRIT\sysadmin / r3tr0gradE99!
PFX password (HP + Surface) PstVpn2026!
VPN credential PEACEFULSPIRIT\pst-admin / 24Hearts$
UCG SSH key ~/.ssh/pst-cc-ucg / Gptf*77ttb123!@#

Infrastructure & Servers

| Component | Value |
|---|---|
| PST-SERVER SSH | port 22, key auth from DESKTOP-0O8A1RL (requires OpenVPN to PST-CC active) |
| PST-SERVER OpenSSH path | C:\Program Files\OpenSSH\OpenSSH-Win64\ |
| Machine template NameFlag | 0x1 (ENROLLEE_SUPPLIES_SUBJECT) — changed this session |
| RRAS UserAuthProtocolAccepted | EAP, MsChapv2, Certificate |
| MaraHomeNew cert | D067E07B (CN=MaraHomeNew.PEACEFULSPIRIT.local, to 5/10/2027) |
| Maras-HP-Laptop cert | 4CADDE8F (CA RequestId 66) — PFX on PST-SERVER + local Temp |
| PST-SURFACE cert | 197FF22A (CA RequestId 67) — PFX on PST-SERVER + local Temp |
| PFX local copies | C:\Users\guru\AppData\Local\Temp\Maras-HP-Laptop.pfx, PST-SURFACE.pfx |

Commands & Outputs

Fix Machine template Subject Name source (PST-SERVER as sysadmin)

$t = [ADSI]"LDAP://CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=PEACEFULSPIRIT,DC=local"
$t.Properties["msPKI-Certificate-Name-Flag"].Value = 1
$t.CommitChanges()
# Returns 1 — confirmed

Reissue cert for MaraHomeNew

# On MaraHomeNew
certreq -new C:\Windows\Temp\machine2.inf C:\Windows\Temp\machine2.req
scp C:\Windows\Temp\machine2.req sysadmin@192.168.0.2:/C:/ProgramData/machine2.req
# On PST-SERVER
certreq -submit -config "PST-SERVER.PEACEFULSPIRIT.local\PEACEFULSPIRIT-PST-SERVER-CA" C:\ProgramData\machine2.req C:\ProgramData\machine2.cer
# Back on MaraHomeNew
scp sysadmin@192.168.0.2:/C:/ProgramData/machine2.cer C:\Windows\Temp\machine2.cer
certreq -accept C:\Windows\Temp\machine2.cer
# Result: D067E07B4A670AF5C6DE27250EB533B06F28FD6A
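
The INF behind the certreq flow above is not in the log; this added example (not the session's machine2.inf or gen_certs.ps1) builds one for the Machine template with MachineKeySet=TRUE and an explicit SAN, then runs the same new/submit/accept steps on the target machine. It assumes admin rights, a route to the CA (LAN or the OpenVPN bootstrap path), and the CA config string from the Pending Tasks table; the key settings other than MachineKeySet and the template are conventional choices, not values from the session.

```powershell
# Added example, not the session's gen_certs.ps1 or machine2.inf.
$CaConfig = "PST-SERVER.PEACEFULSPIRIT.local\PEACEFULSPIRIT-PST-SERVER-CA"

function New-MachineCertInf {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string]$Path,
        [switch]$Exportable   # only for the central PFX hand-off; leave off for in-place enrollment
    )
    $exp = if ($Exportable) { 'TRUE' } else { 'FALSE' }
    # MachineKeySet=TRUE is mandatory: Machine is a machine-context template and
    # MachineKeySet=FALSE is rejected at certreq -submit with a context conflict.
    # With NameFlag 0x1 (ENROLLEE_SUPPLIES_SUBJECT) the CA keeps this Subject/SAN verbatim.
    $lines = @(
        '[NewRequest]'
        "Subject = `"CN=$Fqdn`""
        'KeyLength = 2048'
        'KeyAlgorithm = RSA'
        'HashAlgorithm = SHA256'
        'KeySpec = 1'
        'KeyUsage = 0xA0'
        'MachineKeySet = TRUE'
        "Exportable = $exp"
        'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"'
        'RequestType = PKCS10'
        '[RequestAttributes]'
        'CertificateTemplate = Machine'
        '[Extensions]'
        '2.5.29.17 = "{text}"'
        "_continue_ = `"dns=$Fqdn&`""
    )
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

function Request-MachineCert {
    param(
        [string]$Fqdn = $(
            # Assumption: machine FQDN = hostname + primary DNS suffix (works under SYSTEM too)
            $p = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
            "$($p.HostName).$($p.DomainName)"
        ),
        [string]$WorkDir = "$env:SystemRoot\Temp"
    )
    $inf = New-MachineCertInf -Fqdn $Fqdn -Path (Join-Path $WorkDir "$Fqdn.inf")
    $req = Join-Path $WorkDir "$Fqdn.req"
    $cer = Join-Path $WorkDir "$Fqdn.cer"
    & certreq.exe -new -q -f $inf $req | Out-Null
    if ($LASTEXITCODE) { throw "certreq -new failed ($LASTEXITCODE)" }
    # -submit talks RPC/DCOM to the CA, which is why the remote machines needed a LAN path first
    & certreq.exe -submit -q -f -config $CaConfig $req $cer | Out-Null
    if ($LASTEXITCODE) { throw "certreq -submit failed ($LASTEXITCODE)" }
    & certreq.exe -accept -q $cer | Out-Null
    if ($LASTEXITCODE) { throw "certreq -accept failed ($LASTEXITCODE)" }
    # Hand back the installed cert so the caller can confirm Subject/SAN before changing the VPN profile
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

Request-MachineCert | Format-List Subject, Thumbprint, NotAfter, Issuer
```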

Add Certificate to RRAS auth (PST-SERVER via SSH)

Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP, MsChapv2, Certificate
Restart-Service RemoteAccess
# Valid enum: EAP, Certificate, MsChapv2, Chap, PAP, PreSharedKey

VPN test result

rasdial "Peaceful Spirit VPN"
Connecting to Peaceful Spirit VPN...
[SUCCESS]
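
Added check, not from the session, to run before the rasdial test: it inspects Cert:\LocalMachine\My for a certificate that IKEv2 machine-cert auth can actually use, testing exactly the properties that went wrong here (Subject and SAN equal to the host FQDN, chain ending at the PEACEFULSPIRIT-PST-SERVER-CA thumbprint, private key present, in validity). The FQDN default and the client-authentication EKU test are assumptions.

```powershell
# Added example (not from the session log): which LocalMachine\My cert is usable for IKEv2
# machine-certificate auth, and why the others are not.
$CaThumbprint  = "56DAF43C60F246BF2C80A671EE9812C727D8C298"   # PEACEFULSPIRIT-PST-SERVER-CA
$ClientAuthEku = "1.3.6.1.5.5.7.3.2"                          # id-kp-clientAuth

function Test-IkeMachineCert {
    param(
        [string]$Fqdn = $(
            # Assumption: hostname + primary DNS suffix is what the Subject/SAN must carry
            $p = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
            "$($p.HostName).$($p.DomainName)"
        ),
        [string]$IssuerThumbprint = $CaThumbprint
    )
    foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
        $sanExt = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $ekuExt = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus   = @(if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object Value })
        # Build the chain so the issuer test uses the actual trust path, not the Issuer string
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null  = $chain.Build($c)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $now   = Get-Date
        $checks = [ordered]@{
            SubjectIsHost = ($c.Subject -eq "CN=$Fqdn")                 # the bf2b2482 failure: CN=PST-SERVER
            SanHasHost    = ($san -match [regex]::Escape($Fqdn))
            ClientAuthEku = ($ekus.Count -eq 0) -or ($ekus -contains $ClientAuthEku)   # no EKU ext = any purpose
            IssuedByOurCA = ($root.Thumbprint -eq $IssuerThumbprint)
            HasPrivateKey = $c.HasPrivateKey
            InValidity    = ($c.NotBefore -le $now -and $c.NotAfter -gt $now)
        }
        $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key)
        [pscustomobject]@{
            Thumbprint = $c.Thumbprint
            Subject    = $c.Subject
            Usable     = ($failed.Count -eq 0)
            Failed     = ($failed -join ',')
        }
    }
}

Test-IkeMachineCert | Format-Table -AutoSize
```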

Win32-OpenSSH install on PST-SERVER

& "C:\Program Files\OpenSSH\OpenSSH-Win64\install-sshd.ps1"
Start-Service sshd; Set-Service sshd -StartupType Automatic
netsh advfirewall firewall add rule name="OpenSSH" dir=in action=allow protocol=TCP localport=22
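
Added check for the administrators_authorized_keys ACL that produced the silent key-auth failure (not a command from the session): it reports any ACE whose identity is not SYSTEM or BUILTIN\Administrators and applies the same icacls repair, keyed on SIDs so localized group names do not matter.

```powershell
# Added example (not from the session): verify and repair the ACL Win32-OpenSSH requires on
# administrators_authorized_keys. Any extra ACE makes sshd ignore the file with no clear error.
$KeysFile    = 'C:\ProgramData\ssh\administrators_authorized_keys'
$AllowedSids = @('S-1-5-18', 'S-1-5-32-544')   # NT AUTHORITY\SYSTEM, BUILTIN\Administrators

function Get-UnexpectedKeyFileAces {
    param([string]$Path = $KeysFile)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Translate each identity to a SID; an orphaned SID is already a SecurityIdentifier
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($AllowedSids -notcontains $sid) { $ace }
    }
}

function Repair-KeyFileAcl {
    param([string]$Path = $KeysFile)
    $bad = @(Get-UnexpectedKeyFileAces -Path $Path)
    if ($bad.Count -eq 0) { return $true }
    # Same shape as the session's fix: strip inheritance, keep SYSTEM + Administrators Full only
    & icacls.exe $Path /inheritance:r /grant 'SYSTEM:(F)' /grant '*S-1-5-32-544:(F)' | Out-Null
    foreach ($ace in $bad) { & icacls.exe $Path /remove $ace.IdentityReference.Value | Out-Null }
    return (@(Get-UnexpectedKeyFileAces -Path $Path).Count -eq 0)
}

Get-UnexpectedKeyFileAces | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
Repair-KeyFileAcl
```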

SSH from DESKTOP-0O8A1RL (requires OpenVPN active)

ssh -i ~/.ssh/id_ed25519 sysadmin@192.168.0.2

PFX deployment command (target machine, run as admin)

Import-PfxCertificate -FilePath .\MachineName.pfx -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString "PstVpn2026!" -AsPlainText -Force)
Add-VpnConnection -Name "Peaceful Spirit VPN" -ServerAddress "98.190.129.150" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -AllUserConnection -SplitTunneling -Force

Pending / Incomplete Tasks

| Task | Status | Notes |
|---|---|---|
| Deploy cert + VPN to Maras-HP-Laptop via RMM | PENDING | PFX at C:\Users\guru\AppData\Local\Temp\Maras-HP-Laptop.pfx. RMM agent: 13cb3629 |
| Deploy cert + VPN to PST-SURFACE via RMM | PENDING | PFX at C:\Users\guru\AppData\Local\Temp\PST-SURFACE.pfx. RMM agent: 4a993b61 |
| Test pre-login VPN on all 3 machines | PENDING | MaraHomeNew rasdial confirmed. HP and Surface pending cert deployment. |
| Test VPN at Windows login screen (pre-login) | PENDING | rasdial works in user session. Need to verify AllUserConnection triggers at logon screen. |
| Clean up temp files on PST-SERVER | PENDING | C:\ProgramData: fix_acl.ps1, acl_result.txt, verify_acl.ps1, gen_certs.ps1, *.inf, *.req, *.cer, *.pfx, diag_out.txt |
| Remove TEMP firewall rules on PST-SERVER | PENDING | TEMP-CertEnroll-RPC (TCP 135) and TEMP-CertEnroll-DCOM (TCP 49152-65535) from prior session |
| Identify OpenVPN Connect profiles on HP/Surface | PENDING | OpenVPN Connect running (4 procs each) but no .ovpn files in standard paths |

Reference Information

  • PST-SERVER SSH: ssh -i ~/.ssh/id_ed25519 sysadmin@192.168.0.2 (OpenVPN to PST-CC required)
  • PFX deploy one-liner: Import-PfxCertificate + Add-VpnConnection (see Commands section)
  • RMM agents: MaraHomeNew c778b6a3, Maras-HP-Laptop 13cb3629, PST-SURFACE 4a993b61, PST-SERVER 6b6106a7
  • SCP to/from PST-SERVER: use /C:/path/to/file format (not C:\)
  • gen_certs.ps1 at C:\ProgramData\gen_certs.ps1 on PST-SERVER — reusable for future machines
  • Machine template NameFlag reference: ENROLLEE_SUPPLIES_SUBJECT = 0x1; prior value 0x18000000 (DNS_AS_CN | ALT_REQUIRE_DNS)

Update: 18:18 PT — OneDrive KFM shell folder deep fix

User

  • User: Mike Swanson (mike)
  • Machine: DESKTOP-0O8A1RL
  • Role: admin
  • Session span: 2026-05-11 afternoon continuation

Session Summary

Troubleshooting of the OneDrive KFM "Capabilities: 0x101" error for user pst-admin on Maras-HP-Laptop resumed. The user provided a screenshot showing three GUID entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders still pointing to \PST-SERVER. These GUIDs were not covered by prior fix scripts, which only targeted standard KF GUIDs. A new script, fix_remaining_folders.ps1, was written and deployed to update the three GUIDs to local userprofile paths, clear remaining FolderRedirectionPolicyValue markers, and remove Folder Redirection CSE history from Group Policy\History. The user ran the script, but the error remained.

A full registry diagnostic via GuruRMM API was initiated against the HP, accessing pst-admin's hive via HKU\S-1-5-21-1105246401-3156558273-4088333098-1118. The diagnostic revealed two WSE-specific non-standard GUID entries in User Shell Folders still pointing to the server, and a stale Shell Folders resolved cache that still showed all original \PST-SERVER paths for every redirected folder. The Shell Folders key is what the shell and OneDrive actually read at runtime; it had not been rebuilt because pst-admin had not logged off/on since the prior fix ran.

A second script, hp_final_fix.ps1, was deployed via RMM running as SYSTEM against the HKU hive. It corrected the two non-standard WSE GUIDs in User Shell Folders and directly updated all 10 server-pointing Shell Folders entries to local C:\Users\pst-admin... paths. Verification confirmed zero remaining \PST-SERVER entries in either key. The fix is complete in the registry; pst-admin must log off and back on for the live session to reflect the corrected state.

Key Decisions

  • Targeted WSE non-standard GUIDs after discovering they differ from standard KF GUIDs: WSE wrote its own GUID variants alongside the standard ones; prior scripts only addressed the standard GUIDs.
  • Deployed the final fix via RMM as SYSTEM against the HKU hive: allows both User Shell Folders and Shell Folders to be corrected in one pass regardless of what pst-admin was doing.
  • Directly updated Shell Folders (the resolved cache) in addition to User Shell Folders: the cache had not been rebuilt at logon because prior fixes ran while pst-admin was still logged in; direct correction ensures the fix is visible immediately after the next logoff/on.
  • Used /api/auth/login endpoint instead of raw JWT: raw HS256 JWT generation returned 401 despite correct secret; session token from login endpoint worked.

Problems Encountered

  • fix_remaining_folders.ps1 did not resolve error: Script ran and cleared markers/CSE history, but error remained. Root cause: stale Shell Folders resolved cache and two additional WSE-specific GUIDs not targeted by the script.
  • JWT auth returning 401: Raw HS256 JWT (manually constructed) rejected by RMM API despite correct secret and algorithm. Resolved by using /api/auth/login with admin credentials to obtain session token.
  • Wrong RMM result endpoint: Initial poll used /api/agents/{id}/command/{cmdId} (404). Correct endpoint: /api/commands/{cmdId}.
  • ConvertTo-Json nesting PS script body: PowerShell hashtable caused ConvertTo-Json to emit nested map; API expected plain string for command field. Resolved by using py to JSON-encode the script file.
  • WSE non-standard GUIDs: WSE GPO wrote two non-standard GUID variants in User Shell Folders alongside standard KF GUIDs. Standard: {4C5C32FF-BB9D-4518-B176-DEC04FF96F7E} / {BFB9D5E0-C6A9-4D9F-9667-1F64AD761B0C}. WSE variants: {4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4} / {BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}. Both sets had to be fixed.
  • Shell Folders not rebuilt at logon: Cache still contained server paths after User Shell Folders was fixed, because pst-admin had not logged off/on since the prior fix. Resolved by directly updating Shell Folders via RMM.

Configuration Changes

Maras-HP-Laptop (pst-admin HKCU, applied via SYSTEM/HKU)

  • HKCU\...\Explorer\User Shell Folders:
    • {4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4} set to C:\Users\pst-admin\Saved Games (was \PST-SERVER...SavedGames)
    • {BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968} set to C:\Users\pst-admin\Links (was \PST-SERVER...Links)
    • fix_remaining_folders.ps1 earlier fixed: {4C5C32FF-BB9D-4518-B176-DEC04FF96F7E}, {56784854-C6CB-462B-8169-88E350ACB882}, {BFB9D5E0-C6A9-4D9F-9667-1F64AD761B0C}
  • HKCU\...\Explorer\Shell Folders: 10 entries corrected from \PST-SERVER to C:\Users\pst-admin... (Desktop, Personal, My Pictures, My Video, My Music, Favorites, {374DE290}/Downloads, {56784854}/Contacts, {BFB9D5E0-404C}/Links, {4C5C32FF-43B0}/SavedGames)

Scripts written (DESKTOP-0O8A1RL)

  • C:\Users\guru\Desktop\fix_remaining_folders.ps1 — 3 standard GUIDs + CSE cleanup
  • C:\Users\guru\AppData\Local\Temp\hp_reg_diag.ps1 — diagnostic via RMM/HKU
  • C:\Users\guru\AppData\Local\Temp\hp_final_fix.ps1 — 2 WSE GUIDs + Shell Folders

Credentials & Secrets

Item Value
GuruRMM API login claude-api@azcomputerguru.com / ClaudeAPI2026!@#
GuruRMM JWT secret ZNzGxghru2XUdBVlaf2G2L1YUBVcl5xH0lr/Gpf/QmE= (vault: infrastructure/gururmm-server.sops.yaml)
pst-admin password SpiritWalk26! (update vault)

Infrastructure & Servers

| Component | Value |
|---|---|
| GuruRMM API external | https://rmm.azcomputerguru.com |
| GuruRMM API internal | http://172.16.3.30:3001 |
| RMM auth endpoint | POST /api/auth/login |
| RMM command submit | POST /api/agents/{uuid}/command |
| RMM command result | GET /api/commands/{cmdId} |
| HP RMM agent UUID | 13cb3629-5043-4bd6-b977-6968eeccf804 |
| pst-admin SID | S-1-5-21-1105246401-3156558273-4088333098-1118 |

Commands & Outputs

RMM auth + command submit (correct pattern)

$auth = Invoke-RestMethod -Uri "https://rmm.azcomputerguru.com/api/auth/login" -Method POST -ContentType "application/json" -Body (@{ email = "claude-api@azcomputerguru.com"; password = "ClaudeAPI2026!@#" } | ConvertTo-Json)
$token = $auth.token
$payload = py -c "import json; print(json.dumps({'command_type':'powershell','command':open(r'C:\path\to\script.ps1',encoding='utf-8').read()}))"
$resp = Invoke-RestMethod -Uri "https://rmm.azcomputerguru.com/api/agents/$agent/command" -Method POST -Headers @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" } -Body $payload
# Poll result: GET /api/commands/{cmdId} — output in .stdout field

hp_final_fix.ps1 verification output

=== Verification: any remaining server paths? ===
=== Done - pst-admin must log off and back on ===
# (no lines output = zero remaining server paths confirmed)
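
Added example, not the session's hp_final_fix.ps1: a general version of the fix that rewrites every server-pointing value in both User Shell Folders and Shell Folders for a loaded user hive, covering the standard Known Folder GUIDs and the two WSE variants found on the HP, with a -WhatIf preview and a verification count. It assumes the hive is loaded under HKU (the user is logged on, as here) and it writes %USERPROFILE%-relative data into User Shell Folders, which differs from the literal C:\Users\pst-admin paths the session used.

```powershell
# Added example (not the session's hp_final_fix.ps1). Run as SYSTEM via RMM against a loaded HKU hive.
$Explorer = 'Software\Microsoft\Windows\CurrentVersion\Explorer'
# Value name -> local folder under the profile: standard KF names/GUIDs plus the two
# WSE-written GUID variants (Saved Games, Links) that the diagnostic found on Maras-HP-Laptop.
$LocalName = @{
    'Desktop'     = 'Desktop';   'Personal' = 'Documents';  'My Pictures' = 'Pictures'
    'My Video'    = 'Videos';    'My Music' = 'Music';      'Favorites'   = 'Favorites'
    '{374DE290-123F-4565-9164-39C4925E467B}' = 'Downloads'
    '{56784854-C6CB-462B-8169-88E350ACB882}' = 'Contacts'
    '{BFB9D5E0-C6A9-4D9F-9667-1F64AD761B0C}' = 'Links'        # standard
    '{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}' = 'Links'        # WSE variant
    '{4C5C32FF-BB9D-4518-B176-DEC04FF96F7E}' = 'Saved Games'  # standard
    '{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}' = 'Saved Games'  # WSE variant
}

function Repair-ServerShellFolders {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Sid,           # e.g. the pst-admin SID from the table above
        [Parameter(Mandatory)][string]$ServerName,    # e.g. PST-SERVER
        [Parameter(Mandatory)][string]$ProfileRoot    # e.g. C:\Users\pst-admin
    )
    $fixed = 0
    foreach ($sub in 'User Shell Folders', 'Shell Folders') {
        $keyPath = "Registry::HKEY_USERS\$Sid\$Explorer\$sub"
        $key = Get-Item -Path $keyPath
        foreach ($name in $key.GetValueNames()) {
            # Read raw so %USERPROFILE% in REG_EXPAND_SZ data is not expanded before the test
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if ($data -isnot [string] -or $data -notlike "\\$ServerName\*") { continue }
            # Known names map to the Windows default folder; anything else keeps its leaf name
            $leaf = if ($LocalName.ContainsKey($name)) { $LocalName[$name] } else { Split-Path $data -Leaf }
            if ($sub -eq 'User Shell Folders') {
                $new = "%USERPROFILE%\$leaf"; $type = 'ExpandString'   # template: keep it relocatable
            } else {
                $new = Join-Path $ProfileRoot $leaf; $type = 'String'  # resolved cache: literal path
            }
            if ($PSCmdlet.ShouldProcess("$sub\$name", "set '$data' -> '$new'")) {
                Set-ItemProperty -Path $keyPath -Name $name -Value $new -Type $type
                $fixed++
            }
        }
    }
    # Verification: anything still pointing at the server in either key
    $remaining = foreach ($sub in 'User Shell Folders', 'Shell Folders') {
        $k = Get-Item -Path "Registry::HKEY_USERS\$Sid\$Explorer\$sub"
        foreach ($n in $k.GetValueNames()) {
            if ($k.GetValue($n, $null, 'DoNotExpandEnvironmentNames') -like "\\$ServerName\*") { "$sub\$n" }
        }
    }
    [pscustomobject]@{ Fixed = $fixed; Remaining = @($remaining) }
}

# Preview first, then run without -WhatIf; the user must still log off/on for the live session
Repair-ServerShellFolders -Sid 'S-1-5-21-1105246401-3156558273-4088333098-1118' `
    -ServerName 'PST-SERVER' -ProfileRoot 'C:\Users\pst-admin' -WhatIf
```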

Pending / Incomplete Tasks

Task Status Notes
Test OneDrive KFM after pst-admin logoff/on PENDING Registry fully clean; logoff/on required to rebuild live session Shell Folders
Update vault with pst-admin new password PENDING SpiritWalk26!
Deploy cert + VPN to Maras-HP-Laptop via RMM PENDING PFX: C:\Users\guru\AppData\Local\Temp\Maras-HP-Laptop.pfx; agent 13cb3629-5043-4bd6-b977-6968eeccf804
Deploy cert + VPN to PST-SURFACE via RMM PENDING PFX: C:\Users\guru\AppData\Local\Temp\PST-SURFACE.pfx; agent 4a993b61-59b3-42f4-bdb5-d4362941f7d6
Test pre-login VPN at Windows logon screen PENDING rasdial confirmed in user session only
Browser default (http/https) for pst-admin PENDING Must click "Make Chrome default" in Chrome once
Clean up PST-SERVER temp files PENDING C:\ProgramData: gen_certs.ps1, *.inf, *.req, *.cer, *.pfx, misc .ps1s
Remove TEMP firewall rules on PST-SERVER PENDING TEMP-CertEnroll-RPC (TCP 135), TEMP-CertEnroll-DCOM (TCP 49152-65535)

Reference Information

  • WSE non-standard GUIDs vs standard KF GUIDs:
    • SavedGames — WSE: {4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4} | Standard: {4C5C32FF-BB9D-4518-B176-DEC04FF96F7E}
    • Links — WSE: {BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968} | Standard: {BFB9D5E0-C6A9-4D9F-9667-1F64AD761B0C}
  • Shell Folders (HKCU...\Explorer\Shell Folders) = resolved runtime cache; User Shell Folders = template. Both must be clean for OneDrive KFM.
  • All FolderRedirectionPolicyValue* markers: NONE confirmed
  • Folder Redirection CSE history ({25537BA6}): NONE confirmed
  • OneDrive HKCU/HKLM policies: NONE
  • DisablePersonalDirChange: NOT SET