claudetools/wiki/clients/rednour.md

type: client
name: rednour
display_name: Rednour Law Offices
last_compiled: 2026-06-29
compiled_by: HOWARD-HOME/claude-main
sources:
  • clients/rednour/reports/2026-05-31-onboard-and-rename-emma-to-carla.md
  • clients/rednour/reports/2026-06-01-carla-password-set.md
  • clients/rednour/reports/2026-06-02-carrie-emma-display-name-stale-pin.md
  • clients/rednour/session-logs/2026-06-02-session.md
  • clients/rednour/session-logs/2026-06/2026-06-25-howard-nick-smb-share-and-mac-rmm.md
  • clients/rednour/session-logs/2026-06/2026-06-26-howard-nick-mac-rmm-rootcause.md
  • clients/rednour/session-logs/2026-06/2026-06-29-howard-nick-mac-rmm-install-attempt.md
  • clients/rednour/session-logs/2026-06/2026-06-29-howard-legalasst-zip-hang-wp5-win11.md
  • clients/rednour/session-logs/2026-06/2026-06-29-howard-carrie-win11-upgrade-applyimage.md
  • clients/rednour/onboarding-baselines/FRONTDESKRECEPT-20260529T195614.md
  • clients/rednour/onboarding-baselines/LEGALASST-20260529T200647.md
  • clients/rednour/onboarding-baselines/REDNOURCARRIEVI-20260529T202250.md
  • session-logs/2026-05-31-mike-rednour-and-claudetools-infra.md

Rednour Law Offices

Profile

  • Business type: Law firm (Arizona)
  • Syncro Customer ID: 1224246
  • Contract type: Break-fix / time-and-materials (prepaid hours: 0)
  • Recurring line: ~$59.09/mo (small managed/hosting line)
  • Labor rate: (verify — recent labor invoices suggest ~$150-175/hr)
  • Managed asset count: 4 (per Syncro)
  • Active open tickets: None as of 2026-06-29
  • Primary historical ticket: Syncro #32343 (id 111409967) — M365 onboarding + email account changes. Status: Invoiced. URL: https://computerguru.syncromsp.com/tickets/111409967

Contacts

| Name | Role | UPN / Email | Object ID | Notes |
|---|---|---|---|---|
| Carrie Rednour | Owner / attorney; M365 Global Admin | crednour@rednourlaw.com, sysadmin@rednourlaw.com | a0fc8517-1c2a-4d72-b774-c0d5c929167a | sysadmin@ is an alias on the same account; communicates via text with Mike directly |
| Carla Skinner | Legal assistant / employee | carla@rednourlaw.com | 93074d1a-6db2-4794-8f7d-c84a619e4494 | Renamed from Emma on 2026-05-31; emma@ + dgarcia@ + alee@ aliases retained by design (see below) |
| Nick Pafford | Employee | npafford@rednourlaw.com, nick@rednourlaw.com | fe859088-bcbc-49dc-aaea-4c6e68f7d5bb | nick@ added as alias on 2026-05-31; SMB share access set up 2026-06-25 (local nick on REDNOURCARRIEVI -> Documents); on an Apple Silicon Mac (GuruRMM enrollment pending — installer runs but agent does not enroll; fix staged) |
| receptionist | Shared mailbox | receptionist@rednourlaw.com | | No personal contact; 34 contacts in mailbox as of 2026-06-02 sweep |

System recipient: DiscoverySearchMailbox (Exchange system object — not a user).

Nick's Mac (ScreenConnect name DUXs-Mac-Studio): Apple Mac Studio, Mac13,1, Apple M1 Max (arm64), macOS 26.5.1, serial F6QR2PN2R6. Confirm this is Nick's box before enrolling (name suggests a "Dux" user).

Infrastructure

Network

  • Topology: Workgroup (no on-prem AD, no domain join). All three enrolled machines report PartOfDomain=False.
  • LAN subnet: 192.168.10.0/24, default gateway 192.168.10.1.
  • ZeroTier: Present on REDNOURCARRIEVI (IP: 10.147.17.253 / fcfb:1c63:8659:2d21:d189::1). Not documented on other workstations.

Workstations (GuruRMM enrolled)

All three machines were enrolled by 2026-05-29. Onboarding diagnostic grade: RED across the board (foreign agents, patch gaps — see open items). As of 2026-06-29 the GuruRMM fleet shows them as FrontDeskReception, LegalAsst, rednourcarrievirt (agent display names may differ from Windows hostnames; rednourcarrievirt is the current network/SMB name for Carrie's box, formerly REDNOURCARRIEVI).

| Hostname | Model | CPU | RAM | OS | IP | Agent ID | Grade |
|---|---|---|---|---|---|---|---|
| FRONTDESKRECEPT | Dell OptiPlex 3080 | i5-10505 6c/12t | 15.8 GB | Win 11 Pro build 26200 | 192.168.10.115 | 04765560-3e8a-46e5-a507-c5f5f4ead6eb | RED |
| LEGALASST | Generic OEM | AMD Ryzen 3 3200G 4c/4t | 5.9 GB | Win 10 Pro build 19045 | 192.168.10.213 | 18825ea7-df58-47bb-b492-822cb16fb5ec | RED |
| REDNOURCARRIEVI (rednourcarrievirt) | Generic OEM | i3-9100 4c/4t | 7.7 GB | Win 10 Pro build 19045 | 192.168.10.194 | 8e4e2221-7e2a-4a6f-9eda-864568539961 | RED |

Common issues across all three at onboarding:

  • ScreenConnect (ConnectWise Control) running — prior MSP remote-access agent, not yet removed
  • Splashtop Streamer running — prior MSP remote-access agent, not yet removed
  • Syncro agent running — prior MSP agent, not yet removed
  • No backup agent detected on any workstation

LEGALASST additional:

  • Win 10 22H2 (build 19045) — EOL since 2025-10-14; no longer receives security patches
  • 43 days uptime at baseline; reboot pending
  • Local admins include stale accounts Ale and Emma (pre-rename artifact)
  • Active local account: emma; profile: C:\Users\Ale; OneDrive: carla@rednourlaw.com
  • Leftover SyncroLive.Agent.Runner still running as of 2026-06-29
  • AMD GPU driver 31.0.12027.9001 (2023-03-29); 7-Zip 26.02 installed 2026-06-29 at C:\Program Files\7-Zip\
  • Mapped drives (user emma): X: \\rednourcarrievirt\Time Matters Shared Files, Y: \\rednourcarrievirt\Timeslips, Z: \\rednourcarrievirt\Documents — Status OK as of 2026-06-29
  • SFC ran 2026-06-29, repaired corruption (0 unrepairable); repair pending reboot to load

REDNOURCARRIEVI (rednourcarrievirt) additional:

  • Win 10 22H2 (build 19045) — EOL since 2025-10-14
  • Defender real-time protection OFF + antimalware service not running at baseline (critical)
  • Datto RMM running — prior MSP agent, not yet removed
  • C: drive at 11.7% free (54.4 GB of 465.1 GB) at baseline
  • Last hotfix at baseline: KB5072653 (2025-12-20 — severely behind)
  • 151 installed programs, 19 non-MS scheduled tasks — elevated attack surface
  • RDP enabled without NLA at baseline
  • Time source: local CMOS clock (not NTP) at baseline

FRONTDESKRECEPT additional:

  • BitLocker off on OS volume
  • 2 pending Windows updates at baseline
  • Local admin account guru present (ACG account, expected)

File Shares (workgroup, peer-to-peer)

REDNOURCARRIEVI / rednourcarrievirt (192.168.10.194 LAN / 10.147.17.253 ZeroTier) hosts the firm's shared files as peer-to-peer SMB shares (no server, no AD):

  • Documents -> C:\Users\Carrie\Documents — the primary working share (also exposed redundantly as ShareName, same path). Mac/PC clients authenticate with a local Windows account on the box.
  • Local accounts with access to Documents: Carrie, emma (legacy local account, actively used — unrelated to the M365 Emma->Carla rename), localadmin, and nick (added 2026-06-25 for Nick Pafford; share Change + NTFS Modify; cred vaulted at clients/rednour/nick-smb-rednourcarrievi.sops.yaml).
  • Other shares present: Time Matters Shared Files, Timeslips, Program Files sage, Users, New folder. Security note: several are over-broad (Everyone=Full on Program Files/Users/Time Matters) — cleanup candidate.
  • Mac mount string: smb://192.168.10.194/Documents.

GuruRMM Site

  • Site name: Main Office
  • Site code: GREEN-FALCON-7214
  • Site UUID: c7f5787c-8e71-45b3-841f-fa52436f7d26
  • Client UUID: 85f7cff4-d4db-48a8-b477-b8788122a361
  • Enrollment key vault path: clients/rednour/gururmm-site-main.sops.yaml

Cloud / M365

  • Tenant domain: rednourlaw.com
  • Tenant ID: 4a4ca18a-f516-478b-99da-2e0722c5dc18
  • Onboarded to ComputerGuru MSP suite: 2026-05-31 (bootstrapped by Mike during Emma->Carla rename session)

MSP Service Principals

All five ComputerGuru SPs are fully consented as of 2026-05-31:

| SP Name | App ID | SP Object ID | Role(s) Assigned |
|---|---|---|---|
| Tenant Admin | 709e6eed-0711-4875-9c44-2d3518c47063 | 671a2ace-be9e-440c-a7d6-5ff982e4500c | Conditional Access Administrator |
| Security Investigator | bfbc12a4-f0dd-4e12-b06d-997e7271e10c | 704da463-7f4e-484c-b1da-40e447615d52 | Exchange Administrator |
| Exchange Operator | b43e7342-5b4b-492f-890f-bb5a4f7f40e9 | 59a68ba9-5e1e-4a56-92ae-507a9a669a79 | Exchange Administrator |
| User Manager | 64fac46b-8b44-41ad-93ee-7da03927576c | dc3b79a2-638b-42fe-8ecb-51592db7d40f | User Administrator + Authentication Administrator |
| Defender Add-on | dbf8ad1a-54f4-4bb8-8a9e-ea5b9634635b | 052da8aa-1ca5-4f60-b9c5-7aafcb74264b | None |

[WARNING] No MDE license in this tenant. Defender Add-on is consented but calling Defender ATP endpoints returns AADSTS650052. Skip the defender tier for all remediation work against this tenant.

Mailboxes

| Display Name | UPN | Object ID | Notes |
|---|---|---|---|
| Carla Skinner | carla@rednourlaw.com | 93074d1a-6db2-4794-8f7d-c84a619e4494 | Renamed from Emma on 2026-05-31; aliases: emma@, dgarcia@, alee@, dgarcia@rednourlaw.onmicrosoft.com |
| Carrie Rednour | crednour@rednourlaw.com | a0fc8517-1c2a-4d72-b774-c0d5c929167a | Global Admin; sysadmin@ is also hers |
| Nick Pafford | npafford@rednourlaw.com | fe859088-bcbc-49dc-aaea-4c6e68f7d5bb | nick@ alias added 2026-05-31 |
| receptionist | receptionist@rednourlaw.com | | 34 contacts in mailbox |
| DiscoverySearchMailbox | (system) | | Exchange system object |

Carla's retained aliases: The mailbox mailNickname was historically dgarcia (prior employee Garcia -> passed to Emma -> now Carla). Both dgarcia@ and alee@ were kept by operator's explicit choice on 2026-05-31. The emma@ alias was kept so mail to emma@ continues to reach Carla. Revisit only if the firm requests decommissioning of these addresses.

Syncro

  • Customer: Rednour Law Offices, id 1224246
  • Contract type: Break-fix / T&M; prepaid hours: 0; recurring ~$59.09/mo
  • Managed asset count: 4
  • Primary ticket: #32343 (id 111409967), Status: Invoiced
    • 0.5h remote labor (line item 42654682, $75.00, non-taxable, attributed to Mike user_id 1735) — on the existing invoice
    • Comments: 415513323 (hidden/internal), 415514647 (customer-visible), 416427937 (internal — 2026-06-02 follow-up contact fix)
    • Additional onsite labor from 2026-06-25 SMB share work deferred by Howard; Syncro supports multiple invoices per ticket
  • [WARNING] Plaintext local-account passwords in Syncro customer notes (carrie, ale accounts). These are being vaulted separately — vault migration pending. Do not use Syncro notes as the authoritative credential source.

History

2026-05-29 — GuruRMM enrollment + onboarding baselines

Three workstations enrolled in GuruRMM site "Main Office": FRONTDESKRECEPT, LEGALASST, REDNOURCARRIEVI. Onboarding diagnostic baselines captured (all graded RED). Prior MSP agents (ScreenConnect, Splashtop, Syncro, Datto RMM on Carrie's machine) still present — not yet removed.

2026-05-31 — M365 onboarding + Emma -> Carla rename

Syncro ticket #32343. Operator: Mike Swanson.

Tenant had never been fully onboarded to the ComputerGuru MSP suite — only Tenant Admin was consented, and Exchange Operator lacked Exchange Administrator role. Root cause surfaced as an HTTP 403 when attempting Get-Mailbox during the rename. Resolution: Mike clicked the Tenant Admin admin-consent URL as Global Admin (Carrie's account), then ran onboard-tenant.sh rednourlaw.com to consent the remaining four SPs and assign directory roles.

After Exchange role propagation (~60s), the rename was executed in three calls:

  1. Set-Mailbox via Exchange REST — updated EmailAddresses (carla@ as primary, emma@/dgarcia@/alee@ as aliases)
  2. Graph PATCH /users/{id} — updated UPN, displayName, mailNickname, givenName, surname
  3. POST /users/{id}/revokeSignInSessions — invalidated active tokens

Nick Pafford already existed as npafford@; smtp:nick@rednourlaw.com was added as an alias on his existing mailbox (no UPN change, no session revoke). Ticket set to Resolved; shared-drive access for Nick deferred.

2026-06-01 — Carla password set (client-directed)

Carla's account password set administratively via Graph User Manager app at client direction (forceChangePasswordNextSignIn: false, no session revocation). Password quality flagged to operator as weak (dictionary word + sequential digits) but applied as directed.

2026-06-02 — Stale pinned contact fix (Carrie's mailbox)

Carrie reported inbound mail from Carla still showed "Emma - Rednour Law". Server-side state was correct; root cause was a leftover pinned contact (IPF.Contact.MOC.QuickContacts) in Carrie's own mailbox mapping emma@rednourlaw.com -> display name "Emma - Rednour Law". Because emma@ is a live proxy alias on Carla's mailbox, Outlook resolved Carla's new mail to this stale pin.

Fix: deleted the pin via EWS (ExchangeImpersonation of crednour@rednourlaw.com using Exchange Operator SP full_access_as_app; DeleteItem with MoveToDeletedItems — recoverable). Graph contacts call (403) confirmed no Contacts.Read scope in any suite app; EWS was the correct path.

All four real-user mailboxes swept — only Carrie was affected:

| Mailbox | Contacts scanned | Stale entries found |
|---|---|---|
| Carrie Rednour | 237 (across 10 folders) | 1 — deleted |
| Nick Pafford | 0 (empty) | none |
| receptionist | 34 (across 10 folders) | none |
| Carla Skinner | 40 (across 9 folders) | none |

No time billed on this follow-up per Mike's standing rule (never log time without explicit minutes + labor type).

2026-06-25 — SMB share access for Nick Pafford + Mac RMM enrollment attempt

Operator: Howard Enos. Resolved the long-deferred shared-drive access for Nick. The "shared drive" turned out to be the Documents SMB share on REDNOURCARRIEVI (C:\Users\Carrie\Documents); identified via Get-SmbShare across all three GuruRMM-enrolled workstations. It was previously reached only through the local emma account.

Created a dedicated standard local account nick on REDNOURCARRIEVI (PasswordNeverExpires), granted share = Change and NTFS = Modify on the Documents folder. Credential vaulted at clients/rednour/nick-smb-rednourcarrievi.sops.yaml. Nick's Mac (Apple Silicon) was confirmed mounting smb://192.168.10.194/Documents (Finder Cmd+K, nick + keychain-saved password) and working onsite.

GuruRMM macOS enrollment FAILED on Nick's Apple Silicon Mac (site Main, GREEN-FALCON-7214). Server serves the agent fine (HTTP 200, 3.96 MB single-arch aarch64). Initial working hypothesis was that the served binary was unsigned (SIGKILL on Apple Silicon). Fix path flagged; deferred for further diagnosis.

Return visit pending: phone + printer setup at Rednour; may require running a new wire or installing a switch.

Operational note: PowerShell Set-Acl ACL propagation down Carrie's large Documents tree exceeded the RMM command timeout (twice), and since stdout is dropped on timeout a randomly-generated password was lost each time. Resolution was to generate the password locally (injected via placeholder) and apply the NTFS ACE with icacls (no /T).

2026-06-26 — Mac RMM enrollment root-cause analysis (offline diagnosis)

Operator: Howard Enos (pre-staging before onsite visit). Nick's Mac was offline in ScreenConnect. All diagnosis done from the repo and the RMM server endpoints.

Disproved the "unsigned binary" hypothesis. Parsed the Mach-O load commands of the served arm64 binary directly: it carries an LC_CODE_SIGNATURE with the adhoc flag set (linker-inserted ad-hoc signature, identifier gururmm_agent-51a9f25b57c13649). An ad-hoc-signed arm64 binary satisfies Apple Silicon's AMFI and runs — the SIGKILL/unsigned theory was wrong. All six linked dylibs are stock system frameworks.
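The load-command check described above, as an added example (not the operator's actual tooling and not GuruRMM code): a minimal parser for a thin 64-bit Mach-O that locates LC_CODE_SIGNATURE and reads the CodeDirectory flags and identifier. The sample image, its identifier `example_agent-0000`, and all function names are constructed for illustration; fat (multi-arch) binaries are out of scope because the served binary is single-arch.

```python
"""Read the code-signature flags of a thin 64-bit Mach-O without macOS tools."""
import struct

MH_MAGIC_64 = 0xFEEDFACF                  # little-endian 64-bit Mach-O header
CPU_TYPE_ARM64 = 0x0100000C
LC_UUID, LC_CODE_SIGNATURE = 0x1B, 0x1D
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0   # SuperBlob wrapping the signature
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CSSLOT_CODEDIRECTORY = 0
CS_ADHOC, CS_LINKER_SIGNED = 0x00000002, 0x00020000


def _code_directory(blob: bytes) -> dict:
    """Walk the big-endian SuperBlob index and decode the CodeDirectory."""
    magic, _length, count = struct.unpack_from(">3I", blob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("LC_CODE_SIGNATURE does not point at a SuperBlob")
    for i in range(count):
        slot, offset = struct.unpack_from(">2I", blob, 12 + 8 * i)
        if slot != CSSLOT_CODEDIRECTORY:
            continue
        cd_magic, cd_len, _ver, flags, _hash_off, ident_off = struct.unpack_from(
            ">6I", blob, offset)
        if cd_magic != CSMAGIC_CODEDIRECTORY:
            raise ValueError("slot 0 is not a CodeDirectory")
        cd = blob[offset:offset + cd_len]
        # The identifier is a NUL-terminated string inside the CodeDirectory.
        ident = cd[ident_off:cd.index(b"\0", ident_off)].decode("ascii")
        return {"signed": True, "adhoc": bool(flags & CS_ADHOC),
                "linker_signed": bool(flags & CS_LINKER_SIGNED),
                "identifier": ident}
    raise ValueError("signature has no CodeDirectory")


def inspect_macho(image: bytes) -> dict:
    """Return arch and signature facts for a thin 64-bit Mach-O image."""
    try:
        magic, cputype, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(
            "<8I", image, 0)
        if magic != MH_MAGIC_64:
            raise ValueError("not a thin little-endian 64-bit Mach-O")
        info = {"arm64": cputype == CPU_TYPE_ARM64, "signed": False,
                "adhoc": False, "linker_signed": False, "identifier": None}
        off, end = 32, 32 + sizeofcmds
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack_from("<2I", image, off)
            if cmdsize < 8 or off + cmdsize > end:
                raise ValueError("load command overruns sizeofcmds")
            if cmd == LC_CODE_SIGNATURE:
                # linkedit_data_command: file offset and size of the blob.
                dataoff, datasize = struct.unpack_from("<2I", image, off + 8)
                blob = image[dataoff:dataoff + datasize]
                if len(blob) != datasize:
                    raise ValueError("signature blob is truncated")
                info.update(_code_directory(blob))
            off += cmdsize
        return info
    except struct.error as exc:
        raise ValueError(f"truncated Mach-O: {exc}") from exc


def build_sample(cs_flags=None, ident=b"example_agent-0000") -> bytes:
    """Constructed test image: header, LC_UUID, optional LC_CODE_SIGNATURE."""
    cmds = struct.pack("<2I16s", LC_UUID, 24, bytes(16))
    sig = b""
    if cs_flags is not None:
        cd_len = 44 + len(ident) + 1          # fixed header + ident + NUL
        cd = struct.pack(">9I4BI", CSMAGIC_CODEDIRECTORY, cd_len, 0x20001,
                         cs_flags, cd_len, 44, 0, 0, 0, 32, 2, 0, 12, 0)
        cd += ident + b"\0"
        sig = struct.pack(">5I", CSMAGIC_EMBEDDED_SIGNATURE, 20 + len(cd), 1,
                          CSSLOT_CODEDIRECTORY, 20) + cd
        cmds += struct.pack("<4I", LC_CODE_SIGNATURE, 16, 32 + 24 + 16, len(sig))
    ncmds = 1 if cs_flags is None else 2
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2,
                         ncmds, len(cmds), 0, 0)
    return header + cmds + sig


if __name__ == "__main__":
    print(inspect_macho(build_sample(CS_ADHOC | CS_LINKER_SIGNED)))
```

To check a downloaded agent instead of the constructed sample, pass the file's bytes to `inspect_macho`.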

Real root cause found in source: The server's enrollment endpoint (server/src/api/enroll.rs, line 29) types EnrollRequest.site_id as uuid::Uuid — it requires a UUID. The macOS install script (/install/GREEN-FALCON-7214/macos) writes the site code string GREEN-FALCON-7214 into /usr/local/etc/gururmm/site.plist as site_id. The agent reads that and POSTs site_id: "GREEN-FALCON-7214" to /api/enroll, which fails UUID deserialization (HTTP 422) — enrollment retries forever, agent never connects. The "file not found" symptom Howard observed is a secondary effect: config.rs::default_config_path() has no macOS branch, so a manual gururmm-agent run with no readable plist falls back to the Linux path /etc/gururmm/config.toml (does not exist on macOS).

Correct site UUID for Rednour Main: c7f5787c-8e71-45b3-841f-fa52436f7d26 (confirmed via RMM API). The .pkg postinstall hardcodes d008c7d4-... which belongs to a different/test site — do not use.

Fix staged: a self-contained Terminal paste-block was delivered to Howard's Discord DMs that installs the agent, writes site.plist with the UUID (not the code), writes the LaunchDaemon, reloads, and verifies. Per Howard's instruction, the wiki, coord todo 6f2d22be, and Mike were NOT updated pending onsite verification.
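A preflight for the site code vs UUID failure described in this entry, as an added example (not the staged paste-block and not GuruRMM code): it parses a site.plist and rejects a `site_id` that is a site code, a non-UUID, or a valid UUID for the wrong site. The sample plists, the stand-in "other site" UUID, the site-code pattern, and the function names are assumptions made for illustration; the canonical-form requirement is a policy choice of this check.

```python
"""Preflight check for a GuruRMM site.plist before the agent tries to enroll."""
import plistlib
import re
import uuid
from xml.parsers.expat import ExpatError

# Site UUID for Rednour "Main Office", as recorded on this page.
EXPECTED_SITE_UUID = "c7f5787c-8e71-45b3-841f-fa52436f7d26"

# Assumption: site codes look like WORD-WORD-NNNN, inferred from the single
# code shown on this page (GREEN-FALCON-7214).
SITE_CODE_RE = re.compile(r"^[A-Z]+-[A-Z]+-\d{4}$")


def make_plist(body: str) -> bytes:
    """Wrap key/value XML in a minimal plist (used for constructed samples)."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            f'<plist version="1.0"><dict>{body}</dict></plist>').encode()


# Constructed samples. "other_site" uses a made-up UUID standing in for a
# UUID that is well-formed but belongs to a different site.
SAMPLES = {
    "code": make_plist("<key>site_id</key><string>GREEN-FALCON-7214</string>"),
    "uuid": make_plist(
        f"<key>site_id</key><string>{EXPECTED_SITE_UUID}</string>"),
    "other_site": make_plist(
        "<key>site_id</key>"
        "<string>00000000-0000-4000-8000-000000000001</string>"),
    "missing": make_plist("<key>server</key><string>example.invalid</string>"),
}


def classify_site_id(value) -> str:
    """Return 'uuid', 'site_code', 'not_uuid' or 'missing' for a site_id."""
    if not isinstance(value, str) or not value:
        return "missing"
    if SITE_CODE_RE.match(value):
        return "site_code"
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return "not_uuid"
    # Policy of this check: accept only the canonical hyphenated form.
    return "uuid" if str(parsed) == value.lower() else "not_uuid"


def check_site_plist(data: bytes, expected_uuid: str = EXPECTED_SITE_UUID):
    """Return (ok, reason) for the raw bytes of a site.plist."""
    try:
        doc = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return (False, "unparseable")
    if not isinstance(doc, dict):
        return (False, "unparseable")
    kind = classify_site_id(doc.get("site_id"))
    if kind != "uuid":
        return (False, kind)
    if doc["site_id"].lower() != expected_uuid.lower():
        return (False, "wrong_site")
    return (True, "ok")


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, check_site_plist(data))
```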

2026-06-29 — Mac RMM install attempt (still not enrolling)

Operator: Howard Enos (onsite at Rednour). Provided Nick the macOS curl | sudo bash one-liner (/install/GREEN-FALCON-7214/macos). Verified the binary is arm64 Mach-O before handoff. Nick (or someone at the Mac) ran the installer and it reported success. Fleet checks repeated 3x — no macOS agent appeared under Rednour Law Offices. The install script ran the original (unpatched) path and wrote the site CODE (not UUID) to site.plist, so the agent retries enrollment forever without connecting. Howard is no longer onsite and does not have the user's Mac password.

Mike was flagged via Discord DM (message_id 1521264675965374656) that the macOS installer has an enrollment issue; asked whether he has another M1/Apple Silicon Mac to test. Next step: run foreground sudo /usr/local/bin/gururmm-agent on the Mac to capture the connect/enroll error, and overwrite site.plist with the UUID fix.

Install page note: The public install page /install/GREEN-FALCON-7214 shows only Windows and Linux download buttons — no Mac button. The macOS path is the curl | sudo bash one-liner at /install/GREEN-FALCON-7214/macos.

Operator: Howard Enos (reported via Carrie). The legal assistant's workstation LEGALASST (Carla Skinner's box; active local account emma, profile C:\Users\Ale, OneDrive carla@rednourlaw.com) repeatedly hung explorer when opening files. Diagnosed live over GuruRMM (agent 18825ea7-df58-47bb-b492-822cb16fb5ec).

  • explorer HANGS, not crashes — AppHang Event 1002 (no Event 1000 / faulting module); ~10 in 3h on 2026-06-29, continuing after a 10:52 reboot.
  • Root cause: the built-in Windows Compressed Folders handler (explorer's zip-as-folder namespace). Symptom narrowed to opening .zip only (Word/PDF/folders fine), and the failing zip is local (desktop) — not OneDrive, not a network share. zipfldr.dll is intact + validly signed, so the hang is environmental, not a corrupt handler DLL.
  • Ruled out: Adobe shell extensions (blocked/tested via the Microsoft Shell Extensions\Blocked list, no change, reverted); AMD Vega driver (only non-MS DLLs in explorer, but zero TDR events); OneDrive (overlay not even loaded, sync healthy); remapped drives X/Y/Z -> \\rednourcarrievirt (Status OK, SMB healthy); .NET Runtime 1022 "profiling API attach" (201 events but no COR_PROFILER set — benign noise).
  • SFC (run by Howard) found and repaired corruption (0 unrepairable) — repair pending a reboot to load.
  • Workaround: Howard installed 7-Zip 26.02 (C:\Program Files\7-Zip\7zFM.exe); it opens the zips fine (bypasses explorer's zip namespace). Howard to set 7-Zip as default for .zip (and .7z/.rar, currently unassociated). .zip had no UserChoice; 7-Zip only registered a 7-Zip.iso ProgId on install.
  • Second issue (same machine): WordPerfect 5 "not enough free space" on save regardless of save location, despite Howard verifying ample free space. Leading hypothesis: legacy/DOS-era WordPerfect free-space miscalculation on large-capacity volumes (free-space value overflows -> false "disk full"). App-level; the OS upgrade will not fix it. Mitigate via DOSBox or a SUBST'd small-capacity save target. Exact WP version/edition (DOS 5.1 vs Windows) to be confirmed.
  • Plan: upgrade LEGALASST to Windows 11 — expected to resolve the zip-handler hang by rebuilding the shell/system files (also applies the SFC repair). Verify by opening a local .zip with the built-in handler post-upgrade. If the hang persists, next lead is Defender archive-scan + cloud (MAPS) lookup stalling the shell.

All diagnostic changes were reverted (Adobe/7-Zip Blocked-list test entries removed; an orphaned RMM diagnostic process killed) — the box was left clean.

2026-06-29 — Carrie's machine Win10 -> Win11 upgrade fails at SAFE_OS / APPLY_IMAGE

Operator: Howard Enos (diagnostic only; no remote action). The in-place Windows 10 -> 11 upgrade on Carrie's machine (REDNOURCARRIEVI / rednourcarrievirt) rolled back with 0x8007000D - 0x2000C — "The installation failed in the SAFE_OS phase with an error during APPLY_IMAGE operation."

Decoded: 0x8007000D = ERROR_INVALID_DATA; 0x2000C = failure in the SAFE_OS (offline WinPE) phase during the APPLY_IMAGE step — Setup choked while laying down the new image. This signature points at corrupt/incomplete setup media or download, a storage/disk issue, or interference from drivers/AV/attached externals — NOT a TPM/hardware-compatibility block (which fails earlier with a different message).

Remediation path provided (prioritized): (1) unplug all non-essential externals + temporarily disable third-party AV; (2) build fresh media via the Media Creation Tool and run setup.exe from a mounted ISO rather than the in-place download/Update Assistant; (3) clear the upgrade cache ($WINDOWS.~BT, $WINDOWS.~WS, SoftwareDistribution\Download) after stopping wuauserv/bits; (4) DISM RestoreHealth + SFC + chkdsk, confirm 20+ GB free; (5) update storage/chipset drivers (Intel RST / AMD RAID is a classic APPLY_IMAGE culprit).

Howard reported driver updates and OS repairs were already done. He will attempt the upgrade manually on-site tonight (2026-06-29) and loop back if it fails. GuruRMM is not working for Rednour, so this cannot be assisted remotely — it is a hands-on effort. If the next attempt fails, the actionable next step is to pull the first error from C:\$WINDOWS.~BT\Sources\Panther\setuperr.log around the APPLY_IMAGE step.

Patterns & Known Issues

  • EWS required for personal contact work. No app in the ComputerGuru suite holds Contacts.Read or Contacts.ReadWrite on Graph. Personal contact folder reads and modifications must go through EWS (full_access_as_app on the Exchange Operator SP with ExchangeImpersonation).
  • Security Investigator EXO token unreliable on this tenant. The investigator SP's EXO token (aud=outlook.office365.com) returned 401 on InvokeCommand during the 2026-06-02 session; the Exchange Operator SP token worked. Prefer Exchange Operator for EXO InvokeCommand on rednourlaw.com.
  • Stale-pin shadowing pattern: IPF.Contact.MOC.QuickContacts folder entries override the GAL for display-name resolution in Outlook/Teams. If any user reports a renamed sender still showing the old name, run the EWS contact-folder sweep against that user's mailbox.
  • emma@ alias is live by design. Mail to emma@rednourlaw.com routes to Carla Skinner. Do not remove unless the firm explicitly requests it.
  • No MDE license — skip Defender tier. Defender Add-on is consented but ATP endpoints return AADSTS650052. Do not attempt Defender-tier calls for this tenant.
  • Prior MSP agents still installed. ScreenConnect, Splashtop, and Syncro on all workstations; Datto RMM on REDNOURCARRIEVI. Not yet remediated as of 2026-06-29.
  • macOS RMM agent installs but does not enroll (site code vs UUID bug). The macOS install script writes the site enrollment CODE (GREEN-FALCON-7214) into site.plist as site_id. The server's EnrollRequest.site_id is typed uuid::Uuid — posting the code string causes a 422 UUID deserialization error; the agent retries enrollment forever without connecting. Fix: overwrite site.plist with the site UUID c7f5787c-8e71-45b3-841f-fa52436f7d26 and reload the LaunchDaemon. The paste-block fix was delivered to Howard's Discord DMs (2026-06-26) but has not been applied to Nick's Mac (blocked: no onsite access + no Mac password as of 2026-06-29). Root code fix for Mike: either the install script should stamp the UUID (like the .pkg postinstall), or /api/enroll should accept a site code. Secondary: add a macOS branch to default_config_path() in agent/src/config.rs. Coord todo: 6f2d22be-e653-48c8-9f9b-0155420b315d (project gururmm).
  • LEGALASST and REDNOURCARRIEVI are on Win 10 22H2 (EOL). No security updates since 2025-10-14. Plan OS upgrade to Win 11.
  • GuruRMM is not working for Rednour. As of 2026-06-29 remote management/remediation via GuruRMM is not usable for this client — any assist must be hands-on / on-site. (Scope verify: whether the agents are offline fleet-wide for Rednour or RMM is simply not a viable path for interactive feature-upgrade work. Note this contradicts earlier live-over-RMM diagnostics on LEGALASST — confirm current agent state before relying on RMM here.)
  • Win11 in-place upgrade on REDNOURCARRIEVI fails at SAFE_OS / APPLY_IMAGE (0x8007000D - 0x2000C). ERROR_INVALID_DATA while applying the image in the offline phase — points at media/download corruption, storage/disk, or driver/AV/external-device interference, NOT a hardware-compat block. Fix path: fresh ISO via Media Creation Tool + setup.exe from mounted ISO, externals unplugged, AV off, upgrade cache cleared, DISM/SFC/chkdsk done. If it recurs, pull the first error from C:\$WINDOWS.~BT\Sources\Panther\setuperr.log around APPLY_IMAGE. Drivers + repairs already done by Howard; manual attempt scheduled 2026-06-29 evening.
  • REDNOURCARRIEVI: Defender was off at onboarding. Confirm it has been re-enabled; it is a critical finding.
  • REDNOURCARRIEVI: RDP enabled without NLA at onboarding. Restrict RDP to VPN-only or require NLA.
  • LEGALASST: built-in Compressed Folders handler hangs explorer on .zip open. Local zips; Word/PDF fine. zipfldr.dll intact (environmental, not a corrupt DLL). AppHang Event 1002, no faulting module. Workaround = 7-Zip as default for .zip. Win11 upgrade planned to resolve. If it persists post-upgrade, suspect Defender archive-scan + cloud (MAPS) lookup stalling the shell. To test-disable any shell extension reversibly, add its CLSID to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked (delete to restore).
  • LEGALASST: WordPerfect 5 "not enough free space" on save despite verified free space and regardless of save location. Likely legacy free-space overflow on large-capacity volumes; OS upgrade will not fix it; mitigate via DOSBox / SUBST small-capacity drive. Confirm WP version/edition.
  • .NET Runtime 1022 "profiling API attach" errors are noise unless a COR_PROFILER env var is actually set — do not chase them as a hang cause.
  • Plaintext local-account passwords in Syncro customer notes. Accounts carrie and ale appear in Syncro notes in plaintext — vault migration pending. Do not rely on Syncro notes as the authoritative credential store for these accounts.

Active Work / Open Items

| Priority | Action | Owner | Notes |
|---|---|---|---|
| P1 | Re-enable Defender on REDNOURCARRIEVI | Howard/Mike | Was off at onboarding 2026-05-29; confirm current state |
| P1 | Remove prior MSP agents (ScreenConnect, Splashtop, Syncro, Datto RMM) | Mike/Howard | Present on all 3 machines; Datto RMM on REDNOURCARRIEVI only |
| P1 | Upgrade LEGALASST to Windows 11 | Mike/Howard | Expected to resolve the explorer-on-.zip hang (rebuilds shell/system files) + applies pending SFC repair. Pre-reqs: enable fTPM + Secure Boot (Ryzen 3 3200G is Win11-supported), bump RAM from 5.9 GB, remove leftover Syncro agent. Test a local .zip with the built-in handler post-upgrade |
| P1 | Upgrade REDNOURCARRIEVI (Carrie's machine) to Windows 11 | Howard | Win 10 22H2 (EOL 2025-10-14). In-place upgrade fails at SAFE_OS / APPLY_IMAGE 0x8007000D - 0x2000C (ERROR_INVALID_DATA). Drivers + DISM/SFC/chkdsk already done. Manual attempt scheduled 2026-06-29 evening (fresh ISO, externals unplugged, AV off, cache cleared). RMM not usable for Rednour — hands-on only. If it fails, pull C:\$WINDOWS.~BT\Sources\Panther\setuperr.log around APPLY_IMAGE |
| P1 | Restore/verify GuruRMM functionality for Rednour | Howard/Mike | 2026-06-29: RMM reported not working for this client — confirm scope (agents offline vs not a path for upgrades) and restore remote management |
| P2 | Bill Carrie-machine / reception-upgrade work to Syncro #32368 | Howard/Mike | Ticket id 111999527, "New machine for Carrie as central hub/file share + reception upgrade" (created 2026-06-02, status Customer Reply). Bill when work complete — route through /syncro, do not free-hand |
| P1 | Fix GuruRMM macOS agent enrollment on Nick's Apple Silicon Mac | Howard/Mike | Agent installs but does not enroll. Root cause: install script writes site CODE not UUID; server expects UUID. Fix = overwrite /usr/local/etc/gururmm/site.plist with site_id = c7f5787c-8e71-45b3-841f-fa52436f7d26 and reload LaunchDaemon. Paste-block delivered to Howard's Discord DMs (2026-06-26). Blocked: need onsite access + Mac password. Code fix for Mike: enroll.rs accept site code OR install script stamp UUID. Coord todo 6f2d22be |
| P1 | Vault migration of plaintext local-account passwords in Syncro customer notes | Howard/Mike | Accounts carrie, ale; not yet vaulted |
| P2 | LEGALASST: WordPerfect 5 "not enough free space" on save | Howard | 2026-06-29: error on save regardless of location; ample free space verified. Likely legacy free-space overflow on large volume; OS upgrade will NOT fix. Mitigate via DOSBox / SUBST small-capacity drive; confirm WP version/edition |
| INTERIM | LEGALASST: set 7-Zip as default for .zip/.7z/.rar | Howard | 2026-06-29: 7-Zip 26.02 installed as workaround for the built-in zip-handler hang; set defaults via 7-Zip GUI (Tools -> Options -> System) |
| P2 | Return visit: phone + printer setup at Rednour | Howard | 2026-06-25: pending; may require running a new wire / installing a switch |
| P2 | Final invoice on Syncro #32343 | Mike | 0.5h remote labor (line item 42654682) sitting on Invoiced ticket; additional onsite labor from 2026-06-25 SMB share work deferred by Howard |
| P2 | Address BitLocker gap on FRONTDESKRECEPT | Mike/Howard | OS volume unencrypted at onboarding |
| P2 | Confirm Nick's Mac is actually DUXs-Mac-Studio | Howard | ScreenConnect shows this name; "Dux" username may indicate it's not Nick's machine — verify before enrolling |
| P3 | Remove stale local admin accounts (Ale, Emma on LEGALASST) | Howard | Left from prior user assignment |
| P3 | emma@ alias — revisit if firm wants it decommissioned | Mike | Retained by design; currently serves as Carla's legacy address |
| P3 | Security cleanup: over-broad Everyone=Full SMB shares on REDNOURCARRIEVI | Howard | Time Matters Shared Files, Program Files sage, Users shares |
| P3 | Fix REDNOURCARRIEVI RDP: require NLA or restrict to VPN | Howard | RDP open without NLA at onboarding |
| DONE | Shared-drive access for Nick Pafford | Howard | 2026-06-25: created local nick account on REDNOURCARRIEVI; Documents share = Change + NTFS = Modify; cred vaulted clients/rednour/nick-smb-rednourcarrievi.sops.yaml; Nick's Apple Silicon Mac mounts smb://192.168.10.194/Documents |

  • projects/gururmm — FRONTDESKRECEPT, LEGALASST, REDNOURCARRIEVI enrolled (site: Main Office); macOS enrollment code-vs-UUID bug (coord todo 6f2d22be)