sync: auto-sync from HOWARD-HOME at 2026-06-29 14:23:40

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-29 14:23:40
This commit is contained in:
2026-06-29 14:24:12 -07:00
parent 602c5e5bd6
commit 00af39d369
12 changed files with 2873 additions and 3 deletions


@@ -0,0 +1,744 @@
{
"host": "DESKTOP-GG4LKSL",
"collected_at_utc": "2026-06-29T21:17:50Z",
"os": {
"caption": "Microsoft Windows 11 Pro",
"version": "10.0.26200",
"build": "26200",
"install_date": "2025-06-30T15:13:20Z",
"last_boot_utc": "2026-06-29T14:27:52Z",
"architecture": "64-bit"
},
"facts": {
"builtin_admin_enabled": false,
"os_eol": {
"eol_date": "2027-10-12",
"release": "Win11 25H2"
},
"pending_updates": 4,
"pending_reboot": false,
"uptime_days": 0.3,
"acg_managed_tools": "ScreenConnect / ConnectWise Control",
"hardware": {
"model": "HP Pavilion Gaming Desktop TG01-2xxx",
"manufacturer": "HP",
"bios_date": "2023-07-11",
"cpu_logical": 16,
"bios_version": "F.21",
"cpu_cores": 8,
"ram_gb": 31.8,
"serial": "4CE136C774",
"cpu": "11th Gen Intel(R) Core(TM) i7-11700F @ 2.50GHz"
},
"third_party_av_active": false,
"os_build": "26200",
"secure_boot": false,
"backup_agents": null,
"autoruns_run_keys": [
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "SecurityHealth",
"value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "QuickFinder Scheduler",
"value": "\"c:\\Program Files (x86)\\Corel\\WordPerfect Office 2021\\Programs\\QFSCHD210.EXE\""
}
],
"physical_disks": [
{
"health": "Healthy",
"model": "Seagate Backup+ BK",
"media_type": "Unspecified"
},
{
"health": "Healthy",
"model": "WD Green SN350 1TB 2G0C",
"media_type": "SSD"
}
],
"local_users": [
{
"last_logon": "",
"name": "Administrator",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "",
"name": "DefaultAccount",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "2025-06-30",
"name": "Guest",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "2026-06-29",
"name": "Localadmin",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "2026-06-29",
"name": "owner",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "",
"name": "WDAGUtilityAccount",
"password_never_expires": false,
"enabled": false
}
],
"scheduled_tasks_count": 18,
"volumes": [
{
"drive": "D:",
"size_gb": 465.8,
"free_pct": 14.6,
"free_gb": 68.1
},
{
"drive": "[unlabeled]",
"size_gb": 0.7,
"free_pct": 8.3,
"free_gb": 0.1
},
{
"drive": "[unlabeled]",
"size_gb": 0.1,
"free_pct": 38.7,
"free_gb": 0
},
{
"drive": "C:",
"size_gb": 930.6,
"free_pct": 74.2,
"free_gb": 690.6
}
],
"network_adapters": [
{
"dhcp": false,
"description": "Intel(R) Wi-Fi 6 AX201 160MHz",
"gateway": [
"192.168.1.1"
],
"mac": "4C:44:5B:57:C8:D0",
"ip": [
"192.168.1.135",
"fe80::b290:dac4:8c2:f9d6"
],
"dns": [
null
]
}
],
"failed_autostart_services": [
{
"name": "GoogleUpdaterInternalService150.0.7863.0",
"display": "Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)",
"state": "Stopped"
},
{
"name": "GoogleUpdaterService150.0.7863.0",
"display": "Google Updater Service (GoogleUpdaterService150.0.7863.0)",
"state": "Stopped"
},
{
"name": "Intel(R) TPM Provisioning Service",
"display": "Intel(R) TPM Provisioning Service",
"state": "Stopped"
}
],
"stability_14d": {
"unexpected_shutdowns": 1,
"disk_errors": 0,
"bugchecks": 0
},
"exposure": {
"smb1_enabled": false,
"laps_present": true,
"rdp_enabled": false,
"uac_enabled": true,
"rdp_nla": true
},
"accounts_password_never_expires": [],
"installed_software": [
{
"publisher": "Adobe",
"name": "Adobe Acrobat (64-bit)",
"version": "26.001.21691"
},
{
"publisher": "Adobe Systems Incorporated",
"name": "Adobe Refresh Manager",
"version": "1.8.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Copilot",
"version": "149.0.4022.80"
},
{
"publisher": "Corel corporation",
"name": "Corel Update Manager",
"version": "2.14.630"
},
{
"publisher": "Google LLC",
"name": "Google Chrome",
"version": "149.0.7827.197"
},
{
"publisher": "",
"name": "HP LaserJet Professional P1100-P1560-P1600 Series",
"version": ""
},
{
"publisher": "Vantage Linguistics",
"name": "iSEEK AnswerWorks English Runtime",
"version": "010.000.0101"
},
{
"publisher": "Chaos Software Group, Inc.",
"name": "Legal Billing",
"version": ""
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft 365 Apps for business - en-us",
"version": "16.0.20026.20182"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Edge",
"version": "149.0.4022.98"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Edge WebView2 Runtime",
"version": "149.0.4022.98"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft OneDrive",
"version": "26.106.0603.0003"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Update Health Tools",
"version": "5.72.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Basic for Applications 7.1 (x86)",
"version": "7.1.00.00"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Basic for Applications 7.1 (x86) English",
"version": "7.1.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35211",
"version": "14.44.35211.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.44.35211",
"version": "14.44.35211.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "NVIDIA Corporation",
"name": "NVIDIA Control Panel 391.35",
"version": "391.35"
},
{
"publisher": "NVIDIA Corporation",
"name": "NVIDIA Display Container",
"version": "1.2"
},
{
"publisher": "NVIDIA Corporation",
"name": "NVIDIA Display Container LS",
"version": "1.2"
},
{
"publisher": "NVIDIA Corporation",
"name": "NVIDIA Display Session Container",
"version": "1.2"
},
{
"publisher": "NVIDIA Corporation",
"name": "NVIDIA Display Watchdog Plugin",
"version": "1.2"
},
{
"publisher": "NVIDIA Corporation",
"name": "NVIDIA Install Application",
"version": "2.1002.275.2323"
},
{
"publisher": "Microsoft Corporation",
"name": "Office 16 Click-to-Run Extensibility Component",
"version": "16.0.20026.20076"
},
{
"publisher": "Intuit",
"name": "Quicken 2013",
"version": "22.1.12.7"
},
{
"publisher": "ScreenConnect Software",
"name": "ScreenConnect Client (1912bf3444b41a08)",
"version": "26.3.11.9650"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021",
"version": "21.0.0.81"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Common Files",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Common Files English",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - IPM",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - IPM Content",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Lightning Files",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Lightning Files English",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Presentations Files",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Presentations Files English",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Quattro Pro Files",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Quattro Pro Files English",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Redists",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Setup Files",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - WordPerfect Files",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - WordPerfect Files English",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - WPD format Props x64",
"version": "21.0"
},
{
"publisher": " Corel Corporation",
"name": "WordPerfect Office 2021 - Writing Tools",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office IFilter 32-bit",
"version": "1.8"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office IFilter 64-bit",
"version": "1.8"
}
],
"tpm": {
"enabled": true,
"ready": true,
"present": true
},
"local_groups": [
"Access Control Assistance Operators",
"Administrators",
"Backup Operators",
"Cryptographic Operators",
"Device Owners",
"Distributed COM Users",
"Event Log Readers",
"Guests",
"Hyper-V Administrators",
"IIS_IUSRS",
"Network Configuration Operators",
"OpenSSH Users",
"Performance Log Users",
"Performance Monitor Users",
"Power Users",
"Remote Desktop Users",
"Remote Management Users",
"Replicator",
"System Managed Accounts Group",
"User Mode Hardware Operators",
"Users"
],
"battery": {
"present": false
},
"activation": {
"edition": "Microsoft Windows 11 Pro",
"description": "Windows(R) Operating System, OEM_DM channel",
"licensed": true,
"license_status_code": 1
},
"time_source": "time1.aliyun.com",
"chassis_types": [
3
],
"last_hotfix": {
"hotfix_id": "KB5094126",
"installed_on": "2026-06-10T07:00:00Z"
},
"scheduled_tasks": [
{
"path": "\\",
"name": "Adobe Acrobat Update Task",
"state": "Ready"
},
{
"path": "\\",
"name": "CorelUpdateHelperTask-6FE3C4EAF0EA6F48A355A006CED9B153",
"state": "Ready"
},
{
"path": "\\",
"name": "CorelUpdateHelperTaskCore",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskMachineCore",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskMachineUA",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Per-Machine Standalone Update Task",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Reporting Task-S-1-5-21-176541868-3255397159-941698718-1001",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Reporting Task-S-1-5-21-176541868-3255397159-941698718-1002",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Startup Task-S-1-5-21-176541868-3255397159-941698718-1001",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Startup Task-S-1-5-21-176541868-3255397159-941698718-1002",
"state": "Ready"
},
{
"path": "\\",
"name": "RtkAudUService64_BG",
"state": "Running"
},
{
"path": "\\",
"name": "ZoomUpdateTaskUser-S-1-5-21-176541868-3255397159-941698718-1002",
"state": "Ready"
},
{
"path": "\\GoogleSystem\\GoogleUpdater\\",
"name": "GoogleUpdaterTaskSystem150.0.7863.0{187F8684-438D-4B52-A213-1183A437F60E}",
"state": "Ready"
},
{
"path": "\\GoogleUserPEH\\",
"name": "RunPlatformExperienceHelperOnUnlock",
"state": "Ready"
},
{
"path": "\\GoogleUserPEH\\",
"name": "RunPlatformExperienceHelper_Daily",
"state": "Ready"
},
{
"path": "\\GoogleUserPEH\\",
"name": "RunPlatformExperienceHelper_Metrics",
"state": "Ready"
},
{
"path": "\\SoftLanding\\S-1-5-21-176541868-3255397159-941698718-1002\\",
"name": "SoftLandingCreativeManagementTask",
"state": "Ready"
},
{
"path": "\\SoftLanding\\S-1-5-21-176541868-3255397159-941698718-1002\\",
"name": "SoftLandingDeferralTask-{7f5041b8-2c64-40bd-a455-a605b3186491}",
"state": "Ready"
}
],
"antivirus_products": [
"Windows Defender"
],
"domain_joined": false,
"defender": {
"antispyware_signature_age": 0,
"tamper_protected": true,
"real_time_protection": true,
"nis_enabled": true,
"available": true,
"antivirus_enabled": true,
"am_service_enabled": true
},
"bitlocker": {
"os_volume": "C:",
"key_protectors": [],
"recovery_key_present": false,
"available": true,
"encryption_percent": 0,
"protection_status": "Off"
},
"is_laptop": false,
"installed_software_count": 50,
"local_administrators": [
"DESKTOP-GG4LKSL\\Administrator",
"DESKTOP-GG4LKSL\\Localadmin",
"DESKTOP-GG4LKSL\\owner"
],
"firewall_profiles": {
"Private": true,
"Domain": true,
"Public": true
},
"domain": "WORKGROUP",
"foreign_agents": null
},
"findings": [
{
"id": "sec.defender.ok",
"category": "security",
"severity": "info",
"title": "Defender active and current",
"detail": "Real-time protection on, service running, signatures current.",
"evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True"
},
{
"id": "sec.av_products.defender_only",
"category": "security",
"severity": "info",
"title": "Defender is the only registered AV",
"detail": "Only Microsoft/Windows Defender is registered in Security Center.",
"evidence": "Windows Defender"
},
{
"id": "sec.foreign_agents.none",
"category": "security",
"severity": "info",
"title": "No competitor/leftover management agents detected",
"detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.",
"evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service"
},
{
"id": "sec.foreign_agents.acg.screenconnect_connectwise_control",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running"
},
{
"id": "sec.firewall.ok",
"category": "security",
"severity": "info",
"title": "All firewall profiles enabled",
"detail": "Domain, Private, and Public firewall profiles are all enabled.",
"evidence": "Private=True; Domain=True; Public=True"
},
{
"id": "sec.bitlocker.unencrypted",
"category": "security",
"severity": "warning",
"title": "OS volume is NOT encrypted with BitLocker",
"detail": "The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.",
"evidence": "Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors="
},
{
"id": "sec.local_admins.list",
"category": "security",
"severity": "info",
"title": "Local administrators (3)",
"detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).",
"evidence": "DESKTOP-GG4LKSL\\Administrator\nDESKTOP-GG4LKSL\\Localadmin\nDESKTOP-GG4LKSL\\owner"
},
{
"id": "sec.patch.os_supported",
"category": "security",
"severity": "info",
"title": "OS build supported: Win11 25H2",
"detail": "Build 26200 (Win11 25H2) is in support until 2027-10-12.",
"evidence": "Microsoft Windows 11 Pro build 26200"
},
{
"id": "sec.patch.pending",
"category": "security",
"severity": "warning",
"title": "4 pending Windows updates",
"detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.",
"evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 4"
},
{
"id": "sec.patch.last_hotfix",
"category": "security",
"severity": "info",
"title": "Last hotfix: KB5094126",
"detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).",
"evidence": "KB5094126 installed 2026-06-10T07:00:00Z"
},
{
"id": "sec.exposure.smb1_off",
"category": "security",
"severity": "info",
"title": "SMBv1 disabled",
"detail": "SMBv1 server protocol is disabled.",
"evidence": "EnableSMB1Protocol=False"
},
{
"id": "sec.exposure.laps_present",
"category": "security",
"severity": "info",
"title": "LAPS detected",
"detail": "A LAPS mechanism is present.",
"evidence": "Windows LAPS reg key"
},
{
"id": "health.disk_space.D",
"category": "health",
"severity": "warning",
"title": "Disk low: D: at 14.6% free",
"detail": "Less than 15 percent free. Plan cleanup or expansion.",
"evidence": "D: free 68.1 GB of 465.8 GB (14.6%)"
},
{
"id": "health.stability.some",
"category": "health",
"severity": "warning",
"title": "Stability events present in the last 14 days",
"detail": "One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.",
"evidence": "Unexpected shutdowns (id 41)=1; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0"
},
{
"id": "health.failed_services.stopped",
"category": "health",
"severity": "warning",
"title": "3 auto-start service(s) not running",
"detail": "These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.",
"evidence": "GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped\nGoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped\nIntel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped"
},
{
"id": "health.domain.workgroup",
"category": "health",
"severity": "info",
"title": "Not domain-joined (workgroup)",
"detail": "This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.",
"evidence": "PartOfDomain=False; Domain=WORKGROUP"
},
{
"id": "health.time.source",
"category": "health",
"severity": "info",
"title": "Time service source",
"detail": "Current Windows Time service source.",
"evidence": "Source=time1.aliyun.com"
},
{
"id": "health.backup.none",
"category": "health",
"severity": "info",
"title": "No backup agent detected",
"detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.",
"evidence": "No matching backup service in Win32_Service"
}
]
}
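Review bot: The snapshot records `"secure_boot": false` at L49 on a TPM-ready machine and a non-default NTP source `"time_source": "time1.aliyun.com"` at L476 on a statically addressed adapter whose `"dns"` is `[null]` (L142-L154), yet the `findings` array emits nothing above `info` for any of these and Secure Boot gets no finding at all. Secure Boot off weakens boot-chain integrity (and, once BitLocker is enabled as L658 recommends, prevents the PCR7-based TPM validation profile), and an unexpected external time server deserves review because clock skew affects TLS validity, log correlation and authentication, so a `sec.boot.secure_boot_off` warning plus a time-source allowlist check would cover both. The schema is also inconsistent about absent collections — `dns: [null]`, `backup_agents: null`, `foreign_agents: null` versus `accounts_password_never_expires: []` — and should emit `[]` everywhere so consumers can iterate unconditionally. Finally, this file carries the hardware serial, MAC, user SIDs, local admin names and the ScreenConnect instance ID for a named client, so the repository it is auto-synced into should be treated as sensitive and access-controlled accordingly.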


@@ -0,0 +1,226 @@
# Onboarding Diagnostic Baseline - DESKTOP-GG4LKSL
- **Grade:** AMBER
- **Host:** DESKTOP-GG4LKSL
- **Client:** Michael Johnson (`michaeljohnson`)
- **Collected (UTC):** 2026-06-29T21:17:50Z
- **Agent ID:** 09c08484-2b51-404b-a294-6e39f498867c
- **Command ID:** 67f70181-51cd-470e-a9e2-edd2d53df135
- **Findings:** 0 critical / 5 warning / 13 info / 0 unknown
- **OS:** Microsoft Windows 11 Pro (build 26200)
---
## WARNING (5)
### OS volume is NOT encrypted with BitLocker
- **Category:** security
- **ID:** `sec.bitlocker.unencrypted`
- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.
```
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
```
### 4 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 4
```
### Disk low: D: at 14.6% free
- **Category:** health
- **ID:** `health.disk_space.D`
- Less than 15 percent free. Plan cleanup or expansion.
```
D: free 68.1 GB of 465.8 GB (14.6%)
```
### Stability events present in the last 14 days
- **Category:** health
- **ID:** `health.stability.some`
- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.
```
Unexpected shutdowns (id 41)=1; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0
```
### 3 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped
GoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped
Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped
```
## INFO (13)
### Defender active and current
- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.
```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
```
### Defender is the only registered AV
- **Category:** security
- **ID:** `sec.av_products.defender_only`
- Only Microsoft/Windows Defender is registered in Security Center.
```
Windows Defender
```
### No competitor/leftover management agents detected
- **Category:** security
- **ID:** `sec.foreign_agents.none`
- No known competitor RMM or unmanaged remote-access agents found in installed programs or services.
```
Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service
```
### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### All firewall profiles enabled
- **Category:** security
- **ID:** `sec.firewall.ok`
- Domain, Private, and Public firewall profiles are all enabled.
```
Private=True; Domain=True; Public=True
```
### Local administrators (3)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
DESKTOP-GG4LKSL\Administrator
DESKTOP-GG4LKSL\Localadmin
DESKTOP-GG4LKSL\owner
```
### OS build supported: Win11 25H2
- **Category:** security
- **ID:** `sec.patch.os_supported`
- Build 26200 (Win11 25H2) is in support until 2027-10-12.
```
Microsoft Windows 11 Pro build 26200
```
### Last hotfix: KB5094126
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5094126 installed 2026-06-10T07:00:00Z
```
### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.
```
EnableSMB1Protocol=False
```
### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.
```
Windows LAPS reg key
```
### Not domain-joined (workgroup)
- **Category:** health
- **ID:** `health.domain.workgroup`
- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
```
PartOfDomain=False; Domain=WORKGROUP
```
### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.
```
Source=time1.aliyun.com
```
### No backup agent detected
- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
```
No matching backup service in Win32_Service
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** HP / HP Pavilion Gaming Desktop TG01-2xxx
- **Serial:** 4CE136C774
- **CPU:** 11th Gen Intel(R) Core(TM) i7-11700F @ 2.50GHz (8 cores / 16 logical)
- **RAM (GB):** 31.8
- **BIOS:** F.21 (2023-07-11)
- **Chassis is laptop:** false
- **TPM present / Secure Boot:** true / ?
- **Domain joined:** false (WORKGROUP)
- **OS activation licensed:** true
- **Uptime (days):** 0.3
- **Pending reboot:** false
- **Installed software count:** 50
- **Scheduled tasks (non-MS, enabled):** 18
- **Local administrators:** DESKTOP-GG4LKSL\Administrator, DESKTOP-GG4LKSL\Localadmin, DESKTOP-GG4LKSL\owner
### Fixed volumes
- D: - 68.1 GB free of 465.8 GB (14.6%)
- [unlabeled] - 0.1 GB free of 0.7 GB (8.3%)
- [unlabeled] - 0 GB free of 0.1 GB (38.7%)
- C: - 690.6 GB free of 930.6 GB (74.2%)
### Network adapters
- Intel(R) Wi-Fi 6 AX201 160MHz - IP: 192.168.1.135, fe80::b290:dac4:8c2:f9d6 - DNS: - DHCP: false
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `DESKTOP-GG4LKSL-20260629T211835.json` (immutable)._
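Review bot: The summary line `- **TPM present / Secure Boot:** true / ?` at L914 renders Secure Boot as unknown although the raw snapshot for this host records `"secure_boot": false`; the sibling MJ-PARALEGAL report prints `true / true`, so the generator appears to map a false value to `?`, presumably through an empty/falsy check in run-onboarding-diagnostic.sh (not visible here). That hides the one state the field exists to surface: the line should read `- **TPM present / Secure Boot:** true / false`, and a false value should also produce a security finding rather than vanish, since the AMBER grade is derived only from the findings list. Relatedly, `Source=time1.aliyun.com` at L897 is filed as info; an unexpected external NTP source on a workstation with a static IP and no DNS configured (L928) is worth at least a warning so it gets reviewed rather than accepted.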



@@ -0,0 +1,254 @@
# Onboarding Diagnostic Baseline - MJ-PARALEGAL
- **Grade:** RED
- **Host:** MJ-PARALEGAL
- **Client:** Michael Johnson (`michaeljohnson`)
- **Collected (UTC):** 2026-06-29T21:17:55Z
- **Agent ID:** 4537ac34-e548-484c-b4e9-fd91e7f97a23
- **Command ID:** a3095ece-7fd3-4751-acc6-867a1b41507b
- **Findings:** 2 critical / 4 warning / 14 info / 0 unknown
- **OS:** Microsoft Windows 11 Pro (build 26200)
---
## CRITICAL (2)
### Firewall disabled on profile(s): Private, Public
- **Category:** security
- **ID:** `sec.firewall.disabled`
- One or more firewall profiles are OFF. The endpoint is exposed to lateral movement and inbound attacks on those networks. Re-enable all profiles.
```
Profile states: Private=False; Domain=True; Public=False
```
### Disk critically low: E: at 0% free
- **Category:** health
- **ID:** `health.disk_space.E`
- Less than 8 percent free. Risk of failed updates, crashes, and corruption. Free space or expand the volume urgently.
```
E: free 0 GB of 255.6 GB (0%)
```
## WARNING (4)
### OS volume is NOT encrypted with BitLocker
- **Category:** security
- **ID:** `sec.bitlocker.unencrypted`
- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.
```
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
```
### 2 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 2
```
### Stability events present in the last 14 days
- **Category:** health
- **ID:** `health.stability.some`
- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.
```
Unexpected shutdowns (id 41)=1; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0
```
### 6 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
AsusUpdateCheck (AsusUpdateCheck) = Stopped
GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped
GoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped
IBMPMSVC (Lenovo PM Service) = Stopped
Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped
LPlatSvc (Lenovo Platform Service) = Stopped
```
## INFO (14)
### Defender active and current
- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.
```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=1 days; IsTamperProtected=True
```
### Defender is the only registered AV
- **Category:** security
- **ID:** `sec.av_products.defender_only`
- Only Microsoft/Windows Defender is registered in Security Center.
```
Windows Defender
```
### No competitor/leftover management agents detected
- **Category:** security
- **ID:** `sec.foreign_agents.none`
- No known competitor RMM or unmanaged remote-access agents found in installed programs or services.
```
Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service
```
### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### Expected ACG management tooling present: Splashtop (SOS/Streamer)
- **Category:** security
- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Splashtop Streamer 3.8.4.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running
```
### Expected ACG management tooling present: Syncro / Kabuto
- **Category:** security
- **ID:** `sec.foreign_agents.acg.syncro_kabuto`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```
### Local administrators (3)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
MJ-PARALEGAL\Administrator
MJ-PARALEGAL\localadmin
MJ-PARALEGAL\Paralegal
```
### OS build supported: Win11 25H2
- **Category:** security
- **ID:** `sec.patch.os_supported`
- Build 26200 (Win11 25H2) is in support until 2027-10-12.
```
Microsoft Windows 11 Pro build 26200
```
### Last hotfix: KB5094126
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5094126 installed 2026-06-10T07:00:00Z
```
### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.
```
EnableSMB1Protocol=False
```
### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.
```
Windows LAPS reg key
```
### Not domain-joined (workgroup)
- **Category:** health
- **ID:** `health.domain.workgroup`
- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
```
PartOfDomain=False; Domain=WORKGROUP
```
### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.
```
Source=time.windows.com,0x9
```
### No backup agent detected
- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
```
No matching backup service in Win32_Service
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** ASUS / System Product Name
- **Serial:** System Serial Number
- **CPU:** Intel(R) Core(TM) i5-10400 CPU @ 2.90GHz (6 cores / 12 logical)
- **RAM (GB):** 15.8
- **BIOS:** 1620 (2021-07-09)
- **Chassis is laptop:** false
- **TPM present / Secure Boot:** true / true
- **Domain joined:** false (WORKGROUP)
- **OS activation licensed:** true
- **Uptime (days):** 0.3
- **Pending reboot:** false
- **Installed software count:** 98
- **Scheduled tasks (non-MS, enabled):** 24
- **Local administrators:** MJ-PARALEGAL\Administrator, MJ-PARALEGAL\localadmin, MJ-PARALEGAL\Paralegal
### Fixed volumes
- E: - 0 GB free of 255.6 GB (0%)
- [unlabeled] - 0.2 GB free of 1 GB (18.7%)
- D: - 0 GB free of 0 GB (75.5%)
- C: - 70 GB free of 464.2 GB (15.1%)
- [unlabeled] - 0.1 GB free of 0.1 GB (64%)
- [unlabeled] - 0.1 GB free of 0.5 GB (16.6%)
### Network adapters
- Realtek PCIe GBE Family Controller - IP: 192.168.1.136, fe80::b20c:8d0b:48bf:1aea - DNS: 172.16.132.1 - DHCP: true
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `MJ-PARALEGAL-20260629T211845.json` (immutable)._
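Review bot: The three "Expected ACG management tooling" findings at L1021-L1044 classify ScreenConnect, Splashtop and Syncro as ours on product name alone, with nothing binding the installed agent to ACG's tenant, so a prior provider's Splashtop or Syncro install would be allowlisted identically and silently defeat the leftover-agent check advertised at L1014-L1020. The ScreenConnect instance ID in parentheses is a usable binding (it matches the other host), but the Splashtop and Syncro entries carry no server or tenant identifier; suppress the foreign-agent finding only when a captured tenant/server value matches the expected one, and otherwise emit a warning such as `sec.foreign_agents.unverified`. Three concurrent remote-access agents on a host whose Private and Public firewall profiles are off (L951-L957) also merits a consolidated warning rather than three info lines. Separately, the adapter at L1127 receives DNS `172.16.132.1` by DHCP while sitting on 192.168.1.0/24 — possibly a VPN or filtering resolver, but worth confirming who operates it.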


@@ -0,0 +1,148 @@
# Rednour Law — LEGALASST explorer hang on .zip + WordPerfect 5 save error + Win11 plan
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Diagnosed an explorer.exe stability problem on **LEGALASST**, the legal assistant's
workstation at Rednour Law (Carla Skinner's box; active local account `emma`, profile
`C:\Users\Ale`, OneDrive `carla@rednourlaw.com`). Reported via Carrie Rednour: explorer
repeatedly hung/crashed when "opening files or messing with files." Work was driven over
GuruRMM (agent `18825ea7-df58-47bb-b492-822cb16fb5ec`); the office subnet was initially
unreachable from HOWARD-HOME because Tailscale was stuck in `NoState`, which cleared on its
own shortly after.
Established via the Application event log that explorer was **hanging (AppHang Event 1002),
not crashing** — there were no Event 1000 / faulting-module records. Hangs were firing
several times per hour on 2026-06-29 and continued after a 10:52 reboot. The `.NET Runtime`
Event 1022 "profiling API attach" errors (201 of them) were ruled out as benign noise — no
`COR_PROFILER` env var is set, so nothing is being injected into explorer via that path.
Narrowed the cause by elimination. Blocked the Adobe shell extensions (Acrobat context-menu
+ CoreSync overlays) via the Microsoft "Blocked" CLSID list and restarted explorer — no
change, so Adobe was ruled out and reverted. Mapped drives X/Y/Z (→ `\\rednourcarrievirt`,
the cloned Carrie host) were healthy (`Status OK`, no SMBClient errors). The only
non-Microsoft DLLs actually loaded in explorer were the AMD Vega driver
(`amdihk64/atidxx64/aticfx64/atiuxp64`), but there were **zero display-driver TDR events**,
so the GPU driver was not crash-recovering. OneDrive sync was healthy and its overlay was not
even loaded. Howard then supplied the decisive clue: the hang happens **only when opening
`.zip` files**, Word/PDF open fine, and the failing zip is on the **local desktop** (not
OneDrive, not a network share). That isolated the fault to the **built-in Windows Compressed
Folders handler** (explorer's zip-as-folder namespace). `zipfldr.dll` is intact and validly
signed, so the hang is environmental, not a corrupt handler DLL.
Howard installed **7-Zip 26.02** as a workaround — it opens the same zips fine because it is
a standalone app that never invokes explorer's zip namespace. He will set 7-Zip as the
default for `.zip` (and `.7z`/`.rar`, currently unassociated) via the 7-Zip GUI. A second,
separate issue on the same machine was reported: saving from **WordPerfect 5** returns "not
enough free space" regardless of save location, despite Howard verifying ample free space.
The plan is to **upgrade LEGALASST to Windows 11**, which is expected to resolve the
zip-handler hang by rebuilding the shell/system files (and applies the pending SFC repair);
the team will test a local zip with the built-in handler after the upgrade. All diagnostic
changes were reverted and the box was left clean.
## Key Decisions
- Diagnosed live over GuruRMM rather than waiting for on-site access; used `user_session`
context for HKCU/OneDrive/shell-folder reads and SYSTEM context for HKLM/event-log reads.
- Used the Microsoft **Shell Extensions\Blocked** CLSID list (reversible) to test-disable
Adobe/7-Zip shell extensions instead of deleting registrations — clean revert path.
- Treated the `.NET 1022` errors as noise after confirming no `COR_PROFILER` was set, instead
of chasing the profiler-injection theory.
- Did **not** hand-write a per-user UserChoice association hash for `.zip` (hash-protected;
a wrong hash leaves a broken "how do you want to open this?" prompt). Howard opted to set
the default in the 7-Zip GUI; no DefaultAssociations policy was pushed.
- Concluded the Win11 in-place upgrade is the right fix for the zip-handler hang (rebuilds
shell/system files) rather than further low-level surgery on a Win10 22H2 EOL box.
## Problems Encountered
- **Office subnet unreachable from HOWARD-HOME** — Tailscale daemon RUNNING but backend stuck
in `NoState`; a service restart did not clear it, but it came up on its own shortly after.
- **Orphaned RMM diagnostic process** — the first diagnostic command timed out server-side at
120s (a `HKLM\...\Classes\*\shellex` wildcard scan), but the agent's child `powershell.exe`
(PID 1048) kept running on the endpoint for 10+ minutes, churning CPU. This was the
"PowerShell that's been running" Howard noticed. Killed it (SYSTEM context). Logged as
friction.
- **`$pid` reserved-variable collision** — used `$pid` as a variable in a remote script; `$PID`
is the automatic current-process-id variable, so the `.zip` ProgID read returned garbage
(16044). Re-ran with a non-reserved name. Logged as friction.
- **Mis-assumption corrected** — initially assumed LEGALASST was the cloned machine; Carrie's
machine was the one cloned (to host `rednourcarrievirt`), LEGALASST is the legal assistant's
(unchanged) box. Logged as a correction.
## Configuration Changes
Net change to the endpoint: **none** (all diagnostic changes reverted; box left clean). During
the session, on LEGALASST:
- Added then removed Adobe (4 CLSIDs) and 7-Zip shell-extension CLSIDs in
`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked` (Blocked list now
empty).
- Restarted explorer.exe several times (user_session).
- Killed orphaned diagnostic process PID 1048.
- Howard installed 7-Zip 26.02 (standalone; he will set `.zip`/`.7z`/`.rar` defaults).
- Howard ran `sfc /scannow` — found and repaired corruption (0 unrepairable); repair pending
a reboot to load.
Repo: this session log; Rednour wiki record update pending (`/wiki-compile client:rednour`).
## Credentials & Secrets
None discovered, created, or rotated this session.
## Infrastructure & Servers
- **LEGALASST** — legal assistant workstation, Rednour Law "Main Office" site. Win 10 Pro 22H2
(build 19045, **EOL**), AMD Ryzen 3 3200G (Vega 8 iGPU), **5.9 GB RAM**, LAN 192.168.10.213.
GuruRMM agent `18825ea7-df58-47bb-b492-822cb16fb5ec`. Active local account `emma`, profile
`C:\Users\Ale`. OneDrive account `carla@rednourlaw.com`; Documents redirected to
`C:\Users\Ale\OneDrive - Rednour Law\Documents`. Leftover **SyncroLive.Agent.Runner** still
running.
- AMD GPU driver: 31.0.12027.9001 (2023-03-29). 7zFM.exe 26.02 at `C:\Program Files\7-Zip\`.
- `zipfldr.dll` = 10.0.19041.1, signature Valid (handler is intact).
- Mapped drives (user `emma`): X: `\\rednourcarrievirt\Time Matters Shared Files`, Y:
`\\rednourcarrievirt\Timeslips`, Z: `\\rednourcarrievirt\Documents` — all `Status OK`.
- GuruRMM server `http://172.16.3.30:3001`; coord `http://172.16.3.30:8001`.
## Commands & Outputs
- Diagnostic dispatch pattern: `POST /api/agents/<id>/command` (powershell, `context`
system or user_session), poll `GET /api/commands/<id>`.
- Key reads: `Get-WinEvent` Application 1000/1002 + ProviderName 'Application Hang'/'.NET
Runtime'; explorer loaded modules filtered to non-Microsoft `CompanyName`;
`Get-SmbMapping`; `Get-MpComputerStatus`/`Get-MpPreference`; CBS.log `[SR]` parse.
- AppHang count = 10 in last 3h on 2026-06-29; latest 11:31:02 (post 10:52 reboot).
- `.zip` association: `HKCR\.zip` (default) = `CompressedFolder`, **no UserChoice**. 7-Zip
registered only a `7-Zip.iso` ProgId (no `7-Zip.zip`). `.7z`/`.rar` currently unassociated.
- SFC (CBS.log): "Verify and Repair Transaction completed... successfully repaired"; 0
"cannot repair" entries.
- Defender: RTP on, no active scan, signatures fresh, `DisableArchiveScanning=False`,
`MAPSReporting=2`, `SubmitSamplesConsent=1` (archive + cloud scanning on).
## Pending / Incomplete Tasks
1. **Howard:** set 7-Zip as default app for `.zip` (and `.7z`/`.rar`) via 7-Zip GUI
(Tools → Options → System).
2. **Upgrade LEGALASST to Windows 11** (expected to resolve the zip-handler hang; applies
the pending SFC repair). Pre-reqs: enable fTPM + Secure Boot in BIOS (Ryzen 3 3200G is
Win11-supported), bump RAM from 5.9 GB, remove the leftover Syncro agent. **Test a local
`.zip` with the built-in handler post-upgrade.**
3. **WordPerfect 5 "not enough free space" on save** — investigate. Leading hypothesis:
legacy/DOS-era WordPerfect free-space miscalculation on large-capacity volumes (free-space
value overflows → false "disk full"). This is app-level and will **not** be fixed by the
OS upgrade; mitigate via DOSBox or directing saves to a SUBST'd small-capacity location.
Confirm exact WP version/edition (DOS 5.1 vs Windows).
4. **If the zip hang persists after the Win11 upgrade:** next lead is Defender archive-scan +
cloud (MAPS) lookup stalling the shell when the built-in handler streams zip entries.
5. Standing P1s (pre-existing): reboot to apply SFC repair; remove prior MSP agents.
## Reference Information
- GuruRMM agent id: `18825ea7-df58-47bb-b492-822cb16fb5ec` (LEGALASST).
- Rednour tenant: `rednourlaw.com` (`4a4ca18a-f516-478b-99da-2e0722c5dc18`); Syncro customer
`1224246`.
- Wiki: `wiki/clients/rednour.md`. Refresh: `/wiki-compile client:rednour --full`.
- Reversible shell-ext disable mechanism: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked` (add CLSID value to block; delete to restore).


@@ -0,0 +1,119 @@
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Resumed work on getting the GuruRMM agent installed on Nick Pafford's Mac at Rednour Law
Offices (Rednour's office). The client/site was already onboarded (2026-05-29), so the goal
this session was to hand Nick the correct macOS download/install link and confirm enrollment.
Pulled the Rednour Main site enrollment details from the vault (site_code GREEN-FALCON-7214)
and provided the public install page URL. On verification, the install **page**
(`/install/GREEN-FALCON-7214`) only exposes clickable buttons for Windows and Linux — there is
no Mac button. Confirmed instead that a macOS install path exists as a `curl | sudo bash`
one-liner at `/install/GREEN-FALCON-7214/macos`. Verified the script body (LaunchDaemon setup,
quarantine strip, site config for GREEN-FALCON-7214) and that the agent binary it downloads is a
Mach-O 64-bit arm64 executable (~3.96 MB), matching Nick's Apple Silicon Mac. Handed Nick the
Terminal one-liner plus his SMB share credential (from vault).
Nick (or whoever was at the Mac) ran the installer and it reported success. However, repeated
fleet checks (3x over the session) showed the agent NOT checking in — no macOS agent appears
under Rednour Law Offices. The three Rednour agents enrolled are all Windows
(FrontDeskReception, LegalAsst, rednourcarrievirt). The only Macs in the entire fleet are
Scileppi's Mac-mini-2 and Mike's MacBook Air — neither is Nick's. So the install succeeded
locally but the agent is not connecting/enrolling to the server.
Howard is no longer onsite and does not have the user's Mac password, so local diagnostics
(foreground run, launchctl check) can't be done right now. Work was deferred. Flagged Mike via
Discord DM that the Apple/macOS installer has an issue, that we're working it but lack the
user's password, and asked whether he has access to another M1/Apple Silicon Mac to test the
installer for repro.
## Key Decisions
- Handed Nick the macOS `curl | sudo bash` one-liner rather than the install page, since the
page has no Mac download button — only Windows/Linux. The `/macos` script path is the
supported macOS install route.
- Verified the downloaded binary architecture (arm64 Mach-O) before handing off, to rule out an
x86/arch mismatch on Nick's Apple Silicon Mac.
- Deferred diagnosis rather than guess: with no onsite access and no user password, the key
diagnostic (foreground `sudo /usr/local/bin/gururmm-agent` to see the connect error) can't be
run, so escalated to Mike and parked it.
- Used a person-targeted Discord DM to Mike (not a #bot-alerts post) since the ask was actionable
and directed at him specifically (needs an M1 to test).
## Problems Encountered
- **macOS agent installs but does not enroll.** Installer reports success on Nick's Apple
Silicon Mac, but no macOS agent shows under Rednour in the fleet after multiple checks.
Unresolved — deferred. Likely causes to check next: LaunchDaemon not actually started /
crashed on launch, Gatekeeper killing the unsigned binary despite quarantine strip, or
outbound connectivity to rmm.azcomputerguru.com blocked. Blocked on onsite access + user
password.
- **Install page has no Mac button** (Windows/Linux only). Worked around with the `/macos`
curl|bash one-liner, which is the real macOS install path.
## Configuration Changes
- None to the repo. No code changes. Vault entries were read-only this session (already
created in prior sessions).
## Credentials & Secrets
- Nick Pafford SMB share access (read this session, already vaulted):
- Vault: `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`
- Username: `REDNOURCARRIEVI\nick`
- Password: `Kg5Qe2Kc3`
- Mac mount: `smb://192.168.10.194/Documents` (Finder Cmd+K)
- Share: `\\REDNOURCARRIEVI\Documents` -> `C:\Users\Carrie\Documents`, access Modify (rw)
- Local Windows account on Carrie Rednour's workstation (workgroup, no AD), PasswordNeverExpires,
created 2026-06-25 per Syncro #32343.
- GuruRMM Rednour Main site enrollment (already vaulted):
- Vault: `clients/rednour/gururmm-site-main.sops.yaml`
- site_id: `c7f5787c-8e71-45b3-841f-fa52436f7d26`
- site_code: `GREEN-FALCON-7214`
## Infrastructure & Servers
- GuruRMM server API: `http://172.16.3.30:3001` (auth via vault gururmm-server.sops.yaml).
- GuruRMM public install host: `https://rmm.azcomputerguru.com` (Cloudflare-fronted).
- Rednour workstation REDNOURCARRIEVI: `192.168.10.194` (LAN) / `10.147.17.253` (ZeroTier).
- Rednour Law Offices fleet (all Windows, online, v0.6.66): FrontDeskReception, LegalAsst,
rednourcarrievirt.
## Commands & Outputs
- macOS install one-liner handed to Nick:
`curl -fsSL https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/macos | sudo bash`
- Mac agent binary verification:
`curl .../install/GREEN-FALCON-7214/download/macos` -> HTTP 200, Mach-O 64-bit arm64
executable, ~3,960,397 bytes, filename `gururmm-agent-main`.
- Fleet check (no Rednour Mac present):
`curl -s "$RMM/api/agents" -H "Authorization: Bearer $TOKEN" | jq '... select rednour or macos'`
- Suggested local diagnostics for next session (need onsite/password):
- `sudo launchctl list | grep gururmm`
- `ls -l /usr/local/bin/gururmm-agent /usr/local/etc/gururmm/`
- `sudo /usr/local/bin/gururmm-agent` (foreground run to surface connect error)
- `curl -fsS -o /dev/null -w "%{http_code}" https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/macos`
## Pending / Incomplete Tasks
- **OPEN:** Nick's Mac GuruRMM agent not enrolling despite successful install. Deferred.
- Blocked on: not onsite + no user Mac password.
- Next steps: run foreground diagnostic on the Mac to capture the connect/enroll error; check
LaunchDaemon state and Gatekeeper; verify outbound to rmm.azcomputerguru.com.
- Mike asked (via DM) whether he has access to another M1/Apple Silicon Mac to test/repro the
macOS installer.
## Reference Information
- Install page: `https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214`
- macOS install script: `https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/macos`
- macOS agent binary: `https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/download/macos`
- MSI (Windows): `https://rmm.azcomputerguru.com/api/sites/c7f5787c-8e71-45b3-841f-fa52436f7d26/installer`
- Discord DM to Mike: message_id 1521264675965374656
- Syncro ticket (SMB access): #32343
- Related prior logs: `2026-06-25-howard-nick-smb-share-and-mac-rmm.md`,
`2026-06-26-howard-nick-mac-rmm-rootcause.md`