| type | name | display_name | last_compiled | compiled_by | sources | backlinks |
|---|---|---|---|---|---|---|
| client | cascades-tucson | Cascades of Tucson | 2026-06-13 | HOWARD-HOME/claude-main | | |
Cascades of Tucson
Senior living / assisted living facility in Tucson, AZ. Single 6-floor building plus a MemCare (Memory Care) wing on floors 5-6. ACG took over from a previous MSP. Primary compliance driver is HIPAA. Active multi-phase migration project ongoing as of 2026-05-24.
Entra Access Architecture (canonical overview)
In one line: a HIPAA-driven, identity-based access-control system that splits staff into two security postures and enforces them with Microsoft Entra Conditional Access on top of hybrid identity (Entra Connect), with ALIS (clinical EHR) wired for SSO. Tickets: #109412123 (Entra setup), #110680053 (domain migration).
Foundation — hybrid identity
- On-prem AD `cascades.local` synced to Entra/M365 via Entra Connect (PHS + Seamless SSO). UPN suffix `cascadestucson.com`, so a user's Windows login = email = M365/ALIS identity (one credential everywhere).
Two user buckets (the core design)
- Restricted — caregivers + medtechs (group `SG-Caregivers`, `8b8d9222`): sign in only on the Cascades network and only on approved devices (shared Galaxy phones + a set of caregiver laptops/desktops). No MFA (no personal devices) — protected by location + device controls + 8h sign-in frequency instead. Effect: caregiver credentials are useless off-site or off an approved device — the anti-hacker / bad-employee-from-home control.
- Privileged — admins / directors / managers / nurses (NOT in `SG-Caregivers`): email + ALIS from anywhere, seamless onsite / 2FA offsite (Authenticator/PIN). Untouched by the caregiver lockdown.
Conditional Access enforcement (caregivers)
- `CSC - Block caregivers off Cascades network` (`e35614e1`)
- `CSC - Block caregivers on non-compliant device` (`ede985e2`) — being replaced by a device allow-list (`CSC - Caregivers: allow-listed devices only`, `1b7fd025`): phones (`displayName -startsWith "CSC-"`) + tagged caregiver machines (`extensionAttribute1 -eq "CSCCaregiverDevice"`, or explicit `deviceId`). Note: extensionAttribute changes lag >70 min into CA's filter cache — deviceId matching is the lag-free lever for the small device set.
- `CSC - Caregiver sign-in frequency 8h` (`7d491c7a`)
- Rollout is per-user via group membership (test group `SG-Caregivers-DeviceTest`, `db5849ec`, carries the full rule set for one-at-a-time validation; promote to `SG-Caregivers` + disable compliance-block when validated).
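The allow-list policy described above, built with Microsoft Graph PowerShell as an added example (not the page's own deployment scripts). It assumes the Microsoft.Graph module and the Policy.ReadWrite.ConditionalAccess scope; the group name and the NURSESTATION deviceId are taken from this page, and the policy is created in report-only mode so it can be validated before it blocks anyone.

```powershell
# Added example: create the caregiver device allow-list CA policy via Graph.
# Assumes Microsoft.Graph is installed and the caller can consent to these scopes.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All' -NoWelcome

# Resolve the target group by name instead of hardcoding its object id.
$targetGroup = Get-MgGroup -Filter "displayName eq 'SG-Caregivers-DeviceTest'" -ErrorAction Stop
if (-not $targetGroup) { throw 'Target group not found' }

# Device filter: phones by display name, machines by tag, plus explicit deviceIds.
# deviceId matching is lag-free; extensionAttribute changes can take >70 min to appear.
$explicitDeviceIds = @('d3bf931f-f128-4261-8398-b46c34a4b342')   # NURSESTATION-PC (from this page)
$idClauses = $explicitDeviceIds | ForEach-Object { "device.deviceId -eq `"$_`"" }
$rule = (@(
    'device.displayName -startsWith "CSC-"',
    'device.extensionAttribute1 -eq "CSCCaregiverDevice"'
) + $idClauses) -join ' or '

$policy = @{
    displayName = 'CSC - Caregivers: allow-listed devices only'
    # Report-only first; switch to 'enabled' once the sign-in logs look right.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($targetGroup.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        devices        = @{
            deviceFilter = @{
                # 'exclude' + block = the policy applies to every device that does NOT
                # match the rule, so unregistered or unknown devices are blocked too.
                mode = 'exclude'
                rule = $rule
            }
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' ($($created.Id)) with device filter: $rule"
```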
Devices
- Phones: Samsung A15s in Intune Shared Device Mode (Android Enterprise, device-token enrolled) — live.
- Laptops/desktops: caregiver shared machines (Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, ASSISTNURSE-PC, NURSESTATION-PC) joined to Entra so CA recognizes them and they go on the allow-list (group `Cascades - Caregiver Devices`, `02c6f698`, for policy targeting).
ALIS SSO
- Entra app registration -> OIDC SSO into ALIS; tenant-wide admin consent granted (2026-06-03). Per-user join key = ALIS staff Email must equal the Entra UPN. Caregivers SSO silently on phones (ALIS-native 2FA off); office users SSO with offsite MFA.
Caregiver desktop/laptop management — Hybrid Entra Join + GPO (the chosen path)
Because per-user Intune never provisioned tenant-wide (INTUNE_A = PendingInput; no Windows device ever Intune-enrolled — MS case open), Windows caregiver devices are managed via Hybrid Entra Join + on-prem Group Policy instead. This needs no Intune. The CA access model is unchanged (hybrid join just gives the device an Entra object so the allow-list/deviceId still applies).
- Hybrid join proven on NURSESTATION-PC (2026-06-05): SCP written (`ConfigureSCP.ps1`), `OU=Caregiver Devices,OU=Staff PCs,OU=Workstations` added to Entra Connect sync scope → device synced to Entra as `trustType: ServerAd`, `dsregcmd` shows AzureAdJoined + DomainJoined YES, pilot.test gets `AzureAdPrt: YES`. On hybrid-joined machines `Ngc PreReqResult: WillNotProvision` (PolicyEnabled NO) → Windows Hello does not auto-provision (no Hello popup) — exactly what shared caregiver devices need, so no separate Hello-disable step.
- Device control is one-at-a-time: caregiver machine computer objects are moved into `OU=Caregiver Devices` (only that OU is in sync scope) and into a location group `SG-PC-MainTower` or `SG-PC-MemoryCare`. Add a device = move it into the OU + correct location group.
- App + printer delivery GPO `CSC - Caregiver Workstation` (`{3B5CD9A6-A278-4676-A9FD-9396D21A8261}`, User-config GPP) — BUILT + VALIDATED on NURSESTATION as pilot.test (2026-06-05). Linked at `OU=Caregivers,OU=Departments`; security filter = `SG-Caregivers-Test` (Apply, pilot.test only) + Authenticated Users (Read, for MS16-072). Go-live = swap filter to `SG-Caregivers`. Contents: 3 desktop shortcuts — ALIS, LinkRx, Helpany (https://app.safe-living.com/login — named "Helpany," the brand caregivers know) — + 6 `\\CS-SERVER` shared printers (NursesPrinter, HealthServices, MCMedTech, MCReception, MCDirector, CopyRoom) with default printer by device location (Nurses for `SG-PC-MainTower`, MC MedTech for `SG-PC-MemoryCare`, computer-context ILT) + HKCU `LegacyDefaultPrinterMode=1` so the default sticks. Build scripts: `clients/cascades-tucson/scripts/build-caregiver-gpo.ps1` + `link-caregiver-gpo.ps1`. NOTE: the domain-wide `CSC - Printer Deployment` GPO is intentionally disabled (empty CSE / version 0) and is not to be used — reference only.
- Device lockdown GPO `CSC - Caregiver Device Lockdown` (`{E6174988-2721-4D96-ADF5-F5BB44E92769}`, computer-only, linked to `OU=Caregiver Devices`) — DEPLOYED 2026-06-05. Auto-logoff is a HIPAA requirement (§164.312(a)(2)(iii)) for shared PHI devices. Settings (Howard): screen lock at 3 min, auto sign-out at 15 min total idle, 90-second warning before sign-out, never sleep (display off 10 min). Delivered via a computer startup script (`caregiver-lockdown.ps1`, in SYSVOL) that sets `InactivityTimeoutSecs=180`, powercfg, and registers a logon-triggered scheduled task running an idle monitor (`GetLastInputInfo` → `msg.exe` warning at 13.5 min → `shutdown /l` at 15 min) in each caregiver's session. Deploy script: `deploy-device-lockdown-gpo.ps1`. Startup scripts run at boot — NURSESTATION must reboot to activate lock@3min / 90s warning / sign-out@15min / never-sleep (not yet verified). Companion: ALIS app session timeout 20→15 min (Howard, ALIS admin) PENDING. Lock/logoff are device-level (affect any user on the device in `OU=Caregiver Devices`).
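The idle-monitor loop that the logon-triggered task runs in each caregiver session, as an added example (not the page's `caregiver-lockdown.ps1`): it polls `GetLastInputInfo`, warns once via `msg.exe` 90 seconds before the deadline, and signs the session out at 15 minutes. The thresholds are the ones stated above; the warning wording and the poll interval are mine.

```powershell
# Added example: per-session idle monitor (warn at 13.5 min, sign out at 15 min).
# Intended to be launched by a logon-triggered scheduled task in the user's session.
param(
    [int]$SignOutAfterMinutes = 15,
    [int]$WarningSeconds      = 90,
    [int]$PollSeconds         = 15
)

# P/Invoke GetLastInputInfo: milliseconds since the last keyboard/mouse input
# in THIS interactive session (assumed helper type, not from the page).
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class IdleTimer {
    [StructLayout(LayoutKind.Sequential)]
    struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }
    [DllImport("user32.dll")] static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);
    public static uint IdleMilliseconds() {
        LASTINPUTINFO lii = new LASTINPUTINFO();
        lii.cbSize = (uint)Marshal.SizeOf(typeof(LASTINPUTINFO));
        if (!GetLastInputInfo(ref lii)) return 0;
        // TickCount wraps every ~49 days; unchecked uint subtraction handles the wrap.
        return unchecked((uint)Environment.TickCount - lii.dwTime);
    }
}
'@

$signOutMs = $SignOutAfterMinutes * 60 * 1000
$warnMs    = $signOutMs - ($WarningSeconds * 1000)   # 13.5 min with the defaults
$warned    = $false

while ($true) {
    $idleMs = [IdleTimer]::IdleMilliseconds()

    if ($idleMs -ge $signOutMs) {
        # Hard stop: log the interactive user off (/f closes apps so a stuck
        # "save changes?" prompt cannot keep a PHI session open).
        & shutdown.exe /l /f
        break
    }
    elseif ($idleMs -ge $warnMs -and -not $warned) {
        # One warning per idle episode; msg auto-dismisses when the time elapses.
        $remaining = [int](($signOutMs - $idleMs) / 1000)
        & msg.exe * "/TIME:$remaining" "No activity detected. You will be signed out in $remaining seconds to protect resident records. Move the mouse to stay signed in."
        $warned = $true
    }
    elseif ($idleMs -lt $warnMs) {
        $warned = $false   # user is back; re-arm the warning for the next episode
    }
    Start-Sleep -Seconds $PollSeconds
}
```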
Status (as of 2026-06-05)
- Proven working end-to-end on a hybrid-joined desktop (NURSESTATION + pilot.test): caregiver lockdown (CA off-network block + device allow-list) and silent ALIS SSO. The allow-list policy `1b7fd025` carries NURSESTATION's current deviceId `d3bf931f-f128-4261-8398-b46c34a4b342` (the old Entra-joined id `e16c4af5` is stale/deleted) and the device is tagged `extensionAttribute1=CSCCaregiverDevice`.
- GPOs DEPLOYED: `CSC - Caregiver Workstation` (shortcuts + printers + LegacyDefaultPrinterMode, `{3B5CD9A6-A278-4676-A9FD-9396D21A8261}`) built and validated on pilot.test. `CSC - Caregiver Device Lockdown` (`{E6174988-2721-4D96-ADF5-F5BB44E92769}`) deployed to `OU=Caregiver Devices` 2026-06-05 — takes effect on next NURSESTATION reboot (verify lock@3min, 90s warning, sign-out@15min). Monday go-live: swap GPO filter `SG-Caregivers-Test` → `SG-Caregivers`; CA allow-list test group → `SG-Caregivers`; move real caregiver machines into `OU=Caregiver Devices` + correct `SG-PC-*` location group one at a time; ALIS email-match the 38 caregivers + medtechs. Still pending: lower ALIS app timeout 20→15 min (Howard, ALIS admin); reboot NURSESTATION to verify lockdown.
- Independent open item: Microsoft case for `INTUNE_A PendingInput` — does NOT block caregiver access (hybrid+GPO path replaces the Intune dependency).
Profile
- Contract type: Prepaid hour block
- Key contacts:
  - Meredith Kuhn — Assistant Manager (ASSISTMAN-PC); internal billing contact. NEVER set her as ticket contact in Syncro — she is the wrong default that keeps being selected.
  - John Trozzi — Maintenance staff, Mac at 201cascades@gmail.com (shared facility account)
  - Lauren Hasselman — Accounting
  - Zachary Nelson — Accounting Assistant
  - Lois Lane — CareTakers department head (DESKTOP-KQSL232); resistant to domain migration; John Trozzi is liaison
  - Crystal Rodriguez — staff
  - Sharon Edwards — Life Enrichment Assistant (DESKTOP-DLTAGOI)
  - Ashley Jensen — Accountant (DESKTOP-U2DHAP0)
  - Shelby Trozzi — MemCare Director (MDIRECTOR-PC)
  - Chris Knight — Accounting / Business Office (same access tier as Lauren Hasselman); chris.knight@cascadestucson.com (alias: c.knight@cascadestucson.com); bill.com and BOK Financial recipient (issue investigated 2026-06-04). Workstation setup 2026-06-08: machine DESKTOP-N5G1ROO (Win 11 Pro for Workstations) domain-joined + GuruRMM-enrolled (agent `205025ee-2676-4498-8a27-e88562a6f69a`, site CascadesTucson), Office (O365) installed. AD account `chris.knight` (OU=Administrative) finished to match Lauren: home folder created, added to `SG-FolderRedirect`, `mail` set, AD password `Cascades2026!` (change-at-logon cleared). Mailbox remains cloud-only/unsynced (same split state as Lauren — see Entra sync note).
  - JD Martin — Syncro-confirmed contact (jd.martin@cascadestucson.com); role not yet documented.
- Billing rate: $175/hr all labor (prepaid block customer)
- Hours remaining: 55.75 hrs (live Syncro pull 2026-06-13). Most recent draws: 1.0h onsite for ASSISTNURSE-PC Win11 reinstall on #32303 (implied by balance chain 57.75→56.75; no dedicated session log captured); 0.5h remote 2026-06-10 Meredith locked Word doc (ticket #32403, invoice $0.00 prepaid, 56.75→56.25); 0.5h remote 2026-06-12 shared mailboxes Grievances+Surveys (ticket #32417, invoice $0.00 prepaid, 56.25→55.75). Always live-check via `GET /customers/20149445` before billing — balance is unreliable across sessions.
- Syncro customer ID: 20149445
- Managed devices (Syncro): 29 (live pull 2026-06-13)
- Active tickets: Syncro full pull 2026-06-13 shows one real open ticket — #32370 [New] (eFax/scanner onsite). #32414 [New] is an automated "payment on the way" notification stub, not work.
- #110680053 / #32303 — Entra / domain migration project ("Domain setup-entra sync"). Status: Invoiced as of 2026-06-05. Latest billing: 7.0h onsite 2026-06-05, invoice #67782 ($0.00 prepaid). Monday caregiver cutover will generate further work on this ticket. Plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`
- #109412123 — Entra setup project (may be invoiced as of 2026-05-18; verify status)
- #109035475 — John Trozzi desktop WiFi upgrade (billed)
- #32370 — [New] / open (confirmed live 2026-06-13) — eFax setup on Karen's and Christin's machines + portable scanner setup on both. No appointment scheduled as of 2026-06-02.
- #32381 — Tamra scanner onsite (0.5h onsite, billed 2026-06-04, prepaid block)
- #32382 — Megan file access onsite (1.5h onsite, billed 2026-06-04, prepaid block)
- #32383 — Resolved (confirmed live 2026-06-13) — Chris Knight bill.com / BOK email delivery (1.5h remote, billed 2026-06-04, prepaid block; Syncro id 112201209). Fix was sender-side (bill.com support call + SendGrid suppression clear; BOK portal correction); ticket since closed.
- #32403 — Meredith locked Word doc / stale owner files (0.5h remote, billed 2026-06-10, prepaid block; Invoiced)
- #32417 — Shared mailboxes Grievances+Surveys (0.5h remote, billed 2026-06-12, prepaid block; Invoiced)
Infrastructure
Servers & Services
| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| CS-SERVER | 192.168.2.254 | DC, DNS, DHCP (no scopes), File Server, Hyper-V host, Print Server | Windows Server 2019 Standard | Dell PowerEdge R610 (~2009 hardware, 16+ years old). Single DC — CRITICAL risk. No backup. GuruRMM agent ID: c39f1de7-d5b6-45ae-b132-e06977ab1713 (re-enrolled; the older 6766e973-... is stale — always resolve the agent live by hostname, never hardcode the UUID) |
| CS-SERVER iDRAC | 192.168.2.65 | Out-of-band management | — | Dell OOB interface |
| CS-QB (Hyper-V VM on CS-SERVER) | 192.168.2.228 | VoIP server | — | [REVIEW — transitioning away from traditional landlines to wireless phones; revisit this entry] |
| cascadesDS (Synology NAS) | 192.168.0.120 | NAS / legacy file storage | DSM | Port 5000 HTTP. Workgroup name is "CASCADES" — same as AD short name, causing Kerberos auth failures from domain-joined machines. Slated to become backup-only. |
| pfSense Firewall | 192.168.0.1 | Perimeter firewall, inter-VLAN routing | pfSense 24.0 | Dual-WAN. All DHCP served here (CS-SERVER DHCP role has no scopes). MAC: 00:f1:f5:34:b3:4a |
[WARNING] CS-SERVER hardware: Dell R610 with mixed SATA laptop drives (OS array, no hot spare) and enterprise SAS drives from 2015-2016. No backup exists. No second DC. Hardware will fail — DC migration is urgent.
[WARNING] HIPAA violation: No backup for CS-SERVER (§164.308(a)(7)). Synology Active Backup for Business is blocked (ext4 filesystem, not Btrfs).
Email & Identity
- M365 tenant: cascadestucson.com | Tenant ID: `207fa277-e9d8-4eb7-ada1-1064d2221498`
- M365 license: Business Premium (SPB) — 34 seats enabled, 3 consumed, 31 free. Business Standard (O365_BUSINESS_PREMIUM) — SUSPENDED, 31 users still assigned. Relicensing 31 users Business Standard → Business Premium is pending and time-sensitive — those users may have degraded service.
- On-prem AD domain: cascades.local | UPN suffix: cascadestucson.com (added 2026-04-13 for Entra Connect SSO readiness)
- MX / mail flow: Exchange Online (M365). SPF: `v=spf1 a mx ip4:72.194.62.5 include:spf.protection.outlook.com include:spf-0.secureserver.net -all`. DKIM: both M365 selectors published. DMARC: `p=quarantine; pct=100` — upgraded from p=none. Reports to `info@cascadestucson.com` (unmonitored). No third-party email gateway (EOP direct MX).
- MFA: CA policy "Require MFA for all users" is enabled. Caregiver bypass in progress — caregivers cannot satisfy MFA (no personal device), so three scoped CA policies use BLOCK instead. See Patterns section. Voice-call MFA is disabled tenant-wide (SMS + Authenticator are the allowed methods). Exception: security group "MFA - Voice Call Scoped (sysadmin)" (id `304f941e-3594-4705-b8e6-ee676297df11`, single member `sysadmin@`) has Voice method enabled — created 2026-06-05 so Howard has a code-delivery path on the shared GA without a tenant-wide change. `sysadmin@` phone methods after 2026-06-05: mobile/SMS +1 520-289-1912 (Mike); alternateMobile/voice +1 520-585-1310 (Howard, was +1 520-331-5551).
- Entra Connect: Installed on CS-SERVER 2026-04-25. Exited staging 2026-05-14 — actively syncing (last sync confirmed 2026-05-27). OU=Administrative not yet in sync scope; UPN suffix updates for Administrative OU users pending before that OU can be added.
- Break-glass accounts: Two planned (`breakglass1-csc@cascadestucson.com`, `breakglass2-csc@cascadestucson.com`). Confirmed not yet created as of 2026-05-27 (live tenant check). FIDO2 YubiKeys ordered — arrival unconfirmed. Vault entries not yet created.
- Admin accounts: `admin@cascadestucson.com` — Mike's working admin (cloud-only, Connect-excluded by design). `sysadmin@cascadestucson.com` — Howard's working admin (cloud-only, Connect-excluded by design). Object id: `471b13dc-3cf8-416b-a132-f5f3bc8d1cc8`. Password rotated by Mike 2026-06-04; vaulted by Howard 2026-06-05 at `clients/cascades-tucson/m365-sysadmin.sops.yaml`.
- ALIS (clinical SaaS): https://cascadestucson.alisonline.com — Entra SSO live and working; proven end-to-end with pilot.test on Galaxy A15 caregiver phones. Install key: `d796539d-356b-4190-9c17-35f0f1129376`. Vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml` (Entra app reg + ALIS Inbound Connections Basic Auth creds + install key). ALIS application ID `d5108493-cba8-4f08-90b6-1bb0bc09eb2a`, client secret expires 2028-05-06 (rotation reminder — expiry breaks ALIS SSO tenant-wide). Per-caregiver: ALIS staff-record Email must match Entra UPN exactly. BAA with Medtelligent not yet verified — confirm with Meredith.
- Admin consent (2026-06-03): Tenant-wide admin consent (`AllPrincipals`, `User.Read`) granted on ALIS Entra service principal (`e1cae4ad-5beb-44ca-82d4-434c9bd835ad`) via Graph API (oauth2PermissionGrant id `reTK4etbykSC1ENMm9g1rTplOyzgVClCofKDVRrn-ds`). This resolved `AADSTS65001` sign-in failures that office/clinical staff (megan.hiatt, karen.rossini, memcarereceptionist) were hitting on non-phone devices. Root cause was missing admin consent — NOT Conditional Access, network, or password. Prior state: only two per-user (Principal) consent grants existed, so all other users hit 65001. CA policies had `conditionalAccessStatus: success` on all failing sign-ins; both WAN IPs were trusted Named Locations.
- How to enable ALIS SSO for one user (procedure — confirmed 2026-06-03):
  - User needs a valid Entra identity (synced or cloud-only both work).
  - Tenant-wide admin consent for the ALIS app must exist — done globally 2026-06-03, so this is a one-time prerequisite, NOT per-user.
  - In ALIS admin -> Staff -> the user's record, set the Email field = the user's exact Entra UPN (e.g. `crystal.rodriguez@cascadestucson.com`). This is the per-user SSO join key.
  - User signs in via "Sign in with Microsoft" — not the ALIS username/password box.
  - Turn off ALIS-native 2FA on that user's account (Entra is the second factor; native 2FA conflicts and locked out Karen Rossini on 2026-05-29).
  - Diagnostic signature: a user with zero ALIS-app sign-in events in the Entra sign-in logs is still on the old direct-login path (never reached Entra) — the fix is the ALIS Email match, not anything in Entra. Confirmed with Crystal Rodriguez (2026-06-03): identical to Megan Hiatt on identity, sync state, security group, and even held her own per-user consent grant — the ONLY difference was the missing ALIS Email match. Adding her email fixed SSO immediately. Megan worked because her ALIS record was already Email-matched and she used the Microsoft login; Crystal was falling back to direct ALIS login.
  - Sweep target: apply to all office/clinical users (Karen Rossini, MemCare reception, etc.) to standardize everyone onto SSO.
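A sweep that applies the diagnostic signature above, as an added example (not the page's tooling): for each UPN it counts Entra sign-ins to the ALIS app over a lookback window and flags users with none, who are still on the direct-login path, and separates that case from an `AADSTS65001` consent failure. Assumes the Microsoft.Graph module with AuditLog.Read.All and Directory.Read.All consent; the default user list is a placeholder.

```powershell
# Added example: find users who never reach Entra for ALIS (ALIS Email mismatch)
# versus users whose Entra sign-ins to ALIS fail (consent or other Entra problem).
param(
    # Placeholder list; replace with the office/clinical users being swept.
    [string[]]$Users = @('karen.rossini@cascadestucson.com', 'crystal.rodriguez@cascadestucson.com'),
    [int]$LookbackDays = 30
)
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$alisAppId = 'd5108493-cba8-4f08-90b6-1bb0bc09eb2a'   # ALIS application ID (from this page)
$since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')

$report = foreach ($upn in $Users) {
    # Sign-in log filter: this app, this user, within the window.
    $filter = "appId eq '$alisAppId' and userPrincipalName eq '$upn' and createdDateTime ge $since"
    $events = @(Get-MgAuditLogSignIn -Filter $filter -Top 100)
    $failed = @($events | Where-Object { $_.Status.ErrorCode -ne 0 })
    $codes  = @($failed | ForEach-Object { $_.Status.ErrorCode } | Sort-Object -Unique)

    $verdict = if ($events.Count -eq 0) {
        # Nothing in Entra at all: the user is on the direct ALIS login path.
        'no Entra sign-ins to ALIS: set ALIS staff Email = this UPN, then use Sign in with Microsoft'
    } elseif ($codes -contains 65001) {
        'AADSTS65001: consent problem on the ALIS app, not an ALIS-side issue'
    } elseif ($failed.Count -eq $events.Count) {
        "all attempts failed (error codes $($codes -join ','))"
    } else {
        'SSO working'
    }
    [pscustomobject]@{ User = $upn; SignIns = $events.Count; Failed = $failed.Count; Verdict = $verdict }
}
$report | Format-Table -AutoSize
```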
- Caregiver phones: 22 Samsung Galaxy A15s enrolled in Intune Shared Device Mode (SDM). Enrollment profile: `CSC - Android Shared Phones (Entra SDM)` (`9a0fcc6d-0a88-466e-aa53-44401bb74fca`); 25 devices enrolled per 2026-06-03 Intune pull. Dynamic group: `Cascades - Shared Phones` (`ea96f4b7-3000-45da-ab1f-ddb28f509526`). Used by caregivers for Teams, Outlook, and ALIS. CA policies: block off-network, block non-compliant device (see below re: pending replacement with allow-list), 8h sign-in frequency. Android enrollment token expires 2027-05-08 — token is a join key only; expiry does NOT unenroll existing devices.
- Audit retention: Approved 2026-04-29. Azure Log Analytics (90d) + Storage Account (6yr) in ACG subscription `e507e953-2ce9-4887-ba96-9b654f7d3267`, RG `rg-audit-cascadestucson`. Not yet built. Runbook: `.claude/skills/remediation-tool/references/audit-retention-runbook.md`.
- Inky: No Inky deployment exists in this tenant. No connector, no transport rule, no OAuth app, no add-in. Confirmed 2026-06-04.
- EXO MSP app auth note (2026-06-04): When the MSP app cert is not in the Windows cert store on a given machine, use client_credentials flow to obtain an EXO-scoped access token and connect via `Connect-ExchangeOnline -AccessToken`. This bypasses both the cert requirement and interactive MFA. App: ComputerGuru Exchange Operator (`b43e7342-5b4b-492f-890f-bb5a4f7f40e9`). Vault: `msp-tools/computerguru-exchange-operator.sops.yaml`.
- Shared mailboxes (created 2026-06-12): `grievances@cascadestucson.com` (DisplayName "Grievances") and `Surveys@cascadestucson.com` (DisplayName "Surveys") — both SharedMailbox type, cloud-only, no license consumed (under 50 GB). Delegated to Meredith Kuhn (meredith.kuhn@) and Ashley Jensen (ashley.jensen@) with FullAccess (auto-mapping enabled) + SendAs on each (Send As chosen over Send on Behalf so outbound mail appears strictly from the shared address). Created via ComputerGuru Exchange Operator MSP app (`b43e7342`), cert-based EXO access token auth, `get-token.sh` tier `exchange-op`. `ExchangeOnlineManagement` module v3.10.0 was installed on Howard-Home (PSGallery, CurrentUser scope) for this session — it was not previously present on that machine. All 8 permission grants verified with `Get-MailboxPermission` / `Get-RecipientPermission` post-creation. Ticket #32417, 0.5h remote, invoice $0.00 prepaid.
Network
- ISP / WAN: Dual-WAN Cox Fiber (primary, static `184.191.143.62/30`, gateway `184.191.143.61`) + Cox Coax (secondary, DHCP `72.211.21.217`). Both WAN IPs added as Cascades Named Location in Entra (ID: `061c6b06-b980-40de-bff9-6a50a4071f6f`).
- Firewall: pfSense 24.0 at 192.168.0.1. All DHCP. Inter-VLAN routing. 236 resident room VLANs (per-room /28, `10.[floor].[room].0/28`). Staff/infra VLAN 20 (`10.0.20.0/24`, gateway `10.0.20.1`). Guest VLAN 50 (`10.0.50.0/24`, RFC1918 blocked).
- Switching: Full UniFi. 82 APs + 5 managed switches (1st Floor USW-48 PoE core; floors 2-4 USW-Pro-24-PoE; MemCare USW-Pro-24-PoE; USW Lite 8 PoE; USW-16-PoE VoIP switch). Switch hardware replacement on floors 2/3/4 complete.
- WiFi SSIDs:
  - CSCNet — staff, VLAN 20
  - CSC ENT — legacy SSID, main LAN (192.168.0.0/22), being deprecated as migration proceeds
  - Guest — isolated, VLAN 50
- VoIP: AudioCodes phones (8 units) on USW-16-PoE. CS-QB VM at 192.168.2.228. Not MSP-managed but infra must stay static.
External Vendors & Mail Senders
- bill.com (BILL): Sends from `inform.bill.com`, `hq.bill.com`, `hello.bill.com`, `mc.bill.com`. MX via pphosted.com (Proofpoint). Confirmed delivering successfully to meredith.kuhn, ashley.jensen, lauren.hasselman, zachary.nelson as of 2026-06-04. Safe sender: `account-services@inform.bill.com`.
- BOK Financial: Sends from `bokfinancial.com`. MX via pphosted.com (Proofpoint). DMARC p=reject. Zero emails to any cascadestucson.com user in 90-day history as of 2026-06-04 (likely wrong recipient address on BOK's side for the accounts in question).
Access
- CS-SERVER: Via ScreenConnect or GuruRMM (live agent ID `c39f1de7-d5b6-45ae-b132-e06977ab1713` as of 2026-06-08; re-enrolls — resolve live by hostname, do not hardcode)
- CS-SERVER iDRAC: 192.168.2.65
- pfSense admin: https://192.168.0.1 — vault: `clients/cascades-tucson/pfsense-firewall.sops.yaml`
- Synology DSM: http://192.168.0.120:5000 — vault: `clients/cascades-tucson/` (existing entry)
- M365 admin: admin@cascadestucson.com — vault: `clients/cascades-tucson/m365-admin.sops.yaml`
- M365 sysadmin: sysadmin@cascadestucson.com — vault: `clients/cascades-tucson/m365-sysadmin.sops.yaml`
- WiFi CSCNet: vault: `clients/cascades-tucson/wifi-cscnet.sops.yaml`
- MDM service account: vault: `clients/cascades-tucson/mdm-service-account.sops.yaml`
- svc-scan (scan-to-folder service account): vault: `clients/cascades-tucson/svc-scan.sops.yaml` (`credentials.password`). AD account on CS-SERVER for the Accounting Brother's SMB scans — see Patterns -> File Shares & Scan-to-Folder.
- ALIS SSO app registration: vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`
- GuruRMM — RECEPTIONIST-PC: agent ID `9c91d324-1073-449c-8cc0-45c5bccfc218` (flaky WebSocket, may lag fleet updates)
- GuruRMM — ASSISTMAN-PC (Meredith Kuhn): agent ID `cf86fa5e-96a2-494d-9cb1-8be22a518ad0`
- Remediation tool: Full tiered app suite consented 2026-04-21. All six apps active: Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on, Intune Manager. Old app `fabb3421` (ComputerGuru - AI Remediation) still present but superseded.
- ComputerGuru Exchange Operator MSP app: `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` — vault: `msp-tools/computerguru-exchange-operator.sops.yaml`. Use access token auth when cert not in store (see Email & Identity section).
- Vault root: `clients/cascades-tucson/` in vault repo
Patterns & Known Issues
Syncro / Billing
- Never set a contact on any Syncro ticket unless explicitly requested. This is a global rule, not Cascades-specific. At Cascades, Meredith Kuhn is the recurring wrong default that Syncro pre-selects — she is not the correct contact. Leave `contact_id` blank; Syncro routes to the correct distribution emails automatically. Source: `feedback_syncro_blank_contact.md`.
- Billing product for prepaid block draw: Use a real labor type (Remote, Onsite, etc.) — NOT "Prepaid project labor" (exempt, won't decrement the block).
- Always live-check hours before billing: `GET /customers/20149445` in Syncro. The 2026-05-01 invoice debit may not have fired correctly — treat all cached hour counts as approximate.
Exchange Online / Message Tracing
- Get-MessageTrace is hard-deprecated (Sept 2025). As of 2025-09-01, `Get-MessageTrace` returns `BadRequest`/`ValidationException` via EXO InvokeCommand. Use `Get-MessageTraceV2` instead. Key parameter change: use `ResultSize` (not `PageSize`). The deprecation error may be silently swallowed by downstream jq filters — if a trace returns unexpectedly empty, check the raw response for a deprecation error string before assuming no mail. Source: 2026-06-04 Chris Knight investigation.
- Sender-side suppression (SendGrid ESP): If a user never receives mail from a specific sender despite a healthy mailbox, and message trace shows zero records (not even bounces), consider a SendGrid suppression list. Resends will also fail silently. Fix requires contacting the sender's support to clear the suppression — there is no M365 action that can resolve this. Confirmed with bill.com / inform.bill.com. Pattern also applies to other high-volume senders using SendGrid.
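A trace helper that follows the `Get-MessageTraceV2` guidance above, as an added example (not from the investigation): it fails loudly when the call itself errors, so a deprecation or validation error can never be read as "zero messages", and otherwise reports per-status counts so "no records at all" points at the sender side. Assumes ExchangeOnlineManagement v3.x and an existing `Connect-ExchangeOnline` session; the default sender and recipient come from this page.

```powershell
# Added example: V2 message trace that distinguishes "call failed" from "no mail".
param(
    [string]$Sender    = 'account-services@inform.bill.com',   # safe sender from this page
    [string]$Recipient = 'chris.knight@cascadestucson.com',
    [int]$Days         = 10                                     # message trace only covers recent days
)
$end   = Get-Date
$start = $end.AddDays(-$Days)

try {
    # ResultSize replaces the old PageSize parameter; -ErrorAction Stop turns any
    # server-side rejection into an exception instead of an empty pipeline.
    $rows = @(Get-MessageTraceV2 -SenderAddress $Sender -RecipientAddress $Recipient `
                -StartDate $start -EndDate $end -ResultSize 1000 -ErrorAction Stop)
}
catch {
    # A failed call must never look like an empty delivery history.
    $msg = $_.Exception.Message
    if ($msg -match 'deprecat|ValidationException|BadRequest') {
        throw "Trace call rejected by EXO (deprecated or invalid request); this is NOT 'no mail': $msg"
    }
    throw "Trace call failed: $msg"
}

if ($rows.Count -eq 0) {
    # The call succeeded and EOP has no record, not even a bounce: the mail never
    # arrived, so the next place to look is the sender (ESP suppression, wrong address).
    "Trace OK but 0 records from $Sender to $Recipient in the last $Days days; investigate the sender side, not the mailbox."
}
else {
    $rows | Group-Object Status | Select-Object @{ n = 'Status'; e = { $_.Name } }, Count
    $rows | Sort-Object Received -Descending |
        Select-Object -First 20 Received, SenderAddress, RecipientAddress, Subject, Status
}
```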
Active Directory / User Management
- Security group assignment is always explicit. When creating or adding any Cascades user, always ask which security group(s). OU → group auto-mirror was explicitly declined 2026-05-14. OU placement controls Entra Connect sync scope; group membership controls CA policy — two separate deliberate decisions. Source: `feedback_cascades_user_security_group.md`.
- New user mandatory order (folder redirection):
  1. Create AD user
  2. Run `New-HomeFolder -Username "<sam>"` on CS-SERVER (creates root + Desktop/Documents/Downloads/Music/Pictures with correct ACL)
  3. Add to SG-FolderRedirect
  4. THEN first domain logon
  - Skipping step 2 causes fdeploy to cache a failure silently and never retry. Source: `feedback_cascades_folder_redirect.md`.
- Folder redirect recovery: If fdeploy cached a failure ("No changes detected"), run `clients/cascades-tucson/scripts/fix-shell-redirect.ps1` via GuruRMM while user is logged in. Must set both GUID-based and legacy-name registry keys. Folders must already exist on server.
- fdeploy1.ini flags: Changed from `Flags=1211` (included `Grant Exclusive Rights` bit 0x400, causing WRITE_DAC failures on new subfolders) to `Flags=187`. File at `{512B43A4-F049-4CE5-BFAC-860AD13E92BE}\User\Documents & Settings\fdeploy1.ini` on CS-SERVER.
- [ROOT CAUSE + FIX 2026-06-08] Native Folder Redirection was DOA on every machine — the config file was MISNAMED. Every Cascades machine (LE + staff) had needed the manual `fix-shell-redirect.ps1` registry workaround because native FR never worked. Root cause: the redirect targets in GPO `CSC - Folder Redirection` (`{512B43A4-...}`) were saved in a file named `fdeploy1.ini`, but the Windows Folder Redirection client-side extension only ever reads `fdeploy.ini`. No `fdeploy.ini` existed, so the client knew which 5 folders to redirect but received an empty target path (FR Operational event 1006 shows `Path = ""`, no 1008 "successfully redirected") and silently did nothing. The file was hand-built by editing `fdeploy1.ini` (the wrong filename). Fix: wrote a correct `fdeploy.ini` (5 folders, `Flags=187`, `FullPath=\\CS-SERVER\Homes\%USERNAME%\<Folder>`) into `{512B43A4-...}\User\Documents & Settings\`, bumped the GPO version 917506→983042 (GPT.INI and AD `versionNumber` kept in sync), confirmed FR CSE registered. Backup of the original `\User` tree + GPT.INI at `C:\Windows\Temp\frfix-20260608-161144` on CS-SERVER. Native FR now redirects all 5 folders on first logon — the registry workaround should no longer be needed for new users. The dead `fdeploy1.ini` was left in place (ignored by Windows) — do NOT edit it; edit redirection only via GPMC or the `fdeploy.ini` artifact in `clients/cascades-tucson/gpo/`.
- LE GPO also broken: `CSC - Folder Redirection (LE)` (`{889BE7BE-...}`, linked at OU=Life Enrichment) has a completely empty `\User` tree — no fdeploy at all. Sharon Edwards / Susan Hicks have likewise only ever worked via the registry workaround. Follow-up: retire the LE GPO and put LE users into `SG-FolderRedirect` (covered by the now-working all-staff GPO inherited at OU=Departments), or apply the same `fdeploy.ini` fix to the LE GPO. Caveat: Sharon/Susan are NOT currently in `SG-FolderRedirect` (the all-staff GPO is security-filtered to that group), so add them before relying on inheritance.
- Note: the all-staff `CSC - Folder Redirection` GPO is linked at OU=Departments and security-filtered to `SG-FolderRedirect` (members as of 2026-06-08: Megan.Hiatt, Crystal.Rodriguez, Lois.Lane, Ashley.Jensen, lauren.hasselman, Zachary.Nelson, Nurses, chris.knight). Existing members get native redirection at their next sign-in.
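An audit for the failure mode above, as an added example (not the fix that was applied on CS-SERVER): it checks a Folder Redirection GPO for the wrong-filename trap, the exclusive-rights flag, empty targets, AD/SYSVOL version drift, and CSE registration, so the LE GPO and any future FR GPO can be checked the same way. Assumes the GroupPolicy and ActiveDirectory RSAT modules on a domain-joined admin host; the Folder Redirection CSE GUID is the standard Windows one.

```powershell
# Added example: audit a Folder Redirection GPO for the defects found on 2026-06-08.
param(
    [string]$GpoName = 'CSC - Folder Redirection'   # GPO name from this page
)
Import-Module GroupPolicy, ActiveDirectory

$gpo      = Get-GPO -Name $GpoName -ErrorAction Stop
$domain   = (Get-ADDomain).DNSRoot
$frDir    = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}\User\Documents & Settings"
$findings = New-Object System.Collections.Generic.List[string]

# 1. Per the root-cause finding above, the FR client read fdeploy.ini; a lone
#    fdeploy1.ini left clients with the folder list but empty target paths.
$good = Join-Path $frDir 'fdeploy.ini'
$bad  = Join-Path $frDir 'fdeploy1.ini'
if (-not (Test-Path $good)) {
    $findings.Add("no fdeploy.ini under $frDir (expect FR event 1006 with Path = `"`" on clients)")
}
if (Test-Path $bad) {
    $findings.Add('stray fdeploy1.ini present: dead config, do not edit it expecting a change')
}

# 2. Inside fdeploy.ini: every FullPath must be set, and no folder should carry the
#    Grant Exclusive Rights bit (0x400), which caused WRITE_DAC failures on new subfolders.
if (Test-Path $good) {
    $targets = 0
    foreach ($line in Get-Content $good) {
        if ($line -match '^\s*Flags\s*=\s*(\d+)') {
            $flags = [int]$Matches[1]
            if ($flags -band 0x400) { $findings.Add("Flags=$flags includes 0x400 (exclusive rights); 187 is the known-good value here") }
        }
        elseif ($line -match '^\s*FullPath\s*=\s*(.*)$') {
            $targets++
            if ([string]::IsNullOrWhiteSpace($Matches[1])) { $findings.Add('a FullPath entry is empty') }
        }
    }
    if ($targets -eq 0) { $findings.Add('fdeploy.ini defines no FullPath targets at all') }
}

# 3. AD and SYSVOL user-side versions must match, otherwise clients may process a stale copy.
if ($gpo.User.DSVersion -ne $gpo.User.SysvolVersion) {
    $findings.Add("user version drift: AD=$($gpo.User.DSVersion) SYSVOL=$($gpo.User.SysvolVersion)")
}

# 4. The Folder Redirection CSE GUID must be registered on the GPO object, or clients
#    never invoke FR for this policy regardless of what SYSVOL contains.
$frCse = '25537BA6-77A8-11D2-9B6C-0000F8080861'
$obj = Get-ADObject -Identity $gpo.Path -Properties gPCUserExtensionNames
if ("$($obj.gPCUserExtensionNames)" -notmatch $frCse) {
    $findings.Add('Folder Redirection CSE not listed in gPCUserExtensionNames')
}

if ($findings.Count -eq 0) { "OK: '$GpoName' has a readable fdeploy.ini, matching versions and the FR CSE registered" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```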
- Login-screen hide (SpecialAccounts\UserList): An enabled local admin that does not appear in the Windows sign-in picker is a `SpecialAccounts\UserList` suppression, not a disabled account. Registry path: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList`, value `<username>=0`. Fix: delete the DWORD value (or set it to 1); account reappears after sign-out/reboot. Confirmed on NURSESTATION-PC (RMM agent `f5a89784-834f-47b1-82e2-7e3e9dd337ff`) 2026-06-05 — `localadmin=0` removed; account was already enabled and in Administrators (unchanged).
File Shares & Scan-to-Folder (Accounting)
- Accounting department folder + scan dropbox (built 2026-06-09): `D:\Shares\Accounting` on CS-SERVER — inheritance broken; SYSTEM / BUILTIN\Administrators = Full; `lauren.hasselman`, `chris.knight`, `zachary.nelson` = Modify (no Everyone). Shared as `\\CS-SERVER\AcctDept` (Change: those 3 users + `svc-scan`; Full: Admins).
- Share is named `AcctDept`, NOT `Accounting` — a printer share named `Accounting` (Canon MF455DW, `LocalsplOnly`) already exists. Do not collide with it: `New-SmbShare -Name Accounting` / `Grant-SmbShareAccess -Name Accounting` will silently hit the printer share. (Happened 2026-06-09; printer share's Everyone:Read was restored.)
- `D:\Shares\Accounting\Scans` — scan dropbox; inherits the 3 users + adds `CASCADES\svc-scan` = Modify (least-privilege writer; can't read the rest of Accounting; bypass-traverse lets it reach the subfolder). `svc-scan` = dedicated AD service account (CN=Users, PasswordNeverExpires, CannotChangePassword) for the Brother's SMB auth. Vault: `clients/cascades-tucson/svc-scan.sops.yaml`.
- REUSE `svc-scan` for EVERY future scanner→network-folder setup at Cascades (Howard, 2026-06-09) — do NOT create a per-printer/per-folder scan account. For a new scan destination: grant `CASCADES\svc-scan` Modify on the new scan folder, then enter `cascades\svc-scan` + the vaulted password (NTLMv2) in that scanner's Scan-to-Network profile.
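The share build with the collision check the notes above call for, as an added example (not a transcript of the 2026-06-09 work): it refuses a share name that any existing share already uses, printer shares included, builds the folder ACL with no Everyone entry, and grants the scan account Modify on the Scans subfolder only, so the same script serves the next scan destination. Run on the file server as an administrator; the identities default to the ones named on this page.

```powershell
# Added example: build a department share with a scan dropbox the way the notes describe.
param(
    [string]$ShareName   = 'AcctDept',
    [string]$FolderPath  = 'D:\Shares\Accounting',
    [string[]]$Staff     = @('CASCADES\lauren.hasselman', 'CASCADES\chris.knight', 'CASCADES\zachary.nelson'),
    [string]$ScanAccount = 'CASCADES\svc-scan'
)

# 1. Collision check: Get-SmbShare lists printer shares too (ShareType PrintQueue),
#    so this catches the 'Accounting' printer-share trap before anything is touched.
$existing = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
if ($existing) {
    throw "Share '$ShareName' already exists (ShareType $($existing.ShareType)); choose another name"
}

# 2. Department folder: inheritance broken, explicit ACL only, no Everyone.
$null = New-Item -ItemType Directory -Path $FolderPath -Force
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$acl = Get-Acl -Path $FolderPath
$acl.SetAccessRuleProtection($true, $false)                  # stop inheriting, drop inherited ACEs
foreach ($rule in $acl.Access) { $null = $acl.RemoveAccessRule($rule) }   # clear any explicit leftovers
foreach ($id in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', $inherit, $prop, 'Allow')))
}
foreach ($id in $Staff) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'Modify', $inherit, $prop, 'Allow')))
}
Set-Acl -Path $FolderPath -AclObject $acl

# 3. Scans subfolder: inherits the staff ACEs and adds the scanner account as a writer.
#    svc-scan gets nothing on the parent; bypass-traverse lets it reach the subfolder.
$scans = Join-Path $FolderPath 'Scans'
$null = New-Item -ItemType Directory -Path $scans -Force
$scanAcl = Get-Acl -Path $scans
$scanAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($ScanAccount, 'Modify', $inherit, $prop, 'Allow')))
Set-Acl -Path $scans -AclObject $scanAcl

# 4. Share permissions: Change for staff + scan account, Full for Administrators.
#    Passing explicit access lists means the default Everyone:Read is never added.
$null = New-SmbShare -Name $ShareName -Path $FolderPath `
            -ChangeAccess ($Staff + $ScanAccount) -FullAccess 'BUILTIN\Administrators'
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```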
- Brother MFC-L8900CDW "Business Office" printer (10.0.20.220) — Scan-to-Network profile (working 2026-06-09): Network Folder Path `\\192.168.2.254\AcctDept\Scans`; Auth Method NTLMv2 (not Auto/Kerberos — the printer cannot reach a KDC across the VLAN); Username `cascades\svc-scan`; PDF Multi-Page. Configured via the printer WBM (http://10.0.20.220), panel: Scan -> to Network.
- [NETWORK] CS-SERVER cannot reach the VLAN-20 printers — main-LAN `192.168.2.x` -> VLAN 20 `10.0.20.x` is blocked at pfSense. Verified: CS-SERVER -> `10.0.20.220`:80/443/445 all fail. So you cannot configure a 10.0.20.x printer's web UI from CS-SERVER — use a VLAN-20 PC's browser (e.g. ACCT2-PC `10.0.20.209`) or go onsite. The reverse (printer -> CS-SERVER:445) is open, which is all scan-to-folder needs (svc-scan SMB write verified from ACCT2-PC).
- Persistent drive maps to `\\cs-server\AcctDept` (per-user, via RMM `user_session`): Chris (DESKTOP-N5G1ROO) Y:, Zachary (ACCT2-PC) Y:, Lauren (DESKTOP-H6QHRR7) X: (Y: was already in use on hers).
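The Accounting share build above as a script, added here as an example (not the script that was run on CS-SERVER): it locks the NTFS ACL to the three users, grants `svc-scan` Modify on `Scans` only, and refuses to touch a share name that already belongs to something else, which is exactly how the Canon printer share `Accounting` got hit. Paths, share name and principals are the ones documented above; the verification output shape is my own.

```powershell
# Added example, not the page's own script. Run elevated on CS-SERVER.
using namespace System.Security.AccessControl

$Root      = 'D:\Shares\Accounting'
$Scans     = Join-Path $Root 'Scans'
$ShareName = 'AcctDept'
$Users     = 'CASCADES\lauren.hasselman', 'CASCADES\chris.knight', 'CASCADES\zachary.nelson'
$ScanSvc   = 'CASCADES\svc-scan'

# Guard against the silent collision: New-SmbShare / Grant-SmbShareAccess act on an existing
# share of that name even when it is a printer queue (ShareType PrintQueue), not a folder.
$existing = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
if ($existing -and ($existing.ShareType -ne 'FileSystemDirectory' -or $existing.Path -ne $Root)) {
    throw "Share '$ShareName' already exists as $($existing.ShareType) at '$($existing.Path)'; pick another name."
}

New-Item -ItemType Directory -Path $Scans -Force | Out-Null

function New-Ace([string]$Identity, [FileSystemRights]$Rights) {
    # Applies to this folder, subfolders and files.
    [FileSystemAccessRule]::new($Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
}

# Root: break inheritance and drop the inherited ACEs (Users/Everyone from D:\Shares), then explicit grants only.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') { $acl.AddAccessRule((New-Ace $id 'FullControl')) }
foreach ($id in $Users) { $acl.AddAccessRule((New-Ace $id 'Modify')) }
Set-Acl -Path $Root -AclObject $acl

# Scans: inherits the three users from the root; svc-scan gets Modify here and nowhere else,
# so the scanner can drop files but cannot read the rest of Accounting.
$sacl = Get-Acl -Path $Scans
$sacl.AddAccessRule((New-Ace $ScanSvc 'Modify'))
Set-Acl -Path $Scans -AclObject $sacl

# Share permissions: Change for the users + svc-scan, Full for Admins, no Everyone.
if (-not $existing) {
    New-SmbShare -Name $ShareName -Path $Root -FullAccess 'BUILTIN\Administrators' -ChangeAccess ($Users + $ScanSvc) | Out-Null
}

# Verify the least-privilege shape: all three flags should be False.
$shareAces = Get-SmbShareAccess -Name $ShareName
$rootAces  = (Get-Acl -Path $Root).Access
[pscustomobject]@{
    ShareHasEveryone = [bool]($shareAces | Where-Object AccountName -like '*Everyone*')
    NtfsHasEveryone  = [bool]($rootAces  | Where-Object IdentityReference -like '*Everyone*')
    SvcScanOnRoot    = [bool]($rootAces  | Where-Object IdentityReference -eq $ScanSvc)
}
```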
Synology NAS (cascadesDS) / Shared File Access
- Stale Word owner (lock) files on cascadesDS shares: Word creates a hidden `~$<truncated filename>` owner file when a document is opened; if the user's session ends without cleanly closing Word (crash, logoff with file open), the `~$` file is orphaned. Any later open of the same document displays "locked for editing by [name]" even with no live session. Confirmed 2026-06-10: five `~$` files dated 2024 on `\\cascadesds\Public\Company Web Docs\Staff Trainings\` caused false lock messages across several training docs. Diagnosis: list the folder for `~$` files; check the timestamp — if hours or days old with no matching active session, it is stale. Fix: delete the `~$` file(s). If the file is still locked after deleting orphaned owner files, check Synology DSM -> File Services -> Resource Monitor for a live SMB handle and clear it there.
- Accessing cascadesDS from RMM — always use a user session, not CS-SERVER SYSTEM. The domain-joined CS-SERVER machine account cannot authenticate to the Synology `Public` share because cascadesDS uses workgroup "CASCADES" (same short name as the AD domain), causing Kerberos auth failures. CS-SERVER SYSTEM → `\\cascadesds\*` returns access denied. Workaround: run the command in the `user_session` context of a machine where the target user is actively logged in (e.g. ASSISTMAN-PC agent `cf86fa5e` for Meredith-accessible shares). When constructing UNC paths in PowerShell over the RMM transport, use char-code path construction to avoid backslash loss across bash → jq → agent → PowerShell (`[char]92` for `\`).
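The stale-owner-file diagnosis above as a reusable check, added as an example (not the page's own tooling): it lists `~$` files on a share, flags the ones older than a threshold, and only deletes on request. It builds the UNC path from char codes so the backslashes survive the RMM transport, and is meant to run in a `user_session` that can reach cascadesDS. The age threshold, the `-Remove` switch and the best-effort owner-name parse are my assumptions.

```powershell
# Added example, not the page's own script.
function Get-StaleOwnerFile {
    param(
        # Path segments, e.g. 'cascadesds','Public','Company Web Docs','Staff Trainings'
        [Parameter(Mandatory)] [string[]] $PathSegments,
        [int] $MaxAgeHours = 8,      # assumption: older than a shift with no session = stale
        [switch] $Remove             # report only unless set
    )
    $bs  = [char]92                  # backslash via char code: survives bash -> jq -> agent -> PowerShell
    $unc = "$bs$bs" + ($PathSegments -join $bs)
    $cut = (Get-Date).AddHours(-$MaxAgeHours)

    Get-ChildItem -LiteralPath $unc -Filter '~$*' -File -Force -ErrorAction Stop | ForEach-Object {
        # Best-effort: byte 0 of a Word owner file is the length of the ANSI user name that follows.
        $lockedBy = try {
            $b = [IO.File]::ReadAllBytes($_.FullName)
            [Text.Encoding]::Default.GetString($b, 1, [int]$b[0])
        } catch { '?' }
        $stale = $_.LastWriteTime -lt $cut
        if ($stale -and $Remove) { Remove-Item -LiteralPath $_.FullName -Force }
        [pscustomobject]@{
            OwnerFile = $_.Name
            LockedBy  = $lockedBy
            Modified  = $_.LastWriteTime
            AgeHours  = [math]::Round(((Get-Date) - $_.LastWriteTime).TotalHours, 1)
            Stale     = $stale
            Removed   = [bool]($stale -and $Remove)
        }
    }
}

# Report first; re-run with -Remove once the listed users are confirmed to have no live session.
Get-StaleOwnerFile -PathSegments 'cascadesds', 'Public', 'Company Web Docs', 'Staff Trainings' | Format-Table
```

A still-locked document after removal points at a live SMB handle, which is the Synology Resource Monitor check described above rather than anything this script can clear.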
Browser / Edge
- [BUG - FLEET] Edge 149 cannot open Office files via download-list when Downloads is a UNC-redirected folder (Chromium issue 519243472). A regression introduced in Chromium 149 (feature `LaunchShellExecuteViaExplorer`) prepends `\\?\` to UNC paths without converting to the correct `\\?\UNC\` form, producing a malformed path (`\\?\\\cs-server\...`). Symptom: clicking an `.xlsx` or `.docx` in the Edge download panel shows "Windows cannot find `\\?\\\cs-server\homes\<user>\Downloads\<file>`." Text files and PDFs open fine from the same panel (PDF uses Edge's built-in viewer and does not invoke ShellExecute; Office routes through the broken external-launch path). The same Office file double-clicked from File Explorer opens normally. Trigger: Downloads folder redirected via GPO Folder Redirection to a UNC path with no mapped drive letter (`\\cs-server\homes\<user>\Downloads`) — exactly Cascades' Homes-share redirect configuration. Affected build: Edge stable 149.0.4022.52 (Chromium 149 base); last known-good: Chromium 148 (148.0.7778.217). Cascades exposure as of 2026-06-08: Ashley Jensen (DESKTOP-U2DHAP0) and Lois Lane (DESKTOP-KQSL232) confirmed on 149.0.4022.52; fleet-wide for any Cascades user whose Downloads is redirected to `\\cs-server\homes` and who is running Edge 149. Fix options (none applied as of 2026-06-08 session; decision left to Howard):
  - Update Edge forward past the fix (Chromium fix crrev 7900033 "Correctly handle UNC paths in InvokeShellExecute," merged M149/M150, verified Chromium 151.0.7875.0 — preferred when a patched stable ships).
  - Interim feature flag: add `--disable-features=LaunchShellExecuteViaExplorer` to the Edge shortcut target (quit Edge fully first; applies only to launches from that shortcut).
  - Zero-config workaround: use "Show in folder" in the Edge download panel, then double-click from File Explorer.
  - Supported 149→148 rollback (one major back is in-bounds): download the 148 stable MSI from https://www.microsoft.com/en-us/edge/business/download; set `HKLM\SOFTWARE\Policies\Microsoft\Edge\RollbackToTargetVersion` (DWORD) = 1 before install; pin via `HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate\TargetVersionPrefix{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}` = `148.` and `Update{56EB18F8-...}` = 2; unwind the pin once a fixed 149.x/150 ships. Edge stable app GUID: `{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}`. Note: pinning to 148 forfeits 149 security fixes; prefer option 1 or 3 for HIPAA machines.
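A fleet exposure check for the bug above, added as an example (not part of the page or of any RMM script in use): a machine is exposed when Edge is on major 149 and the user's Downloads known folder resolves to a UNC path. It runs in the affected user's session because Folder Redirection writes the redirect under HKCU. The Edge install paths and the decision to treat every 149 build as exposed until a patched stable ships are my assumptions.

```powershell
# Added example, not the page's own code. Run via RMM user_session, one result object per machine.
function Test-EdgeUncDownloadExposure {
    [CmdletBinding()]
    param([int] $AffectedMajor = 149)   # Chromium 149 regression (issue 519243472)

    # Locate the installed Edge binary and read its product version.
    $candidates = "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe",
                  "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
    $edge    = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    $version = if ($edge) { [version](Get-Item -LiteralPath $edge).VersionInfo.ProductVersion } else { $null }

    # Downloads known-folder GUID {374DE290-123F-4565-9164-39C4925E467B}; Folder Redirection rewrites it here.
    $usf = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $raw = (Get-ItemProperty -Path $usf -ErrorAction SilentlyContinue).'{374DE290-123F-4565-9164-39C4925E467B}'
    $downloads = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { Join-Path $env:USERPROFILE 'Downloads' }

    # A drive-letter mapping (X:\...) sidesteps the bug; only a bare UNC target triggers it.
    $isUnc = $downloads -like '\\*'

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        User           = $env:USERNAME
        EdgeVersion    = $version
        Downloads      = $downloads
        DownloadsIsUnc = $isUnc
        Exposed        = [bool]($version -and $version.Major -eq $AffectedMajor -and $isUnc)
    }
}

Test-EdgeUncDownloadExposure
```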
Conditional Access / Caregiver Policies
- Phased rollout — never tenant-wide. CA policies for caregivers now target `SG-Caregivers` (8b8d9222-5d71-419a-936d-56d895c6c332) (Entra Connect exited staging 2026-05-14; SG-Caregivers-Pilot superseded). The legacy "Require MFA for all users" policy stays in place. Expansion to other departments uses PATCH on `excludeGroups`, never replace. Source: `project_cascades_ca_phased_rollout.md`.
- Enforced caregiver CA policy set (unchanged as of 2026-06-03):
  - `CSC - Block caregivers off Cascades network` (e35614e1-e896-4a13-9407-076963af488f) — BLOCK if location not Cascades
  - `CSC - Block caregivers on non-compliant device` (ede985e2-ee7e-4521-88b2-34c847c3db20) — BLOCK if device non-compliant. Pending DISABLE at allow-list cutover (see below).
  - `CSC - Caregiver sign-in frequency 8h` (7d491c7a-ad90-4420-9990-40a1e676a76c)
- Caregiver device allow-list (2026-06-03 — report-only): The device restriction is being changed from compliance-based to an explicit device allow-list (phones matching `displayName -startsWith "CSC-"` plus 5 tagged laptops/PCs with `extensionAttribute1=CSCCaregiverDevice`). Rationale: tenant has no Windows compliance policy and `secureByDefault=false`, meaning compliance-only would admit any future-enrolled machine. New CA policy created in report-only:
  - `CSC - Caregivers: allow-listed devices only (REPORT-ONLY)` — id `1b7fd025-1aad-47c8-9274-c32c3e0b163c`; state `enabledForReportingButNotEnforced`
  - Target group: `SG-Caregivers` (8b8d9222). Excludes: `sysadmin@`, `admin@`, `SG-CA-BreakGlass` (131e51ac-d69b-44b8-9c81-56890537a796)
  - Device filter (mode `exclude`): `(device.displayName -startsWith "CSC-") -or (device.extensionAttribute1 -eq "CSCCaregiverDevice")`
  - Allowed device list (target — 6 caregiver/medtech devices, tagged `CSCCaregiverDevice`):

    | Device | OS | GuruRMM agent | Notes |
    |---|---|---|---|
    | NURSESTATION-PC | Win 11 (26200) | `8164c6fa-62e7-4aa5-88e4-624f2f656932` | hybrid-join track; tagged |
    | Laptop2 | Win 11 (26200) | `dc8daf71-a2e6-4181-8cf2-c463c95dcd7d` | already Pro; Entra-joined + tagged |
    | LAPTOP-DRQ5L558 | Win 11 (26200) | `f9e25b3b-da63-40ff-94a6-8cec3b9a19ce` | Win10 Home→Win11 Pro (our key); joined + tagged |
    | LAPTOP-E0STJJE8 | Win 11 (26200) | `4ac00700-9a9b-4e7f-a7aa-c51857b77661` | Win10 Home→Win11 Pro (our key); joined + tagged |
    | LAPTOP-8P7HDSEI | Win 10/11 — verify | `9b74852c-623a-4d4a-bdda-1709ee75ae44` | was Win10 19045; Win11 25H2 upgrade + join/tag pending verification |
    | ASSISTNURSE-PC | Win 11 Pro for Workstations 24H2 (clean reinstall 2026-06-08) | `62d108d6` (new — re-enrolled after reinstall; old `88891eb8` deleted) | shared MC medtech device (Christine Nyanzunda + medtechs). NEW Entra device object after reinstall → needs re-join + re-tag `CSCCaregiverDevice` before allow-list cutover; old Entra device record to clean. 3 caregiver Public-Desktop shortcuts (ALIS/LinkRx/Helpany) deployed via RMM 2026-06-08 |

  - Join model (decided 2026-06-03): The 4 laptops are Entra-joined (cloud join), NOT domain-joined — a domain-only PC has no Entra device object, so the CA device filter cannot allow-list it. The laptops are shared ALIS/Teams/Outlook access points and do not need the on-prem GPO stack. NURSESTATION-PC stays domain-joined and gets Hybrid Entra Join (needs on-prem printers + ALDocs share); requires a one-time device-options config in Entra Connect on CS-SERVER, and its stale 2021 Entra record (Workplace, last seen 2021-07-03) should be cleaned. Mixed model is supported.
  - Enrollment account: `devices@cascadestucson.com` (Cloud Device Administrator, `aaca80c6-861b-4294-8068-1033c68d7667`). Licensed Business Premium + usageLocation=US on 2026-06-04 and ready to join/auto-enroll. The license is needed only at enrollment time so auto-MDM-enroll fires; the device stays enrolled and allow-listed afterward regardless of the enroller's license, so the SPB seat can be reclaimed after the batch (30 SPB seats free as of 2026-06-03). One license covers sequential enrollments. Mark each laptop a shared device (remove primary user) to drop per-user license dependency. Confirm MDM user scope = All (Entra -> Devices -> Mobility) before joining — not verifiable via API.
  - Printing: does NOT require domain join — Entra-joined laptops print via direct IP network printers or an Intune-pushed `Add-Printer` config. Printers: FrontDesk Epson ET-5800 `192.168.2.147`, CopyRoom Canon C478iF `192.168.2.230`, MCReception Epson ET-5800.
  - Enrollment progress (updated 2026-06-08): 3 laptops Entra-joined + tagged `CSCCaregiverDevice` — Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8 (all Win11 26200). ASSISTNURSE-PC upgraded 2026-06-08 — clean Win11 reinstall (was Win10 19045; in-place upgrades failed), RMM re-enrolled (62d108d6), but the reinstall created a NEW Entra device object so it still needs re-join + re-tag before cutover. Still pending: LAPTOP-8P7HDSEI Win11 25H2 upgrade + join/tag (verify current state). NURSESTATION-PC confirmed permanent caregiver device (hybrid-joined 2026-06-05). Full set = phones + those 6 machines. All joined laptops show `isManaged=null` (auto-MDM-enroll did not fire — MDM user scope likely not = All, and only local logins so far). Intune is OPTIONAL: the allow-list is tag-based and works on Entra-join alone; Intune only needed for printer-push / a Windows compliance policy. Intune/MDM decision deferred until all devices on Win11 25H2. Enrollment account `devices@` (Cloud Device Admin), licensed Business Premium transiently (reclaim after batch).
  - Cutover (low-risk, can be all-at-once): verified no gap — only `CSC-` phones are compliant today and the allow-list also permits them, so enabling the allow-list ADDS the laptops without removing phone access; nobody on a phone gets locked out. Per-user go-live gate is the ALIS email-match + test sign-in (one at a time), not a CA change. Cutover = enable `CSC - Caregivers: allow-listed devices only` + disable `CSC - Block caregivers on non-compliant device`.
- Restricted vs privileged classification (2026-06-04): Restricted/inside (SG-Caregivers) = the 38 + Veronica Feller (caretaker; inventory shows her remote/PA — confirm on-site) + Christine Nyanzunda (MC admin asst + PT medtech; uses ASSISTNURSE-PC; directory surname typo "Nyanzuda" to fix). Privileged/outside (NOT in SG-Caregivers; ALIS via SSO + offsite MFA) = Lois Lane, Karen Rossini, Christina DuPras, and all admins/directors/managers; nurses ruled OUTSIDE. Zachary Nelson is accounting/no-ALIS (not a caregiver). Still pending classification: Judith Palmer, Patricia Sandoval-Beck, Joey Ty, Alejandra Vallejo, Celia Lassey. Worklist: `clients/cascades-tucson/reports/2026-06-04-caregiver-alis-sso-worklist.md`.
- User<->computer map source: Syncro `kabuto_information.last_user` (GuruRMM does not expose logged-in user). DuPras=ALASSIST-PC, Lois Lane=DESKTOP-KQSL232, Karen Rossini=DESKTOP-LPOPV30, shared medtech=ASSISTNURSE-PC, shared MemCare reception=MEMRECEPT-PC (excluded from caregiver allow-list, receptionist-only). CONTEXT.md GuruRMM roster stale (27->32) — refresh pending.
- Caregiver desktop app shortcuts: ALIS (https://cascadestucson.alisonline.com), LinkRx (https://pharmcare.linkrxnow.com/), HelpAny (https://app.safe-living.com/login) — deploy via a Public-Desktop PowerShell script launching Edge in `--app` mode (preserves SSO device-claim), pushed via GuruRMM to the 6 caregiver machines.
- Login UX: Entra/Microsoft sign-in (and ALIS SSO) requires the full UPN — no bare-username option for cloud accounts. Minimize typing via Windows Hello PIN on laptops + silent ALIS SSO once signed in; pursue ALIS Login PINs (Medtelligent limited-release).
- Caregiver test rig (2026-06-05, validated): Phased-test infra before promoting to all caregivers. `SG-Caregivers-DeviceTest` (db5849ec, USERS) carries the full caregiver rule set (off-network block + sign-in-freq + allow-list, excluded from compliance-block); `Cascades - Caregiver Devices` (02c6f698, STATIC devices) targets Intune profiles (NURSESTATION only for now); `SG-Intune-Enrollment` (13d94f6e, holds devices@) scopes MDM auto-enroll. Test acct `pilot.test@cascadestucson.com` (d26e0e5a, Business Premium, ephemeral). NURSESTATION-PC is Hybrid Entra Joined (re-domain-joined Win11 25H2; new deviceId `d3bf931f-f128-4261-8398-b46c34a4b342`, object id `de199a15-3f5d-4da3-8b17-3faade7f7dad`, trustType `ServerAd`). Intune profiles (idle-lock 5min + disable-WHfB OMA-URI) assigned to device group but NOT yet applied — `INTUNE_A: PendingInput` tenant-wide blocks enrollment on newly-licensed accounts (devices@, pilot.test); MS case open; does NOT block caregiver access (GPO path used instead). PROVEN 2026-06-05: pilot.test on NURSESTATION-PC -> ALIS opened via SSO with lockdown holding (off-network blocked, only allow-listed device passes). ALIS first threw CA 53003 because the `extensionAttribute1` tag takes >70 min to propagate into CA's device-filter cache; fixed by adding NURSESTATION's deviceId directly to the allow-list rule (immediate, lag-free) — for the small caregiver device set, deviceId matching is the reliable lever. Windows Hello does NOT auto-provision on hybrid-joined machines (WillNotProvision: PolicyEnabled NO). GPOs deployed 2026-06-05: `CSC - Caregiver Workstation` validated on pilot.test; `CSC - Caregiver Device Lockdown` deployed to `OU=Caregiver Devices` (activates on reboot). Monday go-live: promote allow-list + GPO filter from test group to `SG-Caregivers`; disable compliance-block; move real machines in one at a time.
- Threat model (confirmed 2026-06-05): off-network + device allow-list specifically defeats remote credential abuse (hacker / bad employee from home) — stolen caregiver creds unusable off-site/off-device because CA blocks the cloud sign-in before ALIS/email. Risk-based MFA policies are inert (tenant has no Identity Protection P2 license).
- GDAP exclusion: CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover.
- Pilot cleanup required when done: Delete `pilot.test@cascadestucson.com`, clean up `howard.enos@cascadestucson.com`, remove `SG-Caregivers-Pilot` from CA policy targets and delete the group. Source: `project_cascades_pilot_cleanup.md`.
EXO / Message Trace
- Get-MessageTrace is deprecated. Use `Get-MessageTraceV2` instead. V2 has a 10-day max window — loop 9 consecutive windows to cover 90 days. A wildcard sender with a 30-day window returns false positives due to the window-limit violation; keep windows to 10 days and use specific sender domains.
- EXO access token auth: When `Connect-ExchangeOnline -Credential` fails (MFA/modern auth block) and the app cert is not in the Windows cert store, use the client_credentials flow to get an EXO-scoped token and pass it via `-AccessToken`. See the access note in the Access section above.
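The 90-day trace pattern above as a function, added as an example (not the page's own script): nine back-to-back 10-day `Get-MessageTraceV2` windows, a specific sender domain instead of a bare wildcard, and a warning when a window fills the result cap. It assumes an EXO session is already open (via `Connect-ExchangeOnline` or `-AccessToken` as described above); the `-ResultSize` cap handling is my assumption, the addresses are the ones from the Chris Knight case on this page.

```powershell
# Added example, not the page's own script. Requires an existing Exchange Online session.
function Get-MessageTrace90d {
    param(
        [Parameter(Mandatory)][string] $RecipientAddress,
        [string]   $SenderAddress,                 # e.g. '*@inform.bill.com'; omit for any sender
        [datetime] $EndDate    = (Get-Date),
        [int]      $WindowDays = 10,               # V2 hard limit per call
        [int]      $Windows    = 9                 # 9 x 10 days = 90 days
    )
    for ($i = 0; $i -lt $Windows; $i++) {
        $winEnd   = $EndDate.AddDays(-$WindowDays * $i)
        $winStart = $winEnd.AddDays(-$WindowDays)

        $query = @{ StartDate = $winStart; EndDate = $winEnd; RecipientAddress = $RecipientAddress; ResultSize = 5000 }
        if ($SenderAddress) { $query.SenderAddress = $SenderAddress }

        $rows = @(Get-MessageTraceV2 @query)
        if ($rows.Count -ge 5000) {
            # Assumption: a full page means the window is too wide; split it rather than trust a partial view.
            Write-Warning ("Window {0:u} .. {1:u} hit the result cap; narrow the window." -f $winStart, $winEnd)
        }
        $rows
    }
}

# Chris Knight case (2026-06-04): bill.com sends via SendGrid from inform.bill.com. An empty result
# over 90 days, with bill.com delivering to other Cascades users, points at the sender side, not the tenant.
$hits = Get-MessageTrace90d -RecipientAddress 'chris.knight@cascadestucson.com' -SenderAddress '*@inform.bill.com'
$hits | Group-Object Status | Select-Object Name, Count
```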
Known Issues / Pending Hygiene (as of 2026-06-04)
- [BUG] Stale exclude-group on MFA-all-users policy: The `Require multifactor authentication for all users` policy (7e87a1c7…) currently excludes `SG-Caregivers-Pilot` (0674f0bc…) instead of the live `SG-Caregivers` (8b8d9222…). Functionally harmless today (pilot group still exists), but this is a known bug that must be corrected. Fix: PATCH `excludeGroups` to replace `SG-Caregivers-Pilot` with `SG-Caregivers`.
- [DESIGN] ALIS-native 2FA is not a perimeter control. The `Require MFA for all users` policy excludes `AllTrusted` locations, so Entra never prompts on the Cascades network. A non-SSO ALIS user can reach ALIS from anywhere with only ALIS credentials — Entra never sees that login. The correct permanent model: force all ALIS logins through Entra SSO (SSO-only, credential fallback disabled), so Entra enforces onsite-seamless / offsite-MFA. Office/privileged users should be standardized onto ALIS SSO as a separate workstream; ALIS-native 2FA should then be disabled per-user, then globally.
- [INFO] Android enrollment token expiry (2027-05-08) does NOT unenroll devices. The `CSC - Android Shared Phones (Entra SDM)` enrollment token (9a0fcc6d) is a join key only. Existing enrolled devices (25 as of 2026-06-03) are unaffected by token expiry. Renewal is needed only before enrolling new devices after that date.
- [INFO] Chris Knight bill.com/BOK Financial emails (2026-06-04): Zero bill.com or BOK Financial emails ever delivered to chris.knight@ or c.knight@ in 90 days. bill.com confirmed delivering to other Cascades users (no tenant-wide block). Root cause: bill.com and BOK Financial backends likely still have Chris Knight's old email address. Resolved externally by Howard. No tenant config changes needed.
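Both CA edits this page calls for, the phased-rollout rule "PATCH on `excludeGroups`, never replace" and the [BUG] fix above, plus the lag-free deviceId lever from the caregiver test rig, come down to one pattern: read the policy, edit the `conditions` object, PATCH the whole object back. Added as an example, not the page's own code: it uses `Invoke-MgGraphRequest` from Microsoft.Graph.Authentication with `Policy.ReadWrite.ConditionalAccess`. The policy and group ids are the ones documented on this page where the page gives them in full; the MFA-all-users and pilot-group ids are truncated on the page and appear as placeholders.

```powershell
# Added example, not the page's own code. Dry-run by default (-DryRun); drop it to apply.
function Update-CaConditions {
    param([Parameter(Mandatory)][string]$PolicyId, [Parameter(Mandatory)][scriptblock]$Edit, [switch]$DryRun)
    $uri    = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$PolicyId"
    $policy = Invoke-MgGraphRequest -Method GET -Uri $uri            # nested hashtables
    $before = $policy.conditions | ConvertTo-Json -Depth 10 -Compress
    & $Edit $policy.conditions                                      # mutate in place
    $after  = $policy.conditions | ConvertTo-Json -Depth 10 -Compress
    if ($before -eq $after) { Write-Host "$($policy.displayName): no change"; return }
    if ($DryRun) { Write-Host "$($policy.displayName): would PATCH conditions:`n$after"; return }
    # Send the complete conditions block so no sibling setting (locations, platforms, filters) is dropped.
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ conditions = $policy.conditions } | Out-Null
}

# Append a group to excludeGroups (optionally swapping out a stale one) without touching the rest of the list.
function Add-CaExcludeGroup {
    param([string]$PolicyId, [string]$GroupId, [string]$ReplaceGroupId, [switch]$DryRun)
    Update-CaConditions -PolicyId $PolicyId -DryRun:$DryRun -Edit {
        param($c)
        $keep = @( @($c.users.excludeGroups) | Where-Object { $_ -and $_ -ne $ReplaceGroupId } )
        $c.users.excludeGroups = @($keep + $GroupId | Select-Object -Unique)
    }.GetNewClosure()
}

# Prepend a deviceId clause to the allow-list filter rule (mode exclude = matching devices are let through).
function Add-CaAllowListedDeviceId {
    param([string]$PolicyId, [string]$DeviceId, [switch]$DryRun)
    Update-CaConditions -PolicyId $PolicyId -DryRun:$DryRun -Edit {
        param($c)
        $clause = "(device.deviceId -eq `"$DeviceId`")"
        if ($c.devices.deviceFilter.rule -notlike "*$clause*") {
            $c.devices.deviceFilter.rule = "$clause -or " + $c.devices.deviceFilter.rule
        }
    }.GetNewClosure()
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess' | Out-Null

# [BUG] fix: swap the stale pilot exclusion for the live SG-Caregivers group on the MFA-all-users policy.
Add-CaExcludeGroup -PolicyId '<MFA-all-users policy id, 7e87a1c7...>' `
    -GroupId '8b8d9222-5d71-419a-936d-56d895c6c332' -ReplaceGroupId '<SG-Caregivers-Pilot id, 0674f0bc...>' -DryRun

# Test-rig lesson: add NURSESTATION-PC's deviceId to the allow-list policy directly (no extensionAttribute1 lag).
Add-CaAllowListedDeviceId -PolicyId '1b7fd025-1aad-47c8-9274-c32c3e0b163c' `
    -DeviceId 'd3bf931f-f128-4261-8398-b46c34a4b342' -DryRun
```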
Security Incidents (historical)
- Megan Hiatt (2026-04-16): Active credential-stuffing — 126 failed sign-ins, bursts from Belfast GB, Hamburg DE. Password reset and SMTP AUTH disable were action items. Mailbox was clean (not breached).
- John Trozzi (2026-04-16, 2026-04-20): Investigated twice — both times NO BREACH. First: credential stuffing flag (clean). Second: inbound phishing email (clean). Reports in `clients/cascades-tucson/reports/`.
- Crystal Rodriguez (2026-04-19): Phishing investigation. Report: `clients/cascades-tucson/reports/2026-04-19-crystal-rodriguez-phish-investigation.md`.
- Canva email delivery (2026-05-20): Alma Montt not receiving Canva invites. Resolved by adding canva.com domains to AllowedSenderDomains in EOP policies.
- ALIS AADSTS65001 (2026-06-03): megan.hiatt, karen.rossini, memcarereceptionist could not sign in to ALIS on non-phone devices. Root cause: missing tenant-wide admin consent on ALIS SP (`e1cae4ad`). Resolved by granting `AllPrincipals` `User.Read` via Graph API. CA was NOT the cause — all failures showed `conditionalAccessStatus: success` from trusted IPs.
- dunedolly21@gmail.com: External guest invited 2026-04-14 by Lauren Hasselman from mobile. Status unknown — confirm with Lauren. [unverified]
- Chris Knight bill.com / BOK email delivery (2026-06-04): `chris.knight@cascadestucson.com` (alias: `c.knight@cascadestucson.com`) not receiving bill.com or BOK Financial emails. M365 mailbox confirmed healthy: 24 inbound messages traced over prior 48h, no inbox rules, no forwarding, no junk/quarantine hits, no transport rules or connectors blocking. Root cause: SENDER-SIDE, not M365. bill.com sends via SendGrid (inform.bill.com); the address was on SendGrid's ESP suppression list — mail dropped before SMTP, so nothing appeared in message trace and repeated resends never arrived. BOK diagnosis confirmed: correcting the email in BOK's portal produced a "Welcome to Exchange!" delivery from `alerts@exchange.bokfinancial.com` within minutes. bill.com fix requires calling bill.com support — the account email cannot be changed in the web UI (it is the locked login identity); support must update it AND clear the SendGrid suppression. Ticket #32383, 1.5h remote.
HIPAA Compliance
- Primary objective. Cascades stores PHI on CS-SERVER and uses ALIS for clinical records.
- Critical open gaps: No backup (§164.308(a)(7)); no audit logging on D:\Homes (§164.312(b)); Object Access auditing disabled; no SMB encryption on homes share; no file access auditing.
- Restored 7 deleted mailboxes (2026-04-25) for HIPAA §164.316(b)(2) 7-year retention.
- Termination policy established: Convert to shared mailbox, hide from GAL, retain 7 years.
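Two of the open gaps listed above (no audit logging on D:\Homes / Object Access auditing disabled, and no SMB encryption on the homes share) are closable on CS-SERVER with a short script. Added as an example of what that would look like, not something applied at Cascades: the share name `Homes` and path `D:\Homes` are from this page; the audit scope (Everyone, data reads/writes/deletes, success and failure) is my assumption and will be noisy on a busy share.

```powershell
# Added example, not a change that has been made at Cascades. Run elevated on CS-SERVER.
using namespace System.Security.AccessControl

$ShareName = 'Homes'
$Path      = 'D:\Homes'

# 1. Encryption in transit (§164.312(e)): reject unencrypted SMB access to this share. Clients must speak SMB 3.x.
Set-SmbShare -Name $ShareName -EncryptData $true -Force
# Server-wide alternative: Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# 2. Audit policy (§164.312(b)): the Object Access / File System subcategory must be on, or SACLs never fire.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 3. SACL on the share root: audit the operations that matter for PHI, leave ReadAttributes/Synchronize out to cut noise.
$rights = [FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rule   = [FileSystemAuditRule]::new('Everyone', $rights, 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
$acl    = Get-Acl -Path $Path -Audit          # -Audit needs SeSecurityPrivilege (elevated)
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 4. Verify all three controls from one object.
function Test-HomesControls {
    [pscustomobject]@{
        ShareEncrypted  = (Get-SmbShare -Name $ShareName).EncryptData
        FileSystemAudit = (auditpol.exe /get /subcategory:"File System" /r | ConvertFrom-Csv).'Inclusion Setting'
        SaclRuleCount   = (Get-Acl -Path $Path -Audit).Audit.Count
    }
}
Test-HomesControls
# Resulting events: 4663 (object accessed) and 4660 (object deleted) in the Security log, carrying the user,
# path and access mask. They still need to be shipped somewhere with retention (the audit-retention item under Active Work).
```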
Active Work
Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #110680053). Syncro full pull 2026-06-13: one real open ticket — #32370 (eFax/scanner onsite); #32414 [New] is an automated payment-notification stub.
Migration phase status (as of 2026-05-26):
| Machine / User | Status |
|---|---|
| Sharon Edwards (DESKTOP-DLTAGOI) | Domain-joined, folder redirect working via registry workaround |
| Ashley Jensen (DESKTOP-U2DHAP0) | Domain-joined, folder redirect manually fixed |
| Crystal Rodriguez (CRYSTAL-PC) | Domain-joined, folder redirect confirmed working 2026-05-21 |
| RECEPTIONIST-PC (frontdesk) | Domain-joined 2026-05-22; loopback Replace mode, no folder redirect by design |
| NURSESTATION-PC | Domain-joined, folder redirect complete |
| Lauren Hasselman | Domain-joined, folder redirect complete 2026-05-23 |
| Megan Hiatt (Marketing) | COMPLETE 2026-05-27 — domain joined via ProfWiz, folder redirection live, data on server |
| DESKTOP-KQSL232 (Lois Lane — CareTakers) | Blocked — Lois Lane resistant to change; John Trozzi working with her |
| CHEF-PC, SALES4-PC, MDIRECTOR-PC | Not yet started |
Blocking issues / pending:
- M365 relicensing: 31 Business Standard → Business Premium (SUSPENDED — time-critical, 31 SPB seats free)
- Break-glass accounts: not created (confirmed 2026-05-27)
- Audit retention infra: not built
- RECEPTIONIST-PC GuruRMM agent (9c91d324): flaky WebSocket, lagging fleet
- Entra Connect: OU=Administrative not yet in sync scope; UPN suffix updates for that OU pending
- NURSESTATION-PC: reboot required to activate `CSC - Caregiver Device Lockdown` GPO (deployed 2026-06-05, linked to `OU=Caregiver Devices`; startup script runs at boot — verify lock@3min, 90s warning, sign-out@15min, never-sleep)
- #32370 [New / open — confirmed live 2026-06-13]: Howard onsite — eFax setup on Karen's and Christin's machines; portable scanner setup on both. No appointment scheduled as of 2026-06-02.
- Caregiver device allow-list: ASSISTNURSE-PC needs re-join + re-tag after Win11 reinstall; LAPTOP-8P7HDSEI Win11 upgrade + join/tag still pending; then cutover (enable allow-list policy, disable compliance-block)
- ALIS office/privileged standardization: move office/managers/nurses to ALIS SSO-only; disable ALIS-native 2FA per-user then globally (separate workstream)
- Fix stale `SG-Caregivers-Pilot` exclude-group on `Require MFA for all users` policy (known bug, see Known Issues)
- LAPTOP-8P7HDSEI: upgrade Win 10 → Win 11 before PHI use
- Chris Knight bill.com/BOK Financial addresses: confirm updated in bill.com backend and at BOK Financial (resolved externally 2026-06-04 but no confirmation of actual address update on vendor side)
- Edge UNC download bug (Chromium 149): decide fix path for Ashley Jensen + Lois Lane and fleet (see Patterns -> Browser / Edge); no fix applied as of 2026-06-08
- ALIS app session timeout: lower from 20 to 15 min (Howard, ALIS admin) — PENDING
History Highlights
| Date | Event |
|---|---|
| 2026-03-06 | ACG onboarding begins. Initial audit (CS-SERVER Dell R610, pfSense, UniFi, Synology). 19 machines. No backup, no HIPAA compliance. |
| 2026-03-09 | AD security hardening: Monica Ramirez removed from Domain Admins, lockout policy fixed, AD Recycle Bin enabled, MachineAccountQuota set to 0. |
| 2026-03-31 | Cascades onboarded to remediation tool. Tenant ID documented. 50 users, Secure Score 34%. |
| 2026-04-13 | Major onsite: 13 stale AD accounts deleted, OU structure cleaned, UPNs migrated to cascadestucson.com, Homes share created, Folder Redirection GPO deployed (registry workaround), first domain joins. |
| 2026-04-14 | Sandra Fish global admin revoked. ALIS SSO confirmed. Business Premium proposal created. |
| 2026-04-16 | Breach checks: Megan Hiatt (credential stuffing, not breached; password reset). John Trozzi (clean). Crystal Rodriguez phish. /remediation-tool skill built. |
| 2026-04-17 | Howard onsite: folder redirect Sharon Edwards diagnosis. John Trozzi WiFi (TP-Link + UniFi roaming instability). |
| 2026-04-25 | Entra Connect installed on CS-SERVER (staging mode). 7 deleted mailboxes restored for HIPAA. Dual-WAN discovered. |
| 2026-04-28-29 | CA policy reconciliation. Audit retention architecture (ACG-billed, LAW 90d + Storage 6yr). Break-glass design (2 accounts, YubiKeys). Caregiver pilot scope corrected (phased only). |
| 2026-04-30 | CA rollout (Report-only mode): 3 caregiver policies created. SDM bootstrap. |
| 2026-05-01 | Howard billed 33.5 hrs against prepaid block on Entra project ticket #32214 ($0 invoice). |
| 2026-05-07-08 | SDM phone provisioning. SDM token success. ALIS SSO app registration values captured to vault. |
| 2026-05-14-16 | Caregiver AD accounts created. Security groups always deliberate (no OU→group automation). Wireless diagnostic. |
| 2026-05-18 | Billing review. 39.5 hrs remaining before session. 7 hrs billed separately. |
| 2026-05-20 | Canva email delivery resolved (canva.com domains added to EOP). |
| 2026-05-21 | Crystal Rodriguez folder redirect confirmed working. Lauren Hasselman + Crystal Rodriguez domain join attempted — passwords didn't work initially. |
| 2026-05-22 | Ashley Jensen domain-joined. RECEPTIONIST-PC domain-joined. GPO ILT fixes (FrontDesk printer + R: drive). cascadesDS auth failure diagnosed (workgroup collision) and deferred. |
| 2026-05-14 | Entra Connect exited staging mode — actively syncing. CA pilot re-pointed to SG-Caregivers. |
| 2026-05-23 | Lauren Hasselman folder redirect complete. Megan Hiatt (Marketing) confirmed in AD, domain join pending. |
| 2026-05-24 | RECEPTIONIST-PC GuruRMM agent noted as 0.6.37 straggler while fleet at 0.6.38. Flaky WebSocket. |
| 2026-05-26 | Access control vendor meeting onsite (ticket #32324). 0.5h Howard + 0.5h Mike billed against prepaid block. Block at 28.0h. Remote diagnosis of UniFi controller confirmed impossible (no Tailscale route, GuruRMM WebSocket-only, pfSense SSH blocked). |
| 2026-06-03 | ALIS AADSTS65001 diagnosed and resolved: granted tenant-wide admin consent (AllPrincipals User.Read) on ALIS SP e1cae4ad. Caregiver device allow-list CA policy created in report-only (CSC - Caregivers: allow-listed devices only (REPORT-ONLY), id 1b7fd025). Allow-list = CSC- phones + 5 tagged devices (NURSESTATION-PC, Laptop2, LAPTOP-8P7HDSEI, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8). Cutover pending laptop Intune enrollment + validation. Three existing enforced caregiver CA policies left untouched. |
| 2026-06-04 | Three same-day tickets: #32381 Tamra scanner (0.5h onsite), #32382 Megan file access (1.5h onsite), #32383 Chris Knight bill.com/BOK email delivery (1.5h remote). Chris Knight mailbox investigation: full EXO/EOP/quarantine/message trace analysis — no tenant config issues found. No Inky in tenant (confirmed). bill.com delivering to other users; zero delivery to chris.knight/c.knight in 90 days. Root cause: wrong address in bill.com/BOK backends + SendGrid suppression on bill.com side. BOK resolved by correcting email in portal (delivery within minutes). bill.com fix requires support call. Resolved externally by Howard; no tenant config changes needed. EXO access token auth method documented (cert not in BEAST cert store). Prepay block: 17.25 → 15.75 hrs. |
| 2026-06-05 | NURSESTATION-PC localadmin login-screen issue: SpecialAccounts\UserList hide (localadmin=0) — removed via RMM (agent f5a89784); account was already enabled + admin. Vault hygiene: sysadmin@ GA password vaulted (clients/cascades-tucson/m365-sysadmin.sops.yaml); voice MFA scoped group "MFA - Voice Call Scoped (sysadmin)" (304f941e) created; alternateMobile updated to +1 520-585-1310 (Howard). Caregiver test rig built: SG-Caregivers-DeviceTest (db5849ec, full rule set), Cascades - Caregiver Devices (02c6f698, static), SG-Intune-Enrollment (13d94f6e), pilot.test@cascadestucson.com (d26e0e5a, ephemeral). Hybrid Entra Join enabled in Entra Connect (SCP ConfigureSCP.ps1; OU=Caregiver Devices added to sync scope). NURSESTATION re-domain-joined (Win11 25H2) + hybrid-registered as trustType: ServerAd, new deviceId d3bf931f-f128-4261-8398-b46c34a4b342 (object de199a15). Caregiver access model proven end-to-end on desktop: pilot.test + NURSESTATION — ALIS via silent SSO, CA off-network block + device allow-list holding. CA 53003 on extensionAttribute1 tag lag (>70 min); resolved by adding deviceId directly to allow-list rule (immediate). Windows Hello does NOT auto-provision on hybrid-joined machines (WillNotProvision: PolicyEnabled NO). GPO CSC - Caregiver Workstation ({3B5CD9A6-A278-4676-A9FD-9396D21A8261}, User config GPP): 3 desktop shortcuts (ALIS, LinkRx, Helpany) + 6 \\CS-SERVER\ printers with location-based default (Nurses for SG-PC-MainTower, MCMedTech for SG-PC-MemoryCare, computer-context ILT) + LegacyDefaultPrinterMode=1 — built, linked at OU=Caregivers, security-filtered to SG-Caregivers-Test (pilot.test only), validated on NURSESTATION. GPO CSC - Caregiver Device Lockdown ({E6174988-2721-4D96-ADF5-F5BB44E92769}, computer-only): startup script (lock 3 min / auto sign-out 15 min / 90s warning / never sleep) + psscripts.ini in SYSVOL — deployed + linked at OU=Caregiver Devices (takes effect on next NURSESTATION reboot). Intune enrollment blocked tenant-wide (INTUNE_A: PendingInput on newly-licensed accounts); MS case open; GPO path used instead. Ticket #32303 billing reconciliation: work summary posted as customer-visible resolution note (comment 417582473); 7.0h onsite line item (42750851) + invoice #67782 ($0.00 prepaid); prepay block 15.75 → 8.75 hrs; ticket status → Invoiced. |
| 2026-06-08 | Chris Knight workstation setup (onsite). Discovered his AD account chris.knight already existed (created 2026-05-27, OU=Administrative) but was incomplete; finished it to match Lauren Hasselman — New-HomeFolder, added to SG-FolderRedirect, set mail, reset AD password to Cascades2026! (change-at-logon cleared). Confirmed mailbox is cloud-only/unsynced (so are Lauren/Ashley/Meredith/Zachary/Alma — Entra Connect include-list is Caregivers+Groups+Caregiver Devices only; OU=Administrative NOT in scope). Machine DESKTOP-N5G1ROO domain-joined + GuruRMM-enrolled (agent 205025ee...), Office installed, Chris logged in. MAJOR: root-caused why folder redirection has failed on every machine — the FR GPO's targets were in a misnamed fdeploy1.ini; Windows reads fdeploy.ini (absent) → empty path → silent no-op → manual registry workaround every time. Fixed by writing a correct fdeploy.ini to GPO {512B43A4} + version bump 917506→983042 (GPT.INI + AD versionNumber); backup at C:\Windows\Temp\frfix-20260608-161144. LE GPO found completely empty too. CS-SERVER live RMM agent is now c39f1de7-... (was 6766e973). Billed 1.0h onsite (computer setup, ticket #111216087). |
| 2026-06-08 | ASSISTNURSE-PC reinstalled (Win10→Win11). Howard did a clean Windows 11 install (machine was Win10 19045; in-place upgrade attempts failed, clean install the only option) using our key, then reinstalled the RMM agent. Claude (RMM): deleted the stale pre-reinstall agent 88891eb8 (Win10, offline) — HTTP 204; kept the new agent 62d108d6 (Assistnurse-pc, Win11 Pro for Workstations 24H2, v0.6.57, online). Deployed 3 caregiver app shortcuts as .url files to C:\Users\Public\Desktop (machine-wide) matching the team's GPP definitions: ALIS https://cascadestucson.alisonline.com/Login, LinkRx https://pharmcare.linkrxnow.com/Login.aspx, Helpany https://app.safe-living.com/login. Heads-up: reinstall = new Entra device object → needs re-join + re-tag CSCCaregiverDevice (+ clean old Entra record) at caregiver cutover. Billing for the 1.0h onsite reinstall: billed on #32303 (drew 57.75→56.75; implied by subsequent balance chain). |
| 2026-06-08 | Edge UNC download bug diagnosed (no fix applied). Ashley Jensen (DESKTOP-U2DHAP0) and Lois Lane (DESKTOP-KQSL232) both on Edge 149.0.4022.52 could not open Office files (.xlsx, .docx) from the Edge download panel when Downloads is redirected via folder redirection to \\cs-server\homes\<user>\Downloads. Root cause: Chromium 149 regression (issue 519243472) in LaunchShellExecuteViaExplorer — prepends \\?\ to UNC paths without converting to \\?\UNC\, producing malformed paths. PDF and text files unaffected (different launch path). Fix options documented in Patterns section; fix path decision left to Howard. Fleet-wide exposure for any Cascades user with Downloads folder-redirected to the Homes share on Edge 149. |
| 2026-06-09 | Accounting scan-to-folder built + billing reconciliation. Created D:\Shares\Accounting + \Scans on CS-SERVER (NTFS locked to lauren.hasselman/chris.knight/zachary.nelson = Modify, no Everyone; svc-scan = Modify on \Scans only), shared as \\CS-SERVER\AcctDept (named AcctDept because a Canon MF455DW printer share already owns "Accounting" — restored that share after a grant collision). New vaulted AD service account svc-scan for the Brother's SMB auth. Brother MFC-L8900CDW (10.0.20.220) Scan-to-Network profile → \\192.168.2.254\AcctDept\Scans (NTLMv2, cascades\svc-scan); test scan confirmed. Found pfSense blocks main-LAN→VLAN-20 (can't reach VLAN-20 printer WBM from CS-SERVER; printer→server:445 open). Persistent drive maps to the share: Chris (Y:), Zachary on ACCT2-PC (Y:), Lauren (X:). Also reconciled crashed-session billing: #32330 (Chris Knight computer) was already invoiced (#67790) — fixed status Resolved→Invoiced; live prepay confirmed 57.75h (prior 7.75 was pre-top-up). Updated machine inventory (ASSISTNURSE-PC reinstall, caregiver device table) in this wiki. |
| 2026-06-10 | Meredith Kuhn locked Word doc — stale owner files on cascadesDS. Five orphaned Word ~$ owner files dated 2024 in \\cascadesds\Public\Company Web Docs\Staff Trainings\ caused false "locked for editing" messages on training documents with no active session. Diagnosed and deleted all 5 via RMM in Meredith's user_session on ASSISTMAN-PC (agent cf86fa5e) — CS-SERVER SYSTEM cannot authenticate to cascadesDS (workgroup/Kerberos mismatch). Howard's post-reboot check on the Synology confirmed no live handles. Ticket #32403 (id 112502876), 0.5h remote, invoice $0.00 prepaid, block 56.75→56.25. |
| 2026-06-12 | Created shared mailboxes grievances@ + Surveys@ and delegated to Meredith & Ashley. grievances@cascadestucson.com and Surveys@cascadestucson.com created as SharedMailbox (cloud-only, no license consumed), each delegated to Meredith Kuhn and Ashley Jensen with FullAccess (auto-mapping) + SendAs. Work done via ComputerGuru Exchange Operator MSP app cert auth (EXO module v3.10.0 installed on Howard-Home for this session). All 8 permission grants verified post-creation. Ticket #32417 (id 112597225), 0.5h remote, invoice #1650665832 $0.00 prepaid, block 56.25→55.75; ticket Invoiced. |
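As an added illustration of the 2026-06-08 Edge UNC root cause (example code written for this page, not Chromium's or ACG's), the two prefixing rules side by side: a blind `\\?\` prepend yields the malformed path, while a UNC-aware converter emits the `\\?\UNC\` form. The sample paths and the `jdoe` user name are constructed.

```python
# Windows extended-length path prefixing, buggy vs. correct.
# Valid forms:  \\?\C:\dir\file           (drive path)
#               \\?\UNC\server\share\file (UNC path)
# The regression noted in the log prepends \\?\ to a raw UNC path and
# produces \\?\\\server\share\file, which is not a valid path form.
from __future__ import annotations

EXTENDED_PREFIX = "\\\\?\\"          # \\?\
UNC_EXTENDED_PREFIX = "\\\\?\\UNC\\"  # \\?\UNC\
DEVICE_PREFIX = "\\\\.\\"            # \\.\ (device namespace, left untouched)


def is_unc(path: str) -> bool:
    # A plain UNC path starts with two backslashes and is not already
    # in the extended-length or device namespace.
    return (
        path.startswith("\\\\")
        and not path.startswith(EXTENDED_PREFIX)
        and not path.startswith(DEVICE_PREFIX)
    )


def buggy_extend(path: str) -> str:
    # Reproduces the described behaviour: no UNC special-casing.
    if path.startswith(EXTENDED_PREFIX):
        return path
    return EXTENDED_PREFIX + path


def correct_extend(path: str) -> str:
    # UNC-aware conversion; idempotent on already-extended paths.
    if path.startswith(EXTENDED_PREFIX) or path.startswith(DEVICE_PREFIX):
        return path
    if is_unc(path):
        return UNC_EXTENDED_PREFIX + path[2:]   # drop the leading \\
    return EXTENDED_PREFIX + path


def is_wellformed_extended(path: str) -> bool:
    # After \\?\ the next component must be a drive letter or "UNC",
    # never another backslash.
    if not path.startswith(EXTENDED_PREFIX):
        return False
    rest = path[len(EXTENDED_PREFIX):]
    return bool(rest) and not rest.startswith("\\")


if __name__ == "__main__":
    # Constructed sample matching a redirected Downloads folder.
    sample = r"\\cs-server\homes\jdoe\Downloads\report.xlsx"
    for fn in (buggy_extend, correct_extend):
        out = fn(sample)
        print(f"{fn.__name__:15} {out}  wellformed={is_wellformed_extended(out)}")
```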
Compilation Notes
Session logs read: 28 root session logs + client-specific logs in clients/cascades-tucson/session-logs/ (through 2026-06-12 shared-mailbox session) + 7 memory files + 5 structured docs. Date range: 2026-03-06 through 2026-06-12.
Client folder: clients/cascades-tucson/ (NOT clients/cascades/ — that directory does not exist).
Open items flagged as unverified:
- Break-glass accounts + YubiKeys — confirmed not created as of 2026-05-27; YubiKey arrival unconfirmed
- Audit retention infra — approved 2026-04-29, not yet built
- dunedolly21@gmail.com guest invite — confirm with Lauren
- Windows MDM auto-enroll scope — confirm in portal (Entra → Devices → Mobility → Microsoft Intune → MDM user scope)
- #32381 / #32382 ticket details (Tamra scanner, Megan file access) — referenced in 2026-06-04 session log reference table only; full ticket details not documented in session logs
- #32370 — confirmed [New]/open in Syncro 2026-06-13 (eFax/scanner onsite, not yet scheduled)
- Edge UNC download bug fix path — no fix applied as of 2026-06-08; decision pending Howard
- ALIS BAA with Medtelligent — not yet verified; confirm with Meredith
- JD Martin (jd.martin@cascadestucson.com) — confirmed Syncro contact; role not yet documented
Resolved since last compile (2026-06-05 → 2026-06-13):
- New tiered remediation app suite — confirmed consented 2026-04-21 (all 6 apps active)
- DMARC — confirmed upgraded to p=quarantine;pct=100
- ALIS AADSTS65001 sign-in failures — resolved 2026-06-03 by granting admin consent
- Chris Knight bill.com / BOK email delivery (#32383) — Resolved (confirmed live 2026-06-13); BOK corrected in portal 2026-06-04, bill.com fixed sender-side (support + SendGrid suppression clear)
- CSC - Caregiver Device Lockdown GPO — deployed 2026-06-05 (was blocked/pending in prior compile)
- Hybrid Entra Join on NURSESTATION-PC — proven 2026-06-05; Intune-to-GPO pivot complete; full caregiver desktop access model validated end-to-end
- Ticket #32303 billing — 7.0h billed 2026-06-05, invoice #67782 ($0.00 prepaid); ASSISTNURSE-PC reinstall 1.0h billed on same ticket (implied by balance chain 57.75→56.75); ticket Invoiced
- Folder redirection root cause found and fixed (2026-06-08): fdeploy.ini written to GPO {512B43A4}; native FR now works for new users
- Stale Word owner files on cascadesDS cleared (2026-06-10): 5 orphaned ~$ files deleted via RMM ASSISTMAN-PC session; ticket #32403 Invoiced
- Shared mailboxes grievances@ + Surveys@ created and delegated (2026-06-12): ticket #32417 Invoiced; prepay block now 55.75h (confirmed live pull 2026-06-13)
Backlinks
- projects/gururmm — RECEPTIONIST-PC enrolled (site CascadesTucson); CS-SERVER enrolled