diff --git a/.bdcheck_GG4LKSL b/.bdcheck_GG4LKSL
new file mode 100644
index 00000000..edf866e2
--- /dev/null
+++ b/.bdcheck_GG4LKSL
@@ -0,0 +1 @@
+23a8b2e8-c67f-4e70-b219-4a723dc1b957
diff --git a/.bdcheck_MJ-PARALEGAL b/.bdcheck_MJ-PARALEGAL
new file mode 100644
index 00000000..405c5c53
--- /dev/null
+++ b/.bdcheck_MJ-PARALEGAL
@@ -0,0 +1 @@
+6dfebcb5-df2d-45fa-b1d6-22695d52895c
diff --git a/clients/michaeljohnson/onboarding-baselines/DESKTOP-GG4LKSL-20260629T211835.json b/clients/michaeljohnson/onboarding-baselines/DESKTOP-GG4LKSL-20260629T211835.json
new file mode 100644
index 00000000..64478f6d
--- /dev/null
+++ b/clients/michaeljohnson/onboarding-baselines/DESKTOP-GG4LKSL-20260629T211835.json
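Review bot: The two new `.bdcheck_<HOST>` files at the repository root each hold a single bare UUID, and nothing in the commit says what they mark, which tool reads them, or whether the value is an identifier that belongs in version control. The UUIDs match neither the Agent ID nor the Command ID recorded in the host's markdown report, so a reader cannot tie them to anything else in the change. A one-line entry in the repository README naming the producer and meaning, e.g. `.bdcheck_<HOST>: per-host marker written by <tool>; value is <meaning>` (placeholders to be filled in), would remove the guesswork.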
@@ -0,0 +1,744 @@ +{ + "host": "DESKTOP-GG4LKSL", + "collected_at_utc": "2026-06-29T21:17:50Z", + "os": { + "caption": "Microsoft Windows 11 Pro", + "version": "10.0.26200", + "build": "26200", + "install_date": "2025-06-30T15:13:20Z", + "last_boot_utc": "2026-06-29T14:27:52Z", + "architecture": "64-bit" + }, + "facts": { + "builtin_admin_enabled": false, + "os_eol": { + "eol_date": "2027-10-12", + "release": "Win11 25H2" + }, + "pending_updates": 4, + "pending_reboot": false, + "uptime_days": 0.3, + "acg_managed_tools": "ScreenConnect / ConnectWise Control", + "hardware": { + "model": "HP Pavilion Gaming Desktop TG01-2xxx", + "manufacturer": "HP", + "bios_date": "2023-07-11", + "cpu_logical": 16, + "bios_version": "F.21", + "cpu_cores": 8, + "ram_gb": 31.8, + "serial": "4CE136C774", + "cpu": "11th Gen Intel(R) Core(TM) i7-11700F @ 2.50GHz" + }, + "third_party_av_active": false, + "os_build": "26200", + "secure_boot": false, + "backup_agents": null, + "autoruns_run_keys": [ + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "SecurityHealth", + "value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "QuickFinder Scheduler", + "value": "\"c:\\Program Files (x86)\\Corel\\WordPerfect Office 2021\\Programs\\QFSCHD210.EXE\"" + } + ], + "physical_disks": [ + { + "health": "Healthy", + "model": "Seagate Backup+ BK", + "media_type": "Unspecified" + }, + { + "health": "Healthy", + "model": "WD Green SN350 1TB 2G0C", + "media_type": "SSD" + } + ], + "local_users": [ + { + "last_logon": "", + "name": "Administrator", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "DefaultAccount", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "2025-06-30", + "name": "Guest", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "2026-06-29", + "name": 
"Localadmin", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-29", + "name": "owner", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "", + "name": "WDAGUtilityAccount", + "password_never_expires": false, + "enabled": false + } + ], + "scheduled_tasks_count": 18, + "volumes": [ + { + "drive": "D:", + "size_gb": 465.8, + "free_pct": 14.6, + "free_gb": 68.1 + }, + { + "drive": "[unlabeled]", + "size_gb": 0.7, + "free_pct": 8.3, + "free_gb": 0.1 + }, + { + "drive": "[unlabeled]", + "size_gb": 0.1, + "free_pct": 38.7, + "free_gb": 0 + }, + { + "drive": "C:", + "size_gb": 930.6, + "free_pct": 74.2, + "free_gb": 690.6 + } + ], + "network_adapters": [ + { + "dhcp": false, + "description": "Intel(R) Wi-Fi 6 AX201 160MHz", + "gateway": [ + "192.168.1.1" + ], + "mac": "4C:44:5B:57:C8:D0", + "ip": [ + "192.168.1.135", + "fe80::b290:dac4:8c2:f9d6" + ], + "dns": [ + null + ] + } + ], + "failed_autostart_services": [ + { + "name": "GoogleUpdaterInternalService150.0.7863.0", + "display": "Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)", + "state": "Stopped" + }, + { + "name": "GoogleUpdaterService150.0.7863.0", + "display": "Google Updater Service (GoogleUpdaterService150.0.7863.0)", + "state": "Stopped" + }, + { + "name": "Intel(R) TPM Provisioning Service", + "display": "Intel(R) TPM Provisioning Service", + "state": "Stopped" + } + ], + "stability_14d": { + "unexpected_shutdowns": 1, + "disk_errors": 0, + "bugchecks": 0 + }, + "exposure": { + "smb1_enabled": false, + "laps_present": true, + "rdp_enabled": false, + "uac_enabled": true, + "rdp_nla": true + }, + "accounts_password_never_expires": [], + "installed_software": [ + { + "publisher": "Adobe", + "name": "Adobe Acrobat (64-bit)", + "version": "26.001.21691" + }, + { + "publisher": "Adobe Systems Incorporated", + "name": "Adobe Refresh Manager", + "version": "1.8.0" + }, + { + "publisher": "Microsoft Corporation", + "name": 
"Copilot", + "version": "149.0.4022.80" + }, + { + "publisher": "Corel corporation", + "name": "Corel Update Manager", + "version": "2.14.630" + }, + { + "publisher": "Google LLC", + "name": "Google Chrome", + "version": "149.0.7827.197" + }, + { + "publisher": "", + "name": "HP LaserJet Professional P1100-P1560-P1600 Series", + "version": "" + }, + { + "publisher": "Vantage Linguistics", + "name": "iSEEK AnswerWorks English Runtime", + "version": "010.000.0101" + }, + { + "publisher": "Chaos Software Group, Inc.", + "name": "Legal Billing", + "version": "" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft 365 Apps for business - en-us", + "version": "16.0.20026.20182" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge", + "version": "149.0.4022.98" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge WebView2 Runtime", + "version": "149.0.4022.98" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft OneDrive", + "version": "26.106.0603.0003" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Update Health Tools", + "version": "5.72.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Basic for Applications 7.1 (x86)", + "version": "7.1.00.00" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Basic for Applications 7.1 (x86) English", + "version": "7.1.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35211", + "version": "14.44.35211.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.44.35211", + "version": "14.44.35211.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35211", + "version": "14.44.35211" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 
Minimum Runtime - 14.44.35211", + "version": "14.44.35211" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.44.35211", + "version": "14.44.35211" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.44.35211", + "version": "14.44.35211" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Control Panel 391.35", + "version": "391.35" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display Container", + "version": "1.2" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display Container LS", + "version": "1.2" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display Session Container", + "version": "1.2" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display Watchdog Plugin", + "version": "1.2" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Install Application", + "version": "2.1002.275.2323" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 16 Click-to-Run Extensibility Component", + "version": "16.0.20026.20076" + }, + { + "publisher": "Intuit", + "name": "Quicken 2013", + "version": "22.1.12.7" + }, + { + "publisher": "ScreenConnect Software", + "name": "ScreenConnect Client (1912bf3444b41a08)", + "version": "26.3.11.9650" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021", + "version": "21.0.0.81" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Common Files", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Common Files English", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - IPM", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect 
Office 2021 - IPM Content", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Lightning Files", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Lightning Files English", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Presentations Files", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Presentations Files English", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Quattro Pro Files", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Quattro Pro Files English", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Redists", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Setup Files", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - WordPerfect Files", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - WordPerfect Files English", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - WPD format Props x64", + "version": "21.0" + }, + { + "publisher": " Corel Corporation", + "name": "WordPerfect Office 2021 - Writing Tools", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office IFilter 32-bit", + "version": "1.8" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office IFilter 64-bit", + "version": "1.8" + } + ], + "tpm": { + "enabled": true, + "ready": true, + "present": true + }, + "local_groups": [ + "Access Control Assistance Operators", + "Administrators", + "Backup Operators", + "Cryptographic Operators", + "Device Owners", + "Distributed COM 
Users", + "Event Log Readers", + "Guests", + "Hyper-V Administrators", + "IIS_IUSRS", + "Network Configuration Operators", + "OpenSSH Users", + "Performance Log Users", + "Performance Monitor Users", + "Power Users", + "Remote Desktop Users", + "Remote Management Users", + "Replicator", + "System Managed Accounts Group", + "User Mode Hardware Operators", + "Users" + ], + "battery": { + "present": false + }, + "activation": { + "edition": "Microsoft Windows 11 Pro", + "description": "Windows(R) Operating System, OEM_DM channel", + "licensed": true, + "license_status_code": 1 + }, + "time_source": "time1.aliyun.com", + "chassis_types": [ + 3 + ], + "last_hotfix": { + "hotfix_id": "KB5094126", + "installed_on": "2026-06-10T07:00:00Z" + }, + "scheduled_tasks": [ + { + "path": "\\", + "name": "Adobe Acrobat Update Task", + "state": "Ready" + }, + { + "path": "\\", + "name": "CorelUpdateHelperTask-6FE3C4EAF0EA6F48A355A006CED9B153", + "state": "Ready" + }, + { + "path": "\\", + "name": "CorelUpdateHelperTaskCore", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineCore", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineUA", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Per-Machine Standalone Update Task", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-176541868-3255397159-941698718-1001", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-176541868-3255397159-941698718-1002", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Startup Task-S-1-5-21-176541868-3255397159-941698718-1001", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Startup Task-S-1-5-21-176541868-3255397159-941698718-1002", + "state": "Ready" + }, + { + "path": "\\", + "name": "RtkAudUService64_BG", + "state": "Running" + }, + { + "path": "\\", + "name": 
"ZoomUpdateTaskUser-S-1-5-21-176541868-3255397159-941698718-1002", + "state": "Ready" + }, + { + "path": "\\GoogleSystem\\GoogleUpdater\\", + "name": "GoogleUpdaterTaskSystem150.0.7863.0{187F8684-438D-4B52-A213-1183A437F60E}", + "state": "Ready" + }, + { + "path": "\\GoogleUserPEH\\", + "name": "RunPlatformExperienceHelperOnUnlock", + "state": "Ready" + }, + { + "path": "\\GoogleUserPEH\\", + "name": "RunPlatformExperienceHelper_Daily", + "state": "Ready" + }, + { + "path": "\\GoogleUserPEH\\", + "name": "RunPlatformExperienceHelper_Metrics", + "state": "Ready" + }, + { + "path": "\\SoftLanding\\S-1-5-21-176541868-3255397159-941698718-1002\\", + "name": "SoftLandingCreativeManagementTask", + "state": "Ready" + }, + { + "path": "\\SoftLanding\\S-1-5-21-176541868-3255397159-941698718-1002\\", + "name": "SoftLandingDeferralTask-{7f5041b8-2c64-40bd-a455-a605b3186491}", + "state": "Ready" + } + ], + "antivirus_products": [ + "Windows Defender" + ], + "domain_joined": false, + "defender": { + "antispyware_signature_age": 0, + "tamper_protected": true, + "real_time_protection": true, + "nis_enabled": true, + "available": true, + "antivirus_enabled": true, + "am_service_enabled": true + }, + "bitlocker": { + "os_volume": "C:", + "key_protectors": [], + "recovery_key_present": false, + "available": true, + "encryption_percent": 0, + "protection_status": "Off" + }, + "is_laptop": false, + "installed_software_count": 50, + "local_administrators": [ + "DESKTOP-GG4LKSL\\Administrator", + "DESKTOP-GG4LKSL\\Localadmin", + "DESKTOP-GG4LKSL\\owner" + ], + "firewall_profiles": { + "Private": true, + "Domain": true, + "Public": true + }, + "domain": "WORKGROUP", + "foreign_agents": null + }, + "findings": [ + { + "id": "sec.defender.ok", + "category": "security", + "severity": "info", + "title": "Defender active and current", + "detail": "Real-time protection on, service running, signatures current.", + "evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; 
AntispywareSignatureAge=0 days; IsTamperProtected=True" + }, + { + "id": "sec.av_products.defender_only", + "category": "security", + "severity": "info", + "title": "Defender is the only registered AV", + "detail": "Only Microsoft/Windows Defender is registered in Security Center.", + "evidence": "Windows Defender" + }, + { + "id": "sec.foreign_agents.none", + "category": "security", + "severity": "info", + "title": "No competitor/leftover management agents detected", + "detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.", + "evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service" + }, + { + "id": "sec.foreign_agents.acg.screenconnect_connectwise_control", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running" + }, + { + "id": "sec.firewall.ok", + "category": "security", + "severity": "info", + "title": "All firewall profiles enabled", + "detail": "Domain, Private, and Public firewall profiles are all enabled.", + "evidence": "Private=True; Domain=True; Public=True" + }, + { + "id": "sec.bitlocker.unencrypted", + "category": "security", + "severity": "warning", + "title": "OS volume is NOT encrypted with BitLocker", + "detail": "The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. 
Enable BitLocker and escrow the recovery key.", + "evidence": "Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=" + }, + { + "id": "sec.local_admins.list", + "category": "security", + "severity": "info", + "title": "Local administrators (3)", + "detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).", + "evidence": "DESKTOP-GG4LKSL\\Administrator\nDESKTOP-GG4LKSL\\Localadmin\nDESKTOP-GG4LKSL\\owner" + }, + { + "id": "sec.patch.os_supported", + "category": "security", + "severity": "info", + "title": "OS build supported: Win11 25H2", + "detail": "Build 26200 (Win11 25H2) is in support until 2027-10-12.", + "evidence": "Microsoft Windows 11 Pro build 26200" + }, + { + "id": "sec.patch.pending", + "category": "security", + "severity": "warning", + "title": "4 pending Windows updates", + "detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. 
Approve/install on the next maintenance window.", + "evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 4" + }, + { + "id": "sec.patch.last_hotfix", + "category": "security", + "severity": "info", + "title": "Last hotfix: KB5094126", + "detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).", + "evidence": "KB5094126 installed 2026-06-10T07:00:00Z" + }, + { + "id": "sec.exposure.smb1_off", + "category": "security", + "severity": "info", + "title": "SMBv1 disabled", + "detail": "SMBv1 server protocol is disabled.", + "evidence": "EnableSMB1Protocol=False" + }, + { + "id": "sec.exposure.laps_present", + "category": "security", + "severity": "info", + "title": "LAPS detected", + "detail": "A LAPS mechanism is present.", + "evidence": "Windows LAPS reg key" + }, + { + "id": "health.disk_space.D", + "category": "health", + "severity": "warning", + "title": "Disk low: D: at 14.6% free", + "detail": "Less than 15 percent free. Plan cleanup or expansion.", + "evidence": "D: free 68.1 GB of 465.8 GB (14.6%)" + }, + { + "id": "health.stability.some", + "category": "health", + "severity": "warning", + "title": "Stability events present in the last 14 days", + "detail": "One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.", + "evidence": "Unexpected shutdowns (id 41)=1; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0" + }, + { + "id": "health.failed_services.stopped", + "category": "health", + "severity": "warning", + "title": "3 auto-start service(s) not running", + "detail": "These services are set to start automatically but are not running. 
Some may be benign; review for security agents, backup agents, or AV that should be running.",
+ "evidence": "GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped\nGoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped\nIntel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped"
+ },
+ {
+ "id": "health.domain.workgroup",
+ "category": "health",
+ "severity": "info",
+ "title": "Not domain-joined (workgroup)",
+ "detail": "This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.",
+ "evidence": "PartOfDomain=False; Domain=WORKGROUP"
+ },
+ {
+ "id": "health.time.source",
+ "category": "health",
+ "severity": "info",
+ "title": "Time service source",
+ "detail": "Current Windows Time service source.",
+ "evidence": "Source=time1.aliyun.com"
+ },
+ {
+ "id": "health.backup.none",
+ "category": "health",
+ "severity": "info",
+ "title": "No backup agent detected",
+ "detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.",
+ "evidence": "No matching backup service in Win32_Service"
+ }
+ ]
+}
diff --git a/clients/michaeljohnson/onboarding-baselines/DESKTOP-GG4LKSL-20260629T211835.md b/clients/michaeljohnson/onboarding-baselines/DESKTOP-GG4LKSL-20260629T211835.md
new file mode 100644
index 00000000..1156912b
--- /dev/null
+++ b/clients/michaeljohnson/onboarding-baselines/DESKTOP-GG4LKSL-20260629T211835.md
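Review bot: The snapshot records `"secure_boot": false` under `facts`, yet the `findings` array has no entry for it while the BitLocker fact on the same volume is raised as a warning, so a disabled Secure Boot is silently absent from the graded report; the generator that builds `findings` is not part of this diff, but the baseline as committed understates the host's posture. The `health.time.source` finding likewise reports `Source=time1.aliyun.com` at severity `info` with no comparison against an expected source — an external public NTP server that is neither the Windows default nor anything of the client's on a workgroup machine deserves at least `warning`, with a detail such as `Time source differs from the expected NTP server; confirm it was set intentionally`. Two shape issues also make cross-host diffing harder: `acg_managed_tools` is a bare string here but an array in the MJ-PARALEGAL baseline further down this diff, and the adapter's `"dns": [ null ]` should be `[]` when no server is configured. Emitting `"acg_managed_tools": ["ScreenConnect / ConnectWise Control"]` keeps the key one type across all baselines.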
@@ -0,0 +1,226 @@ +# Onboarding Diagnostic Baseline - DESKTOP-GG4LKSL + +- **Grade:** AMBER +- **Host:** DESKTOP-GG4LKSL +- **Client:** Michael Johnson (`michaeljohnson`) +- **Collected (UTC):** 2026-06-29T21:17:50Z +- **Agent ID:** 09c08484-2b51-404b-a294-6e39f498867c +- **Command ID:** 67f70181-51cd-470e-a9e2-edd2d53df135 +- **Findings:** 0 critical / 5 warning / 13 info / 0 unknown + +- **OS:** Microsoft Windows 11 Pro (build 26200) + +--- + +## WARNING (5) + +### OS volume is NOT encrypted with BitLocker +- **Category:** security +- **ID:** `sec.bitlocker.unencrypted` +- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key. + +``` +Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors= +``` + +### 4 pending Windows updates +- **Category:** security +- **ID:** `sec.patch.pending` +- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window. + +``` +Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 4 +``` + +### Disk low: D: at 14.6% free +- **Category:** health +- **ID:** `health.disk_space.D` +- Less than 15 percent free. Plan cleanup or expansion. + +``` +D: free 68.1 GB of 465.8 GB (14.6%) +``` + +### Stability events present in the last 14 days +- **Category:** health +- **ID:** `health.stability.some` +- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports. + +``` +Unexpected shutdowns (id 41)=1; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0 +``` + +### 3 auto-start service(s) not running +- **Category:** health +- **ID:** `health.failed_services.stopped` +- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running. 
+ +``` +GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped +GoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped +Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped +``` + + +## INFO (13) + +### Defender active and current +- **Category:** security +- **ID:** `sec.defender.ok` +- Real-time protection on, service running, signatures current. + +``` +RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True +``` + +### Defender is the only registered AV +- **Category:** security +- **ID:** `sec.av_products.defender_only` +- Only Microsoft/Windows Defender is registered in Security Center. + +``` +Windows Defender +``` + +### No competitor/leftover management agents detected +- **Category:** security +- **ID:** `sec.foreign_agents.none` +- No known competitor RMM or unmanaged remote-access agents found in installed programs or services. + +``` +Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service +``` + +### Expected ACG management tooling present: ScreenConnect / ConnectWise Control +- **Category:** security +- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650 +service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running +``` + +### All firewall profiles enabled +- **Category:** security +- **ID:** `sec.firewall.ok` +- Domain, Private, and Public firewall profiles are all enabled. + +``` +Private=True; Domain=True; Public=True +``` + +### Local administrators (3) +- **Category:** security +- **ID:** `sec.local_admins.list` +- Members of the local Administrators group. 
Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider). + +``` +DESKTOP-GG4LKSL\Administrator +DESKTOP-GG4LKSL\Localadmin +DESKTOP-GG4LKSL\owner +``` + +### OS build supported: Win11 25H2 +- **Category:** security +- **ID:** `sec.patch.os_supported` +- Build 26200 (Win11 25H2) is in support until 2027-10-12. + +``` +Microsoft Windows 11 Pro build 26200 +``` + +### Last hotfix: KB5094126 +- **Category:** security +- **ID:** `sec.patch.last_hotfix` +- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata). + +``` +KB5094126 installed 2026-06-10T07:00:00Z +``` + +### SMBv1 disabled +- **Category:** security +- **ID:** `sec.exposure.smb1_off` +- SMBv1 server protocol is disabled. + +``` +EnableSMB1Protocol=False +``` + +### LAPS detected +- **Category:** security +- **ID:** `sec.exposure.laps_present` +- A LAPS mechanism is present. + +``` +Windows LAPS reg key +``` + +### Not domain-joined (workgroup) +- **Category:** health +- **ID:** `health.domain.workgroup` +- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies. + +``` +PartOfDomain=False; Domain=WORKGROUP +``` + +### Time service source +- **Category:** health +- **ID:** `health.time.source` +- Current Windows Time service source. + +``` +Source=time1.aliyun.com +``` + +### No backup agent detected +- **Category:** health +- **ID:** `health.backup.none` +- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it. 
+
+```
+No matching backup service in Win32_Service
+```
+
+
+---
+
+## Inventory Baseline Summary
+
+- **Manufacturer / Model:** HP / HP Pavilion Gaming Desktop TG01-2xxx
+- **Serial:** 4CE136C774
+- **CPU:** 11th Gen Intel(R) Core(TM) i7-11700F @ 2.50GHz (8 cores / 16 logical)
+- **RAM (GB):** 31.8
+- **BIOS:** F.21 (2023-07-11)
+- **Chassis is laptop:** false
+- **TPM present / Secure Boot:** true / ?
+- **Domain joined:** false (WORKGROUP)
+- **OS activation licensed:** true
+- **Uptime (days):** 0.3
+- **Pending reboot:** false
+- **Installed software count:** 50
+- **Scheduled tasks (non-MS, enabled):** 18
+- **Local administrators:** DESKTOP-GG4LKSL\Administrator, DESKTOP-GG4LKSL\Localadmin, DESKTOP-GG4LKSL\owner
+
+### Fixed volumes
+
+- D: - 68.1 GB free of 465.8 GB (14.6%)
+- [unlabeled] - 0.1 GB free of 0.7 GB (8.3%)
+- [unlabeled] - 0 GB free of 0.1 GB (38.7%)
+- C: - 690.6 GB free of 930.6 GB (74.2%)
+
+### Network adapters
+
+- Intel(R) Wi-Fi 6 AX201 160MHz - IP: 192.168.1.135, fe80::b290:dac4:8c2:f9d6 - DNS: - DHCP: false
+
+---
+
+## Diff vs Prior Baseline
+
+- No prior baseline found for this host. This is the first baseline.
+
+---
+
+_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `DESKTOP-GG4LKSL-20260629T211835.json` (immutable)._
diff --git a/clients/michaeljohnson/onboarding-baselines/MJ-PARALEGAL-20260629T211845.json b/clients/michaeljohnson/onboarding-baselines/MJ-PARALEGAL-20260629T211845.json
new file mode 100644
index 00000000..482d1ced
--- /dev/null
+++ b/clients/michaeljohnson/onboarding-baselines/MJ-PARALEGAL-20260629T211845.json
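Review bot: The inventory line `- **TPM present / Secure Boot:** true / ?` prints `?` although the raw snapshot in this same commit records `"secure_boot": false`, so the renderer appears to treat a false boolean as missing; the line should read `- **TPM present / Secure Boot:** true / false`, and the cause is presumably a truthiness test in the generator (not in this diff) that should be an explicit null check. The network adapter line ends in `DNS: - DHCP: false`, which hides that the snapshot holds `[null]` for DNS on a statically addressed adapter; rendering `DNS: (none)` would make that gap visible to whoever reads the baseline. The label `Scheduled tasks (non-MS, enabled): 18` is also hard to reconcile with the snapshot's task list, which includes MicrosoftEdgeUpdate and OneDrive tasks; either the label or the filter it describes needs clarifying.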
@@ -0,0 +1,1161 @@ +{ + "host": "MJ-PARALEGAL", + "collected_at_utc": "2026-06-29T21:17:55Z", + "os": { + "caption": "Microsoft Windows 11 Pro", + "version": "10.0.26200", + "build": "26200", + "install_date": "2025-12-27T20:49:47Z", + "last_boot_utc": "2026-06-29T14:26:49Z", + "architecture": "64-bit" + }, + "facts": { + "builtin_admin_enabled": false, + "os_eol": { + "eol_date": "2027-10-12", + "release": "Win11 25H2" + }, + "pending_updates": 2, + "pending_reboot": false, + "uptime_days": 0.3, + "acg_managed_tools": [ + "ScreenConnect / ConnectWise Control", + "Splashtop (SOS/Streamer)", + "Syncro / Kabuto" + ], + "hardware": { + "model": "System Product Name", + "manufacturer": "ASUS", + "bios_date": "2021-07-09", + "cpu_logical": 12, + "bios_version": "1620", + "cpu_cores": 6, + "ram_gb": 15.8, + "serial": "System Serial Number", + "cpu": "Intel(R) Core(TM) i5-10400 CPU @ 2.90GHz" + }, + "third_party_av_active": false, + "os_build": "26200", + "secure_boot": true, + "backup_agents": null, + "autoruns_run_keys": [ + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "SecurityHealth", + "value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "IgfxTray", + "value": "\"C:\\Windows\\system32\\igfxtray.exe\"" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "HotKeysCmds", + "value": "\"C:\\Windows\\system32\\hkcmd.exe\"" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Persistence", + "value": "\"C:\\Windows\\system32\\igfxpers.exe\"" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "AdobeAAMUpdater-1.0", + "value": "\"C:\\Program Files (x86)\\Common Files\\Adobe\\OOBE\\PDApp\\UWA\\UpdaterStartupUtility.exe\"" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "RTHDVCPL", + "value": 
"\"C:\\Program Files\\Realtek\\Audio\\HDA\\RtkNGUI64.exe\" -s" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Box", + "value": "\"C:\\Program Files\\Box\\Box\\Box.exe\" -m" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "MFNetworkScannerSelector", + "value": "C:\\Program Files\\Canon\\Canon MF Network Scanner Selector\\CMFNSS6.EXE" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Logitech Download Assistant", + "value": "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\System32\\LogiLDA.dll,LogiFetch" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "ScanSnap Home Pfussmon", + "value": "C:\\Program Files (x86)\\PFU\\ScanSnap\\Home\\pfuSSMon.exe" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "ScanSnap WIA Service Checker", + "value": "C:\\Program Files (x86)\\PFU\\ScanSnap\\Home\\SSDriver\\fi5110\\SsWiaChecker.exe" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "SshCloudMonitor", + "value": "C:\\Program Files (x86)\\PFU\\ScanSnap\\Home\\SshCloudMonitor.exe" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "SshRegister", + "value": "C:\\Program Files (x86)\\PFU\\ScanSnap\\Home\\SshRegister.exe" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "pfuSshMain", + "value": "\"C:\\Program Files (x86)\\PFU\\ScanSnap\\Home\\pfuSshMain.exe\" -backgroundstartup" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "ScanSnap OnlineUpdate Watcher", + "value": "\"C:\\Program Files (x86)\\PFU\\ScanSnap\\Update\\SsUWatcher.exe\" -StartOS" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "QuickFinder 
Scheduler", + "value": "\"c:\\Program Files (x86)\\Corel\\WordPerfect Office 2020\\Programs\\QFSCHD200.EXE\"" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "TeamsMachineInstaller", + "value": "C:\\Program Files\\Teams Installer\\Teams.exe --checkInstall --source=PROPLUS" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Canon Toner Status", + "value": "C:\\Program Files (x86)\\Canon\\OIPTonerStatus\\CnTnrStsTask.exe" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Adobe CCXProcess", + "value": "C:\\Program Files (x86)\\Adobe\\Adobe Creative Cloud Experience\\CCXProcess.exe" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "The Record Communicator Server", + "value": "C:\\Program Files (x86)\\FTR\\ForTheRecord\\TheRecordCommunicatorServer.exe" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "(default)", + "value": "" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Adobe Creative Cloud", + "value": "\"C:\\Program Files\\Adobe\\Adobe Creative Cloud\\ACC\\Creative Cloud.exe\" --showwindow=false --onOSstartup=true" + } + ], + "physical_disks": [ + { + "health": "Healthy", + "model": "Crucial_CT275MX300SSD1", + "media_type": "SSD" + }, + { + "health": "Healthy", + "model": "CT500MX500SSD1", + "media_type": "SSD" + } + ], + "local_users": [ + { + "last_logon": "", + "name": "Administrator", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "DefaultAccount", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "Guest", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "2021-04-21", + "name": "localadmin", + "password_never_expires": false, + 
"enabled": true + }, + { + "last_logon": "2026-06-29", + "name": "Paralegal", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "", + "name": "WDAGUtilityAccount", + "password_never_expires": false, + "enabled": false + } + ], + "scheduled_tasks_count": 24, + "volumes": [ + { + "drive": "E:", + "size_gb": 255.6, + "free_pct": 0, + "free_gb": 0 + }, + { + "drive": "[unlabeled]", + "size_gb": 1, + "free_pct": 18.7, + "free_gb": 0.2 + }, + { + "drive": "D:", + "size_gb": 0, + "free_pct": 75.5, + "free_gb": 0 + }, + { + "drive": "C:", + "size_gb": 464.2, + "free_pct": 15.1, + "free_gb": 70 + }, + { + "drive": "[unlabeled]", + "size_gb": 0.1, + "free_pct": 64, + "free_gb": 0.1 + }, + { + "drive": "[unlabeled]", + "size_gb": 0.5, + "free_pct": 16.6, + "free_gb": 0.1 + } + ], + "network_adapters": [ + { + "dhcp": true, + "description": "Realtek PCIe GBE Family Controller", + "gateway": [ + "192.168.1.1" + ], + "mac": "F0:2F:74:84:AF:3B", + "ip": [ + "192.168.1.136", + "fe80::b20c:8d0b:48bf:1aea" + ], + "dns": [ + "172.16.132.1" + ] + } + ], + "failed_autostart_services": [ + { + "name": "AsusUpdateCheck", + "display": "AsusUpdateCheck", + "state": "Stopped" + }, + { + "name": "GoogleUpdaterInternalService150.0.7863.0", + "display": "Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)", + "state": "Stopped" + }, + { + "name": "GoogleUpdaterService150.0.7863.0", + "display": "Google Updater Service (GoogleUpdaterService150.0.7863.0)", + "state": "Stopped" + }, + { + "name": "IBMPMSVC", + "display": "Lenovo PM Service", + "state": "Stopped" + }, + { + "name": "Intel(R) TPM Provisioning Service", + "display": "Intel(R) TPM Provisioning Service", + "state": "Stopped" + }, + { + "name": "LPlatSvc", + "display": "Lenovo Platform Service", + "state": "Stopped" + } + ], + "stability_14d": { + "unexpected_shutdowns": 1, + "disk_errors": 0, + "bugchecks": 0 + }, + "exposure": { + "smb1_enabled": false, + "laps_present": true, + 
"rdp_enabled": false, + "uac_enabled": true, + "rdp_nla": true + }, + "accounts_password_never_expires": [], + "installed_software": [ + { + "publisher": "ABBYY", + "name": "ABBYY FineReader for ScanSnap (TM) 5.5", + "version": "15.0.2261" + }, + { + "publisher": "Adobe Systems Incorporated", + "name": "Adobe Acrobat", + "version": "26.001.21691" + }, + { + "publisher": "Adobe Systems", + "name": "Adobe Acrobat XI Standard", + "version": "11.0.12" + }, + { + "publisher": "Adobe Inc.", + "name": "Adobe Creative Cloud", + "version": "6.10.0.252.3" + }, + { + "publisher": "Adobe Inc.", + "name": "Adobe Genuine Service", + "version": "9.1.0.52" + }, + { + "publisher": "Adobe Systems Incorporated", + "name": "Adobe Refresh Manager", + "version": "1.8.0" + }, + { + "publisher": "", + "name": "Arizona Child Support 7.0", + "version": "" + }, + { + "publisher": "EverMap Company, LLC.", + "name": "AutoRedact Plug-In, v. 1.9.12 (TRIAL VERSION)", + "version": "" + }, + { + "publisher": "Box, Inc.", + "name": "Box", + "version": "2.23.428" + }, + { + "publisher": "CANON INC.", + "name": "Canon D1600 Series", + "version": "6.2.0.0" + }, + { + "publisher": "CANON INC.", + "name": "Canon Laser Printer/Scanner/Fax Extended Survey Program", + "version": "2.2.13" + }, + { + "publisher": "CANON INC.", + "name": "Canon Laser Printer/Scanner/Fax Extended Survey Program", + "version": "2.2.13.40010" + }, + { + "publisher": "CANON INC.", + "name": "Canon MF Scan Utility", + "version": "1.5.0.0" + }, + { + "publisher": "Chronotron.com", + "name": "Chronotron Pro", + "version": "1.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Copilot", + "version": "149.0.4022.80" + }, + { + "publisher": "Corel corporation", + "name": "Corel Update Manager", + "version": "2.16.673" + }, + { + "publisher": "NCH Software", + "name": "Doxillion Document Converter", + "version": "5.33" + }, + { + "publisher": "EaseUS", + "name": "EaseUS Video Downloader 2.1.5", + "version": "" + }, + { + 
"publisher": "FTR Pty. Ltd.", + "name": "FTR Player", + "version": "7.7" + }, + { + "publisher": "Google LLC", + "name": "Google Chrome", + "version": "149.0.7827.197" + }, + { + "publisher": "Google LLC", + "name": "Google Update Helper", + "version": "1.3.36.51" + }, + { + "publisher": "WonderFox Soft, Inc.", + "name": "HD Video Converter Factory Pro 26.2", + "version": "26.2" + }, + { + "publisher": "Chaos Software Group, Inc.", + "name": "Legal Billing", + "version": "" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft 365 - en-us", + "version": "16.0.20131.20090" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft 365 Apps for business - en-us", + "version": "16.0.20131.20090" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge", + "version": "149.0.4022.98" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge WebView2 Runtime", + "version": "149.0.4022.98" + }, + { + "publisher": "Microsoft", + "name": "Microsoft Teams Meeting Add-in for Microsoft Office", + "version": "1.25.28902" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Update Health Tools", + "version": "3.74.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Basic for Applications 7.1 (x86)", + "version": "7.1.00.00" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Basic for Applications 7.1 (x86) English", + "version": "7.1.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable", + "version": "8.0.61001" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17", + "version": "9.0.30729" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x86 
Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030", + "version": "11.0.61030.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030", + "version": "11.0.61030.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40664", + "version": "12.0.40664.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40664", + "version": "12.0.40664.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664", + "version": "12.0.40664" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664", + "version": "12.0.40664" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40664", + "version": "12.0.40664" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40664", + "version": "12.0.40664" 
+ }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35211", + "version": "14.44.35211.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.44.35211", + "version": "14.44.35211.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35211", + "version": "14.44.35211" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.44.35211", + "version": "14.44.35211" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.44.35211", + "version": "14.44.35211" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.44.35211", + "version": "14.44.35211" + }, + { + "publisher": "", + "name": "Microsoft Windows Media Video 9 VCM", + "version": "" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 16 Click-to-Run Extensibility Component", + "version": "16.0.20131.20044" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 16 Click-to-Run Localization Component", + "version": "16.0.14131.20278" + }, + { + "publisher": "NCH Software", + "name": "Pixillion Image Converter", + "version": "11.36" + }, + { + "publisher": "NCH Software", + "name": "Prism Video File Converter", + "version": "10.28" + }, + { + "publisher": "Realtek Semiconductor Corp.", + "name": "Realtek High Definition Audio Driver", + "version": "6.0.1.7841" + }, + { + "publisher": "PFU Limited", + "name": "ScanSnap Home", + "version": "2.0.31.1" + }, + { + "publisher": "ScreenConnect Software", + "name": "ScreenConnect Client (1912bf3444b41a08)", + "version": "26.3.11.9650" + }, + { + "publisher": "Splashtop Inc.", + "name": "Splashtop Streamer", + "version": "3.8.4.0" + }, + { + "publisher": "NCH Software", + "name": "Switch 
Sound File Converter", + "version": "12.17" + }, + { + "publisher": "Servably, Inc.", + "name": "Syncro", + "version": "1.0.201.18410" + }, + { + "publisher": "TaxAct, Inc.", + "name": "TaxAct 2022 1040 Edition", + "version": "1.26" + }, + { + "publisher": "TaxAct, Inc.", + "name": "TaxAct 2023 1040 Edition", + "version": "1.31" + }, + { + "publisher": "Microsoft Corporation", + "name": "Teams Machine-Wide Installer", + "version": "1.4.0.32771" + }, + { + "publisher": "CANON INC.", + "name": "Toner Status", + "version": "1.6.0.0" + }, + { + "publisher": "Canon Inc.", + "name": "UFR II V4 Printer Driver Uninstaller", + "version": "7.1.2.0" + }, + { + "publisher": "Canon", + "name": "UFR II/LIPSLX/CARPS2 V4 Desktop Printer Extension", + "version": "7.1.2.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Update for x64-based Windows Systems (KB5001716)", + "version": "8.94.0.0" + }, + { + "publisher": "VideoLAN", + "name": "VLC media player", + "version": "3.0.23" + }, + { + "publisher": "Microsoft Corporation", + "name": "Windows 11 Installation Assistant", + "version": "1.4.19041.6448" + }, + { + "publisher": "Microsoft Corporation", + "name": "Windows PC Health Check", + "version": "3.6.2204.08001" + }, + { + "publisher": "Microsoft Corporation", + "name": "Windows PC Health Check", + "version": "4.0.2410.23001" + }, + { + "publisher": "win.rar GmbH", + "name": "WinRAR 7.22 (64-bit)", + "version": "7.22.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020", + "version": "20.0.0.200" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - Common Files", + "version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - Common Files English", + "version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - Core", + "version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - IPM", + 
"version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - IPM Content", + "version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - Lightning Files", + "version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - Lightning Files English", + "version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - Oxford", + "version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - Presentations Files", + "version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - Presentations Files English", + "version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - Quattro Pro Files", + "version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - Quattro Pro Files English", + "version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - Redists", + "version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - Setup Files", + "version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - WordPerfect Files", + "version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - WordPerfect Files English", + "version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2020 - WPD format Props x64", + "version": "20.0" + }, + { + "publisher": " Corel Corporation", + "name": "WordPerfect Office 2020 - Writing Tools", + "version": "20.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office IFilter 32-bit", + "version": "1.7" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office IFilter 64-bit", + "version": "1.7" + } + ], + "tpm": { + "enabled": true, + "ready": 
true, + "present": true + }, + "local_groups": [ + "Access Control Assistance Operators", + "Administrators", + "Backup Operators", + "Cryptographic Operators", + "Device Owners", + "Distributed COM Users", + "Event Log Readers", + "Guests", + "Hyper-V Administrators", + "IIS_IUSRS", + "Network Configuration Operators", + "OpenSSH Users", + "Performance Log Users", + "Performance Monitor Users", + "Power Users", + "Remote Desktop Users", + "Remote Management Users", + "Replicator", + "System Managed Accounts Group", + "User Mode Hardware Operators", + "Users" + ], + "battery": { + "present": false + }, + "activation": { + "edition": "Microsoft Windows 11 Pro", + "description": "Windows(R) Operating System, RETAIL channel", + "licensed": true, + "license_status_code": 1 + }, + "time_source": "time.windows.com,0x9", + "chassis_types": [ + 3 + ], + "last_hotfix": { + "hotfix_id": "KB5094126", + "installed_on": "2026-06-10T07:00:00Z" + }, + "scheduled_tasks": [ + { + "path": "\\", + "name": "Adobe Acrobat Update Task", + "state": "Ready" + }, + { + "path": "\\", + "name": "Adobe-Genuine-Software-Integrity-Scheduler-1.0", + "state": "Ready" + }, + { + "path": "\\", + "name": "AdobeGCInvoker-1.0", + "state": "Ready" + }, + { + "path": "\\", + "name": "AdobeGCInvokerLogon", + "state": "Ready" + }, + { + "path": "\\", + "name": "CorelUpdateHelperTask-98B825090EE56E91CC34E8CB7D5FE42E", + "state": "Ready" + }, + { + "path": "\\", + "name": "CorelUpdateHelperTaskCore", + "state": "Ready" + }, + { + "path": "\\", + "name": "Launch Adobe CCXProcess", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineCore", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineUA", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneBUpdate", + "state": "Running" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-3263960385-3520291270-397185974-1002", + "state": "Ready" + }, + { + "path": "\\", + "name": 
"OneDrive Standalone Update Task-S-1-5-21-3263960385-3520291270-397185974-1001", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-3263960385-3520291270-397185974-1002", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Startup Task-S-1-5-21-3263960385-3520291270-397185974-1002", + "state": "Ready" + }, + { + "path": "\\", + "name": "User_Feed_Synchronization-{034A3298-1594-4C9F-8AEF-AAA615E4DEAE}", + "state": "Ready" + }, + { + "path": "\\", + "name": "ZoomUpdateTaskUser-S-1-5-21-3263960385-3520291270-397185974-1002", + "state": "Ready" + }, + { + "path": "\\Canon\\OIPPESP\\", + "name": "Canon OIP Product Extended Survey Program", + "state": "Ready" + }, + { + "path": "\\GoogleSystem\\GoogleUpdater\\", + "name": "GoogleUpdaterTaskSystem150.0.7863.0{6A48E663-A021-4E9B-A905-CFB1527DC215}", + "state": "Ready" + }, + { + "path": "\\GoogleUserPEH\\", + "name": "RunPlatformExperienceHelper_Daily", + "state": "Ready" + }, + { + "path": "\\GoogleUserPEH\\", + "name": "RunPlatformExperienceHelper_Metrics", + "state": "Ready" + }, + { + "path": "\\Lenovo\\Power Manager\\", + "name": "Background monitor", + "state": "Running" + }, + { + "path": "\\Lenovo\\Power Manager\\", + "name": "Uninstall task", + "state": "Ready" + }, + { + "path": "\\SoftLanding\\S-1-5-21-3263960385-3520291270-397185974-1002\\", + "name": "SoftLandingCreativeManagementTask", + "state": "Ready" + }, + { + "path": "\\SoftLanding\\S-1-5-21-3263960385-3520291270-397185974-1002\\", + "name": "SoftLandingDeferralTask-{b99aea30-99e3-4398-b1b0-4df520ba0c98}", + "state": "Ready" + } + ], + "antivirus_products": [ + "Windows Defender" + ], + "domain_joined": false, + "defender": { + "antispyware_signature_age": 1, + "tamper_protected": true, + "real_time_protection": true, + "nis_enabled": true, + "available": true, + "antivirus_enabled": true, + "am_service_enabled": true + }, + "bitlocker": { + "os_volume": "C:", + "key_protectors": [], + 
"recovery_key_present": false, + "available": true, + "encryption_percent": 0, + "protection_status": "Off" + }, + "is_laptop": false, + "installed_software_count": 98, + "local_administrators": [ + "MJ-PARALEGAL\\Administrator", + "MJ-PARALEGAL\\localadmin", + "MJ-PARALEGAL\\Paralegal" + ], + "firewall_profiles": { + "Private": false, + "Domain": true, + "Public": false + }, + "domain": "WORKGROUP", + "foreign_agents": null + }, + "findings": [ + { + "id": "sec.defender.ok", + "category": "security", + "severity": "info", + "title": "Defender active and current", + "detail": "Real-time protection on, service running, signatures current.", + "evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=1 days; IsTamperProtected=True" + }, + { + "id": "sec.av_products.defender_only", + "category": "security", + "severity": "info", + "title": "Defender is the only registered AV", + "detail": "Only Microsoft/Windows Defender is registered in Security Center.", + "evidence": "Windows Defender" + }, + { + "id": "sec.foreign_agents.none", + "category": "security", + "severity": "info", + "title": "No competitor/leftover management agents detected", + "detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.", + "evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service" + }, + { + "id": "sec.foreign_agents.acg.screenconnect_connectwise_control", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. 
Its presence is expected and not a foreign-agent risk.", + "evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running" + }, + { + "id": "sec.foreign_agents.acg.splashtop_sos_streamer_", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Splashtop Streamer 3.8.4.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running" + }, + { + "id": "sec.foreign_agents.acg.syncro_kabuto", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Syncro / Kabuto", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running" + }, + { + "id": "sec.firewall.disabled", + "category": "security", + "severity": "critical", + "title": "Firewall disabled on profile(s): Private, Public", + "detail": "One or more firewall profiles are OFF. The endpoint is exposed to lateral movement and inbound attacks on those networks. Re-enable all profiles.", + "evidence": "Profile states: Private=False; Domain=True; Public=False" + }, + { + "id": "sec.bitlocker.unencrypted", + "category": "security", + "severity": "warning", + "title": "OS volume is NOT encrypted with BitLocker", + "detail": "The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. 
Enable BitLocker and escrow the recovery key.", + "evidence": "Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=" + }, + { + "id": "sec.local_admins.list", + "category": "security", + "severity": "info", + "title": "Local administrators (3)", + "detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).", + "evidence": "MJ-PARALEGAL\\Administrator\nMJ-PARALEGAL\\localadmin\nMJ-PARALEGAL\\Paralegal" + }, + { + "id": "sec.patch.os_supported", + "category": "security", + "severity": "info", + "title": "OS build supported: Win11 25H2", + "detail": "Build 26200 (Win11 25H2) is in support until 2027-10-12.", + "evidence": "Microsoft Windows 11 Pro build 26200" + }, + { + "id": "sec.patch.pending", + "category": "security", + "severity": "warning", + "title": "2 pending Windows updates", + "detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. 
Approve/install on the next maintenance window.", + "evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 2" + }, + { + "id": "sec.patch.last_hotfix", + "category": "security", + "severity": "info", + "title": "Last hotfix: KB5094126", + "detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).", + "evidence": "KB5094126 installed 2026-06-10T07:00:00Z" + }, + { + "id": "sec.exposure.smb1_off", + "category": "security", + "severity": "info", + "title": "SMBv1 disabled", + "detail": "SMBv1 server protocol is disabled.", + "evidence": "EnableSMB1Protocol=False" + }, + { + "id": "sec.exposure.laps_present", + "category": "security", + "severity": "info", + "title": "LAPS detected", + "detail": "A LAPS mechanism is present.", + "evidence": "Windows LAPS reg key" + }, + { + "id": "health.disk_space.E", + "category": "health", + "severity": "critical", + "title": "Disk critically low: E: at 0% free", + "detail": "Less than 8 percent free. Risk of failed updates, crashes, and corruption. Free space or expand the volume urgently.", + "evidence": "E: free 0 GB of 255.6 GB (0%)" + }, + { + "id": "health.stability.some", + "category": "health", + "severity": "warning", + "title": "Stability events present in the last 14 days", + "detail": "One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.", + "evidence": "Unexpected shutdowns (id 41)=1; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0" + }, + { + "id": "health.failed_services.stopped", + "category": "health", + "severity": "warning", + "title": "6 auto-start service(s) not running", + "detail": "These services are set to start automatically but are not running. 
Some may be benign; review for security agents, backup agents, or AV that should be running.", + "evidence": "AsusUpdateCheck (AsusUpdateCheck) = Stopped\nGoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped\nGoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped\nIBMPMSVC (Lenovo PM Service) = Stopped\nIntel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped\nLPlatSvc (Lenovo Platform Service) = Stopped" + }, + { + "id": "health.domain.workgroup", + "category": "health", + "severity": "info", + "title": "Not domain-joined (workgroup)", + "detail": "This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.", + "evidence": "PartOfDomain=False; Domain=WORKGROUP" + }, + { + "id": "health.time.source", + "category": "health", + "severity": "info", + "title": "Time service source", + "detail": "Current Windows Time service source.", + "evidence": "Source=time.windows.com,0x9" + }, + { + "id": "health.backup.none", + "category": "health", + "severity": "info", + "title": "No backup agent detected", + "detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.", + "evidence": "No matching backup service in Win32_Service" + } + ] +} diff --git a/clients/michaeljohnson/onboarding-baselines/MJ-PARALEGAL-20260629T211845.md b/clients/michaeljohnson/onboarding-baselines/MJ-PARALEGAL-20260629T211845.md new file mode 100644 index 00000000..f9bbb4f5 --- /dev/null +++ b/clients/michaeljohnson/onboarding-baselines/MJ-PARALEGAL-20260629T211845.md 
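Review bot: `backup_agents` and `foreign_agents` are emitted as `null` while the other empty collections in the same snapshot (`accounts_password_never_expires`, `key_protectors`) are `[]`, so any consumer of these baselines (including the diff-vs-prior-baseline step) has to special-case two keys; emit `"backup_agents": []` and `"foreign_agents": []` unless `null` is meant to mean "not collected", in which case that distinction should be stated next to the emitting code. The generator (run-onboarding-diagnostic.sh) is outside this diff, so the fix belongs there rather than in this immutable snapshot. Separately, `local_users` shows `localadmin` enabled with `last_logon` 2021-04-21 and a seat in `local_administrators`, yet the only finding covering it is the info-level `sec.local_admins.list`; an enabled administrator with no logon in years is exactly the leftover-provider account that finding's own detail text asks the reader to look for, and a warning-level rule keyed on last-logon age would surface it without manual review. The DHCP adapter also reports `dns` `172.16.132.1` on a different subnet from its `192.168.1.1` gateway, which may be intentional (a filtering resolver) but is worth a health finding so it is confirmed rather than assumed. Since the snapshot carries a MAC address, user SIDs and internal addressing, the `clients/` path this lands in needs the same access restriction as the rest of the client record.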
@@ -0,0 +1,254 @@ +# Onboarding Diagnostic Baseline - MJ-PARALEGAL + +- **Grade:** RED +- **Host:** MJ-PARALEGAL +- **Client:** Michael Johnson (`michaeljohnson`) +- **Collected (UTC):** 2026-06-29T21:17:55Z +- **Agent ID:** 4537ac34-e548-484c-b4e9-fd91e7f97a23 +- **Command ID:** a3095ece-7fd3-4751-acc6-867a1b41507b +- **Findings:** 2 critical / 4 warning / 14 info / 0 unknown + +- **OS:** Microsoft Windows 11 Pro (build 26200) + +--- + +## CRITICAL (2) + +### Firewall disabled on profile(s): Private, Public +- **Category:** security +- **ID:** `sec.firewall.disabled` +- One or more firewall profiles are OFF. The endpoint is exposed to lateral movement and inbound attacks on those networks. Re-enable all profiles. + +``` +Profile states: Private=False; Domain=True; Public=False +``` + +### Disk critically low: E: at 0% free +- **Category:** health +- **ID:** `health.disk_space.E` +- Less than 8 percent free. Risk of failed updates, crashes, and corruption. Free space or expand the volume urgently. + +``` +E: free 0 GB of 255.6 GB (0%) +``` + + +## WARNING (4) + +### OS volume is NOT encrypted with BitLocker +- **Category:** security +- **ID:** `sec.bitlocker.unencrypted` +- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key. + +``` +Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors= +``` + +### 2 pending Windows updates +- **Category:** security +- **ID:** `sec.patch.pending` +- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window. + +``` +Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 2 +``` + +### Stability events present in the last 14 days +- **Category:** health +- **ID:** `health.stability.some` +- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports. 
+ +``` +Unexpected shutdowns (id 41)=1; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0 +``` + +### 6 auto-start service(s) not running +- **Category:** health +- **ID:** `health.failed_services.stopped` +- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running. + +``` +AsusUpdateCheck (AsusUpdateCheck) = Stopped +GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped +GoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped +IBMPMSVC (Lenovo PM Service) = Stopped +Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped +LPlatSvc (Lenovo Platform Service) = Stopped +``` + + +## INFO (14) + +### Defender active and current +- **Category:** security +- **ID:** `sec.defender.ok` +- Real-time protection on, service running, signatures current. + +``` +RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=1 days; IsTamperProtected=True +``` + +### Defender is the only registered AV +- **Category:** security +- **ID:** `sec.av_products.defender_only` +- Only Microsoft/Windows Defender is registered in Security Center. + +``` +Windows Defender +``` + +### No competitor/leftover management agents detected +- **Category:** security +- **ID:** `sec.foreign_agents.none` +- No known competitor RMM or unmanaged remote-access agents found in installed programs or services. + +``` +Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service +``` + +### Expected ACG management tooling present: ScreenConnect / ConnectWise Control +- **Category:** security +- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. 
+ +``` +program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650 +service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running +``` + +### Expected ACG management tooling present: Splashtop (SOS/Streamer) +- **Category:** security +- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Splashtop Streamer 3.8.4.0 +service: SplashtopRemoteService (Splashtop? Remote Service) Running +``` + +### Expected ACG management tooling present: Syncro / Kabuto +- **Category:** security +- **ID:** `sec.foreign_agents.acg.syncro_kabuto` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Syncro 1.0.201.18410 +service: Syncro (Syncro) Running +``` + +### Local administrators (3) +- **Category:** security +- **ID:** `sec.local_admins.list` +- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider). + +``` +MJ-PARALEGAL\Administrator +MJ-PARALEGAL\localadmin +MJ-PARALEGAL\Paralegal +``` + +### OS build supported: Win11 25H2 +- **Category:** security +- **ID:** `sec.patch.os_supported` +- Build 26200 (Win11 25H2) is in support until 2027-10-12. + +``` +Microsoft Windows 11 Pro build 26200 +``` + +### Last hotfix: KB5094126 +- **Category:** security +- **ID:** `sec.patch.last_hotfix` +- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata). + +``` +KB5094126 installed 2026-06-10T07:00:00Z +``` + +### SMBv1 disabled +- **Category:** security +- **ID:** `sec.exposure.smb1_off` +- SMBv1 server protocol is disabled. 
+ +``` +EnableSMB1Protocol=False +``` + +### LAPS detected +- **Category:** security +- **ID:** `sec.exposure.laps_present` +- A LAPS mechanism is present. + +``` +Windows LAPS reg key +``` + +### Not domain-joined (workgroup) +- **Category:** health +- **ID:** `health.domain.workgroup` +- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies. + +``` +PartOfDomain=False; Domain=WORKGROUP +``` + +### Time service source +- **Category:** health +- **ID:** `health.time.source` +- Current Windows Time service source. + +``` +Source=time.windows.com,0x9 +``` + +### No backup agent detected +- **Category:** health +- **ID:** `health.backup.none` +- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it. + +``` +No matching backup service in Win32_Service +``` + + +--- + +## Inventory Baseline Summary + +- **Manufacturer / Model:** ASUS / System Product Name +- **Serial:** System Serial Number +- **CPU:** Intel(R) Core(TM) i5-10400 CPU @ 2.90GHz (6 cores / 12 logical) +- **RAM (GB):** 15.8 +- **BIOS:** 1620 (2021-07-09) +- **Chassis is laptop:** false +- **TPM present / Secure Boot:** true / true +- **Domain joined:** false (WORKGROUP) +- **OS activation licensed:** true +- **Uptime (days):** 0.3 +- **Pending reboot:** false +- **Installed software count:** 98 +- **Scheduled tasks (non-MS, enabled):** 24 +- **Local administrators:** MJ-PARALEGAL\Administrator, MJ-PARALEGAL\localadmin, MJ-PARALEGAL\Paralegal + +### Fixed volumes + +- E: - 0 GB free of 255.6 GB (0%) +- [unlabeled] - 0.2 GB free of 1 GB (18.7%) +- D: - 0 GB free of 0 GB (75.5%) +- C: - 70 GB free of 464.2 GB (15.1%) +- [unlabeled] - 0.1 GB free of 0.1 GB (64%) +- [unlabeled] - 0.1 GB free of 0.5 GB (16.6%) + +### Network adapters + +- Realtek PCIe GBE Family Controller - IP: 192.168.1.136, fe80::b20c:8d0b:48bf:1aea - DNS: 
172.16.132.1 - DHCP: true
+
+---
+
+## Diff vs Prior Baseline
+
+- No prior baseline found for this host. This is the first baseline.
+
+---
+
+_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `MJ-PARALEGAL-20260629T211845.json` (immutable)._
diff --git a/clients/rednour/session-logs/2026-06/2026-06-29-howard-legalasst-zip-hang-wp5-win11.md b/clients/rednour/session-logs/2026-06/2026-06-29-howard-legalasst-zip-hang-wp5-win11.md
new file mode 100644
index 00000000..d4f51829
--- /dev/null
+++ b/clients/rednour/session-logs/2026-06/2026-06-29-howard-legalasst-zip-hang-wp5-win11.md
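Review bot: The findings in this MJ-PARALEGAL report look like the same data as the DESKTOP-GG4LKSL findings in the preceding hunk rather than a measurement of this host: both show `E: free 0 GB of 255.6 GB (0%)`, the identical six stopped auto-start services (Lenovo `IBMPMSVC`/`LPlatSvc` plus `AsusUpdateCheck` on what the wiki table below calls an HP Pavilion and an ASUS board), the same `KB5094126 installed 2026-06-10T07:00:00Z`, and the same `Unexpected shutdowns (id 41)=1`, while the inventory summary (ASUS, i5-10400, 15.8 GB) does differ. That pattern suggests the findings collector ran against a single agent or a cached result for both machines, so the RED grade and the firewall/BitLocker criticals should be re-collected and confirmed on the endpoint before remediation is scheduled on them. Separately, `LAPS detected` rests only on a registry key; on a workgroup box with three local admins including `Paralegal` (apparently the daily-use account) there is nowhere for Windows LAPS to escrow the password unless the device is Entra-joined, so the finding should record the configured `BackupDirectory` and last rotation time rather than key presence.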
@@ -0,0 +1,148 @@ +# Rednour Law — LEGALASST explorer hang on .zip + WordPerfect 5 save error + Win11 plan + +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Diagnosed an explorer.exe stability problem on **LEGALASST**, the legal assistant's +workstation at Rednour Law (Carla Skinner's box; active local account `emma`, profile +`C:\Users\Ale`, OneDrive `carla@rednourlaw.com`). Reported via Carrie Rednour: explorer +repeatedly hung/crashed when "opening files or messing with files." Work was driven over +GuruRMM (agent `18825ea7-df58-47bb-b492-822cb16fb5ec`); the office subnet was initially +unreachable from HOWARD-HOME because Tailscale was stuck in `NoState`, which cleared on its +own shortly after. + +Established via the Application event log that explorer was **hanging (AppHang Event 1002), +not crashing** — there were no Event 1000 / faulting-module records. Hangs were firing +several times per hour on 2026-06-29 and continued after a 10:52 reboot. The `.NET Runtime` +Event 1022 "profiling API attach" errors (201 of them) were ruled out as benign noise — no +`COR_PROFILER` env var is set, so nothing is being injected into explorer via that path. + +Narrowed the cause by elimination. Blocked the Adobe shell extensions (Acrobat context-menu ++ CoreSync overlays) via the Microsoft "Blocked" CLSID list and restarted explorer — no +change, so Adobe was ruled out and reverted. Mapped drives X/Y/Z (→ `\\rednourcarrievirt`, +the cloned Carrie host) were healthy (`Status OK`, no SMBClient errors). The only +non-Microsoft DLLs actually loaded in explorer were the AMD Vega driver +(`amdihk64/atidxx64/aticfx64/atiuxp64`), but there were **zero display-driver TDR events**, +so the GPU driver was not crash-recovering. OneDrive sync was healthy and its overlay was not +even loaded. 
Howard then supplied the decisive clue: the hang happens **only when opening +`.zip` files**, Word/PDF open fine, and the failing zip is on the **local desktop** (not +OneDrive, not a network share). That isolated the fault to the **built-in Windows Compressed +Folders handler** (explorer's zip-as-folder namespace). `zipfldr.dll` is intact and validly +signed, so the hang is environmental, not a corrupt handler DLL. + +Howard installed **7-Zip 26.02** as a workaround — it opens the same zips fine because it is +a standalone app that never invokes explorer's zip namespace. He will set 7-Zip as the +default for `.zip` (and `.7z`/`.rar`, currently unassociated) via the 7-Zip GUI. A second, +separate issue on the same machine was reported: saving from **WordPerfect 5** returns "not +enough free space" regardless of save location, despite Howard verifying ample free space. +The plan is to **upgrade LEGALASST to Windows 11**, which is expected to resolve the +zip-handler hang by rebuilding the shell/system files (and applies the pending SFC repair); +the team will test a local zip with the built-in handler after the upgrade. All diagnostic +changes were reverted and the box was left clean. + +## Key Decisions + +- Diagnosed live over GuruRMM rather than waiting for on-site access; used `user_session` + context for HKCU/OneDrive/shell-folder reads and SYSTEM context for HKLM/event-log reads. +- Used the Microsoft **Shell Extensions\Blocked** CLSID list (reversible) to test-disable + Adobe/7-Zip shell extensions instead of deleting registrations — clean revert path. +- Treated the `.NET 1022` errors as noise after confirming no `COR_PROFILER` was set, instead + of chasing the profiler-injection theory. +- Did **not** hand-write a per-user UserChoice association hash for `.zip` (hash-protected; + a wrong hash leaves a broken "how do you want to open this?" prompt). Howard opted to set + the default in the 7-Zip GUI; no DefaultAssociations policy was pushed. 
+- Concluded the Win11 in-place upgrade is the right fix for the zip-handler hang (rebuilds + shell/system files) rather than further low-level surgery on a Win10 22H2 EOL box. + +## Problems Encountered + +- **Office subnet unreachable from HOWARD-HOME** — Tailscale daemon RUNNING but backend stuck + in `NoState`; a service restart did not clear it, but it came up on its own shortly after. +- **Orphaned RMM diagnostic process** — the first diagnostic command timed out server-side at + 120s (a `HKLM\...\Classes\*\shellex` wildcard scan), but the agent's child `powershell.exe` + (PID 1048) kept running on the endpoint for 10+ minutes, churning CPU. This was the + "PowerShell that's been running" Howard noticed. Killed it (SYSTEM context). Logged as + friction. +- **`$pid` reserved-variable collision** — used `$pid` as a variable in a remote script; `$PID` + is the automatic current-process-id variable, so the `.zip` ProgID read returned garbage + (16044). Re-ran with a non-reserved name. Logged as friction. +- **Mis-assumption corrected** — initially assumed LEGALASST was the cloned machine; Carrie's + machine was the one cloned (to host `rednourcarrievirt`), LEGALASST is the legal assistant's + (unchanged) box. Logged as a correction. + +## Configuration Changes + +Net change to the endpoint: **none** (all diagnostic changes reverted; box left clean). During +the session, on LEGALASST: +- Added then removed Adobe (4 CLSIDs) and 7-Zip shell-extension CLSIDs in + `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked` (Blocked list now + empty). +- Restarted explorer.exe several times (user_session). +- Killed orphaned diagnostic process PID 1048. +- Howard installed 7-Zip 26.02 (standalone; he will set `.zip`/`.7z`/`.rar` defaults). +- Howard ran `sfc /scannow` — found and repaired corruption (0 unrepairable); repair pending + a reboot to load. + +Repo: this session log; Rednour wiki record update pending (`/wiki-compile client:rednour`). 
+ +## Credentials & Secrets + +None discovered, created, or rotated this session. + +## Infrastructure & Servers + +- **LEGALASST** — legal assistant workstation, Rednour Law "Main Office" site. Win 10 Pro 22H2 + (build 19045, **EOL**), AMD Ryzen 3 3200G (Vega 8 iGPU), **5.9 GB RAM**, LAN 192.168.10.213. + GuruRMM agent `18825ea7-df58-47bb-b492-822cb16fb5ec`. Active local account `emma`, profile + `C:\Users\Ale`. OneDrive account `carla@rednourlaw.com`; Documents redirected to + `C:\Users\Ale\OneDrive - Rednour Law\Documents`. Leftover **SyncroLive.Agent.Runner** still + running. +- AMD GPU driver: 31.0.12027.9001 (2023-03-29). 7zFM.exe 26.02 at `C:\Program Files\7-Zip\`. +- `zipfldr.dll` = 10.0.19041.1, signature Valid (handler is intact). +- Mapped drives (user `emma`): X: `\\rednourcarrievirt\Time Matters Shared Files`, Y: + `\\rednourcarrievirt\Timeslips`, Z: `\\rednourcarrievirt\Documents` — all `Status OK`. +- GuruRMM server `http://172.16.3.30:3001`; coord `http://172.16.3.30:8001`. + +## Commands & Outputs + +- Diagnostic dispatch pattern: `POST /api/agents//command` (powershell, `context` + system or user_session), poll `GET /api/commands/`. +- Key reads: `Get-WinEvent` Application 1000/1002 + ProviderName 'Application Hang'/'.NET + Runtime'; explorer loaded modules filtered to non-Microsoft `CompanyName`; + `Get-SmbMapping`; `Get-MpComputerStatus`/`Get-MpPreference`; CBS.log `[SR]` parse. +- AppHang count = 10 in last 3h on 2026-06-29; latest 11:31:02 (post 10:52 reboot). +- `.zip` association: `HKCR\.zip` (default) = `CompressedFolder`, **no UserChoice**. 7-Zip + registered only a `7-Zip.iso` ProgId (no `7-Zip.zip`). `.7z`/`.rar` currently unassociated. +- SFC (CBS.log): "Verify and Repair Transaction completed... successfully repaired"; 0 + "cannot repair" entries. +- Defender: RTP on, no active scan, signatures fresh, `DisableArchiveScanning=False`, + `MAPSReporting=2`, `SubmitSamplesConsent=1` (archive + cloud scanning on). 
+ +## Pending / Incomplete Tasks + +1. **Howard:** set 7-Zip as default app for `.zip` (and `.7z`/`.rar`) via 7-Zip GUI + (Tools → Options → System). +2. **Upgrade LEGALASST to Windows 11** (expected to resolve the zip-handler hang; applies + the pending SFC repair). Pre-reqs: enable fTPM + Secure Boot in BIOS (Ryzen 3 3200G is + Win11-supported), bump RAM from 5.9 GB, remove the leftover Syncro agent. **Test a local + `.zip` with the built-in handler post-upgrade.** +3. **WordPerfect 5 "not enough free space" on save** — investigate. Leading hypothesis: + legacy/DOS-era WordPerfect free-space miscalculation on large-capacity volumes (free-space + value overflows → false "disk full"). This is app-level and will **not** be fixed by the + OS upgrade; mitigate via DOSBox or directing saves to a SUBST'd small-capacity location. + Confirm exact WP version/edition (DOS 5.1 vs Windows). +4. **If the zip hang persists after the Win11 upgrade:** next lead is Defender archive-scan + + cloud (MAPS) lookup stalling the shell when the built-in handler streams zip entries. +5. Standing P1s (pre-existing): reboot to apply SFC repair; remove prior MSP agents. + +## Reference Information + +- GuruRMM agent id: `18825ea7-df58-47bb-b492-822cb16fb5ec` (LEGALASST). +- Rednour tenant: `rednourlaw.com` (`4a4ca18a-f516-478b-99da-2e0722c5dc18`); Syncro customer + `1224246`. +- Wiki: `wiki/clients/rednour.md`. Refresh: `/wiki-compile client:rednour --full`. +- Reversible shell-ext disable mechanism: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked` (add CLSID value to block; delete to restore). diff --git a/clients/rednour/session-logs/2026-06/2026-06-29-howard-nick-mac-rmm-install-attempt.md b/clients/rednour/session-logs/2026-06/2026-06-29-howard-nick-mac-rmm-install-attempt.md new file mode 100644 index 00000000..a8d75e76 --- /dev/null +++ b/clients/rednour/session-logs/2026-06/2026-06-29-howard-nick-mac-rmm-install-attempt.md 
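Review bot: Pending task 4 names Defender archive scanning plus MAPS cloud lookup as the next lead for the zip hang but gives no guardrail on how to test it; the obvious experiment is `Set-MpPreference -DisableArchiveScanning $true`, which would leave a workstation still on EOL Win10 22H2 unable to inspect exactly the file type (`.zip`) that the "Commands & Outputs" section confirms is currently being scanned. Suggest adding to that item: `Test with a temporary path exclusion on the single test zip only; do not disable archive scanning or MAPS, and revert the exclusion immediately after.` It would also help the next tech if "Infrastructure & Servers" noted that the RMM API and coord endpoints are plain `http://172.16.3.30` and that dispatched commands run as SYSTEM on the endpoint, so the Tailscale-only reachability described in the summary appears to be the security boundary for that channel, not just a connectivity detail.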
@@ -0,0 +1,119 @@ +## User +- **User:** Howard Enos (howard) +- **Machine:** Howard-Home +- **Role:** tech + +## Session Summary + +Resumed work on getting the GuruRMM agent installed on Nick Pafford's Mac at Rednour Law +Offices (Rednour's office). The client/site was already onboarded (2026-05-29), so the goal +this session was to hand Nick the correct macOS download/install link and confirm enrollment. + +Pulled the Rednour Main site enrollment details from the vault (site_code GREEN-FALCON-7214) +and provided the public install page URL. On verification, the install **page** +(`/install/GREEN-FALCON-7214`) only exposes clickable buttons for Windows and Linux — there is +no Mac button. Confirmed instead that a macOS install path exists as a `curl | sudo bash` +one-liner at `/install/GREEN-FALCON-7214/macos`. Verified the script body (LaunchDaemon setup, +quarantine strip, site config for GREEN-FALCON-7214) and that the agent binary it downloads is a +Mach-O 64-bit arm64 executable (~3.96 MB), matching Nick's Apple Silicon Mac. Handed Nick the +Terminal one-liner plus his SMB share credential (from vault). + +Nick (or whoever was at the Mac) ran the installer and it reported success. However, repeated +fleet checks (3x over the session) showed the agent NOT checking in — no macOS agent appears +under Rednour Law Offices. The three Rednour agents enrolled are all Windows +(FrontDeskReception, LegalAsst, rednourcarrievirt). The only Macs in the entire fleet are +Scileppi's Mac-mini-2 and Mike's MacBook Air — neither is Nick's. So the install succeeded +locally but the agent is not connecting/enrolling to the server. + +Howard is no longer onsite and does not have the user's Mac password, so local diagnostics +(foreground run, launchctl check) can't be done right now. Work was deferred. 
Flagged Mike via +Discord DM that the Apple/macOS installer has an issue, that we're working it but lack the +user's password, and asked whether he has access to another M1/Apple Silicon Mac to test the +installer for repro. + +## Key Decisions + +- Handed Nick the macOS `curl | sudo bash` one-liner rather than the install page, since the + page has no Mac download button — only Windows/Linux. The `/macos` script path is the + supported macOS install route. +- Verified the downloaded binary architecture (arm64 Mach-O) before handing off, to rule out an + x86/arch mismatch on Nick's Apple Silicon Mac. +- Deferred diagnosis rather than guess: with no onsite access and no user password, the key + diagnostic (foreground `sudo /usr/local/bin/gururmm-agent` to see the connect error) can't be + run, so escalated to Mike and parked it. +- Used a person-targeted Discord DM to Mike (not a #bot-alerts post) since the ask was actionable + and directed at him specifically (needs an M1 to test). + +## Problems Encountered + +- **macOS agent installs but does not enroll.** Installer reports success on Nick's Apple + Silicon Mac, but no macOS agent shows under Rednour in the fleet after multiple checks. + Unresolved — deferred. Likely causes to check next: LaunchDaemon not actually started / + crashed on launch, Gatekeeper killing the unsigned binary despite quarantine strip, or + outbound connectivity to rmm.azcomputerguru.com blocked. Blocked on onsite access + user + password. +- **Install page has no Mac button** (Windows/Linux only). Worked around with the `/macos` + curl|bash one-liner, which is the real macOS install path. + +## Configuration Changes + +- None to the repo. No code changes. Vault entries were read-only this session (already + created in prior sessions). 
+ +## Credentials & Secrets + +- Nick Pafford SMB share access (read this session, already vaulted): + - Vault: `clients/rednour/nick-smb-rednourcarrievi.sops.yaml` + - Username: `REDNOURCARRIEVI\nick` + - Password: `Kg5Qe2Kc3` + - Mac mount: `smb://192.168.10.194/Documents` (Finder Cmd+K) + - Share: `\\REDNOURCARRIEVI\Documents` -> `C:\Users\Carrie\Documents`, access Modify (rw) + - Local Windows account on Carrie Rednour's workstation (workgroup, no AD), PasswordNeverExpires, + created 2026-06-25 per Syncro #32343. +- GuruRMM Rednour Main site enrollment (already vaulted): + - Vault: `clients/rednour/gururmm-site-main.sops.yaml` + - site_id: `c7f5787c-8e71-45b3-841f-fa52436f7d26` + - site_code: `GREEN-FALCON-7214` + +## Infrastructure & Servers + +- GuruRMM server API: `http://172.16.3.30:3001` (auth via vault gururmm-server.sops.yaml). +- GuruRMM public install host: `https://rmm.azcomputerguru.com` (Cloudflare-fronted). +- Rednour workstation REDNOURCARRIEVI: `192.168.10.194` (LAN) / `10.147.17.253` (ZeroTier). +- Rednour Law Offices fleet (all Windows, online, v0.6.66): FrontDeskReception, LegalAsst, + rednourcarrievirt. + +## Commands & Outputs + +- macOS install one-liner handed to Nick: + `curl -fsSL https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/macos | sudo bash` +- Mac agent binary verification: + `curl .../install/GREEN-FALCON-7214/download/macos` -> HTTP 200, Mach-O 64-bit arm64 + executable, ~3,960,397 bytes, filename `gururmm-agent-main`. +- Fleet check (no Rednour Mac present): + `curl -s "$RMM/api/agents" -H "Authorization: Bearer $TOKEN" | jq '... 
select rednour or macos'` +- Suggested local diagnostics for next session (need onsite/password): + - `sudo launchctl list | grep gururmm` + - `ls -l /usr/local/bin/gururmm-agent /usr/local/etc/gururmm/` + - `sudo /usr/local/bin/gururmm-agent` (foreground run to surface connect error) + - `curl -fsS -o /dev/null -w "%{http_code}" https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/macos` + +## Pending / Incomplete Tasks + +- **OPEN:** Nick's Mac GuruRMM agent not enrolling despite successful install. Deferred. + - Blocked on: not onsite + no user Mac password. + - Next steps: run foreground diagnostic on the Mac to capture the connect/enroll error; check + LaunchDaemon state and Gatekeeper; verify outbound to rmm.azcomputerguru.com. +- Mike asked (via DM) whether he has access to another M1/Apple Silicon Mac to test/repro the + macOS installer. + +## Reference Information + +- Install page: `https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214` +- macOS install script: `https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/macos` +- macOS agent binary: `https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/download/macos` +- MSI (Windows): `https://rmm.azcomputerguru.com/api/sites/c7f5787c-8e71-45b3-841f-fa52436f7d26/installer` +- Discord DM to Mike: message_id 1521264675965374656 +- Syncro ticket (SMB access): #32343 +- Related prior logs: `2026-06-25-howard-nick-smb-share-and-mac-rmm.md`, + `2026-06-26-howard-nick-mac-rmm-rootcause.md` diff --git a/errorlog.md b/errorlog.md index f68400cb..0013dfd6 100644 --- a/errorlog.md +++ b/errorlog.md 
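Review bot: The "Credentials & Secrets" section commits the SMB password for `REDNOURCARRIEVI\nick` in plaintext (`Password: Kg5Qe2Kc3`) into a markdown session log, even though the same secret is already held in `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`; that defeats the sops vault and the value is now in git history for anyone with repo access. Redact the line to a pointer (`Password: see vault entry above`) and rotate the `nick` account password on REDNOURCARRIEVI, since the history should be treated as exposed once this is pushed. The install path handed to the user is `curl -fsSL … | sudo bash` fetching a binary that the log's own hypothesis describes as unsigned and whose quarantine flag the script strips; until the agent is signed and notarized, the log could at least record the expected SHA-256 of the 3,960,397-byte arm64 binary so the next tech can verify what was actually executed on Nick's Mac.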
@@ -17,6 +17,7 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure · +<<<<<<< HEAD 2026-06-29 | GURU-5070 | remediation-tool/reset-password.sh | [friction] JIT de-elevation can never succeed: an app-only SP cannot remove its OWN Privileged Authentication Administrator assignment ('no privilege to remove self'). Every admin-account reset leaves standing PAA on the ComputerGuru Tenant Admin SP; requires a human Global Admin to remove. Likely also left PAA on birthbiologic.com (2026-06-08). [ctx: tenant=5c53ae9f-7071-4248-b834-8685b646450f sp=fccda86c-77ca-4248-b876-b0cdba8605d4 role=PrivilegedAuthAdmin fix=PIM-or-second-principal-or-human-GA] 2026-06-29 | GURU-5070 | remediation-tool | reset-password: failed to remove JIT Privileged Auth Admin role - standing privilege left behind, REMOVE MANUALLY [ctx: tenant=5c53ae9f-7071-4248-b834-8685b646450f assignment=ikzke6-tKk6E1qsmSeCKE2yozfzKd0hCuHawzbqGBdQ-1 http=400] 
@@ -30,6 +31,23 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure · 2026-06-29 | GURU-5070 | rmm/bash | [friction] passed ~20KB base64 inline via jq --arg in command line -> 'Argument list too long'; should stage data on the endpoint (it already had the CSV) or chunk-upload, never inline-pass large blobs [ctx: ref=CLAUDE.md windows-rules; host=ACG-DWP-X-BB] 2026-06-29 | GURU-5070 | migration/datto-to-sharepoint | 2026-06-26 SharePoint push corrupted files: byte array stringified ('$bytes') so each file written as space-separated DECIMAL TEXT instead of binary (xlsx '80 75 3 4...', pdf '37 80 68 70...'); format-agnostic, ~15 local + up to ~3298 cloud-only files modified 06-26; Datto source intact [ctx: client=birth-biologic host=ACG-DWP-X-BB vector=base64/stdout-capture-upload fix=use OneDrive-sync/SPMT or [IO.File]::WriteAllBytes] +======= +2026-06-29 | Howard-Home | cascades/SG-Caregivers | [correction] assumed adding Feller + Nyanzunda to SG-Caregivers per 6/4 worklist; correct is group = frontline caregivers ONLY, exclude admins/managers/admin-adjacent (Feller PA-remote, Nyanzunda MC admin asst) do NOT go in + +2026-06-29 | Howard-Home | rmm/coord | [friction] 172.16.3.30 unreachable from Howard-Home (RMM :3001 + coord :8001 dead; Cascades VPN up) — ACG-internal route down [ctx: ref=cascades-caregiver-group-task] + +2026-06-29 | Howard-Home | rmm/powershell | [friction] used $pid as a variable in remote PS script; $PID is a reserved automatic variable (current process id) so the .zip ProgID read was clobbered (showed 16044). Use a non-reserved name e.g. $zipProg [ctx: ref=feedback_windows_quote_stripping-style-PS-gotchas] + +2026-06-29 | Howard-Home | rmm/rednour-legalasst | [correction] assumed LEGALASST was the cloned machine; correct is that CARRIE'S machine was cloned (to host rednourcarrievirt) and LEGALASST is EMMA'S machine (not cloned). 
Emma's drives X/Y/Z were remapped today to ednourcarrievirt [ctx: client=rednour host=LEGALASST] + +2026-06-29 | Howard-Home | rmm-auth/tailscale | [friction] RMM+coord unreachable (http=000); tailscaled service RUNNING but backend stuck in NoState after restart -> 172.16.3.30 unping-able from HOWARD-HOME [ctx: ref=remote-diag fix=tailscale-relogin] + +2026-06-29 | Howard-Home | rmm-auth | RMM login failed (no token returned from /api/auth/login) [ctx: url=http://172.16.3.30:3001 resp=] + +2026-06-29 | Howard-Home | rmm-search | RMM auth failed via rmm-auth.sh (no TOKEN/RMM) + +2026-06-29 | Howard-Home | rmm-search | RMM auth failed via rmm-auth.sh (no TOKEN/RMM) +>>>>>>> a0d073f (sync: auto-sync from HOWARD-HOME at 2026-06-29 14:22:54) 2026-06-29 | Howard-Home | save/rmm-scratch | [friction] wrote RMM command-id scratch files (.netprobe_id, .stage_id, etc.) to repo root C:/claudetools; .netprobe_id got swept into a sync commit by git add -A and needed git rm. Use the session scratchpad dir for transient IDs, not the repo root. [ctx: ref=feedback_tmp_path_windows] diff --git a/wiki/clients/michaeljohnson.md b/wiki/clients/michaeljohnson.md new file mode 100644 index 00000000..c750404a --- /dev/null +++ b/wiki/clients/michaeljohnson.md 
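Review bot: This hunk commits unresolved git conflict markers into errorlog.md: `+=======` and `+>>>>>>> a0d073f (sync: auto-sync from HOWARD-HOME at 2026-06-29 14:22:54)` are added here, and the matching `+<<<<<<< HEAD` is added by the preceding `@@ -17,6 +17,7 @@` hunk. Anything that parses this log by its `date | host | area | [type] message` layout will now choke on those three lines, and the fact that an auto-sync commit carried them suggests the sync script pushes without checking for an in-progress merge. Resolve by deleting the three marker lines and keeping both sides (the GURU-5070 entries and the Howard-Home entries come from different hosts, so both belong), and consider having the sync script abort when `git ls-files -u` is non-empty or `git diff --check` reports conflict markers.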
@@ -0,0 +1,143 @@ +--- +type: client +name: michaeljohnson +display_name: Michael Johnson (Law Office) +last_compiled: 2026-06-29 +compiled_by: HOWARD-HOME/claude-main +sources: + - clients/michaeljohnson/onboarding-baselines/DESKTOP-GG4LKSL-20260629T211835.md + - clients/michaeljohnson/onboarding-baselines/MJ-PARALEGAL-20260629T211845.md + - Syncro customer 152567 (ticket history + contact record) + - GuruRMM onboarding 2026-06-29 (client + site "Main", BRIGHT-RIVER-8998) +--- + +# Michael Johnson (Law Office) + +## Profile + +- **Business type:** Solo legal practice (Tucson, AZ) — *inferred* from the paralegal + workstation, WordPerfect + "Seabill" legal-billing software, and the recurring + shared-file / Outlook-calendar-sync work between Michael's and Crystal's machines. + Not formally stated in Syncro (no `business_name` on the record). +- **Syncro Customer ID:** 152567 (customer record created 2013-12-04 — long-standing client) +- **Billing model:** Break-fix / time-and-materials. **No prepaid block** (`prepay_hours = 0.0`, + live 2026-06-29). History is overwhelmingly emergency / onsite / remote one-off tickets. +- **Address:** 177 N Church, Tucson, AZ 85701 +- **GuruRMM onboarded:** 2026-06-29 (Howard) — client + site "Main"; both workstations enrolled same day. +- **Onboarding grade:** DESKTOP-GG4LKSL = **AMBER**; MJ-PARALEGAL = **RED**. + +## Contacts + +| Name | Role | Email / Phone | Notes | +|---|---|---|---| +| Michael Johnson | Owner / attorney | michaeljohnson311@gmail.com / 520-622-0065 | Primary Syncro contact; uses DESKTOP-GG4LKSL | +| Crystal (Krystal) | Paralegal / assistant | (no email on file) / 520-906-4672 | Uses MJ-PARALEGAL; most day-to-day tickets are hers | + +Email is on **Gmail / Google Workspace** (consumer/Workspace — not M365). Several past tickets +involve Google account storage/payment and Outlook talking to the Google calendar; mail is **not** +hosted or managed by ACG M365 tooling. 
+ +## Infrastructure + +### Network + +- **Topology:** Workgroup, peer-to-peer (no on-prem AD, no domain join). Both machines report + `PartOfDomain=False` / `Domain=WORKGROUP`. +- **LAN subnet:** 192.168.1.0/24. +- Shared files are served peer-to-peer between the two workstations (consistent with the long + history of "can't access shared files" tickets) — exact share host/path **not yet mapped**. + +### Workstations (GuruRMM enrolled 2026-06-29, site "Main") + +| Hostname | User | Model | CPU | RAM | OS | IP | Agent ID | Grade | +|---|---|---|---|---|---|---|---|---| +| DESKTOP-GG4LKSL | Michael | HP Pavilion Gaming TG01-2xxx | i7-11700F 8c/16t | 31.8 GB | Win 11 Pro 25H2 (build 26200) | 192.168.1.135 (Wi-Fi) | 09c08484-2b51-404b-a294-6e39f498867c | AMBER | +| MJ-PARALEGAL | Crystal | ASUS (desktop, generic board) | i5-10400 6c/12t | 15.8 GB | Win 11 Pro 25H2 (build 26200) | 192.168.1.136 (wired) | 4537ac34-e548-484c-b4e9-fd91e7f97a23 | RED | + +Both on Win 11 25H2 (supported until 2027-10-12), OS activated, agent v0.6.75, Defender active & +current with Tamper Protection on, SMBv1 disabled, LAPS reg key present. Neither has a backup agent. +MJ-PARALEGAL was recently recovered + upgraded to Win11 (Syncro #31768). + +### RMM site / enrollment + +- **Client:** Michael Johnson · **Site:** Main · **Site code:** `BRIGHT-RIVER-8998` +- **Client ID:** `99022a2e-6b8f-472b-9269-6a746ef0970b` · **Site ID:** `94b5cb21-3d8e-484a-8ef3-8388b66417d2` +- **Install page:** https://rmm.azcomputerguru.com/install/BRIGHT-RIVER-8998 +- **Enrollment key vault path:** `clients/michaeljohnson/gururmm-site-main.sops.yaml` (also stamped `syncro_customer_id: 152567`) + +## Onboarding Findings (2026-06-29 baselines) + +### MJ-PARALEGAL — RED (2 critical / 4 warning) + +- **[CRITICAL] Firewall OFF on Private + Public profiles** (`Domain=True` only). Exposed to inbound / + lateral attacks on the local network. Re-enable all profiles. +- **[CRITICAL] E: drive 0% free** (0 GB of 255.6 GB). 
Risk of failed updates, crashes, corruption. + Find what is filling it (likely data / scanned docs) and clean up or expand urgently. +- [WARNING] BitLocker off on C: · 2 pending Windows updates · 1 unexpected shutdown in last 14 days · + 6 auto-start services stopped (Asus/Lenovo/Google updaters + Intel TPM provisioning — mostly benign, + but note Lenovo *and* Asus services on the same box suggests image/hardware churn). +- DNS server set to **172.16.132.1** on a 192.168.1.x LAN — anomalous (looks like a stale/foreign + resolver, possibly a leftover VPN/management DNS). Verify and correct to the local gateway/ISP DNS. +- Local admins: `Administrator`, `localadmin`, `Paralegal`. + +### DESKTOP-GG4LKSL — AMBER (0 critical / 5 warning) + +- [WARNING] BitLocker off on C: · 4 pending Windows updates · D: 14.6% free (68.1 GB of 465.8 GB) · + 1 unexpected shutdown in last 14 days · 3 auto-start services stopped (Google updaters + Intel TPM). +- Note: C: is the large/healthy volume (690 GB free of 930 GB); **D: is the low one** — confirm which + volume holds working data before cleanup. +- Windows Time source is **time1.aliyun.com** (Alibaba NTP) — unusual; reset to a standard pool + (`time.windows.com` / `pool.ntp.org`). +- Local admins: `Administrator`, `Localadmin`, `owner`. + +### Common to both +- No BitLocker (workgroup, no escrow target — would need manual key storage / vault). +- No backup agent on either machine — **no backup coverage confirmed.** For a law office this is the + biggest gap; confirm whether anything (cloud sync, manual) protects the working files. +- Defender-only AV, firewall (GG4LKSL all-on / PARALEGAL needs fixing), SMBv1 off — baseline security + otherwise reasonable. +- ACG remote tooling present and expected: ScreenConnect on both; Splashtop + Syncro agent additionally + on MJ-PARALEGAL. No competitor/foreign RMM agents detected. + +## Syncro + +- **Customer:** Michael Johnson, id `152567` (since 2013-12-04). Break-fix, no prepaid block. 
+- **Open ticket:** #32477 — *Onsite - Check machine connections and printers.* (New) +- **Recent relevant:** #31768 *Recovered Paralegal Machine and Win11 Upgrade* (Invoiced) — origin of the + current MJ-PARALEGAL build; #32329 *Calendar issues* (Resolved). +- **Recurring ticket themes** across ~50 tickets: printer setup/offline errors, Outlook<->Google + calendar sync between Michael & Crystal, "can't access shared files", mice failing after power + outages, WordPerfect/Seabill hangs, new-machine builds. + +## Patterns & Known Issues + +- **Two-person peer-to-peer office.** Everything is workgroup + shared files between Michael's and + Crystal's PCs. Shared-file and calendar-sync breakage is the single most common call — there is no + server, so a machine being down/offline breaks the other's access. +- **Mail is Google, not M365.** Do not reach for the ComputerGuru M365 remediation suite here — Outlook + is configured against a Google account. Google storage/billing has caused outages historically. +- **Power-outage sensitivity.** Multiple "mouse/peripheral dead after a power outage" and + "machines went down" tickets — no UPS protection documented; a UPS on each machine would cut repeat + emergency calls. +- **Backups unverified.** No backup agent on either workstation. For a legal practice's working files + this is the top risk to close. +- **MJ-PARALEGAL E: full + firewall off** are the two immediate must-fix items from onboarding. 
+ +## Active Work / Open Items + +| Priority | Action | Owner | Notes | +|---|---|---|---| +| P1 | Re-enable firewall (Private + Public) on MJ-PARALEGAL | Howard | CRITICAL onboarding finding | +| P1 | Clear/expand E: on MJ-PARALEGAL (0% free) | Howard | CRITICAL; identify what's filling 255 GB | +| P1 | Establish/confirm backup coverage for both PCs | Howard/Mike | No backup agent on either; law-office data | +| P2 | Fix anomalous DNS (172.16.132.1) on MJ-PARALEGAL | Howard | Should be local gateway / ISP DNS | +| P2 | Onsite #32477 — check machine connections + printers | Howard | Open Syncro ticket | +| P2 | Install pending Windows updates (4 on GG4LKSL, 2 on PARALEGAL) | Howard | Next maintenance window | +| P3 | Free space on GG4LKSL D: (14.6%) | Howard | Confirm which volume holds data first | +| P3 | Reset GG4LKSL time source off Alibaba NTP | Howard | Use standard NTP pool | +| P3 | Evaluate UPS for both machines | Mike | Repeat post-outage peripheral failures | +| P3 | Consider BitLocker (with key escrow) | Howard | Both unencrypted; workgroup needs manual key storage | + +## Backlinks + +- [[projects/gururmm]] — DESKTOP-GG4LKSL + MJ-PARALEGAL enrolled (site: Main / BRIGHT-RIVER-8998) diff --git a/wiki/clients/rednour.md b/wiki/clients/rednour.md index 7fc092f4..8ffc10c4 100644 --- a/wiki/clients/rednour.md +++ b/wiki/clients/rednour.md 
@@ -2,13 +2,14 @@ type: client name: rednour display_name: Rednour Law Offices -last_compiled: 2026-06-02 -compiled_by: DESKTOP-0O8A1RL/claude-main +last_compiled: 2026-06-29 +compiled_by: HOWARD-HOME/claude-main sources: - clients/rednour/reports/2026-05-31-onboard-and-rename-emma-to-carla.md - clients/rednour/reports/2026-06-01-carla-password-set.md - clients/rednour/reports/2026-06-02-carrie-emma-display-name-stale-pin.md - clients/rednour/session-logs/2026-06-02-session.md + - clients/rednour/session-logs/2026-06/2026-06-29-howard-legalasst-zip-hang-wp5-win11.md - session-logs/2026-05-31-mike-rednour-and-claudetools-infra.md - clients/rednour/onboarding-baselines/FRONTDESKRECEPT-20260529T195614.md - clients/rednour/onboarding-baselines/LEGALASST-20260529T200647.md 
@@ -183,6 +184,44 @@ Created a dedicated standard local account **`nick`** on REDNOURCARRIEVI (Passwo Operational note: PowerShell `Set-Acl` ACL propagation down Carrie's large Documents tree exceeded the RMM command timeout (twice), and since stdout is dropped on timeout a randomly-generated password was lost each time — generate passwords locally so they survive a timeout (logged to errorlog). +### 2026-06-29 — LEGALASST (legal assistant / "Emma") explorer hang on .zip + WordPerfect 5 save error; Win11 upgrade planned + +**Operator: Howard Enos** (reported via Carrie). The legal assistant's workstation +**LEGALASST** (Carla Skinner's box; active local account `emma`, profile `C:\Users\Ale`, +OneDrive `carla@rednourlaw.com`) repeatedly hung explorer when opening files. Diagnosed live +over GuruRMM (agent `18825ea7-df58-47bb-b492-822cb16fb5ec`). + +- **explorer HANGS, not crashes** — AppHang Event 1002 (no Event 1000 / faulting module); + ~10 in 3h on 2026-06-29, continuing after a 10:52 reboot. +- **Root cause: the built-in Windows Compressed Folders handler** (explorer's zip-as-folder + namespace). Symptom narrowed to **opening `.zip` only** (Word/PDF/folders fine), and the + failing zip is **local (desktop)** — not OneDrive, not a network share. `zipfldr.dll` is + intact + validly signed, so the hang is environmental, not a corrupt handler DLL. +- **Ruled out:** Adobe shell extensions (blocked/tested via the Microsoft `Shell Extensions\ + Blocked` list, no change, reverted); AMD Vega driver (only non-MS DLLs in explorer, but + zero TDR events); OneDrive (overlay not even loaded, sync healthy); remapped drives X/Y/Z → + `\\rednourcarrievirt` (Status OK, SMB healthy); `.NET Runtime 1022` "profiling API attach" + (201 events but no `COR_PROFILER` set — benign noise). +- **SFC** (run by Howard) found and repaired corruption (0 unrepairable) — repair pending a + reboot to load. 
+- **Workaround:** Howard installed **7-Zip 26.02** (`C:\Program Files\7-Zip\7zFM.exe`); it + opens the zips fine (bypasses explorer's zip namespace). Howard to set 7-Zip as default for + `.zip` (and `.7z`/`.rar`, currently unassociated). `.zip` had no UserChoice; 7-Zip only + registered a `7-Zip.iso` ProgId on install. +- **Second issue (same machine): WordPerfect 5 "not enough free space" on save** regardless + of save location, despite Howard verifying ample free space. Leading hypothesis: legacy/ + DOS-era WordPerfect free-space miscalculation on large-capacity volumes (free-space value + overflows → false "disk full"). App-level; **the OS upgrade will not fix it**. Mitigate via + DOSBox or a SUBST'd small-capacity save target. Exact WP version/edition (DOS 5.1 vs + Windows) to be confirmed. +- **Plan: upgrade LEGALASST to Windows 11** — expected to resolve the zip-handler hang by + rebuilding the shell/system files (also applies the SFC repair). Verify by opening a local + `.zip` with the *built-in* handler post-upgrade. If the hang persists, next lead is Defender + archive-scan + cloud (MAPS) lookup stalling the shell. + +All diagnostic changes were reverted (Adobe/7-Zip Blocked-list test entries removed; an +orphaned RMM diagnostic process killed) — the box was left clean. + ## Patterns & Known Issues - **EWS required for personal contact work.** No app in the ComputerGuru suite holds `Contacts.Read` or `Contacts.ReadWrite` on Graph. Personal contact folder reads and modifications must go through EWS (`full_access_as_app` on the Exchange Operator SP with `ExchangeImpersonation`). 
@@ -194,6 +233,18 @@ Operational note: PowerShell `Set-Acl` ACL propagation down Carrie's large Docum - **macOS RMM agent won't run on Apple Silicon if unsigned.** The site-code installer serves an unsigned aarch64 binary; Apple Silicon SIGKILLs unsigned Mach-O. Until the server publishes a signed/notarized build (`build-macos-signed.sh`), Apple Silicon Mac enrollment fails (blocks Nick's Mac; same root issue likely affects Scileppi's Mac). - **LEGALASST and REDNOURCARRIEVI are on Win 10 22H2 (EOL).** No security updates since 2025-10-14. Plan OS upgrade to Win 11 or Win 10 newer build. - **REDNOURCARRIEVI: Defender was off at onboarding.** Confirm it has been re-enabled; it is a critical finding. +- **LEGALASST: built-in Compressed Folders handler hangs explorer on `.zip` open.** Local zips; + Word/PDF fine. `zipfldr.dll` intact (environmental, not a corrupt DLL). AppHang Event 1002, + no faulting module. Workaround = 7-Zip as default for `.zip`. Win11 upgrade planned to + resolve. If it persists post-upgrade, suspect Defender archive-scan + cloud (MAPS) lookup + stalling the shell. To test-disable any shell extension reversibly, add its CLSID to + `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked` (delete to restore). +- **LEGALASST: WordPerfect 5 "not enough free space" on save** despite verified free space and + regardless of save location. Likely legacy free-space overflow on large-capacity volumes; + **OS upgrade will not fix it**; mitigate via DOSBox / SUBST small-capacity drive. Confirm WP + version/edition. +- **`.NET Runtime 1022` "profiling API attach" errors are noise** unless a `COR_PROFILER` env + var is actually set — do not chase them as a hang cause. ## Active Work / Open Items 
@@ -202,6 +253,9 @@ Operational note: PowerShell `Set-Acl` ACL propagation down Carrie's large Docum | P1 | Re-enable Defender on REDNOURCARRIEVI | Howard/Mike | Was off at onboarding 2026-05-29; confirm current state | | P1 | Remove prior MSP agents (ScreenConnect, Splashtop, Syncro, Datto RMM) | Mike/Howard | Present on all 3 machines; Datto RMM on REDNOURCARRIEVI only | | P1 | Upgrade LEGALASST and REDNOURCARRIEVI to a supported OS | Mike | Both on Win 10 22H2 (EOL 2025-10-14) | +| P1 | Upgrade LEGALASST to Windows 11 | Mike/Howard | 2026-06-29: expected to resolve the explorer-on-.zip hang (rebuilds shell/system files) + applies pending SFC repair. Pre-reqs: enable fTPM + Secure Boot (Ryzen 3 3200G is Win11-supported), bump RAM from 5.9 GB, remove leftover Syncro agent. Test a local `.zip` with the built-in handler post-upgrade | +| P2 | LEGALASST: WordPerfect 5 "not enough free space" on save | Howard | 2026-06-29: error on save regardless of location; ample free space verified. Likely legacy free-space overflow on large volume; OS upgrade will NOT fix. Mitigate via DOSBox / SUBST small-capacity drive; confirm WP version/edition | +| INTERIM | LEGALASST: set 7-Zip as default for `.zip`/`.7z`/`.rar` | Howard | 2026-06-29: 7-Zip 26.02 installed as workaround for the built-in zip-handler hang; set defaults via 7-Zip GUI (Tools -> Options -> System) | | DONE | Shared-drive access for Nick Pafford | Howard | 2026-06-25: created local `nick` account on REDNOURCARRIEVI; `Documents` share = Change + NTFS = Modify; cred vaulted `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`; Nick's Apple Silicon Mac mounts `smb://192.168.10.194/Documents` | | P1 | Fix GuruRMM macOS agent install on Nick's Apple Silicon Mac | Howard/Mike | 2026-06-25 install failed. Likely cause: served aarch64 binary is **unsigned** -> Apple Silicon SIGKILLs it. Fix: serve the signed+notarized binary (`agent/build-macos-signed.sh`, Mike's Developer ID) or ad-hoc `codesign -s -` in the installer. 
Confirm with Mac log (`killed: 9`). Deferred (limited ScreenConnect session only) | | P2 | Return visit: phone + printer setup at Rednour | Howard | 2026-06-25: pending; may require running a new wire / installing a switch | diff --git a/wiki/index.md b/wiki/index.md index f945788e..671da9b6 100644 --- a/wiki/index.md +++ b/wiki/index.md @@ -1,6 +1,6 @@ # Wiki Index -Last updated: 2026-06-26 +Last updated: 2026-06-29 Compiled by: HOWARD-HOME/claude-main This wiki is LLM-maintained. Do not edit articles manually — run `/wiki-compile` to update. 
@@ -58,6 +58,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks. | [Universal Minerals International](clients/universal-minerals.md) | Minerals/commodities, Tucson AZ; Syncro 34844920; **break-fix, no prepaid/RMM**; CyndyOffice (HP Pavilion TP01, Win11 Home, QuickBooks Enterprise 22.0) intermittent hard-freeze (Kernel-Power 41, no dump = hardware/firmware) — BIOS F.38 + Fast Startup off + memtest passed 2026-06-10, PSU prime remaining suspect; QB messaging crash-loop repaired; ticket #32397 monitoring; temporary diagnostic RMM agent removed same-day | 2026-06-10 | | [Putt Land Surveying](clients/putt-land-surveying.md) | Land surveying firm; Syncro 7180175; managed services $223.92/mo; 7 devices; M365 direct (8 mailboxes, cloud-only, 2x Basic + 5x Premium); **DNS wipe 2026-06-09** — all records deleted (MX, SPF, autodiscover, A), email+website down; GoDaddy domain in client's own account (no ACG control); ticket #32404 Waiting on Customer; remediation tools onboarded 2026-06-10 | 2026-06-10 | | [Gonzvar Tax Services](clients/gonzvar-tax-services.md) | Tax services firm; Syncro 1830740 ("Gonzvar Tax Service", break-fix, ~$175/hr); 6 machines in GuruRMM (GTS.local AD, 2 servers + 4 workstations); open security findings from 2026-06-06 onboarding baseline; QuickBooks RemoteApp + Tailscale VPN pending | 2026-06-12 | +| [Michael Johnson (Law Office)](clients/michaeljohnson.md) | Solo legal practice (inferred — WordPerfect/Seabill, paralegal), Tucson AZ; Syncro 152567 (since 2013), break-fix, no prepaid; mail on Google (not M365); 2-person peer-to-peer workgroup (Michael + Crystal); GuruRMM onboarded 2026-06-29 (site Main, BRIGHT-RIVER-8998) — DESKTOP-GG4LKSL (AMBER) + MJ-PARALEGAL (RED: firewall off + E: 0% free); no backup agent on either; open #32477 onsite printers | 2026-06-29 | | [Tohono O'odham Nation DoIT](clients/tohono-oodham-doit.md) | Tribal government IT dept; Syncro 33069069; Starlink reseller client — 2x Check Point 1550 field sites on 
Starlink Roam (CGNAT); break-fix $175/hr; VPN design (IPsec vs Tailscale) pending | 2026-05-27 | | [Tucson Golden Corral](clients/tucson-golden-corral.md) | Restaurant (Tucson AZ); Syncro 3859123; prepaid block 12.75 hrs; email on Neptune Exchange; WS2016 single-box DC/RDS/Hyper-V/SQL + Sage 100 ERP (TGC-SERVER colocated at ACG main office); architecture concerns outstanding | 2026-05-26 | | [Russo Law Firm](clients/russo-law.md) | Tucson law practice; Syncro 23331699; managed $543.50/mo (GPS+AV+backup+Seafile hosting+Office) + OIT phone $45.44/mo; 12 prepaid hrs; M365 rrs-law.com (~3 seats, admin guru@ vaulted); **active pre-sales 2026-06: wants to move ~6.5 TB from Seafile to SharePoint — full live move ~$1,120/mo (~$13.4K/yr), recommend hybrid (SP Online working set + Seafile bulk); phone meeting pending, client not yet responded** | 2026-06-15 |