sync: auto-sync from GURU-5070 at 2026-06-02 18:44:13

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-02 18:44:13
2026-06-02 18:44:18 -07:00
parent 251adf3558
commit 0413df8459
20 changed files with 9588 additions and 2 deletions


@@ -259,7 +259,8 @@ PS
echo "[OK] Uploaded chunk $IDX/$N_CHUNKS"
done
echo "[INFO] Decoding and executing probe on endpoint (timeout 240s)..."
EXEC_TIMEOUT="${DIAG_EXEC_TIMEOUT:-240}"
echo "[INFO] Decoding and executing probe on endpoint (timeout ${EXEC_TIMEOUT}s)..."
# Final command: decode base64 file -> .ps1, run it, then clean up both temp files.
RUN_SCRIPT="$WORK_DIR/runcmd.ps1"
@@ -278,7 +279,7 @@ try {
}
PS
RESULT="$(dispatch_one "$RUN_SCRIPT" 240)" || { echo "[ERROR] Probe execution dispatch failed" >&2; exit 1; }
RESULT="$(dispatch_one "$RUN_SCRIPT" "$EXEC_TIMEOUT")" || { echo "[ERROR] Probe execution dispatch failed" >&2; exit 1; }
CMD_ID="$(cat "$WORK_DIR/last_cmd_id" 2>/dev/null || echo unknown)"
FINAL_STATUS="$(echo "$RESULT" | jq -r '.status // empty')"
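Review bot: `EXEC_TIMEOUT="${DIAG_EXEC_TIMEOUT:-240}"` accepts whatever is in the environment and the second hunk hands it straight to `dispatch_one "$RUN_SCRIPT" "$EXEC_TIMEOUT"`, so an empty string, a negative number or a non-numeric value now reaches the dispatch path where the old literal `240` could not; `dispatch_one` is defined outside these hunks, so how it fails on a bad timeout is not visible here. Since this value bounds how long the remote PowerShell probe is allowed to run, reject anything that is not a positive integer immediately after the assignment: `case "$EXEC_TIMEOUT" in ''|*[!0-9]*) echo "[ERROR] DIAG_EXEC_TIMEOUT must be a positive integer (seconds)" >&2; exit 1;; esac` and `[ "$EXEC_TIMEOUT" -gt 0 ] || { echo "[ERROR] DIAG_EXEC_TIMEOUT must be > 0" >&2; exit 1; }`. Note that `:-` substitutes the default for an unset or empty variable but not for a whitespace-only one, which the case pattern above also catches. The enclosing script continues outside both hunks.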


@@ -0,0 +1,972 @@
{
"host": "DESKTOP-PMML1JC",
"collected_at_utc": "2026-06-03T00:39:57Z",
"os": {
"caption": "Microsoft Windows 11 Pro",
"version": "10.0.26200",
"build": "26200",
"install_date": "2025-03-03T05:24:23Z",
"last_boot_utc": "2026-05-27T09:37:09Z",
"architecture": "64-bit"
},
"facts": {
"builtin_admin_enabled": false,
"os_eol": {
"eol_date": "2027-10-12",
"release": "Win11 25H2"
},
"pending_updates": 2,
"pending_reboot": true,
"uptime_days": 6.6,
"acg_managed_tools": [
"ScreenConnect / ConnectWise Control",
"Splashtop (SOS/Streamer)",
"Syncro / Kabuto"
],
"hardware": {
"model": "81Y8",
"manufacturer": "LENOVO",
"bios_date": "2022-11-15",
"cpu_logical": 12,
"bios_version": "EFCN58WW",
"cpu_cores": 6,
"ram_gb": 31.9,
"serial": "PF2G2VPV",
"cpu": "Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz"
},
"local_administrators": [
"Administrator",
"localadmin",
"Richard"
],
"os_build": "26200",
"secure_boot": true,
"backup_agents": null,
"autoruns_run_keys": [
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "SecurityHealth",
"value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "RtkAudUService",
"value": "\"C:\\WINDOWS\\System32\\RtkAudUService64.exe\" -background"
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "AdobeAAMUpdater-1.0",
"value": "\"C:\\Program Files (x86)\\Common Files\\Adobe\\OOBE\\PDApp\\UWA\\UpdaterStartupUtility.exe\""
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "Acrobat Assistant 8.0",
"value": "\"C:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\Acrotray.exe\""
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "EEventManager",
"value": "\"C:\\Program Files (x86)\\Epson Software\\Event Manager\\EEventManager.exe\""
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"name": "msedge_cleanup_{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}",
"value": "\"C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\148.0.3967.96\\Installer\\setup.exe\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon"
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"name": "Delete Cached Update Binary",
"value": "C:\\WINDOWS\\system32\\cmd.exe /q /c del /q \"C:\\Program Files\\Microsoft OneDrive\\Update\\OneDriveSetup.exe\""
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"name": "Delete Cached Standalone Update Binary",
"value": "C:\\WINDOWS\\system32\\cmd.exe /q /c del /q \"C:\\Program Files\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""
}
],
"physical_disks": [
{
"health": "Healthy",
"model": "WDC WD10SPSX-08A6W",
"media_type": "HDD"
},
{
"health": "Healthy",
"model": "WDC WDS100T2B0C-00PXH0",
"media_type": "SSD"
}
],
"local_users": [
{
"last_logon": "",
"name": "Administrator",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "",
"name": "DefaultAccount",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "",
"name": "Guest",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "",
"name": "localadmin",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "2021-11-18",
"name": "Richard",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "",
"name": "WDAGUtilityAccount",
"password_never_expires": false,
"enabled": false
}
],
"scheduled_tasks_count": 23,
"volumes": [
{
"drive": "[unlabeled]",
"size_gb": 0.1,
"free_pct": 64,
"free_gb": 0.1
},
{
"drive": "D:",
"size_gb": 931.5,
"free_pct": 100,
"free_gb": 931.3
},
{
"drive": "C:",
"size_gb": 930.3,
"free_pct": 68.2,
"free_gb": 634.3
},
{
"drive": "[unlabeled]",
"size_gb": 1.1,
"free_pct": 10,
"free_gb": 0.1
}
],
"network_adapters": [
{
"dhcp": false,
"description": "OpenVPN Data Channel Offload",
"gateway": [
null
],
"mac": "",
"ip": [
"10.100.0.2",
"fe80::564:408d:e02a:124a"
],
"dns": [
"103.86.96.100",
"103.86.99.100"
]
},
{
"dhcp": true,
"description": "Intel(R) Wi-Fi 6 AX201 160MHz",
"gateway": [
"192.168.0.1"
],
"mac": "68:3E:26:B5:93:6B",
"ip": [
"192.168.0.5",
"fe80::7eb3:304d:8df9:2e0f"
],
"dns": [
"192.168.0.1",
"205.171.2.25"
]
},
{
"dhcp": false,
"description": "NordLynx Tunnel",
"gateway": [
null
],
"mac": "",
"ip": [
"10.5.0.2",
"fe80::564:408d:e02a:124a"
],
"dns": [
null
]
}
],
"failed_autostart_services": [
{
"name": "Intel(R) TPM Provisioning Service",
"display": "Intel(R) TPM Provisioning Service",
"state": "Stopped"
},
{
"name": "IntelAudioService",
"display": "Intel(R) Audio Service",
"state": "Stopped"
}
],
"stability_14d": {
"unexpected_shutdowns": 0,
"disk_errors": 3,
"bugchecks": 0
},
"exposure": {
"smb1_enabled": false,
"laps_present": true,
"rdp_enabled": false,
"uac_enabled": true,
"rdp_nla": true
},
"accounts_password_never_expires": [],
"installed_software": [
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "3DEXPERIENCE Marketplace for SOLIDWORKS",
"version": "6.29.743"
},
{
"publisher": "Adobe Systems Incorporated",
"name": "Adobe Acrobat DC",
"version": "15.009.20077"
},
{
"publisher": "Adobe Systems Incorporated",
"name": "Adobe Refresh Manager",
"version": "1.8.0"
},
{
"publisher": "Autodesk",
"name": "AutoCAD Mechanical 2004",
"version": "7.0.42.8"
},
{
"publisher": "Autodesk, Inc.",
"name": "Autodesk Express Viewer",
"version": "3.1"
},
{
"publisher": "Apple Inc.",
"name": "Bonjour",
"version": "3.0.0.10"
},
{
"publisher": "Microsoft Corporation",
"name": "Copilot",
"version": "148.0.3967.70"
},
{
"publisher": "Epson America, Inc.",
"name": "Epson ES Series User?s Guide",
"version": "1.0"
},
{
"publisher": "Seiko Epson Corporation",
"name": "Epson Event Manager",
"version": "3.11.0053"
},
{
"publisher": "Seiko Epson Corporation",
"name": "Epson Scan 2",
"version": ""
},
{
"publisher": "Seiko Epson Corporation",
"name": "Epson Scan OCR Component Pro",
"version": "1.0.10"
},
{
"publisher": "Seiko Epson Corporation",
"name": "Epson ScanSmart",
"version": "3.7.1"
},
{
"publisher": "Seiko Epson Corporation",
"name": "Epson Software Updater",
"version": "5.0.2"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft .NET Host - 8.0.8 (x64)",
"version": "64.32.18380"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft .NET Host FX Resolver - 8.0.8 (x64)",
"version": "64.32.18380"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft .NET Runtime - 8.0.8 (x64)",
"version": "64.32.18380"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft 365 Apps for business - en-us",
"version": "16.0.20026.20112"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Edge",
"version": "148.0.3967.96"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Edge WebView2 Runtime",
"version": "148.0.3967.96"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft OneDrive",
"version": "26.084.0504.0007"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Update Health Tools",
"version": "5.72.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Basic for Applications 7.1 (x64)",
"version": "7.1.00.00"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Basic for Applications 7.1 (x64) English",
"version": "7.1.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161",
"version": "9.0.30729.6161"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161",
"version": "9.0.30729.6161"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219",
"version": "10.0.40219"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219",
"version": "10.0.40219"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030",
"version": "11.0.61030.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030",
"version": "11.0.61030.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030",
"version": "11.0.61030"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030",
"version": "11.0.61030"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030",
"version": "11.0.61030"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030",
"version": "11.0.61030"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501",
"version": "12.0.30501.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501",
"version": "12.0.30501.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35211",
"version": "14.44.35211.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.44.35211",
"version": "14.44.35211.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio Tools for Applications 2015",
"version": "14.0.23829"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio Tools for Applications 2015 Finalizer",
"version": "14.0.23829"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio Tools for Applications 2015 x64 Hosting Support",
"version": "14.0.23829"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio Tools for Applications 2015 x86 Hosting Support",
"version": "14.0.23829"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Windows Desktop Runtime - 8.0.8 (x64)",
"version": "64.32.18376"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Windows Desktop Runtime - 8.0.8 (x64)",
"version": "8.0.8.33916"
},
{
"publisher": "Mozilla",
"name": "Mozilla Firefox (x64 en-US)",
"version": "151.0.2"
},
{
"publisher": "Mozilla",
"name": "Mozilla Maintenance Service",
"version": "151.0.2"
},
{
"publisher": "Nord Security",
"name": "NordUpdater",
"version": "1.5.0.1028"
},
{
"publisher": "Nord Security",
"name": "NordVPN",
"version": "8.3.6.0"
},
{
"publisher": "NVIDIA Corporation",
"name": "NVIDIA Graphics Driver 517.00",
"version": "517.00"
},
{
"publisher": "NVIDIA Corporation",
"name": "NVIDIA Install Application",
"version": "2.1002.370.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Office 16 Click-to-Run Extensibility Component",
"version": "16.0.20026.20076"
},
{
"publisher": "ScreenConnect Software",
"name": "ScreenConnect Client (1912bf3444b41a08)",
"version": "26.1.24.9579"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "SOLIDWORKS 2020 SP05",
"version": "28.150.0078"
},
{
"publisher": "SolidWorks Corporation",
"name": "SOLIDWORKS 2020 SP05",
"version": "28.5.0.78"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "SOLIDWORKS CAM 2020 SP05",
"version": "28.50.0078"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "SOLIDWORKS Composer Player 2020 SP05",
"version": "28.50.0078"
},
{
"publisher": "Dassault Syst?mes SolidWorks Corp",
"name": "SOLIDWORKS eDrawings 2020 SP05",
"version": "28.50.0012"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "SOLIDWORKS File Utilities 2020 SP05",
"version": "28.50.0078"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "SOLIDWORKS Visualize 2020 SP05",
"version": "28.50.0078"
},
{
"publisher": "Splashtop Inc.",
"name": "Splashtop Streamer",
"version": "3.8.2.0"
},
{
"publisher": "Servably, Inc.",
"name": "Syncro",
"version": "1.0.201.18410"
},
{
"publisher": "Microsoft Corporation",
"name": "Teams Machine-Wide Installer",
"version": "1.4.0.22976"
},
{
"publisher": "Microsoft Corporation",
"name": "Update for x64-based Windows Systems (KB5001716)",
"version": "8.94.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Windows PC Health Check",
"version": "3.2.2110.14001"
},
{
"publisher": "WireGuard LLC",
"name": "WireGuard",
"version": "0.5.3"
},
{
"publisher": "Microsoft",
"name": "WPTx64",
"version": "8.100.26866"
}
],
"tpm": {
"enabled": true,
"ready": true,
"present": true
},
"local_groups": [
"Access Control Assistance Operators",
"Administrators",
"Backup Operators",
"Cryptographic Operators",
"Device Owners",
"Distributed COM Users",
"Event Log Readers",
"Guests",
"Hyper-V Administrators",
"IIS_IUSRS",
"Network Configuration Operators",
"OpenSSH Users",
"Performance Log Users",
"Performance Monitor Users",
"Power Users",
"Remote Desktop Users",
"Remote Management Users",
"Replicator",
"System Managed Accounts Group",
"User Mode Hardware Operators",
"Users"
],
"battery": {
"estimated_charge_remaining": "100",
"status": "2",
"present": true
},
"third_party_av_active": false,
"activation": {
"edition": "Microsoft Windows 11 Pro",
"description": "Windows(R) Operating System, RETAIL channel",
"licensed": true,
"license_status_code": 1
},
"time_source": "Free-running System Clock",
"chassis_types": [
10
],
"last_hotfix": {
"hotfix_id": "KB5089573",
"installed_on": "2026-05-27T07:00:00Z"
},
"scheduled_tasks": [
{
"path": "\\",
"name": "Adobe Acrobat Update Task",
"state": "Ready"
},
{
"path": "\\",
"name": "CCleanerCrashReporting",
"state": "Ready"
},
{
"path": "\\",
"name": "EPSON ES-50 Update",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskMachineCore",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskMachineUA",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Per-Machine Standalone Update Task",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Reporting Task-S-1-5-21-1051390473-2587535097-844096240-1116",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Reporting Task-S-1-5-21-4044652462-3973564329-339036029-1001",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Startup Task-S-1-5-21-1051390473-2587535097-844096240-1116",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Startup Task-S-1-5-21-4044652462-3973564329-339036029-1001",
"state": "Ready"
},
{
"path": "\\HardDiskSentinel\\",
"name": "Hard Disk Sentinel_richard",
"state": "Ready"
},
{
"path": "\\Lenovo\\ImController\\",
"name": "Lenovo iM Controller Monitor",
"state": "Ready"
},
{
"path": "\\Lenovo\\ImController\\",
"name": "Lenovo iM Controller Scheduled Maintenance",
"state": "Ready"
},
{
"path": "\\Lenovo\\ImController\\Plugins\\",
"name": "LenovoSystemUpdatePlugin_WeeklyTask",
"state": "Ready"
},
{
"path": "\\Lenovo\\ImController\\TimeBasedEvents\\",
"name": "01e15cc2-18a7-45be-bf24-142c08f2bc0f",
"state": "Ready"
},
{
"path": "\\Lenovo\\ImController\\TimeBasedEvents\\",
"name": "3d63669f-2af1-4405-b424-15880ab6649b",
"state": "Ready"
},
{
"path": "\\Lenovo\\ImController\\TimeBasedEvents\\",
"name": "6a05589d-b7b5-4241-9561-d4eb4e7554ed",
"state": "Ready"
},
{
"path": "\\Lenovo\\ImController\\TimeBasedEvents\\",
"name": "891b2b33-e75f-43ac-a4d1-b456e771024f",
"state": "Ready"
},
{
"path": "\\Lenovo\\ImController\\TimeBasedEvents\\",
"name": "9d043f8d-9f68-46de-8e94-e65d03313647",
"state": "Ready"
},
{
"path": "\\Mozilla\\",
"name": "Firefox Background Update 308046B0AF4A39CB",
"state": "Ready"
},
{
"path": "\\Mozilla\\",
"name": "Firefox Background Update S-1-5-21-1051390473-2587535097-844096240-1116 308046B0AF4A39CB",
"state": "Ready"
},
{
"path": "\\SoftLanding\\S-1-5-21-1051390473-2587535097-844096240-1116\\",
"name": "SoftLandingCreativeManagementTask",
"state": "Ready"
},
{
"path": "\\SoftLanding\\S-1-5-21-1051390473-2587535097-844096240-1116\\",
"name": "SoftLandingDeferralTask-{b2ec7b7e-7f02-4337-ba65-bc1fc879d10b}",
"state": "Ready"
}
],
"antivirus_products": [
"Windows Defender"
],
"domain_joined": true,
"defender": {
"antispyware_signature_age": 0,
"tamper_protected": true,
"real_time_protection": true,
"nis_enabled": true,
"available": true,
"antivirus_enabled": true,
"am_service_enabled": true
},
"bitlocker": {
"os_volume": "C:",
"key_protectors": [],
"recovery_key_present": false,
"available": true,
"encryption_percent": 0,
"protection_status": "Off"
},
"is_laptop": true,
"installed_software_count": 73,
"secure_channel_ok": false,
"firewall_profiles": {
"Private": true,
"Domain": true,
"Public": true
},
"domain": "ucryo.local",
"foreign_agents": null
},
"findings": [
{
"id": "sec.defender.ok",
"category": "security",
"severity": "info",
"title": "Defender active and current",
"detail": "Real-time protection on, service running, signatures current.",
"evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True"
},
{
"id": "sec.av_products.defender_only",
"category": "security",
"severity": "info",
"title": "Defender is the only registered AV",
"detail": "Only Microsoft/Windows Defender is registered in Security Center.",
"evidence": "Windows Defender"
},
{
"id": "sec.foreign_agents.none",
"category": "security",
"severity": "info",
"title": "No competitor/leftover management agents detected",
"detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.",
"evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service"
},
{
"id": "sec.foreign_agents.acg.screenconnect_connectwise_control",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running"
},
{
"id": "sec.foreign_agents.acg.splashtop_sos_streamer_",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: Splashtop Streamer 3.8.2.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running"
},
{
"id": "sec.foreign_agents.acg.syncro_kabuto",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: Syncro / Kabuto",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running"
},
{
"id": "sec.firewall.ok",
"category": "security",
"severity": "info",
"title": "All firewall profiles enabled",
"detail": "Domain, Private, and Public firewall profiles are all enabled.",
"evidence": "Private=True; Domain=True; Public=True"
},
{
"id": "sec.bitlocker.unencrypted",
"category": "security",
"severity": "critical",
"title": "OS volume is NOT encrypted with BitLocker",
"detail": "The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. Enable BitLocker and escrow the recovery key.",
"evidence": "Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors="
},
{
"id": "sec.local_admins.list",
"category": "security",
"severity": "info",
"title": "Local administrators (3)",
"detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).",
"evidence": "Administrator\nlocaladmin\nRichard"
},
{
"id": "sec.patch.os_supported",
"category": "security",
"severity": "info",
"title": "OS build supported: Win11 25H2",
"detail": "Build 26200 (Win11 25H2) is in support until 2027-10-12.",
"evidence": "Microsoft Windows 11 Pro build 26200"
},
{
"id": "sec.patch.pending",
"category": "security",
"severity": "warning",
"title": "2 pending Windows updates",
"detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.",
"evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 2"
},
{
"id": "sec.patch.last_hotfix",
"category": "security",
"severity": "info",
"title": "Last hotfix: KB5089573",
"detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).",
"evidence": "KB5089573 installed 2026-05-27T07:00:00Z"
},
{
"id": "sec.exposure.smb1_off",
"category": "security",
"severity": "info",
"title": "SMBv1 disabled",
"detail": "SMBv1 server protocol is disabled.",
"evidence": "EnableSMB1Protocol=False"
},
{
"id": "sec.exposure.laps_present",
"category": "security",
"severity": "info",
"title": "LAPS detected",
"detail": "A LAPS mechanism is present.",
"evidence": "Windows LAPS reg key"
},
{
"id": "health.stability.recurring",
"category": "health",
"severity": "critical",
"title": "Recurring stability events in the last 14 days",
"detail": "Three or more of one event class (unexpected shutdown, BSOD, or disk error) in 14 days indicates a hardware or driver problem. Investigate memory, disk, PSU, and drivers.",
"evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=3"
},
{
"id": "health.reboot_uptime.pending",
"category": "health",
"severity": "warning",
"title": "Reboot pending",
"detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.",
"evidence": "PendingFileRenameOperations"
},
{
"id": "health.failed_services.stopped",
"category": "health",
"severity": "warning",
"title": "2 auto-start service(s) not running",
"detail": "These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.",
"evidence": "Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped\nIntelAudioService (Intel(R) Audio Service) = Stopped"
},
{
"id": "health.domain.secure_channel_broken",
"category": "health",
"severity": "critical",
"title": "Domain secure channel is BROKEN",
"detail": "Test-ComputerSecureChannel returned false. The machine trust relationship with the domain is broken (Group Policy, Kerberos, and domain logon will fail). Repair with Test-ComputerSecureChannel -Repair or rejoin.",
"evidence": "PartOfDomain=True; Test-ComputerSecureChannel=False; Domain=ucryo.local"
},
{
"id": "health.time.source",
"category": "health",
"severity": "info",
"title": "Time service source",
"detail": "Current Windows Time service source.",
"evidence": "Source=Free-running System Clock"
},
{
"id": "health.battery.present",
"category": "health",
"severity": "info",
"title": "Battery present",
"detail": "Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.)",
"evidence": "EstimatedChargeRemaining=100%; BatteryStatus=2"
},
{
"id": "health.backup.none",
"category": "health",
"severity": "info",
"title": "No backup agent detected",
"detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.",
"evidence": "No matching backup service in Win32_Service"
}
]
}
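Review bot: The `sec.foreign_agents.none` finding ("No known competitor RMM or unmanaged remote-access agents found") is contradicted by the rest of the same snapshot, which lists NordVPN, WireGuard and an OpenVPN adapter carrying an active 10.100.0.2 address with DNS pointed at 103.86.96.100/103.86.99.100 instead of the 192.168.0.1 resolver the Wi-Fi adapter uses — on a domain-joined laptop those are unmanaged egress tunnels and a DNS override that plausibly explains the `secure_channel_ok: false` and free-running-clock findings, so the collector's agent list should cover VPN clients or raise a separate exposure finding rather than reporting info. The commit also checks a raw client snapshot (hostname, serial, MAC, account SIDs, local administrator names, internal IPs and the AD domain) into git as an "immutable" artifact; if this repository is shared or mirrored that inventory belongs in the RMM backend, so the snapshot directory should be ignored or those fields redacted before sync. `laps_present: true` is evidenced only by a registry key while `localadmin` is enabled and in Administrators, so that finding should be worded as "LAPS registry key present, management not confirmed" to avoid reading as a passed control.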


@@ -0,0 +1,259 @@
# Onboarding Diagnostic Baseline - DESKTOP-PMML1JC
- **Grade:** RED
- **Host:** DESKTOP-PMML1JC
- **Client:** Universal Cryogenics (`ucryo`)
- **Collected (UTC):** 2026-06-03T00:39:57Z
- **Agent ID:** 286cf717-86ac-4985-b0a6-0254fba0dfdb
- **Command ID:** a8871fc1-4667-4d2f-8a12-784747b820cc
- **Findings:** 3 critical / 3 warning / 15 info / 0 unknown
- **OS:** Microsoft Windows 11 Pro (build 26200)
---
## CRITICAL (3)
### OS volume is NOT encrypted with BitLocker
- **Category:** security
- **ID:** `sec.bitlocker.unencrypted`
- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. Enable BitLocker and escrow the recovery key.
```
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
```
### Recurring stability events in the last 14 days
- **Category:** health
- **ID:** `health.stability.recurring`
- Three or more of one event class (unexpected shutdown, BSOD, or disk error) in 14 days indicates a hardware or driver problem. Investigate memory, disk, PSU, and drivers.
```
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=3
```
### Domain secure channel is BROKEN
- **Category:** health
- **ID:** `health.domain.secure_channel_broken`
- Test-ComputerSecureChannel returned false. The machine trust relationship with the domain is broken (Group Policy, Kerberos, and domain logon will fail). Repair with Test-ComputerSecureChannel -Repair or rejoin.
```
PartOfDomain=True; Test-ComputerSecureChannel=False; Domain=ucryo.local
```
## WARNING (3)
### 2 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 2
```
### Reboot pending
- **Category:** health
- **ID:** `health.reboot_uptime.pending`
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
```
PendingFileRenameOperations
```
### 2 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped
IntelAudioService (Intel(R) Audio Service) = Stopped
```
## INFO (15)
### Defender active and current
- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.
```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
```
### Defender is the only registered AV
- **Category:** security
- **ID:** `sec.av_products.defender_only`
- Only Microsoft/Windows Defender is registered in Security Center.
```
Windows Defender
```
### No competitor/leftover management agents detected
- **Category:** security
- **ID:** `sec.foreign_agents.none`
- No known competitor RMM or unmanaged remote-access agents found in installed programs or services.
```
Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service
```
### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### Expected ACG management tooling present: Splashtop (SOS/Streamer)
- **Category:** security
- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Splashtop Streamer 3.8.2.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running
```
### Expected ACG management tooling present: Syncro / Kabuto
- **Category:** security
- **ID:** `sec.foreign_agents.acg.syncro_kabuto`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```
### All firewall profiles enabled
- **Category:** security
- **ID:** `sec.firewall.ok`
- Domain, Private, and Public firewall profiles are all enabled.
```
Private=True; Domain=True; Public=True
```
### Local administrators (3)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
Administrator
localadmin
Richard
```
### OS build supported: Win11 25H2
- **Category:** security
- **ID:** `sec.patch.os_supported`
- Build 26200 (Win11 25H2) is in support until 2027-10-12.
```
Microsoft Windows 11 Pro build 26200
```
### Last hotfix: KB5089573
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5089573 installed 2026-05-27T07:00:00Z
```
### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.
```
EnableSMB1Protocol=False
```
### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.
```
Windows LAPS reg key
```
### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.
```
Source=Free-running System Clock
```
### Battery present
- **Category:** health
- **ID:** `health.battery.present`
- Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.)
```
EstimatedChargeRemaining=100%; BatteryStatus=2
```
### No backup agent detected
- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
```
No matching backup service in Win32_Service
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** LENOVO / 81Y8
- **Serial:** PF2G2VPV
- **CPU:** Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz (6 cores / 12 logical)
- **RAM (GB):** 31.9
- **BIOS:** EFCN58WW (2022-11-15)
- **Chassis is laptop:** true
- **TPM present / Secure Boot:** true / true
- **Domain joined:** true (ucryo.local)
- **OS activation licensed:** true
- **Uptime (days):** 6.6
- **Pending reboot:** true
- **Installed software count:** 73
- **Scheduled tasks (non-MS, enabled):** 23
- **Local administrators:** Administrator, localadmin, Richard
### Fixed volumes
- [unlabeled] - 0.1 GB free of 0.1 GB (64%)
- D: - 931.3 GB free of 931.5 GB (100%)
- C: - 634.3 GB free of 930.3 GB (68.2%)
- [unlabeled] - 0.1 GB free of 1.1 GB (10%)
### Network adapters
- OpenVPN Data Channel Offload - IP: 10.100.0.2, fe80::564:408d:e02a:124a - DNS: 103.86.96.100, 103.86.99.100 - DHCP: false
- Intel(R) Wi-Fi 6 AX201 160MHz - IP: 192.168.0.5, fe80::7eb3:304d:8df9:2e0f - DNS: 192.168.0.1, 205.171.2.25 - DHCP: true
- NordLynx Tunnel - IP: 10.5.0.2, fe80::564:408d:e02a:124a - DNS: - DHCP: false
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `DESKTOP-PMML1JC-20260603T004601.json` (immutable)._


@@ -0,0 +1,774 @@
{
"host": "GROMIT",
"collected_at_utc": "2026-06-03T00:46:10Z",
"os": {
"caption": "Microsoft Windows 10 Pro",
"version": "10.0.19045",
"build": "19045",
"install_date": "2023-12-28T16:25:22Z",
"last_boot_utc": "2026-05-04T17:29:14Z",
"architecture": "64-bit"
},
"facts": {
"builtin_admin_enabled": false,
"os_eol": {
"eol_date": "2025-10-14",
"release": "Win10 22H2"
},
"pending_updates": 9,
"pending_reboot": true,
"uptime_days": 29.3,
"acg_managed_tools": [
"ScreenConnect / ConnectWise Control",
"Splashtop (SOS/Streamer)",
"Syncro / Kabuto"
],
"hardware": {
"model": "20FRS1RQ00",
"manufacturer": "LENOVO",
"bios_date": "2017-03-08",
"cpu_logical": 4,
"bios_version": "N1FET50W (1.24 )",
"cpu_cores": 2,
"ram_gb": 15.4,
"serial": "R90KPJJF",
"cpu": "Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz"
},
"local_administrators": [
"GROMIT\\Administrator",
"GROMIT\\localadmin",
"GROMIT\\owner",
"UCRYO\\Domain Admins"
],
"os_build": "19045",
"secure_boot": null,
"backup_agents": null,
"autoruns_run_keys": [
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "SecurityHealth",
"value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "AdobeAAMUpdater-1.0",
"value": "\"C:\\Program Files (x86)\\Common Files\\Adobe\\OOBE\\PDApp\\UWA\\UpdaterStartupUtility.exe\""
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "Logitech Download Assistant",
"value": "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\System32\\LogiLDA.dll,LogiFetch"
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "ControlCenter4",
"value": "C:\\Program Files (x86)\\ControlCenter4\\BrCcBoot.exe /autorun"
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "BrStsMon00",
"value": "C:\\Program Files (x86)\\Browny02\\Brother\\BrStMonW.exe /AUTORUN"
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "Acrobat Assistant 8.0",
"value": "\"C:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\Acrotray.exe\""
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"name": "msedge_cleanup_{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}",
"value": "\"C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\148.0.3967.96\\Installer\\setup.exe\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon"
}
],
"physical_disks": [
{
"health": "Healthy",
"model": "SanDisk SD7SN6S-128G-1006",
"media_type": "SSD"
}
],
"local_users": [
{
"last_logon": "",
"name": "Administrator",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "",
"name": "DefaultAccount",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "",
"name": "Guest",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "",
"name": "localadmin",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "2019-12-26",
"name": "owner",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "2020-08-12",
"name": "QBDataServiceUser24",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "2020-12-21",
"name": "QBDataServiceUser30",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "",
"name": "WDAGUtilityAccount",
"password_never_expires": false,
"enabled": false
}
],
"scheduled_tasks_count": 24,
"volumes": [
{
"drive": "[System Reserved]",
"size_gb": 0.6,
"free_pct": 94.4,
"free_gb": 0.5
},
{
"drive": "C:",
"size_gb": 118.1,
"free_pct": 25.7,
"free_gb": 30.3
},
{
"drive": "[unlabeled]",
"size_gb": 0.6,
"free_pct": 13.3,
"free_gb": 0.1
}
],
"network_adapters": [
{
"dhcp": true,
"description": "Intel(R) Dual Band Wireless-AC 8260",
"gateway": [
"172.29.0.1"
],
"mac": "44:85:00:BF:40:96",
"ip": [
"172.29.0.125",
"fe80::9f6b:2b36:fadb:5993"
],
"dns": [
"172.29.0.5",
"8.8.8.8"
]
}
],
"failed_autostart_services": [
{
"name": "gpsvc",
"display": "Group Policy Client",
"state": "Stopped"
},
{
"name": "LPlatSvc",
"display": "Lenovo Platform Service",
"state": "Stopped"
}
],
"stability_14d": {
"unexpected_shutdowns": 0,
"disk_errors": 0,
"bugchecks": 0
},
"exposure": {
"smb1_enabled": false,
"laps_present": true,
"rdp_enabled": true,
"uac_enabled": true,
"rdp_nla": true
},
"accounts_password_never_expires": [],
"installed_software": [
{
"publisher": "Adobe Systems Incorporated",
"name": "Adobe Acrobat DC",
"version": "15.009.20077"
},
{
"publisher": "Adobe Systems Incorporated",
"name": "Adobe Refresh Manager",
"version": "1.8.0"
},
{
"publisher": "Brother Industries, Ltd.",
"name": "Brother MFL-Pro Suite MFC-9130CW",
"version": "1.0.1.0"
},
{
"publisher": "Conexant Systems",
"name": "Conexant SmartAudio",
"version": "6.0.277.0"
},
{
"publisher": "Dolby Laboratories, Inc.",
"name": "Dolby Audio X2 Windows API SDK",
"version": "0.8.8.90"
},
{
"publisher": "Dolby Laboratories, Inc.",
"name": "Dolby Audio X2 Windows APP",
"version": "0.8.5.74"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Edge",
"version": "148.0.3967.96"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Edge WebView2 Runtime",
"version": "148.0.3967.96"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Office Professional Plus 2019 - en-us",
"version": "16.0.19127.20302"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Update Health Tools",
"version": "3.74.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2005 Redistributable",
"version": "8.0.61001"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2005 Redistributable (x64)",
"version": "8.0.61000"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17",
"version": "9.0.30729"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501",
"version": "12.0.30501.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501",
"version": "12.0.30501.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026",
"version": "14.0.23026.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015 x86 Additional Runtime - 14.0.23026",
"version": "14.0.23026"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015 x86 Minimum Runtime - 14.0.23026",
"version": "14.0.23026"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.40.33810",
"version": "14.40.33810.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.40.33810",
"version": "14.40.33810"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.40.33810",
"version": "14.40.33810"
},
{
"publisher": "Mozilla",
"name": "Mozilla Firefox (x64 en-US)",
"version": "151.0.2"
},
{
"publisher": "Mozilla",
"name": "Mozilla Maintenance Service",
"version": "151.0.2"
},
{
"publisher": "Mozilla",
"name": "Mozilla Thunderbird (x86 en-US)",
"version": "149.0.2"
},
{
"publisher": "Microsoft Corporation",
"name": "Office 16 Click-to-Run Extensibility Component",
"version": "16.0.19127.20154"
},
{
"publisher": "Microsoft Corporation",
"name": "Office 16 Click-to-Run Licensing Component",
"version": "16.0.19029.20136"
},
{
"publisher": "Microsoft Corporation",
"name": "Office 16 Click-to-Run Localization Component",
"version": "16.0.14026.20246"
},
{
"publisher": "Intuit Inc.",
"name": "QuickBooks",
"version": "30.0.4017.3000"
},
{
"publisher": "Intuit Inc.",
"name": "QuickBooks Premier: Mfg and Whsle Edition 2020",
"version": "30.0.4006.3000"
},
{
"publisher": "Intuit Inc.",
"name": "QuickBooks Runtime Redistributable",
"version": "1.00.0000"
},
{
"publisher": "ScreenConnect Software",
"name": "ScreenConnect Client (1912bf3444b41a08)",
"version": "26.1.24.9579"
},
{
"publisher": "Splashtop Inc.",
"name": "Splashtop Streamer",
"version": "3.8.2.0"
},
{
"publisher": "Servably, Inc.",
"name": "Syncro",
"version": "1.0.201.18410"
},
{
"publisher": "Intuit Inc.",
"name": "TurboTax 2024",
"version": "024.000.0365"
},
{
"publisher": "Microsoft Corporation",
"name": "Update for Windows 10 for x64-based Systems (KB5001716)",
"version": "8.94.0.0"
},
{
"publisher": "Wacom Technology Corp.",
"name": "Wacom Pen",
"version": "7.3.4-33"
}
],
"tpm": {
"enabled": true,
"ready": true,
"present": true
},
"local_groups": [
"Access Control Assistance Operators",
"Administrators",
"Backup Operators",
"Cryptographic Operators",
"Device Owners",
"Distributed COM Users",
"Event Log Readers",
"Guests",
"Hyper-V Administrators",
"IIS_IUSRS",
"Network Configuration Operators",
"Performance Log Users",
"Performance Monitor Users",
"Power Users",
"Remote Desktop Users",
"Remote Management Users",
"Replicator",
"System Managed Accounts Group",
"Users"
],
"battery": {
"present": false
},
"third_party_av_active": false,
"activation": {
"edition": "Microsoft Windows 10 Pro",
"description": "Windows(R) Operating System, OEM_DM channel",
"licensed": true,
"license_status_code": 1
},
"time_source": "UC2-SERVER.ucryo.local",
"chassis_types": [
31
],
"last_hotfix": {
"hotfix_id": "KB5037768",
"installed_on": "2024-05-18T07:00:00Z"
},
"scheduled_tasks": [
{
"path": "\\",
"name": "Adobe Acrobat Update Task",
"state": "Ready"
},
{
"path": "\\",
"name": "G2MUpdateTask-S-1-5-21-1051390473-2587535097-844096240-2629",
"state": "Ready"
},
{
"path": "\\",
"name": "G2MUploadTask-S-1-5-21-1051390473-2587535097-844096240-2629",
"state": "Ready"
},
{
"path": "\\",
"name": "Lenovo Power Management Driver PnP Task",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskMachineCore",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskMachineUA",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskUserS-1-5-21-1051390473-2587535097-844096240-2629Core{09E81947-80DA-47E1-B3D7-965B834A0334}",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskUserS-1-5-21-1051390473-2587535097-844096240-2629UA{DE8AD6FA-99F4-4B46-83FF-AB79F9777AA7}",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Reporting Task-S-1-5-21-1051390473-2587535097-844096240-1117",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Reporting Task-S-1-5-21-1051390473-2587535097-844096240-2629",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-1116",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-1117",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-2615",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-2629",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-2634",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-2649",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-2651",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Standalone Update Task-S-1-5-21-3327184043-4248725150-2357155321-1001",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Startup Task-S-1-5-21-1051390473-2587535097-844096240-2629",
"state": "Ready"
},
{
"path": "\\Lenovo\\Power Manager\\",
"name": "Background monitor",
"state": "Running"
},
{
"path": "\\Lenovo\\Power Manager\\",
"name": "Uninstall task",
"state": "Ready"
},
{
"path": "\\Mozilla\\",
"name": "Firefox Background Update 308046B0AF4A39CB",
"state": "Ready"
},
{
"path": "\\Mozilla\\",
"name": "Firefox Background Update S-1-5-21-1051390473-2587535097-844096240-2629 308046B0AF4A39CB",
"state": "Ready"
},
{
"path": "\\Mozilla\\",
"name": "Firefox Default Browser Agent 308046B0AF4A39CB",
"state": "Ready"
}
],
"antivirus_products": [
"Windows Defender"
],
"domain_joined": true,
"defender": {
"antispyware_signature_age": 0,
"tamper_protected": true,
"real_time_protection": true,
"nis_enabled": true,
"available": true,
"antivirus_enabled": true,
"am_service_enabled": true
},
"bitlocker": {
"os_volume": "C:",
"key_protectors": [],
"recovery_key_present": false,
"available": true,
"encryption_percent": 0,
"protection_status": "Off"
},
"is_laptop": false,
"installed_software_count": 40,
"secure_channel_ok": true,
"firewall_profiles": {
"Private": true,
"Domain": true,
"Public": true
},
"domain": "ucryo.local",
"foreign_agents": null
},
"findings": [
{
"id": "sec.defender.ok",
"category": "security",
"severity": "info",
"title": "Defender active and current",
"detail": "Real-time protection on, service running, signatures current.",
"evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True"
},
{
"id": "sec.av_products.defender_only",
"category": "security",
"severity": "info",
"title": "Defender is the only registered AV",
"detail": "Only Microsoft/Windows Defender is registered in Security Center.",
"evidence": "Windows Defender"
},
{
"id": "sec.foreign_agents.none",
"category": "security",
"severity": "info",
"title": "No competitor/leftover management agents detected",
"detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.",
"evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service"
},
{
"id": "sec.foreign_agents.acg.screenconnect_connectwise_control",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running"
},
{
"id": "sec.foreign_agents.acg.splashtop_sos_streamer_",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: Splashtop Streamer 3.8.2.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running"
},
{
"id": "sec.foreign_agents.acg.syncro_kabuto",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: Syncro / Kabuto",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running"
},
{
"id": "sec.firewall.ok",
"category": "security",
"severity": "info",
"title": "All firewall profiles enabled",
"detail": "Domain, Private, and Public firewall profiles are all enabled.",
"evidence": "Private=True; Domain=True; Public=True"
},
{
"id": "sec.bitlocker.unencrypted",
"category": "security",
"severity": "warning",
"title": "OS volume is NOT encrypted with BitLocker",
"detail": "The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.",
"evidence": "Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors="
},
{
"id": "sec.local_admins.list",
"category": "security",
"severity": "info",
"title": "Local administrators (4)",
"detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).",
"evidence": "GROMIT\\Administrator\nGROMIT\\localadmin\nGROMIT\\owner\nUCRYO\\Domain Admins"
},
{
"id": "sec.patch.os_eol",
"category": "security",
"severity": "critical",
"title": "OS build is end-of-life: Win10 22H2",
"detail": "This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.",
"evidence": "Microsoft Windows 10 Pro build 19045; EOL 2025-10-14"
},
{
"id": "sec.patch.pending",
"category": "security",
"severity": "warning",
"title": "9 pending Windows updates",
"detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.",
"evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 9"
},
{
"id": "sec.patch.last_hotfix",
"category": "security",
"severity": "info",
"title": "Last hotfix: KB5037768",
"detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).",
"evidence": "KB5037768 installed 2024-05-18T07:00:00Z"
},
{
"id": "sec.exposure.rdp_on",
"category": "security",
"severity": "warning",
"title": "RDP is enabled",
"detail": "Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.",
"evidence": "fDenyTSConnections=0; UserAuthentication=1"
},
{
"id": "sec.exposure.smb1_off",
"category": "security",
"severity": "info",
"title": "SMBv1 disabled",
"detail": "SMBv1 server protocol is disabled.",
"evidence": "EnableSMB1Protocol=False"
},
{
"id": "sec.exposure.laps_present",
"category": "security",
"severity": "info",
"title": "LAPS detected",
"detail": "A LAPS mechanism is present.",
"evidence": "Windows LAPS reg key"
},
{
"id": "health.stability.clean",
"category": "health",
"severity": "info",
"title": "No stability events in the last 14 days",
"detail": "No unexpected shutdowns, BSODs, or disk errors logged.",
"evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0"
},
{
"id": "health.reboot_uptime.pending",
"category": "health",
"severity": "warning",
"title": "Reboot pending",
"detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.",
"evidence": "PendingFileRenameOperations"
},
{
"id": "health.failed_services.stopped",
"category": "health",
"severity": "warning",
"title": "2 auto-start service(s) not running",
"detail": "These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.",
"evidence": "gpsvc (Group Policy Client) = Stopped\nLPlatSvc (Lenovo Platform Service) = Stopped"
},
{
"id": "health.domain.secure_channel_ok",
"category": "health",
"severity": "info",
"title": "Domain secure channel healthy",
"detail": "Machine trust relationship with the domain is intact.",
"evidence": "Domain=ucryo.local"
},
{
"id": "health.time.source",
"category": "health",
"severity": "info",
"title": "Time service source",
"detail": "Current Windows Time service source.",
"evidence": "Source=UC2-SERVER.ucryo.local"
},
{
"id": "health.backup.none",
"category": "health",
"severity": "info",
"title": "No backup agent detected",
"detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.",
"evidence": "No matching backup service in Win32_Service"
}
]
}
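Review bot: `chassis_types` is `[31]` but `is_laptop` is `false`; 31 is the SMBIOS "Convertible" chassis value, a portable form factor, and because the BitLocker severity escalates on laptops (the HOBBES report grades the same unencrypted-OS condition `critical` for that reason) this host's `sec.bitlocker.unencrypted` lands at `warning` only, so the laptop test in the generator (outside this hunk) should probably treat the 30-32 convertible/detachable range as portable. The snapshot also commits host-identifying data to an auto-synced git repository: serial `R90KPJJF`, MAC `44:85:00:BF:40:96`, internal addressing `172.29.0.125`/`172.29.0.5`, the domain SID embedded in the scheduled-task names, and the full local-user and Administrators lists, which together are a ready-made recon dossier; confirm the repo is access-controlled at the same level as the RMM, or have the snapshot writer redact or hash serials and MACs before writing. Minor shape point: `backup_agents` and `foreign_agents` are `null` while `key_protectors` and `accounts_password_never_expires` are `[]`; emitting `[]` for every "nothing found" list keeps the type stable and lets consumers iterate unconditionally.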


@@ -0,0 +1,257 @@
# Onboarding Diagnostic Baseline - GROMIT
- **Grade:** RED
- **Host:** GROMIT
- **Client:** Universal Cryogenics (`ucryo`)
- **Collected (UTC):** 2026-06-03T00:46:10Z
- **Agent ID:** 20da3f2f-6bef-4d8c-b6fa-141d47a01d52
- **Command ID:** 77775791-1c4b-4921-8c69-2c83afac1620
- **Findings:** 1 critical / 5 warning / 15 info / 0 unknown
- **OS:** Microsoft Windows 10 Pro (build 19045)
---
## CRITICAL (1)
### OS build is end-of-life: Win10 22H2
- **Category:** security
- **ID:** `sec.patch.os_eol`
- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.
```
Microsoft Windows 10 Pro build 19045; EOL 2025-10-14
```
## WARNING (5)
### OS volume is NOT encrypted with BitLocker
- **Category:** security
- **ID:** `sec.bitlocker.unencrypted`
- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.
```
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
```
### 9 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 9
```
### RDP is enabled
- **Category:** security
- **ID:** `sec.exposure.rdp_on`
- Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.
```
fDenyTSConnections=0; UserAuthentication=1
```
### Reboot pending
- **Category:** health
- **ID:** `health.reboot_uptime.pending`
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
```
PendingFileRenameOperations
```
### 2 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
gpsvc (Group Policy Client) = Stopped
LPlatSvc (Lenovo Platform Service) = Stopped
```
## INFO (15)
### Defender active and current
- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.
```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
```
### Defender is the only registered AV
- **Category:** security
- **ID:** `sec.av_products.defender_only`
- Only Microsoft/Windows Defender is registered in Security Center.
```
Windows Defender
```
### No competitor/leftover management agents detected
- **Category:** security
- **ID:** `sec.foreign_agents.none`
- No known competitor RMM or unmanaged remote-access agents found in installed programs or services.
```
Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service
```
### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### Expected ACG management tooling present: Splashtop (SOS/Streamer)
- **Category:** security
- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Splashtop Streamer 3.8.2.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running
```
### Expected ACG management tooling present: Syncro / Kabuto
- **Category:** security
- **ID:** `sec.foreign_agents.acg.syncro_kabuto`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```
### All firewall profiles enabled
- **Category:** security
- **ID:** `sec.firewall.ok`
- Domain, Private, and Public firewall profiles are all enabled.
```
Private=True; Domain=True; Public=True
```
### Local administrators (4)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
GROMIT\Administrator
GROMIT\localadmin
GROMIT\owner
UCRYO\Domain Admins
```
### Last hotfix: KB5037768
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5037768 installed 2024-05-18T07:00:00Z
```
### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.
```
EnableSMB1Protocol=False
```
### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.
```
Windows LAPS reg key
```
### No stability events in the last 14 days
- **Category:** health
- **ID:** `health.stability.clean`
- No unexpected shutdowns, BSODs, or disk errors logged.
```
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0
```
### Domain secure channel healthy
- **Category:** health
- **ID:** `health.domain.secure_channel_ok`
- Machine trust relationship with the domain is intact.
```
Domain=ucryo.local
```
### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.
```
Source=UC2-SERVER.ucryo.local
```
### No backup agent detected
- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
```
No matching backup service in Win32_Service
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** LENOVO / 20FRS1RQ00
- **Serial:** R90KPJJF
- **CPU:** Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz (2 cores / 4 logical)
- **RAM (GB):** 15.4
- **BIOS:** N1FET50W (1.24 ) (2017-03-08)
- **Chassis is laptop:** false
- **TPM present / Secure Boot:** true / ?
- **Domain joined:** true (ucryo.local)
- **OS activation licensed:** true
- **Uptime (days):** 29.3
- **Pending reboot:** true
- **Installed software count:** 40
- **Scheduled tasks (non-MS, enabled):** 24
- **Local administrators:** GROMIT\Administrator, GROMIT\localadmin, GROMIT\owner, UCRYO\Domain Admins
### Fixed volumes
- [System Reserved] - 0.5 GB free of 0.6 GB (94.4%)
- C: - 30.3 GB free of 118.1 GB (25.7%)
- [unlabeled] - 0.1 GB free of 0.6 GB (13.3%)
### Network adapters
- Intel(R) Dual Band Wireless-AC 8260 - IP: 172.29.0.125, fe80::9f6b:2b36:fadb:5993 - DNS: 172.29.0.5, 8.8.8.8 - DHCP: true
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `GROMIT-20260603T004715.json` (immutable)._
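Review bot: Three findings under-report what the evidence in this report already shows: `KB5037768 installed 2024-05-18T07:00:00Z` against a 2026-06-03 collection is a two-year patch gap on an EOL build yet `sec.patch.last_hotfix` is graded `info`; `gpsvc (Group Policy Client) = Stopped` on a domain-joined host means domain policy is not being applied, which deserves its own security finding rather than the generic stopped-service warning (and the LAPS finding rests only on `Windows LAPS reg key`, so it is not evidence that the local admin password is actually being rotated); and `GROMIT\owner` sits in Administrators although the raw snapshot records its last logon as 2019-12-26, with no stale-enabled-account finding. These thresholds live in the generator outside this hunk; a `sec.patch.stale` check (last hotfix older than N days, `warning`/`critical`) and a `sec.accounts.stale_enabled` check (enabled local account with last logon older than N days, escalated when the account is a local admin) would surface the first and third on every host.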



@@ -0,0 +1,268 @@
# Onboarding Diagnostic Baseline - HOBBES
- **Grade:** RED
- **Host:** HOBBES
- **Client:** Universal Cryogenics (`ucryo`)
- **Collected (UTC):** 2026-06-03T00:47:28Z
- **Agent ID:** a336deb1-6d09-4ade-b2c3-0b258664f4bd
- **Command ID:** c9af21ee-ad06-4e61-bdff-36bd7146de27
- **Findings:** 2 critical / 5 warning / 15 info / 0 unknown
- **OS:** Microsoft Windows 10 Pro (build 19045)
---
## CRITICAL (2)
### OS volume is NOT encrypted with BitLocker
- **Category:** security
- **ID:** `sec.bitlocker.unencrypted`
- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. Enable BitLocker and escrow the recovery key.
```
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
```
### OS build is end-of-life: Win10 22H2
- **Category:** security
- **ID:** `sec.patch.os_eol`
- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.
```
Microsoft Windows 10 Pro build 19045; EOL 2025-10-14
```
## WARNING (5)
### 1 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1
```
### RDP is enabled
- **Category:** security
- **ID:** `sec.exposure.rdp_on`
- Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.
```
fDenyTSConnections=0; UserAuthentication=1
```
### Stability events present in the last 14 days
- **Category:** health
- **ID:** `health.stability.some`
- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.
```
Unexpected shutdowns (id 41)=1; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=1
```
### Reboot pending
- **Category:** health
- **ID:** `health.reboot_uptime.pending`
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
```
PendingFileRenameOperations
```
### 1 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
gpsvc (Group Policy Client) = Stopped
```
## INFO (15)
### Defender active and current
- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.
```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
```
### Defender is the only registered AV
- **Category:** security
- **ID:** `sec.av_products.defender_only`
- Only Microsoft/Windows Defender is registered in Security Center.
```
Windows Defender
```
### No competitor/leftover management agents detected
- **Category:** security
- **ID:** `sec.foreign_agents.none`
- No known competitor RMM or unmanaged remote-access agents found in installed programs or services.
```
Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service
```
### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### Expected ACG management tooling present: Splashtop (SOS/Streamer)
- **Category:** security
- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Splashtop Software Updater 1.5.6.23
program: Splashtop Streamer 3.8.2.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running
service: SSUService (Splashtop Software Updater Service) Running
```
### Expected ACG management tooling present: Syncro / Kabuto
- **Category:** security
- **ID:** `sec.foreign_agents.acg.syncro_kabuto`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```
### All firewall profiles enabled
- **Category:** security
- **ID:** `sec.firewall.ok`
- Domain, Private, and Public firewall profiles are all enabled.
```
Private=True; Domain=True; Public=True
```
### Local administrators (4)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
HOBBES\Administrator
HOBBES\localadmin
HOBBES\paul
UCRYO\Domain Admins
```
### Last hotfix: KB5072653
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5072653 installed 2025-11-18T07:00:00Z
```
### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.
```
EnableSMB1Protocol=False
```
### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.
```
Windows LAPS reg key
```
### Domain secure channel healthy
- **Category:** health
- **ID:** `health.domain.secure_channel_ok`
- Machine trust relationship with the domain is intact.
```
Domain=ucryo.local
```
### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.
```
Source=UC2-SERVER.ucryo.local
```
### Battery present
- **Category:** health
- **ID:** `health.battery.present`
- Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.)
```
EstimatedChargeRemaining=224%; BatteryStatus=2
```
### No backup agent detected
- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
```
No matching backup service in Win32_Service
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** Dell Inc. / Precision M4800
- **Serial:** CTWRT32
- **CPU:** Intel(R) Core(TM) i7-4910MQ CPU @ 2.90GHz (4 cores / 8 logical)
- **RAM (GB):** 15.9
- **BIOS:** A16 (2015-12-01)
- **Chassis is laptop:** true
- **TPM present / Secure Boot:** ? / true
- **Domain joined:** true (ucryo.local)
- **OS activation licensed:** true
- **Uptime (days):** 0.2
- **Pending reboot:** true
- **Installed software count:** 117
- **Scheduled tasks (non-MS, enabled):** 19
- **Local administrators:** HOBBES\Administrator, HOBBES\localadmin, HOBBES\paul, UCRYO\Domain Admins
### Fixed volumes
- [unlabeled] - 0.1 GB free of 0.5 GB (15.4%)
- C: - 748.2 GB free of 931 GB (80.4%)
- [unlabeled] - 0.1 GB free of 0.1 GB (72%)
- [Recovery] - 0.5 GB free of 0.5 GB (97.4%)
### Network adapters
- Intel(R) Ethernet Connection I217-LM - IP: 172.29.0.137, fe80::529a:39b9:465d:500b - DNS: 172.29.0.5, 8.8.8.8 - DHCP: true
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `HOBBES-20260603T004835.json` (immutable)._


@@ -0,0 +1,275 @@
# Onboarding Diagnostic Baseline - HOBORG
- **Grade:** RED
- **Host:** HOBORG
- **Client:** Universal Cryogenics (`ucryo`)
- **Collected (UTC):** 2026-06-03T00:48:48Z
- **Agent ID:** 89ee0a5d-49f2-4334-8e49-eaafa389e9ec
- **Command ID:** fa21ce79-d1f7-4fbd-badf-443e1a1d3c31
- **Findings:** 3 critical / 5 warning / 15 info / 0 unknown
- **OS:** Microsoft Windows 10 Pro (build 19045)
---
## CRITICAL (3)
### OS volume is NOT encrypted with BitLocker
- **Category:** security
- **ID:** `sec.bitlocker.unencrypted`
- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. Enable BitLocker and escrow the recovery key.
```
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
```
### OS build is end-of-life: Win10 22H2
- **Category:** security
- **ID:** `sec.patch.os_eol`
- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.
```
Microsoft Windows 10 Pro build 19045; EOL 2025-10-14
```
### Disk not healthy: TOSHIBA THNSNJ512GDNU A (Warning)
- **Category:** health
- **ID:** `health.disk_smart.toshiba_thnsnj512gdnu_a`
- A physical disk reports a non-Healthy SMART/health status. Imminent failure risk. Back up immediately and plan replacement.
```
HealthStatus=Warning; Wear=100; ReadErrorsTotal=0; Temperature=41
```
## WARNING (5)
### Third-party AV present: Sentinel Agent
- **Category:** security
- **ID:** `sec.av_products.third_party`
- A non-Defender antivirus is registered. Running two real-time AV engines causes conflicts, performance loss, and detection gaps. Confirm the intended AV and ensure only one provides real-time protection.
```
Registered AV: Windows Defender, Sentinel Agent
```
### 3 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 3
```
### RDP is enabled
- **Category:** security
- **ID:** `sec.exposure.rdp_on`
- Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.
```
fDenyTSConnections=0; UserAuthentication=1
```
### Reboot pending
- **Category:** health
- **ID:** `health.reboot_uptime.pending`
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
```
PendingFileRenameOperations
```
### 2 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
LPlatSvc (Lenovo Platform Service) = Stopped
SynaHlp (Synaptics helper service) = Stopped
```
## INFO (15)
### Defender active and current
- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.
```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
```
### No competitor/leftover management agents detected
- **Category:** security
- **ID:** `sec.foreign_agents.none`
- No known competitor RMM or unmanaged remote-access agents found in installed programs or services.
```
Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service
```
### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### Expected ACG management tooling present: Splashtop (SOS/Streamer)
- **Category:** security
- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Splashtop Streamer 3.8.2.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running
```
### Expected ACG management tooling present: Syncro / Kabuto
- **Category:** security
- **ID:** `sec.foreign_agents.acg.syncro_kabuto`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```
### All firewall profiles enabled
- **Category:** security
- **ID:** `sec.firewall.ok`
- Domain, Private, and Public firewall profiles are all enabled.
```
Private=True; Domain=True; Public=True
```
### Local administrators (4)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
HOBORG\Administrator
HOBORG\localadmin
HOBORG\Owner
UCRYO\Domain Admins
```
### Last hotfix: KB5072653
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5072653 installed 2025-11-18T07:00:00Z
```
### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.
```
EnableSMB1Protocol=False
```
### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.
```
Windows LAPS reg key
```
### No stability events in the last 14 days
- **Category:** health
- **ID:** `health.stability.clean`
- No unexpected shutdowns, BSODs, or disk errors logged.
```
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0
```
### Domain secure channel healthy
- **Category:** health
- **ID:** `health.domain.secure_channel_ok`
- Machine trust relationship with the domain is intact.
```
Domain=ucryo.local
```
### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.
```
Source=UC2-SERVER.ucryo.local
```
### Battery present
- **Category:** health
- **ID:** `health.battery.present`
- Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.)
```
EstimatedChargeRemaining=99%; BatteryStatus=2
```
### No backup agent detected
- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
```
No matching backup service in Win32_Service
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** LENOVO / 20ENCTO1WW
- **Serial:** PC0LBN9T
- **CPU:** Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz (4 cores / 8 logical)
- **RAM (GB):** 31.4
- **BIOS:** N1EET81W (1.54 ) (2018-11-14)
- **Chassis is laptop:** true
- **TPM present / Secure Boot:** true / ?
- **Domain joined:** true (ucryo.local)
- **OS activation licensed:** true
- **Uptime (days):** 18.2
- **Pending reboot:** true
- **Installed software count:** 108
- **Scheduled tasks (non-MS, enabled):** 24
- **Local administrators:** HOBORG\Administrator, HOBORG\localadmin, HOBORG\Owner, UCRYO\Domain Admins
### Fixed volumes
- [System Reserved] - 0.5 GB free of 0.6 GB (94.4%)
- C: - 149.5 GB free of 475.8 GB (31.4%)
- [unlabeled] - 0.1 GB free of 0.6 GB (13.9%)
### Network adapters
- Realtek USB GbE Family Controller - IP: 172.29.0.128, fe80::344c:f8cc:8fca:b4ed - DNS: 172.29.0.5, 8.8.8.8 - DHCP: true
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `HOBORG-20260603T005101.json` (immutable)._


@@ -0,0 +1,960 @@
{
"host": "KIRBY",
"collected_at_utc": "2026-06-03T00:35:40Z",
"os": {
"caption": "Microsoft Windows 10 Pro",
"version": "10.0.19045",
"build": "19045",
"install_date": "2022-07-23T08:06:56Z",
"last_boot_utc": "2026-04-28T17:03:48Z",
"architecture": "64-bit"
},
"facts": {
"builtin_admin_enabled": false,
"os_eol": {
"eol_date": "2025-10-14",
"release": "Win10 22H2"
},
"pending_updates": 4,
"pending_reboot": true,
"uptime_days": 35.3,
"acg_managed_tools": [
"ScreenConnect / ConnectWise Control",
"Splashtop (SOS/Streamer)",
"Syncro / Kabuto"
],
"hardware": {
"model": "82K8",
"manufacturer": "LENOVO",
"bios_date": "2023-11-17",
"cpu_logical": 16,
"bios_version": "HACN42WW",
"cpu_cores": 8,
"ram_gb": 31.4,
"serial": "PF40739R",
"cpu": "AMD Ryzen 7 5800H with Radeon Graphics "
},
"local_administrators": [
"KIRBY\\Administrator",
"KIRBY\\localadmin",
"KIRBY\\paul",
"UCRYO\\Domain Admins"
],
"os_build": "19045",
"secure_boot": true,
"backup_agents": null,
"autoruns_run_keys": [
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "SecurityHealth",
"value": "C:\\Windows\\system32\\SecurityHealthSystray.exe"
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "RtkAudUService",
"value": "\"C:\\Windows\\System32\\DriverStore\\FileRepository\\realtekservice.inf_amd64_0a6e841b98282717\\RtkAudUService64.exe\" -background"
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "AdobeAAMUpdater-1.0",
"value": "\"C:\\Program Files (x86)\\Common Files\\Adobe\\OOBE\\PDApp\\UWA\\UpdaterStartupUtility.exe\""
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "Logitech Download Assistant",
"value": "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\System32\\LogiLDA.dll,LogiFetch"
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "LogiOptions",
"value": "C:\\Program Files\\Logitech\\LogiOptions\\LogiOptions.exe /noui"
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "Acrobat Assistant 8.0",
"value": "\"C:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\Acrotray.exe\""
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "(default)",
"value": ""
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "ControlCenter4",
"value": "C:\\Program Files (x86)\\ControlCenter4\\BrCcBoot.exe /autorun"
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "BrStsMon00",
"value": "C:\\Program Files (x86)\\Browny02\\Brother\\BrStMonW.exe /AUTORUN"
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"name": "Delete Cached Update Binary",
"value": "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Program Files\\Microsoft OneDrive\\Update\\OneDriveSetup.exe\""
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"name": "Delete Cached Standalone Update Binary",
"value": "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Program Files\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""
}
],
"physical_disks": [
{
"health": "Healthy",
"model": "SKHynix_HFS512GDE9X084N",
"media_type": "SSD"
}
],
"local_users": [
{
"last_logon": "",
"name": "Administrator",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "",
"name": "DefaultAccount",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "",
"name": "Guest",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "",
"name": "localadmin",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "2022-07-22",
"name": "paul",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "",
"name": "WDAGUtilityAccount",
"password_never_expires": false,
"enabled": false
}
],
"scheduled_tasks_count": 15,
"volumes": [
{
"drive": "C:",
"size_gb": 474.4,
"free_pct": 59.6,
"free_gb": 282.7
},
{
"drive": "[WINRE_DRV]",
"size_gb": 2,
"free_pct": 56.5,
"free_gb": 1.1
},
{
"drive": "[unlabeled]",
"size_gb": 0.1,
"free_pct": 72,
"free_gb": 0.1
},
{
"drive": "[unlabeled]",
"size_gb": 0.5,
"free_pct": 16.6,
"free_gb": 0.1
}
],
"network_adapters": [
{
"dhcp": true,
"description": "MediaTek Wi-Fi 6 MT7921 Wireless LAN Card",
"gateway": [
"172.29.0.1"
],
"mac": "88:94:EB:1B:F0:DD",
"ip": [
"172.29.0.148",
"fe80::d7aa:6bcd:882c:e640"
],
"dns": [
"172.29.0.5",
"8.8.8.8"
]
}
],
"failed_autostart_services": null,
"stability_14d": {
"unexpected_shutdowns": 0,
"disk_errors": 0,
"bugchecks": 0
},
"exposure": {
"smb1_enabled": false,
"laps_present": true,
"rdp_enabled": true,
"uac_enabled": true,
"rdp_nla": true
},
"accounts_password_never_expires": [],
"installed_software": [
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "3DEXPERIENCE Exchange for SOLIDWORKS",
"version": "34.11.0011"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "3DEXPERIENCE Marketplace for SOLIDWORKS",
"version": "6.32.1051"
},
{
"publisher": "Atlas Business Solutions, Inc.",
"name": "ABS PDF Install",
"version": "4.2.2"
},
{
"publisher": "Adobe Systems Incorporated",
"name": "Adobe Acrobat DC",
"version": "15.009.20077"
},
{
"publisher": "Adobe Systems Incorporated",
"name": "Adobe Refresh Manager",
"version": "1.8.0"
},
{
"publisher": "Apple Inc.",
"name": "Bonjour",
"version": "3.0.0.10"
},
{
"publisher": "Brother Industries, Ltd.",
"name": "Brother MFL-Pro Suite MFC-9130CW",
"version": "1.0.1.0"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "CEF for SOLIDWORKS Applications",
"version": "142.0.34576.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Copilot",
"version": "148.0.3967.70"
},
{
"publisher": "Logi",
"name": "Logi Bolt",
"version": "1.01.415.0"
},
{
"publisher": "Logitech",
"name": "Logitech Options",
"version": "9.40.86"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Edge",
"version": "148.0.3967.96"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Edge WebView2 Runtime",
"version": "148.0.3967.96"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Office Professional Plus 2019 - en-us",
"version": "16.0.19127.20302"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft OneDrive",
"version": "26.084.0504.0007"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Update Health Tools",
"version": "3.74.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Basic for Applications 7.1 (x64)",
"version": "7.1.11.28"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Basic for Applications 7.1 (x64) English",
"version": "7.1.11.28"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2005 Redistributable",
"version": "8.0.61001"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2005 Redistributable (x64)",
"version": "8.0.61000"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161",
"version": "9.0.30729.6161"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17",
"version": "9.0.30729"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161",
"version": "9.0.30729.6161"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219",
"version": "10.0.40219"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219",
"version": "10.0.40219"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030",
"version": "11.0.61030.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030",
"version": "11.0.61030.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030",
"version": "11.0.61030"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030",
"version": "11.0.61030"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030",
"version": "11.0.61030"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030",
"version": "11.0.61030"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501",
"version": "12.0.30501.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501",
"version": "12.0.30501.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.42.34438",
"version": "14.42.34438.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.42.34438",
"version": "14.42.34438.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34438",
"version": "14.42.34438"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34438",
"version": "14.42.34438"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.42.34438",
"version": "14.42.34438"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.42.34438",
"version": "14.42.34438"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio Tools for Applications 2015",
"version": "14.0.23829"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio Tools for Applications 2015 Finalizer",
"version": "14.0.23829"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio Tools for Applications 2015 x64 Hosting Support",
"version": "14.0.23829"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio Tools for Applications 2015 x86 Hosting Support",
"version": "14.0.23829"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio Tools for Applications 2019",
"version": "16.0.31110"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio Tools for Applications 2019 x64 Hosting Support",
"version": "16.0.31110"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio Tools for Applications 2019 x86 Hosting Support",
"version": "16.0.31110"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio Tools for Applications 2022",
"version": "17.0.33529"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio Tools for Applications 2022 x64 Hosting Support",
"version": "17.0.33529"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio Tools for Applications 2022 x86 Hosting Support",
"version": "17.0.33529"
},
{
"publisher": "Mozilla",
"name": "Mozilla Firefox (x64 en-US)",
"version": "151.0.3"
},
{
"publisher": "Mozilla",
"name": "Mozilla Maintenance Service",
"version": "151.0.2"
},
{
"publisher": "NVIDIA Corporation",
"name": "NVIDIA Graphics Driver 527.99",
"version": "527.99"
},
{
"publisher": "NVIDIA Corporation",
"name": "NVIDIA Install Application",
"version": "2.1002.382.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Office 16 Click-to-Run Extensibility Component",
"version": "16.0.19127.20154"
},
{
"publisher": "Microsoft Corporation",
"name": "Office 16 Click-to-Run Licensing Component",
"version": "16.0.19029.20184"
},
{
"publisher": "Intuit Inc.",
"name": "QuickBooks",
"version": "30.0.4017.3000"
},
{
"publisher": "Intuit Inc.",
"name": "QuickBooks Premier: Mfg and Whsle Edition 2020",
"version": "30.0.4006.3000"
},
{
"publisher": "Intuit Inc.",
"name": "QuickBooks Runtime Redistributable",
"version": "1.00.0000"
},
{
"publisher": "ScreenConnect Software",
"name": "ScreenConnect Client (1912bf3444b41a08)",
"version": "26.1.24.9579"
},
{
"publisher": "SolidWorks Corporation",
"name": "SOLIDWORKS 2024 SP01",
"version": "32.1.0.123"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "SOLIDWORKS 2024 SP01",
"version": "32.110.0123"
},
{
"publisher": "SolidWorks Corporation",
"name": "SOLIDWORKS 2026 SP01.1",
"version": "34.1.1.11"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "SOLIDWORKS 2026 SP01.1",
"version": "34.111.0011"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "SOLIDWORKS CAM 2024 SP01",
"version": "32.10.0123"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "SOLIDWORKS Composer Player 2024 SP01",
"version": "32.10.0123"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "SOLIDWORKS Composer Player 2026 SP01.1",
"version": "34.11.0011"
},
{
"publisher": "Dassault Syst?mes SolidWorks Corp",
"name": "SOLIDWORKS eDrawings 2024 SP01",
"version": "32.10.0076"
},
{
"publisher": "Dassault Syst?mes SolidWorks Corp",
"name": "SOLIDWORKS eDrawings 2026 SP01.1",
"version": "34.11.0001"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "SOLIDWORKS File Utilities 2024 SP01",
"version": "32.10.0123"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "SOLIDWORKS File Utilities 2026 SP01.1",
"version": "34.11.0011"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "SOLIDWORKS Login Manager",
"version": "25.50.34500.0"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "SOLIDWORKS Visualize 2024 SP01",
"version": "32.10.0123"
},
{
"publisher": "Splashtop Inc.",
"name": "Splashtop Streamer",
"version": "3.8.2.0"
},
{
"publisher": "Servably, Inc.",
"name": "Syncro",
"version": "1.0.201.18410"
},
{
"publisher": "Microsoft Corporation",
"name": "Update for x64-based Windows Systems (KB5001716)",
"version": "8.94.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Windows PC Health Check",
"version": "3.6.2204.08001"
},
{
"publisher": "Microsoft",
"name": "WPTx64",
"version": "8.100.26866"
},
{
"publisher": "Yubico AB",
"name": "Yubico Authenticator",
"version": "7.0.0"
}
],
"tpm": {
"enabled": true,
"ready": true,
"present": true
},
"local_groups": [
"Access Control Assistance Operators",
"Administrators",
"Backup Operators",
"Cryptographic Operators",
"Device Owners",
"Distributed COM Users",
"Event Log Readers",
"Guests",
"Hyper-V Administrators",
"IIS_IUSRS",
"Network Configuration Operators",
"Performance Log Users",
"Performance Monitor Users",
"Power Users",
"Remote Desktop Users",
"Remote Management Users",
"Replicator",
"System Managed Accounts Group",
"Users"
],
"battery": {
"estimated_charge_remaining": "94",
"status": "2",
"present": true
},
"third_party_av_active": false,
"activation": {
"edition": "Microsoft Windows 10 Pro",
"description": "Windows(R) Operating System, RETAIL channel",
"licensed": true,
"license_status_code": 1
},
"time_source": "UC2-SERVER.ucryo.local",
"chassis_types": [
10
],
"last_hotfix": {
"hotfix_id": "KB5072653",
"installed_on": "2025-11-20T07:00:00Z"
},
"scheduled_tasks": [
{
"path": "\\",
"name": "Adobe Acrobat Update Task",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskMachineCore",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskMachineUA",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Per-Machine Standalone Update Task",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Reporting Task-S-1-5-21-1051390473-2587535097-844096240-1115",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Reporting Task-S-1-5-21-1051390473-2587535097-844096240-1117",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Reporting Task-S-1-5-21-3167958784-13707620-2457732989-1001",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Startup Task-S-1-5-21-1051390473-2587535097-844096240-1115",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Startup Task-S-1-5-21-1051390473-2587535097-844096240-1117",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Startup Task-S-1-5-21-3167958784-13707620-2457732989-1001",
"state": "Ready"
},
{
"path": "\\",
"name": "ZoomUpdateTaskUser-S-1-5-21-1051390473-2587535097-844096240-1115",
"state": "Ready"
},
{
"path": "\\GoogleUser\\GoogleUpdater\\",
"name": "GoogleUpdaterTaskUser149.0.7814.0{E499484E-3F36-4644-8060-31171C0E93F1}",
"state": "Ready"
},
{
"path": "\\Mozilla\\",
"name": "Firefox Background Update 308046B0AF4A39CB",
"state": "Ready"
},
{
"path": "\\Mozilla\\",
"name": "Firefox Background Update S-1-5-21-1051390473-2587535097-844096240-1115 308046B0AF4A39CB",
"state": "Ready"
},
{
"path": "\\Mozilla\\",
"name": "Firefox Default Browser Agent 308046B0AF4A39CB",
"state": "Ready"
}
],
"antivirus_products": [
"Windows Defender"
],
"domain_joined": true,
"defender": {
"antispyware_signature_age": 0,
"tamper_protected": true,
"real_time_protection": true,
"nis_enabled": true,
"available": true,
"antivirus_enabled": true,
"am_service_enabled": true
},
"bitlocker": {
"os_volume": "C:",
"key_protectors": [],
"recovery_key_present": false,
"available": true,
"encryption_percent": 0,
"protection_status": "Off"
},
"is_laptop": true,
"installed_software_count": 82,
"secure_channel_ok": true,
"firewall_profiles": {
"Private": true,
"Domain": true,
"Public": true
},
"domain": "ucryo.local",
"foreign_agents": null
},
"findings": [
{
"id": "sec.defender.ok",
"category": "security",
"severity": "info",
"title": "Defender active and current",
"detail": "Real-time protection on, service running, signatures current.",
"evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True"
},
{
"id": "sec.av_products.defender_only",
"category": "security",
"severity": "info",
"title": "Defender is the only registered AV",
"detail": "Only Microsoft/Windows Defender is registered in Security Center.",
"evidence": "Windows Defender"
},
{
"id": "sec.foreign_agents.none",
"category": "security",
"severity": "info",
"title": "No competitor/leftover management agents detected",
"detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.",
"evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service"
},
{
"id": "sec.foreign_agents.acg.screenconnect_connectwise_control",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running"
},
{
"id": "sec.foreign_agents.acg.splashtop_sos_streamer_",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: Splashtop Streamer 3.8.2.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running"
},
{
"id": "sec.foreign_agents.acg.syncro_kabuto",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: Syncro / Kabuto",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running"
},
{
"id": "sec.firewall.ok",
"category": "security",
"severity": "info",
"title": "All firewall profiles enabled",
"detail": "Domain, Private, and Public firewall profiles are all enabled.",
"evidence": "Private=True; Domain=True; Public=True"
},
{
"id": "sec.bitlocker.unencrypted",
"category": "security",
"severity": "critical",
"title": "OS volume is NOT encrypted with BitLocker",
"detail": "The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. Enable BitLocker and escrow the recovery key.",
"evidence": "Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors="
},
{
"id": "sec.local_admins.list",
"category": "security",
"severity": "info",
"title": "Local administrators (4)",
"detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).",
"evidence": "KIRBY\\Administrator\nKIRBY\\localadmin\nKIRBY\\paul\nUCRYO\\Domain Admins"
},
{
"id": "sec.patch.os_eol",
"category": "security",
"severity": "critical",
"title": "OS build is end-of-life: Win10 22H2",
"detail": "This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.",
"evidence": "Microsoft Windows 10 Pro build 19045; EOL 2025-10-14"
},
{
"id": "sec.patch.pending",
"category": "security",
"severity": "warning",
"title": "4 pending Windows updates",
"detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.",
"evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 4"
},
{
"id": "sec.patch.last_hotfix",
"category": "security",
"severity": "info",
"title": "Last hotfix: KB5072653",
"detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).",
"evidence": "KB5072653 installed 2025-11-20T07:00:00Z"
},
{
"id": "sec.exposure.rdp_on",
"category": "security",
"severity": "warning",
"title": "RDP is enabled",
"detail": "Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.",
"evidence": "fDenyTSConnections=0; UserAuthentication=1"
},
{
"id": "sec.exposure.smb1_off",
"category": "security",
"severity": "info",
"title": "SMBv1 disabled",
"detail": "SMBv1 server protocol is disabled.",
"evidence": "EnableSMB1Protocol=False"
},
{
"id": "sec.exposure.laps_present",
"category": "security",
"severity": "info",
"title": "LAPS detected",
"detail": "A LAPS mechanism is present.",
"evidence": "Windows LAPS reg key"
},
{
"id": "health.stability.clean",
"category": "health",
"severity": "info",
"title": "No stability events in the last 14 days",
"detail": "No unexpected shutdowns, BSODs, or disk errors logged.",
"evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0"
},
{
"id": "health.reboot_uptime.pending",
"category": "health",
"severity": "warning",
"title": "Reboot pending",
"detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.",
"evidence": "PendingFileRenameOperations"
},
{
"id": "health.reboot_uptime.long_uptime",
"category": "health",
"severity": "warning",
"title": "Uptime is 35.3 days",
"detail": "Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.",
"evidence": "LastBootUpTime=2026-04-28 10:03:48Z"
},
{
"id": "health.failed_services.ok",
"category": "health",
"severity": "info",
"title": "All auto-start services running",
"detail": "No automatic-start services found stopped (excluding known trigger-start/update services).",
"evidence": "Win32_Service StartMode=Auto State!=Running -> none significant"
},
{
"id": "health.domain.secure_channel_ok",
"category": "health",
"severity": "info",
"title": "Domain secure channel healthy",
"detail": "Machine trust relationship with the domain is intact.",
"evidence": "Domain=ucryo.local"
},
{
"id": "health.time.source",
"category": "health",
"severity": "info",
"title": "Time service source",
"detail": "Current Windows Time service source.",
"evidence": "Source=UC2-SERVER.ucryo.local"
},
{
"id": "health.battery.present",
"category": "health",
"severity": "info",
"title": "Battery present",
"detail": "Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.)",
"evidence": "EstimatedChargeRemaining=94%; BatteryStatus=2"
},
{
"id": "health.backup.none",
"category": "health",
"severity": "info",
"title": "No backup agent detected",
"detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.",
"evidence": "No matching backup service in Win32_Service"
}
]
}

@@ -0,0 +1,275 @@
# Onboarding Diagnostic Baseline - KIRBY
- **Grade:** RED
- **Host:** KIRBY
- **Client:** Universal Cryogenics (`ucryo`)
- **Collected (UTC):** 2026-06-03T00:35:40Z
- **Agent ID:** 82f16929-ec3c-434b-81f9-84b63e0af56d
- **Command ID:** b7cf0191-c81c-414f-9a3b-0fe2d0205552
- **Findings:** 2 critical / 4 warning / 17 info / 0 unknown
- **OS:** Microsoft Windows 10 Pro (build 19045)
---
## CRITICAL (2)
### OS volume is NOT encrypted with BitLocker
- **Category:** security
- **ID:** `sec.bitlocker.unencrypted`
- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. Enable BitLocker and escrow the recovery key.
```
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
```
### OS build is end-of-life: Win10 22H2
- **Category:** security
- **ID:** `sec.patch.os_eol`
- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.
```
Microsoft Windows 10 Pro build 19045; EOL 2025-10-14
```
## WARNING (4)
### 4 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 4
```
### RDP is enabled
- **Category:** security
- **ID:** `sec.exposure.rdp_on`
- Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.
```
fDenyTSConnections=0; UserAuthentication=1
```
### Reboot pending
- **Category:** health
- **ID:** `health.reboot_uptime.pending`
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
```
PendingFileRenameOperations
```
### Uptime is 35.3 days
- **Category:** health
- **ID:** `health.reboot_uptime.long_uptime`
- Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.
```
LastBootUpTime=2026-04-28 10:03:48Z
```
## INFO (17)
### Defender active and current
- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.
```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
```
### Defender is the only registered AV
- **Category:** security
- **ID:** `sec.av_products.defender_only`
- Only Microsoft/Windows Defender is registered in Security Center.
```
Windows Defender
```
### No competitor/leftover management agents detected
- **Category:** security
- **ID:** `sec.foreign_agents.none`
- No known competitor RMM or unmanaged remote-access agents found in installed programs or services.
```
Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service
```
### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### Expected ACG management tooling present: Splashtop (SOS/Streamer)
- **Category:** security
- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Splashtop Streamer 3.8.2.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running
```
### Expected ACG management tooling present: Syncro / Kabuto
- **Category:** security
- **ID:** `sec.foreign_agents.acg.syncro_kabuto`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```
### All firewall profiles enabled
- **Category:** security
- **ID:** `sec.firewall.ok`
- Domain, Private, and Public firewall profiles are all enabled.
```
Private=True; Domain=True; Public=True
```
### Local administrators (4)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
KIRBY\Administrator
KIRBY\localadmin
KIRBY\paul
UCRYO\Domain Admins
```
### Last hotfix: KB5072653
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5072653 installed 2025-11-20T07:00:00Z
```
### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.
```
EnableSMB1Protocol=False
```
### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.
```
Windows LAPS reg key
```
### No stability events in the last 14 days
- **Category:** health
- **ID:** `health.stability.clean`
- No unexpected shutdowns, BSODs, or disk errors logged.
```
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0
```
### All auto-start services running
- **Category:** health
- **ID:** `health.failed_services.ok`
- No automatic-start services found stopped (excluding known trigger-start/update services).
```
Win32_Service StartMode=Auto State!=Running -> none significant
```
### Domain secure channel healthy
- **Category:** health
- **ID:** `health.domain.secure_channel_ok`
- Machine trust relationship with the domain is intact.
```
Domain=ucryo.local
```
### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.
```
Source=UC2-SERVER.ucryo.local
```
### Battery present
- **Category:** health
- **ID:** `health.battery.present`
- Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.)
```
EstimatedChargeRemaining=94%; BatteryStatus=2
```
### No backup agent detected
- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
```
No matching backup service in Win32_Service
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** LENOVO / 82K8
- **Serial:** PF40739R
- **CPU:** AMD Ryzen 7 5800H with Radeon Graphics (8 cores / 16 logical)
- **RAM (GB):** 31.4
- **BIOS:** HACN42WW (2023-11-17)
- **Chassis is laptop:** true
- **TPM present / Secure Boot:** true / true
- **Domain joined:** true (ucryo.local)
- **OS activation licensed:** true
- **Uptime (days):** 35.3
- **Pending reboot:** true
- **Installed software count:** 82
- **Scheduled tasks (non-MS, enabled):** 15
- **Local administrators:** KIRBY\Administrator, KIRBY\localadmin, KIRBY\paul, UCRYO\Domain Admins
### Fixed volumes
- C: - 282.7 GB free of 474.4 GB (59.6%)
- [WINRE_DRV] - 1.1 GB free of 2 GB (56.5%)
- [unlabeled] - 0.1 GB free of 0.1 GB (72%)
- [unlabeled] - 0.1 GB free of 0.5 GB (16.6%)
### Network adapters
- MediaTek Wi-Fi 6 MT7921 Wireless LAN Card - IP: 172.29.0.148, fe80::d7aa:6bcd:882c:e640 - DNS: 172.29.0.5, 8.8.8.8 - DHCP: true
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `KIRBY-20260603T003656.json` (immutable)._

@@ -0,0 +1,278 @@
# Onboarding Diagnostic Baseline - LILO
- **Grade:** RED
- **Host:** LILO
- **Client:** Universal Cryogenics (`ucryo`)
- **Collected (UTC):** 2026-06-03T00:52:27Z
- **Agent ID:** 5d0bdfc0-cb58-496f-b9bd-d585eb643d85
- **Command ID:** c3002dde-bb3b-4ce5-b54c-e8ea4714a071
- **Findings:** 2 critical / 5 warning / 16 info / 0 unknown
- **OS:** Microsoft Windows 10 Pro (build 19045)
---
## CRITICAL (2)
### OS volume is NOT encrypted with BitLocker
- **Category:** security
- **ID:** `sec.bitlocker.unencrypted`
- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. Enable BitLocker and escrow the recovery key.
```
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
```
### OS build is end-of-life: Win10 22H2
- **Category:** security
- **ID:** `sec.patch.os_eol`
- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.
```
Microsoft Windows 10 Pro build 19045; EOL 2025-10-14
```
## WARNING (5)
### 1 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1
```
### RDP is enabled
- **Category:** security
- **ID:** `sec.exposure.rdp_on`
- Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.
```
fDenyTSConnections=0; UserAuthentication=1
```
### Reboot pending
- **Category:** health
- **ID:** `health.reboot_uptime.pending`
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
```
PendingFileRenameOperations
```
### Uptime is 82.3 days
- **Category:** health
- **ID:** `health.reboot_uptime.long_uptime`
- Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.
```
LastBootUpTime=2026-03-12 10:25:21Z
```
### 3 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
gpsvc (Group Policy Client) = Stopped
Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped
LPlatSvc (Lenovo Platform Service) = Stopped
```
## INFO (16)
### Defender active and current
- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.
```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
```
### Defender is the only registered AV
- **Category:** security
- **ID:** `sec.av_products.defender_only`
- Only Microsoft/Windows Defender is registered in Security Center.
```
Windows Defender
```
### No competitor/leftover management agents detected
- **Category:** security
- **ID:** `sec.foreign_agents.none`
- No known competitor RMM or unmanaged remote-access agents found in installed programs or services.
```
Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service
```
### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### Expected ACG management tooling present: Splashtop (SOS/Streamer)
- **Category:** security
- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Splashtop Streamer 3.8.2.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running
```
### Expected ACG management tooling present: Syncro / Kabuto
- **Category:** security
- **ID:** `sec.foreign_agents.acg.syncro_kabuto`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```
### All firewall profiles enabled
- **Category:** security
- **ID:** `sec.firewall.ok`
- Domain, Private, and Public firewall profiles are all enabled.
```
Private=True; Domain=True; Public=True
```
### Local administrators (5)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
LILO\Administrator
LILO\localadmin
LILO\me
LILO\paul
UCRYO\Domain Admins
```
### Last hotfix: KB5072653
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5072653 installed 2025-11-18T07:00:00Z
```
### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.
```
EnableSMB1Protocol=False
```
### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.
```
Windows LAPS reg key
```
### No stability events in the last 14 days
- **Category:** health
- **ID:** `health.stability.clean`
- No unexpected shutdowns, BSODs, or disk errors logged.
```
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0
```
### Domain secure channel healthy
- **Category:** health
- **ID:** `health.domain.secure_channel_ok`
- Machine trust relationship with the domain is intact.
```
Domain=ucryo.local
```
### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.
```
Source=UC2-SERVER.ucryo.local
```
### Battery present
- **Category:** health
- **ID:** `health.battery.present`
- Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.)
```
EstimatedChargeRemaining=99%; BatteryStatus=2
```
### No backup agent detected
- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
```
No matching backup service in Win32_Service
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** LENOVO / 20EQS12M00
- **Serial:** PC0G9X3B
- **CPU:** Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz (4 cores / 8 logical)
- **RAM (GB):** 31.8
- **BIOS:** N1EETA2W (1.75 ) (2024-03-18)
- **Chassis is laptop:** true
- **TPM present / Secure Boot:** true / true
- **Domain joined:** true (ucryo.local)
- **OS activation licensed:** true
- **Uptime (days):** 82.3
- **Pending reboot:** true
- **Installed software count:** 105
- **Scheduled tasks (non-MS, enabled):** 21
- **Local administrators:** LILO\Administrator, LILO\localadmin, LILO\me, LILO\paul, UCRYO\Domain Admins
### Fixed volumes
- [unlabeled] - 0.1 GB free of 0.6 GB (13.8%)
- [Recovery] - 0.5 GB free of 0.5 GB (97.4%)
- [unlabeled] - 0.1 GB free of 0.1 GB (72%)
- C: - 679.3 GB free of 930.3 GB (73%)
### Network adapters
- Intel(R) Dual Band Wireless-AC 8260 - IP: 172.29.0.129, fe80::a46c:9046:12ba:7f13 - DNS: 172.29.0.5, 8.8.8.8 - DHCP: true
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `LILO-20260603T005456.json` (immutable)._

@@ -0,0 +1,577 @@
{
"host": "UC2-SERVER",
"collected_at_utc": "2026-06-03T00:41:48Z",
"os": {
"caption": "Microsoft Windows Server 2012 R2 Essentials",
"version": "6.3.9600",
"build": "9600",
"install_date": "2016-05-27T08:40:20Z",
"last_boot_utc": "2026-04-27T12:16:28Z",
"architecture": "64-bit"
},
"facts": {
"builtin_admin_enabled": null,
"defender": {
"available": false
},
"pending_updates": 0,
"pending_reboot": true,
"uptime_days": 36.5,
"acg_managed_tools": [
"ScreenConnect / ConnectWise Control",
"Splashtop (SOS/Streamer)",
"Syncro / Kabuto"
],
"hardware": {
"model": "Virtual Machine",
"manufacturer": "Microsoft Corporation",
"bios_date": "2012-05-23",
"cpu_logical": 6,
"bios_version": "090006 ",
"cpu_cores": 6,
"ram_gb": 18,
"serial": "4644-9206-3161-7423-6607-4293-62",
"cpu": "Intel(R) Xeon(R) CPU E5450 @ 3.00GHz"
},
"local_administrators": [
"Accounting",
"Administrator",
"arthur",
"Domain Admins",
"Enterprise Admins",
"greg",
"kirby",
"localadmin",
"paul",
"richard",
"VPND",
"William"
],
"os_build": "9600",
"secure_boot": null,
"backup_agents": null,
"autoruns_run_keys": [],
"physical_disks": [
{
"health": "Healthy",
"model": "PhysicalDisk0",
"media_type": "UnSpecified"
},
{
"health": "Healthy",
"model": "PhysicalDisk1",
"media_type": "UnSpecified"
}
],
"scheduled_tasks_count": 8,
"volumes": [
{
"drive": "\u0000:",
"size_gb": 0.3,
"free_pct": 20.6,
"free_gb": 0.1
},
{
"drive": "E:",
"size_gb": 931.5,
"free_pct": 39,
"free_gb": 363.3
},
{
"drive": "C:",
"size_gb": 499.7,
"free_pct": 74.8,
"free_gb": 374
}
],
"network_adapters": [
{
"dhcp": false,
"description": "Microsoft Hyper-V Network Adapter",
"gateway": [
"172.29.0.1"
],
"mac": "00:15:5D:00:04:01",
"ip": [
"172.29.0.5",
"fe80::ed92:3fe4:fb92:fef6"
],
"dns": [
"172.29.0.5",
"8.8.8.8"
]
}
],
"failed_autostart_services": [
{
"name": "CertSvc",
"display": "Active Directory Certificate Services",
"state": "Stopped"
},
{
"name": "IISADMIN",
"display": "IIS Admin Service",
"state": "Stopped"
},
{
"name": "ShellHWDetection",
"display": "Shell Hardware Detection",
"state": "Stopped"
}
],
"stability_14d": {
"unexpected_shutdowns": 0,
"disk_errors": 0,
"bugchecks": 0
},
"exposure": {
"smb1_enabled": true,
"laps_present": false,
"rdp_enabled": true,
"uac_enabled": true,
"rdp_nla": true
},
"accounts_password_never_expires": [],
"installed_software": [
{
"publisher": "Adobe Systems Incorporated",
"name": "Adobe Flash Player 11 ActiveX",
"version": "11.3.300.268"
},
{
"publisher": "Piriform",
"name": "Defraggler",
"version": "2.22"
},
{
"publisher": "Google LLC",
"name": "Google Chrome",
"version": "109.0.5414.168"
},
{
"publisher": "Google Inc.",
"name": "Google Update Helper",
"version": "1.3.25.5"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Silverlight",
"version": "5.1.50918.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2005 Redistributable",
"version": "8.0.61001"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17",
"version": "9.0.30729"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161",
"version": "9.0.30729.6161"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219",
"version": "10.0.40219"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030",
"version": "11.0.61030.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030",
"version": "11.0.61030"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030",
"version": "11.0.61030"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501",
"version": "12.0.30501.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501",
"version": "12.0.30501.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24212",
"version": "14.0.24212.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015 x86 Additional Runtime - 14.0.24212",
"version": "14.0.24212"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015 x86 Minimum Runtime - 14.0.24212",
"version": "14.0.24212"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35112",
"version": "14.44.35112.1"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35112",
"version": "14.44.35112"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.44.35112",
"version": "14.44.35112"
},
{
"publisher": "Arizona Computer Guru",
"name": "Online Backup 8.6",
"version": "8.6"
},
{
"publisher": "Intuit Inc.",
"name": "QuickBooks",
"version": "24.0.4003.2403"
},
{
"publisher": "Intuit Inc.",
"name": "QuickBooks",
"version": "30.0.4006.3000"
},
{
"publisher": "Intuit Inc.",
"name": "QuickBooks Runtime Redistributable",
"version": "1.00.0000"
},
{
"publisher": "Intuit Inc.",
"name": "QuickBooks Server 2014",
"version": "24.0.4003.2403"
},
{
"publisher": "Intuit Inc.",
"name": "QuickBooks Server 2020",
"version": "30.0.4006.3000"
},
{
"publisher": "ScreenConnect Software",
"name": "ScreenConnect Client (1912bf3444b41a08)",
"version": "26.1.24.9579"
},
{
"publisher": "Dassault Systemes SolidWorks Corp",
"name": "SOLIDWORKS SolidNetWork License Manager",
"version": "27.30.0052"
},
{
"publisher": "Splashtop Inc.",
"name": "Splashtop Streamer",
"version": "3.5.8.0"
},
{
"publisher": "Servably, Inc.",
"name": "Syncro",
"version": "1.0.0.0"
},
{
"publisher": "Servably, Inc.",
"name": "Syncro",
"version": "1.0.201.18410"
},
{
"publisher": "Helios",
"name": "TextPad 8",
"version": "8.0.2"
},
{
"publisher": "win.rar GmbH",
"name": "WinRAR 7.22 (64-bit)",
"version": "7.22.0"
},
{
"publisher": "Antibody Software",
"name": "WizTree v4.31",
"version": "4.31"
},
{
"publisher": "Fresh Software",
"name": "X-NetStat Pro 5.63",
"version": "5.63"
}
],
"tpm": {
"enabled": false,
"ready": false,
"present": false
},
"local_groups": [],
"battery": {
"present": false
},
"activation": {
"edition": "Microsoft Windows Server 2012 R2 Essentials",
"description": "Windows(R) Operating System, OEM_COA_NSLP channel",
"licensed": true,
"license_status_code": 1
},
"time_source": "VM IC Time Synchronization Provider",
"chassis_types": [
3
],
"last_hotfix": {
"hotfix_id": "KB5031003",
"installed_on": "2026-06-02T07:00:00Z"
},
"scheduled_tasks": [
{
"path": "\\",
"name": "Adobe Flash Player Updater",
"state": "Ready"
},
{
"path": "\\",
"name": "GoogleUpdateTaskMachineCore",
"state": "Ready"
},
{
"path": "\\",
"name": "GoogleUpdateTaskMachineUA",
"state": "Ready"
},
{
"path": "\\",
"name": "Optimize Start Menu Cache Files-S-1-5-21-1051390473-2587535097-844096240-1108",
"state": "Ready"
},
{
"path": "\\",
"name": "Optimize Start Menu Cache Files-S-1-5-21-1051390473-2587535097-844096240-1117",
"state": "Ready"
},
{
"path": "\\",
"name": "Optimize Start Menu Cache Files-S-1-5-21-1051390473-2587535097-844096240-500",
"state": "Ready"
},
{
"path": "\\",
"name": "ShadowCopyVolume{a863bf0a-2533-11e6-80bd-806e6f6e6963}",
"state": "Ready"
},
{
"path": "\\",
"name": "ShadowCopyVolume{bc8958b8-23e3-11e6-80b4-806e6f6e6963}",
"state": "Ready"
}
],
"antivirus_products": [],
"domain_joined": true,
"local_users": [],
"bitlocker": {
"available": false,
"os_volume": "C:"
},
"is_laptop": false,
"installed_software_count": 39,
"secure_channel_ok": null,
"firewall_profiles": {
"Private": true,
"Domain": true,
"Public": true
},
"domain": "ucryo.local",
"foreign_agents": null
},
"findings": [
{
"id": "sec.defender.unavailable",
"category": "security",
"severity": "warning",
"title": "Defender status unavailable",
"detail": "Get-MpComputerStatus returned nothing. Defender may be disabled, replaced by a 3rd-party AV, or the cmdlet is unavailable. Confirm an active AV exists (see security-center check).",
"evidence": "Get-MpComputerStatus returned null"
},
{
"id": "sec.av_products.none_registered",
"category": "security",
"severity": "info",
"title": "No AV products registered in Security Center",
"detail": "SecurityCenter2 returned no AntiVirusProduct entries. This is normal on Windows Server SKUs (Security Center is a client feature). On a workstation, confirm Defender or a managed AV is active.",
"evidence": "root\\SecurityCenter2 AntiVirusProduct: none"
},
{
"id": "sec.foreign_agents.none",
"category": "security",
"severity": "info",
"title": "No competitor/leftover management agents detected",
"detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.",
"evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service"
},
{
"id": "sec.foreign_agents.acg.screenconnect_connectwise_control",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running"
},
{
"id": "sec.foreign_agents.acg.splashtop_sos_streamer_",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: Splashtop Streamer 3.5.8.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running"
},
{
"id": "sec.foreign_agents.acg.syncro_kabuto",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: Syncro / Kabuto",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: Syncro 1.0.201.18410\nprogram: Syncro 1.0.0.0\nservice: Syncro (Syncro) Running"
},
{
"id": "sec.firewall.ok",
"category": "security",
"severity": "info",
"title": "All firewall profiles enabled",
"detail": "Domain, Private, and Public firewall profiles are all enabled.",
"evidence": "Private=True; Domain=True; Public=True"
},
{
"id": "sec.bitlocker.unavailable",
"category": "security",
"severity": "unknown",
"title": "BitLocker status unavailable",
"detail": "Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).",
"evidence": "MountPoint=C:, Get-BitLockerVolume returned null"
},
{
"id": "sec.local_admins.list",
"category": "security",
"severity": "info",
"title": "Local administrators (12)",
"detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).",
"evidence": "Accounting\nAdministrator\narthur\nDomain Admins\nEnterprise Admins\ngreg\nkirby\nlocaladmin\npaul\nrichard\nVPND\nWilliam"
},
{
"id": "sec.patch.os_build_unknown",
"category": "security",
"severity": "unknown",
"title": "OS build not in EOL map: 9600",
"detail": "The build number is not in the local EOL reference map. Verify support status manually. This may be a Server SKU or a build newer than the map.",
"evidence": "Microsoft Windows Server 2012 R2 Essentials build 9600"
},
{
"id": "sec.patch.last_hotfix",
"category": "security",
"severity": "info",
"title": "Last hotfix: KB5031003",
"detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).",
"evidence": "KB5031003 installed 2026-06-02T07:00:00Z"
},
{
"id": "sec.exposure.rdp_on",
"category": "security",
"severity": "warning",
"title": "RDP is enabled",
"detail": "Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.",
"evidence": "fDenyTSConnections=0; UserAuthentication=1"
},
{
"id": "sec.exposure.smb1",
"category": "security",
"severity": "critical",
"title": "SMBv1 is ENABLED",
"detail": "SMBv1 is an obsolete, insecure protocol (WannaCry/EternalBlue vector). Disable it: Set-SmbServerConfiguration -EnableSMB1Protocol $false and remove the SMB1 feature.",
"evidence": "Get-SmbServerConfiguration EnableSMB1Protocol=True"
},
{
"id": "sec.exposure.no_laps",
"category": "security",
"severity": "info",
"title": "LAPS not detected",
"detail": "No LAPS (Windows LAPS or legacy AdmPwd) detected. Without LAPS, the local admin password is likely static/shared across the fleet. Consider deploying LAPS to randomize and escrow local admin passwords.",
"evidence": "No LAPS registry keys, CSE, or service found"
},
{
"id": "health.stability.clean",
"category": "health",
"severity": "info",
"title": "No stability events in the last 14 days",
"detail": "No unexpected shutdowns, BSODs, or disk errors logged.",
"evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0"
},
{
"id": "health.reboot_uptime.pending",
"category": "health",
"severity": "warning",
"title": "Reboot pending",
"detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.",
"evidence": "CBS RebootPending; WU RebootRequired; PendingFileRenameOperations"
},
{
"id": "health.reboot_uptime.long_uptime",
"category": "health",
"severity": "warning",
"title": "Uptime is 36.5 days",
"detail": "Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.",
"evidence": "LastBootUpTime=2026-04-27 05:16:28Z"
},
{
"id": "health.failed_services.stopped",
"category": "health",
"severity": "warning",
"title": "3 auto-start service(s) not running",
"detail": "These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.",
"evidence": "CertSvc (Active Directory Certificate Services) = Stopped\nIISADMIN (IIS Admin Service) = Stopped\nShellHWDetection (Shell Hardware Detection) = Stopped"
},
{
"id": "health.time.source",
"category": "health",
"severity": "info",
"title": "Time service source",
"detail": "Current Windows Time service source.",
"evidence": "Source=VM IC Time Synchronization Provider"
},
{
"id": "health.backup.none",
"category": "health",
"severity": "info",
"title": "No backup agent detected",
"detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.",
"evidence": "No matching backup service in Win32_Service"
}
]
}


@@ -0,0 +1,681 @@
{
"host": "WIN-709JUVCJ2DQ",
"collected_at_utc": "2026-06-03T00:43:19Z",
"os": {
"caption": "Microsoft Windows Server 2012 R2 Essentials",
"version": "6.3.9600",
"build": "9600",
"install_date": "2016-05-20T01:24:32Z",
"last_boot_utc": "2026-04-27T12:14:06Z",
"architecture": "64-bit"
},
"facts": {
"builtin_admin_enabled": null,
"defender": {
"available": false
},
"pending_updates": 0,
"pending_reboot": false,
"uptime_days": 36.5,
"acg_managed_tools": [
"ScreenConnect / ConnectWise Control",
"Splashtop (SOS/Streamer)",
"Syncro / Kabuto"
],
"hardware": {
"model": "PowerEdge 2950",
"manufacturer": "Dell Inc.",
"bios_date": "2008-04-29",
"cpu_logical": 4,
"bios_version": "2.3.1",
"cpu_cores": 4,
"ram_gb": 32,
"serial": "762F0G1",
"cpu": "Intel(R) Xeon(R) CPU E5450 @ 3.00GHz"
},
"os_build": "9600",
"secure_boot": null,
"backup_agents": [
{
"label": "Veeam",
"service": "VeeamBackupSvc",
"state": "Stopped"
},
{
"label": "Veeam",
"service": "VeeamCatalogSvc",
"state": "Stopped"
},
{
"label": "Veeam",
"service": "VeeamCloudSvc",
"state": "Stopped"
},
{
"label": "Veeam",
"service": "VeeamDeploySvc",
"state": "Running"
},
{
"label": "Veeam",
"service": "VeeamHvIntegrationSvc",
"state": "Running"
},
{
"label": "Veeam",
"service": "VeeamMountSvc",
"state": "Stopped"
},
{
"label": "Veeam",
"service": "VeeamNFSSvc",
"state": "Running"
},
{
"label": "Veeam",
"service": "VeeamTransportSvc",
"state": "Running"
}
],
"autoruns_run_keys": [
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "VirtualCloneDrive",
"value": "\"C:\\Program Files (x86)\\Elaborate Bytes\\VirtualCloneDrive\\VCDDaemon.exe\" /s"
}
],
"physical_disks": [
{
"health": "Healthy",
"model": "PhysicalDisk0",
"media_type": "UnSpecified"
},
{
"health": "Healthy",
"model": "PhysicalDisk1",
"media_type": "UnSpecified"
},
{
"health": "Healthy",
"model": "PhysicalDisk2",
"media_type": "UnSpecified"
}
],
"scheduled_tasks_count": 6,
"volumes": [
{
"drive": "\u0000:",
"size_gb": 0.3,
"free_pct": 20.6,
"free_gb": 0.1
},
{
"drive": "F:",
"size_gb": 1395.7,
"free_pct": 33.3,
"free_gb": 464.8
},
{
"drive": "M:",
"size_gb": 4657.5,
"free_pct": 94.8,
"free_gb": 4417.1
},
{
"drive": "C:",
"size_gb": 878.6,
"free_pct": 95.4,
"free_gb": 837.8
},
{
"drive": "E:",
"size_gb": 983.6,
"free_pct": 4.1,
"free_gb": 40.4
}
],
"network_adapters": [
{
"dhcp": false,
"description": "Hyper-V Virtual Ethernet Adapter #2",
"gateway": [
"172.29.0.1"
],
"mac": "00:1E:C9:3E:75:52",
"ip": [
"172.29.0.4",
"fe80::a8c1:e232:97d6:976"
],
"dns": [
"8.8.8.8",
"4.4.8.8"
]
}
],
"failed_autostart_services": [
{
"name": "VeeamBackupSvc",
"display": "Veeam Backup Service",
"state": "Stopped"
},
{
"name": "VeeamCatalogSvc",
"display": "Veeam Guest Catalog Service",
"state": "Stopped"
},
{
"name": "VeeamCloudSvc",
"display": "Veeam Cloud Connect Service",
"state": "Stopped"
},
{
"name": "VeeamMountSvc",
"display": "Veeam Mount Service",
"state": "Stopped"
}
],
"stability_14d": {
"unexpected_shutdowns": 0,
"disk_errors": 0,
"bugchecks": 0
},
"exposure": {
"smb1_enabled": true,
"laps_present": false,
"rdp_enabled": true,
"uac_enabled": true,
"rdp_nla": true
},
"accounts_password_never_expires": [],
"installed_software": [
{
"publisher": "Microsoft",
"name": "D3DX10",
"version": "15.4.2368.0902"
},
{
"publisher": "Google Inc.",
"name": "Google Update Helper",
"version": "1.3.25.5"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Application Error Reporting",
"version": "12.0.6015.5000"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Silverlight",
"version": "5.1.50918.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft SQL Server 2008 R2 (64-bit)",
"version": ""
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft SQL Server 2008 R2 Native Client",
"version": "10.51.2500.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft SQL Server 2008 R2 RsFx Driver",
"version": "10.51.2500.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft SQL Server 2008 R2 Setup (English)",
"version": "10.51.2500.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft SQL Server 2008 Setup Support Files ",
"version": "10.1.2731.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft SQL Server 2012 Management Objects (x64)",
"version": "11.0.2100.60"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft SQL Server Browser",
"version": "10.51.2500.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft SQL Server VSS Writer",
"version": "10.51.2500.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Sync Framework 2.0 Core Components (x64) ENU ",
"version": "2.0.1578.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Sync Framework 2.0 Provider Services (x64) ENU ",
"version": "2.0.1578.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft System CLR Types for SQL Server 2012 (x64)",
"version": "11.0.2100.60"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219",
"version": "10.0.40219"
},
{
"publisher": "Microsoft Corporation",
"name": "Movie Maker",
"version": "16.4.3528.0331"
},
{
"publisher": "Microsoft",
"name": "MSVCRT110",
"version": "16.4.1108.0727"
},
{
"publisher": "Microsoft Corporation",
"name": "Photo Gallery",
"version": "16.4.3528.0331"
},
{
"publisher": "ScreenConnect Software",
"name": "ScreenConnect Client (1912bf3444b41a08)",
"version": "26.1.24.9579"
},
{
"publisher": "Microsoft Corporation",
"name": "Service Pack 1 for SQL Server 2008 R2 (KB2528583) (64-bit)",
"version": "10.51.2500.0"
},
{
"publisher": "Splashtop Inc.",
"name": "Splashtop Software Updater",
"version": "1.5.6.19"
},
{
"publisher": "Splashtop Inc.",
"name": "Splashtop Streamer",
"version": "3.5.0.2"
},
{
"publisher": "Microsoft Corporation",
"name": "SQL Server 2008 R2 SP1 Common Files",
"version": "10.51.2500.0"
},
{
"publisher": "Microsoft Corporation",
"name": "SQL Server 2008 R2 SP1 Database Engine Services",
"version": "10.51.2500.0"
},
{
"publisher": "Microsoft Corporation",
"name": "SQL Server 2008 R2 SP1 Database Engine Shared",
"version": "10.51.2500.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Sql Server Customer Experience Improvement Program",
"version": "10.50.1600.1"
},
{
"publisher": "Servably, Inc.",
"name": "Syncro",
"version": "1.0.201.18410"
},
{
"publisher": "Microsoft",
"name": "SyncToy 2.1 (x64)",
"version": "2.1.0"
},
{
"publisher": "Helios",
"name": "TextPad 8",
"version": "8.0.2"
},
{
"publisher": "Veeam Software AG",
"name": "Veeam Backup & Replication",
"version": "9.0.0.902"
},
{
"publisher": "Veeam Software AG",
"name": "Veeam Backup & Replication Console",
"version": "9.0.0.902"
},
{
"publisher": "Veeam Software AG",
"name": "Veeam Backup & Replication Server",
"version": "9.0.0.902"
},
{
"publisher": "Veeam Software AG",
"name": "Veeam Backup Catalog",
"version": "9.0.0.902"
},
{
"publisher": "Veeam Software AG",
"name": "Veeam Backup Transport",
"version": "9.0.0.902"
},
{
"publisher": "Veeam Software AG",
"name": "Veeam Backup vPowerNFS",
"version": "9.0.0.902"
},
{
"publisher": "Veeam Software AG",
"name": "Veeam Explorer for Microsoft Active Directory",
"version": "9.0.0.1307"
},
{
"publisher": "Veeam Software AG",
"name": "Veeam Explorer for Microsoft Exchange",
"version": "9.0.0.1307"
},
{
"publisher": "Veeam Software AG",
"name": "Veeam Explorer for Microsoft SharePoint",
"version": "9.0.0.1307"
},
{
"publisher": "Veeam Software AG",
"name": "Veeam Explorer for Microsoft SQL Server",
"version": "9.0.0.1307"
},
{
"publisher": "Veeam Software AG",
"name": "Veeam Explorer for Oracle",
"version": "9.0.0.1307"
},
{
"publisher": "Veeam Software AG",
"name": "Veeam Hyper-V Integration",
"version": "9.0.0.902"
},
{
"publisher": "videowinsoft.com",
"name": "Video Win Movie Maker 2016",
"version": ""
},
{
"publisher": "Elaborate Bytes",
"name": "VirtualCloneDrive",
"version": "5.5.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Windows Live Installer",
"version": "16.4.3528.0331"
},
{
"publisher": "Microsoft Corporation",
"name": "Windows Live Photo Common",
"version": "16.4.3528.0331"
},
{
"publisher": "Microsoft Corporation",
"name": "Windows Live SOXE",
"version": "16.4.3528.0331"
},
{
"publisher": "Microsoft Corporation",
"name": "Windows Live UX Platform",
"version": "16.4.3528.0331"
}
],
"tpm": {
"enabled": false,
"ready": false,
"present": false
},
"local_groups": [],
"battery": {
"present": false
},
"activation": {
"edition": "Microsoft Windows Server 2012 R2 Essentials",
"description": "Windows(R) Operating System, OEM_COA_NSLP channel",
"licensed": true,
"license_status_code": 1
},
"time_source": "The following error occurred: The service has not been started. (0x80070426)",
"chassis_types": [
23
],
"last_hotfix": {
"hotfix_id": "KB5031003",
"installed_on": "2023-10-12T07:00:00Z"
},
"scheduled_tasks": [
{
"path": "\\",
"name": "GoogleUpdateTaskMachineCore",
"state": "Ready"
},
{
"path": "\\",
"name": "GoogleUpdateTaskMachineUA",
"state": "Ready"
},
{
"path": "\\",
"name": "Optimize Start Menu Cache Files-S-1-5-21-3747875994-3968202050-1352405024-1007",
"state": "Ready"
},
{
"path": "\\",
"name": "Optimize Start Menu Cache Files-S-1-5-21-3747875994-3968202050-1352405024-1008",
"state": "Ready"
},
{
"path": "\\",
"name": "Optimize Start Menu Cache Files-S-1-5-21-3747875994-3968202050-1352405024-500",
"state": "Ready"
},
{
"path": "\\",
"name": "VeeamZIP Monday",
"state": "Ready"
}
],
"antivirus_products": [],
"domain_joined": false,
"local_users": [],
"bitlocker": {
"available": false,
"os_volume": "C:"
},
"is_laptop": false,
"installed_software_count": 48,
"local_administrators": [
"Administrator",
"Guru",
"Jacobs",
"localadmin",
"paul"
],
"firewall_profiles": {
"Private": true,
"Domain": true,
"Public": true
},
"domain": "WORKGROUP",
"foreign_agents": null
},
"findings": [
{
"id": "sec.defender.unavailable",
"category": "security",
"severity": "warning",
"title": "Defender status unavailable",
"detail": "Get-MpComputerStatus returned nothing. Defender may be disabled, replaced by a 3rd-party AV, or the cmdlet is unavailable. Confirm an active AV exists (see security-center check).",
"evidence": "Get-MpComputerStatus returned null"
},
{
"id": "sec.av_products.none_registered",
"category": "security",
"severity": "info",
"title": "No AV products registered in Security Center",
"detail": "SecurityCenter2 returned no AntiVirusProduct entries. This is normal on Windows Server SKUs (Security Center is a client feature). On a workstation, confirm Defender or a managed AV is active.",
"evidence": "root\\SecurityCenter2 AntiVirusProduct: none"
},
{
"id": "sec.foreign_agents.none",
"category": "security",
"severity": "info",
"title": "No competitor/leftover management agents detected",
"detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.",
"evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service"
},
{
"id": "sec.foreign_agents.acg.screenconnect_connectwise_control",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running"
},
{
"id": "sec.foreign_agents.acg.splashtop_sos_streamer_",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: Splashtop Software Updater 1.5.6.19\nprogram: Splashtop Streamer 3.5.0.2\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running\nservice: SSUService (Splashtop Software Updater Service) Running"
},
{
"id": "sec.foreign_agents.acg.syncro_kabuto",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: Syncro / Kabuto",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running"
},
{
"id": "sec.firewall.ok",
"category": "security",
"severity": "info",
"title": "All firewall profiles enabled",
"detail": "Domain, Private, and Public firewall profiles are all enabled.",
"evidence": "Private=True; Domain=True; Public=True"
},
{
"id": "sec.bitlocker.unavailable",
"category": "security",
"severity": "unknown",
"title": "BitLocker status unavailable",
"detail": "Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).",
"evidence": "MountPoint=C:, Get-BitLockerVolume returned null"
},
{
"id": "sec.local_admins.list",
"category": "security",
"severity": "info",
"title": "Local administrators (5)",
"detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).",
"evidence": "Administrator\nGuru\nJacobs\nlocaladmin\npaul"
},
{
"id": "sec.patch.os_build_unknown",
"category": "security",
"severity": "unknown",
"title": "OS build not in EOL map: 9600",
"detail": "The build number is not in the local EOL reference map. Verify support status manually. This may be a Server SKU or a build newer than the map.",
"evidence": "Microsoft Windows Server 2012 R2 Essentials build 9600"
},
{
"id": "sec.patch.last_hotfix",
"category": "security",
"severity": "info",
"title": "Last hotfix: KB5031003",
"detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).",
"evidence": "KB5031003 installed 2023-10-12T07:00:00Z"
},
{
"id": "sec.exposure.rdp_on",
"category": "security",
"severity": "warning",
"title": "RDP is enabled",
"detail": "Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.",
"evidence": "fDenyTSConnections=0; UserAuthentication=1"
},
{
"id": "sec.exposure.smb1",
"category": "security",
"severity": "critical",
"title": "SMBv1 is ENABLED",
"detail": "SMBv1 is an obsolete, insecure protocol (WannaCry/EternalBlue vector). Disable it: Set-SmbServerConfiguration -EnableSMB1Protocol $false and remove the SMB1 feature.",
"evidence": "Get-SmbServerConfiguration EnableSMB1Protocol=True"
},
{
"id": "sec.exposure.no_laps",
"category": "security",
"severity": "info",
"title": "LAPS not detected",
"detail": "No LAPS (Windows LAPS or legacy AdmPwd) detected. Without LAPS, the local admin password is likely static/shared across the fleet. Consider deploying LAPS to randomize and escrow local admin passwords.",
"evidence": "No LAPS registry keys, CSE, or service found"
},
{
"id": "health.disk_space.E",
"category": "health",
"severity": "critical",
"title": "Disk critically low: E: at 4.1% free",
"detail": "Less than 8 percent free. Risk of failed updates, crashes, and corruption. Free space or expand the volume urgently.",
"evidence": "E: free 40.4 GB of 983.6 GB (4.1%)"
},
{
"id": "health.stability.clean",
"category": "health",
"severity": "info",
"title": "No stability events in the last 14 days",
"detail": "No unexpected shutdowns, BSODs, or disk errors logged.",
"evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0"
},
{
"id": "health.reboot_uptime.long_uptime",
"category": "health",
"severity": "warning",
"title": "Uptime is 36.5 days",
"detail": "Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.",
"evidence": "LastBootUpTime=2026-04-27 05:14:06Z"
},
{
"id": "health.failed_services.stopped",
"category": "health",
"severity": "warning",
"title": "4 auto-start service(s) not running",
"detail": "These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.",
"evidence": "VeeamBackupSvc (Veeam Backup Service) = Stopped\nVeeamCatalogSvc (Veeam Guest Catalog Service) = Stopped\nVeeamCloudSvc (Veeam Cloud Connect Service) = Stopped\nVeeamMountSvc (Veeam Mount Service) = Stopped"
},
{
"id": "health.domain.workgroup",
"category": "health",
"severity": "info",
"title": "Not domain-joined (workgroup)",
"detail": "This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.",
"evidence": "PartOfDomain=False; Domain=WORKGROUP"
},
{
"id": "health.time.source",
"category": "health",
"severity": "info",
"title": "Time service source",
"detail": "Current Windows Time service source.",
"evidence": "Source=The following error occurred: The service has not been started. (0x80070426)"
},
{
"id": "health.backup.present",
"category": "health",
"severity": "info",
"title": "Backup agent installed and running",
"detail": "A backup agent service is present and running. Confirm the backup is actually configured and reporting successful jobs (presence != working backup).",
"evidence": "Veeam: VeeamBackupSvc = Stopped\nVeeam: VeeamCatalogSvc = Stopped\nVeeam: VeeamCloudSvc = Stopped\nVeeam: VeeamDeploySvc = Running\nVeeam: VeeamHvIntegrationSvc = Running\nVeeam: VeeamMountSvc = Stopped\nVeeam: VeeamNFSSvc = Running\nVeeam: VeeamTransportSvc = Running"
}
]
}
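Review bot: The `health.backup.present` finding is titled "Backup agent installed and running" while its own evidence shows `VeeamBackupSvc = Stopped` (the core backup service, also listed under `failed_autostart_services`), so the check seems to pass on any running service in the Veeam group; it should key on the primary service, or at least drop to `"severity": "warning"` when any agent service is stopped, and the same contradiction is rendered in the markdown report that follows. `time_source` carries a w32tm error string ("The service has not been started. (0x80070426)") yet `health.time.source` is emitted as `info` — a time service that is not running is a finding in itself, and the field should be `null` with a warning rather than the error text as a value. The volume entry `"drive": "\u0000:"` embeds a NUL byte for an unlettered volume (it renders as an empty label downstream); emit `null` or the volume GUID instead. `LastBootUpTime=2026-04-27 05:14:06Z` in the uptime evidence disagrees with `"last_boot_utc": "2026-04-27T12:14:06Z"` by exactly seven hours, which looks like local time labelled as Z. `local_users` and `accounts_password_never_expires` are `[]` even though five local Administrators members are listed — presumably the user enumerator failed on this Server 2012 R2 host and an empty array is masking a collection failure that the other collectors report as `null`; confirm and make the unavailable case consistent.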


@@ -0,0 +1,274 @@
# Onboarding Diagnostic Baseline - WIN-709JUVCJ2DQ
- **Grade:** RED
- **Host:** WIN-709JUVCJ2DQ
- **Client:** Universal Cryogenics (`ucryo`)
- **Collected (UTC):** 2026-06-03T00:43:19Z
- **Agent ID:** b7311d8a-6c5e-4aa5-9abf-79212d344009
- **Command ID:** 48bd8684-226b-448f-af5f-9d9db61dd01c
- **Findings:** 2 critical / 4 warning / 13 info / 2 unknown
- **OS:** Microsoft Windows Server 2012 R2 Essentials (build 9600)
---
## CRITICAL (2)
### SMBv1 is ENABLED
- **Category:** security
- **ID:** `sec.exposure.smb1`
- SMBv1 is an obsolete, insecure protocol (WannaCry/EternalBlue vector). Disable it: Set-SmbServerConfiguration -EnableSMB1Protocol $false and remove the SMB1 feature.
```
Get-SmbServerConfiguration EnableSMB1Protocol=True
```
### Disk critically low: E: at 4.1% free
- **Category:** health
- **ID:** `health.disk_space.E`
- Less than 8 percent free. Risk of failed updates, crashes, and corruption. Free space or expand the volume urgently.
```
E: free 40.4 GB of 983.6 GB (4.1%)
```
## WARNING (4)
### Defender status unavailable
- **Category:** security
- **ID:** `sec.defender.unavailable`
- Get-MpComputerStatus returned nothing. Defender may be disabled, replaced by a 3rd-party AV, or the cmdlet is unavailable. Confirm an active AV exists (see security-center check).
```
Get-MpComputerStatus returned null
```
### RDP is enabled
- **Category:** security
- **ID:** `sec.exposure.rdp_on`
- Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.
```
fDenyTSConnections=0; UserAuthentication=1
```
### Uptime is 36.5 days
- **Category:** health
- **ID:** `health.reboot_uptime.long_uptime`
- Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.
```
LastBootUpTime=2026-04-27 05:14:06Z
```
### 4 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
VeeamBackupSvc (Veeam Backup Service) = Stopped
VeeamCatalogSvc (Veeam Guest Catalog Service) = Stopped
VeeamCloudSvc (Veeam Cloud Connect Service) = Stopped
VeeamMountSvc (Veeam Mount Service) = Stopped
```
## INFO (13)
### No AV products registered in Security Center
- **Category:** security
- **ID:** `sec.av_products.none_registered`
- SecurityCenter2 returned no AntiVirusProduct entries. This is normal on Windows Server SKUs (Security Center is a client feature). On a workstation, confirm Defender or a managed AV is active.
```
root\SecurityCenter2 AntiVirusProduct: none
```
### No competitor/leftover management agents detected
- **Category:** security
- **ID:** `sec.foreign_agents.none`
- No known competitor RMM or unmanaged remote-access agents found in installed programs or services.
```
Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service
```
### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### Expected ACG management tooling present: Splashtop (SOS/Streamer)
- **Category:** security
- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Splashtop Software Updater 1.5.6.19
program: Splashtop Streamer 3.5.0.2
service: SplashtopRemoteService (Splashtop? Remote Service) Running
service: SSUService (Splashtop Software Updater Service) Running
```
### Expected ACG management tooling present: Syncro / Kabuto
- **Category:** security
- **ID:** `sec.foreign_agents.acg.syncro_kabuto`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```
### All firewall profiles enabled
- **Category:** security
- **ID:** `sec.firewall.ok`
- Domain, Private, and Public firewall profiles are all enabled.
```
Private=True; Domain=True; Public=True
```
### Local administrators (5)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
Administrator
Guru
Jacobs
localadmin
paul
```
### Last hotfix: KB5031003
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5031003 installed 2023-10-12T07:00:00Z
```
### LAPS not detected
- **Category:** security
- **ID:** `sec.exposure.no_laps`
- No LAPS (Windows LAPS or legacy AdmPwd) detected. Without LAPS, the local admin password is likely static/shared across the fleet. Consider deploying LAPS to randomize and escrow local admin passwords.
```
No LAPS registry keys, CSE, or service found
```
### No stability events in the last 14 days
- **Category:** health
- **ID:** `health.stability.clean`
- No unexpected shutdowns, BSODs, or disk errors logged.
```
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0
```
### Not domain-joined (workgroup)
- **Category:** health
- **ID:** `health.domain.workgroup`
- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
```
PartOfDomain=False; Domain=WORKGROUP
```
### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.
```
Source=The following error occurred: The service has not been started. (0x80070426)
```
### Backup agent installed and running
- **Category:** health
- **ID:** `health.backup.present`
- A backup agent service is present and running. Confirm the backup is actually configured and reporting successful jobs (presence != working backup).
```
Veeam: VeeamBackupSvc = Stopped
Veeam: VeeamCatalogSvc = Stopped
Veeam: VeeamCloudSvc = Stopped
Veeam: VeeamDeploySvc = Running
Veeam: VeeamHvIntegrationSvc = Running
Veeam: VeeamMountSvc = Stopped
Veeam: VeeamNFSSvc = Running
Veeam: VeeamTransportSvc = Running
```
## UNKNOWN (2)
### BitLocker status unavailable
- **Category:** security
- **ID:** `sec.bitlocker.unavailable`
- Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).
```
MountPoint=C:, Get-BitLockerVolume returned null
```
### OS build not in EOL map: 9600
- **Category:** security
- **ID:** `sec.patch.os_build_unknown`
- The build number is not in the local EOL reference map. Verify support status manually. This may be a Server SKU or a build newer than the map.
```
Microsoft Windows Server 2012 R2 Essentials build 9600
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** Dell Inc. / PowerEdge 2950
- **Serial:** 762F0G1
- **CPU:** Intel(R) Xeon(R) CPU E5450 @ 3.00GHz (4 cores / 4 logical)
- **RAM (GB):** 32
- **BIOS:** 2.3.1 (2008-04-29)
- **Chassis is laptop:** false
- **TPM present / Secure Boot:** ? / ?
- **Domain joined:** false (WORKGROUP)
- **OS activation licensed:** true
- **Uptime (days):** 36.5
- **Pending reboot:** false
- **Installed software count:** 48
- **Scheduled tasks (non-MS, enabled):** 6
- **Local administrators:** Administrator, Guru, Jacobs, localadmin, paul
### Fixed volumes
- : - 0.1 GB free of 0.3 GB (20.6%)
- F: - 464.8 GB free of 1395.7 GB (33.3%)
- M: - 4417.1 GB free of 4657.5 GB (94.8%)
- C: - 837.8 GB free of 878.6 GB (95.4%)
- E: - 40.4 GB free of 983.6 GB (4.1%)
### Network adapters
- Hyper-V Virtual Ethernet Adapter #2 - IP: 172.29.0.4, fe80::a8c1:e232:97d6:976 - DNS: 8.8.8.8, 4.4.8.8 - DHCP: false
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `WIN-709JUVCJ2DQ-20260603T004420.json` (immutable)._
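Review bot: The inventory line `**TPM present / Secure Boot:** ? / ?` prints "?" for TPM even though the snapshot records `tpm.present: false` as a definite value; the report generator appears to treat a falsy boolean the same as a missing one, so only `null` should map to "?" and `false` should print as `false`. The fixed-volume line `- : - 0.1 GB free of 0.3 GB (20.6%)` inherits the NUL drive label from the snapshot and should be labelled as an unlettered volume rather than left blank.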


@@ -0,0 +1,107 @@
# Universal Cryogenics (UCRYO) — Session 2026-06-02
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin
## Session Summary
Onboarded a new client, Universal Cryogenics (shortname UCRYO), into GuruRMM with a single site "Main" (site_code LIGHT-WOLF-2305), vaulting the one-time agent enrollment key. Over the session eight Windows agents enrolled under the site: the domain controller UC2-SERVER, the Hyper-V/Veeam backup host WIN-709JUVCJ2DQ, and six workstations (DESKTOP-PMML1JC, KIRBY, gromit, hobbes, hoborg, lilo).
Investigated reported "remnants of a previous cryptolocker infection" on UC2-SERVER. Read-only recon identified a December 2019 TrickBot infection: a hidden SYSTEM scheduled task "System Health Application" (boot + every 12 min) pointing at a launcher EXE that was already gone, plus the TrickBot module/config folder under the SYSTEM profile. The task had been failing every run with 0x80070002 (FILE_NOT_FOUND). Quarantined the module folder, deleted the task, removed the folder, and verified. Swept the second server clean. Flagged the real outstanding risk: TrickBot ran pwgrab64 (credential theft) on a domain controller in 2019, so domain credentials/KRBTGT were exposed then — confirmation of a post-incident reset is the open item. Confirmed no free Ryuk decryptor exists or is forthcoming. A reported "crypto" folder of held encrypted data could not be located on either server; the user concluded it was misremembered.
Ran the onboarding health/security diagnostic across all eight boxes. A first parallel run had 7 of 8 agents return "interrupted" (agent restarted mid-probe under concurrent load); a gentler sequential re-run completed all eight. All graded RED (typical SMB fleet: missing BitLocker, EOL OS builds, pending patches, RDP enabled). Required a one-line change to the diagnostic runner to make the per-probe exec timeout overridable.
Filed a GuruRMM bug (#39) for the agent spawning duplicate system-tray icons (5 gururmm-tray.exe processes on GURU-5070, no single-instance guard). Diagnosed and fixed a Backblaze-bound backup failure on UC2-SERVER's MSP360 plan: the agent was failing TLS to Backblaze because the 64-bit .NET TLS keys were unset on Server 2012 R2; added the keys, restarted services, and confirmed uploads resumed. Established via a controlled comparison (Seth-PC on Win11 with identical missing keys but zero TLS errors) that the issue is legacy-OS-specific, so did not mass-apply the fix to modern boxes. Traced the mspbackups console "disagreement" to a combination of a stalled session never reporting a terminal result and an outdated agent degrading dashboard status reporting. Finally, produced SPEC-024 for a ScreenConnect auto-deploy GuruRMM module and committed it.
## Key Decisions
- **Client slug `ucryo`, client code `UCRYO`.** Used the user-provided shortname as the GuruRMM client `code` and lowercase as the vault slug, matching existing per-client vault conventions.
- **Read-before-write on the DC.** All TrickBot investigation was read-only; cleanup (quarantine + task delete + folder removal) was gated on explicit user confirmation given UC2-SERVER is a domain controller.
- **Quarantine-then-remove** rather than outright delete, preserving the TrickBot modules at C:\Quarantine\syshealth-trickbot-20260602-170235 for IR record.
- **Sequential diagnostic re-run** after the parallel run caused agent interruptions — isolated the cause as concurrent-load contention (not an agent-stability bug), since the gentle pass completed cleanly.
- **Did NOT mass-apply the .NET TLS fix** to the 9 RMM-reachable MSP360 boxes. The sweep proved they are all modern OS (2016/2019/2022/Win10) where .NET already negotiates TLS 1.2 by default; the missing keys are benign there. Restarting backup services on healthy production servers across multiple clients was not justified.
- **TLS root cause is legacy-OS-specific.** Confirmed by controlled comparison: Seth-PC (Win11) has the identical missing keys but 0 secure-channel errors, vs UC2-SERVER (2012 R2) which had many. The fix is only needed on 2012 R2 / Win7-8 era boxes.
- **Session log placed under `clients/ucryo/`** (primary subject = UCRYO onboarding/infra). GuruRMM bug #39 and SPEC-024 are GuruRMM-scoped cross-references; the fleet-wide MSP360 TLS/agent-version findings are noted but are not UCRYO-specific.
- **ScreenConnect spec modeled on the existing MSPBackups integration** pattern, with the labeled installer URL built server-side (labels = ScreenConnect c0..c7 custom properties applied at download time).
## Problems Encountered
- **PowerShell parser error** (`An empty pipe element is not allowed`) from piping a `foreach(){}` statement directly into `Sort-Object`/`Format-Table`. Aborted whole probes silently (empty stdout). Fixed by collecting into a variable first, then piping.
- **Empty Defender section** on the recon — expected: Server 2012 R2 does not ship the Defender AV PowerShell cmdlets.
- **Diagnostic probe timeout (240s)** on UC2-SERVER (slow 2012 R2, installed-software enumeration). Made the runner's exec timeout overridable via `DIAG_EXEC_TIMEOUT` env var (default unchanged at 240) and used 480s for servers.
- **7/8 diagnostic agents "interrupted"** on the parallel run (agent restarted mid-probe under load). Resolved by re-running sequentially — all completed.
- **MSP360 monitoring API field/enum guessing.** Initial jq used wrong field names (Result/LastBackup null); correct fields are Status/ErrorMessage/FilesCopied/BuildVersion etc. Calibrated the Status enum empirically across 66 records.
- **Coord todos POST schema mismatch** — endpoint requires `text`, `created_by_user`, `created_by_machine` (not title/description); todo creation returned null and was not reliably persisted. Follow-up captured in this log instead.
- **Over-generalized the TLS hypothesis** to the Tucson Coin Win11 boxes from the shared "Status 3 stuck" symptom; corrected after the user pointed out they are Win11 and endpoint evidence showed 0 secure-channel errors. The stuck-Status-3 signature is not TLS-specific.
## Configuration Changes
**Created:**
- `clients/ucryo/gururmm-site-main.sops.yaml` (vault repo) — UCRYO Main site GuruRMM enrollment key (SOPS-encrypted).
- `clients/ucryo/onboarding-baselines/*.{json,md}` — 8 immutable diagnostic baselines (UC2-SERVER, WIN-709JUVCJ2DQ, DESKTOP-PMML1JC, KIRBY, gromit, hobbes, hoborg, lilo), timestamped 20260603T00xxxx UTC.
- `projects/msp-tools/guru-rmm/docs/specs/SPEC-024-screenconnect-auto-deploy.md` — ScreenConnect auto-deploy module spec (committed gururmm 1e24b71).
**Modified:**
- `.claude/scripts/run-onboarding-diagnostic.sh` — added `EXEC_TIMEOUT="${DIAG_EXEC_TIMEOUT:-240}"` and used it for the probe-exec dispatch (was hardcoded 240).
- `projects/msp-tools/guru-rmm/docs/FEATURE_ROADMAP.md` — added Integration Features → "Remote Access Tools (Auto-Deploy)" subsection linking SPEC-024.
**On endpoint UC2-SERVER (Server 2012 R2):**
- Added DWORD `SchUseStrongCrypto=1` and `SystemDefaultTlsVersions=1` to BOTH `HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319` and `HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319`.
- Restarted services "Online Backup Service" and "Online Backup Service Remote Management".
- Deleted scheduled task "System Health Application"; removed `C:\Windows\system32\config\systemprofile\AppData\Roaming\syshealth\`; quarantine copy at `C:\Quarantine\syshealth-trickbot-20260602-170235\`.
**GitHub/Gitea:**
- gururmm#39 — bug: duplicate system-tray icons (no single-instance guard).
## Credentials & Secrets
- **UCRYO GuruRMM enrollment key** — vaulted at `clients/ucryo/gururmm-site-main.sops.yaml` (fields: client_id, site_id, site_code, api_key, installer_url, msi_url).
- **MSP360 Managed Backup Service API** — vault `msp-tools/msp360-api.sops.yaml`. Base URL `https://api.mspbackups.com`; login `kY9PvDdWki` (password vaulted). Auth: `POST /api/Provider/Login` (body `{"UserName","Password"}`) → `access_token`; then `GET /api/Monitoring` with Bearer token.
- **GuruRMM admin API** — vault `infrastructure/gururmm-server.sops.yaml` (credentials.gururmm-api.admin-email / admin-password). Base `http://172.16.3.30:3001`.
- **ScreenConnect instance (ACG)** — relay host `instance-kgc7jt-relay.screenconnect.com`, port 443, instance GUID `s=9f3db089-eb29-441d-a9d2-2c441bde8c78` (observed in UC2-SERVER client launch string; public key `k` also in that string). Not high-sensitivity but record for SPEC-024 implementation.
## Infrastructure & Servers
**Universal Cryogenics — domain `ucryo.local`**
- **UC2-SERVER** — Windows Server 2012 R2 Essentials (build 9600), domain controller (AD DS, DNS, DHCP, WSUS, AD CS installed). Drives C: (500GB) and E: (931GB, shares: OFFICE DOCS, Projects, QB2020, UCDATA, x-files; Offsite Archive). MSP360 plan "Ucryo Files" (user richard@ucryo.com). RMM agent id `64cff183-429c-44bf-aebd-55386417a494`.
- **WIN-709JUVCJ2DQ** — Windows Server 2012 R2 Essentials, Hyper-V + Veeam backup host (VBRCatalog, Veeam-Scripts). Drives C:/E: Hyper-V/V-Hard-Disks / F: Hyper-Data-Disks / M: 4.7TB MWF-Backup. RMM agent id `b7311d8a-6c5e-4aa5-9abf-79212d344009`. UC2-SERVER is likely a guest VM on this host.
- Workstations: DESKTOP-PMML1JC, KIRBY (Win10 Pro 19045 laptop), gromit, hobbes, hoborg, lilo — all GuruRMM v0.6.54.
- Management stack present (legit): Syncro, ScreenConnect, Splashtop, ACG Online Backup (MSP360), GuruRMM.
**GuruRMM site:** client_id `f954f150-3605-4ef7-82e7-6b942883cb00`, site Main, site_id `345e59d2-ca30-4b9c-b703-c19915b47753`, site_code **LIGHT-WOLF-2305**.
**Other (fleet/cross-client):**
- Seth-PC — Windows 11 Home (build 26200), client "Tucson Coin and Autograph". RMM agent id `4267e35a-cd14-424d-ab82-3da4f9baa0dc`. MSP360 build 8.6.0.290.
- MSP360 fleet: 47 computers; newest deployed build 8.6.0.290 (34 boxes, still flagged outdated by console); oldest 4.4.2.221 (2 boxes).
## Commands & Outputs
- TrickBot task: `schtasks /query /tn "System Health Application" /xml` → hidden, RunLevel HighestAvailable, UserId SYSTEM, BootTrigger + 12-min repetition; Last Result `-2147024894` (0x80070002 FILE_NOT_FOUND).
- TrickBot modules confirmed: `injectDll64`, `pwgrab64`, `psfin64`, `importDll64`, `tabDll64`, `mwormDll64`, `mshareDll64`, `networkDll64`, `NewBCtestnDll64` + `dinj`/`dpost`/`sinj` configs + `settings.ini` under `...systemprofile\AppData\Roaming\syshealth\`.
- Backup failure (UC2 plan log `5a44fc46-...log`): `LightWebException: The request was aborted: Could not create SSL/TLS secure channel.` against `api001.backblazeb2.com`. First secure-channel error 2025-10-15; intermittent thru May; hard-failing 2026-06-02.
- Post-fix verify: `cbb plan -r "Ucryo Files"` → "Plan is started"; `secure-channel errors in last 5 min: 0`; `Scanned 474.9 GB ... Uploaded 2.15 GB`.
- MSP360 Status enum (empirical): 0=completed/idle, 1=Success, 2=Warning, 3=Running(in-progress), 4=Scheduled/never-run, 7=completed-with-errors. Counters (FilesCopied/DataCopied/Duration) populate only at session completion, not during a run.
- Tray bug evidence (GURU-5070): 5 × `gururmm-tray.exe` PIDs (26224, 11424, 14524, 15928, 4076) with distinct StartTimes spanning 2 days; 2 × `gururmm-agent.exe` (expected: agent + watchdog).
## Pending / Incomplete Tasks
- **UCRYO 2019 incident — confirm domain credential / KRBTGT reset.** TrickBot pwgrab64 ran on the DC in 2019; verify with client/records whether a full post-incident reset was done. If not, this is the primary residual risk.
- **AD2** (ACG internal) TLS key check is queued — agent was offline; re-check when it reconnects. It is the only RMM-reachable box that might be legacy OS.
- **Tucson Coin agent update** — Seth-PC + DESKTOP-P36LUUN: update the outdated MSP360 agent (clears the grey dashboard indicator). Do it AFTER the current first-full completes (avoid restarting the ~20GB upload). Now that Seth-PC is RMM-enabled it can be driven via RMM.
- **Fleet MSP360 agent-update pass** — 47 boxes lagging; prioritize the 4.4.2.221 / 7.8.x / 7.9.x stragglers. Worklist (client+host+build) can be pulled from the MSP360 API.
- **GuruRMM bug #39** (tray icons) — awaiting triage/fix; repo has zero labels (offered to create a `bug` label).
- **SPEC-024 open questions** — instance GUID per-node?, slot-name auto-fetch?, per-OS existing-client detection strings, force_relabel semantics, Linux installer variant, which fields fill remaining c-slots (no tags model in GuruRMM yet).
- **All 8 UCRYO boxes graded RED** — remediation backlog: BitLocker (KIRBY laptop unencrypted), Win10 22H2 EOL, pending patches, RDP exposure review.
## Reference Information
- GuruRMM API: `http://172.16.3.30:3001` · Coord API: `http://172.16.3.30:8001/api/coord`
- UCRYO installer page: `https://rmm.azcomputerguru.com/install/LIGHT-WOLF-2305` · MSI: `https://rmm.azcomputerguru.com/api/sites/345e59d2-ca30-4b9c-b703-c19915b47753/installer`
- MSP360 API: `https://api.mspbackups.com` (`/api/Provider/Login`, `/api/Monitoring`)
- UC2-SERVER MSP360 plan id: `5a44fc46-ca94-4095-a645-889eaf754389` ("Ucryo Files", richard@ucryo.com)
- gururmm#39: `https://git.azcomputerguru.com/azcomputerguru/gururmm/issues/39`
- SPEC-024: `projects/msp-tools/guru-rmm/docs/specs/SPEC-024-screenconnect-auto-deploy.md` (gururmm commit `1e24b71`)
- ScreenConnect ClientSetup build URL form: `https://<instance>.screenconnect.com/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest&c=<c0>..&c=<c7>` (c0..c7 = 8 custom org properties, applied at download time)
- TLS fix (legacy Windows + Backblaze): set `SchUseStrongCrypto=1` + `SystemDefaultTlsVersions=1` (DWORD) under both `.NETFramework\v4.0.30319` and `WOW6432Node\...\v4.0.30319`, restart Online Backup services. Only needed on 2012 R2 / Win7-8; modern OS unaffected.

235
wiki/clients/ucryo.md Normal file

@@ -0,0 +1,235 @@
---
type: client
name: ucryo
display_name: Universal Cryogenics
last_compiled: 2026-06-02
compiled_by: GURU-5070/claude-main
sources:
- clients/ucryo/session-logs/2026-06-02-session.md
- clients/ucryo/onboarding-baselines/UC2-SERVER-20260603T004304.md
- clients/ucryo/onboarding-baselines/WIN-709JUVCJ2DQ-20260603T004420.md
- clients/ucryo/onboarding-baselines/DESKTOP-PMML1JC-20260603T004601.md
- clients/ucryo/onboarding-baselines/KIRBY-20260603T003656.md
- clients/ucryo/onboarding-baselines/GROMIT-20260603T004715.md
- clients/ucryo/onboarding-baselines/HOBBES-20260603T004835.md
- clients/ucryo/onboarding-baselines/HOBORG-20260603T005101.md
- clients/ucryo/onboarding-baselines/LILO-20260603T005456.md
backlinks:
- projects/gururmm
---
# Universal Cryogenics
Industrial cryogenics company. ACG onboarded 2026-06-02. Domain: `ucryo.local`. Client shortname / code: UCRYO. Two Windows Server 2012 R2 Essentials hosts (one DC, one Hyper-V/Veeam backup host) plus six domain-joined Windows workstations. All 8 agents graded RED on initial diagnostic. Active security history: December 2019 TrickBot infection on the domain controller, remediated 2026-06-02 with one critical open item remaining (KRBTGT/domain credential reset confirmation).
---
## Profile
- **Client code:** UCRYO
- **Domain:** ucryo.local
- **MSP360 backup contact:** richard@ucryo.com
- **Key contacts:** richard@ucryo.com (billing/backup contact — identity verify)
- **Management stack (ACG-deployed):** GuruRMM, ScreenConnect (instance `instance-kgc7jt-relay.screenconnect.com`), Splashtop Streamer, Syncro
---
## Infrastructure
### Servers
| Host | OS | Role | Agent ID | Notes |
|---|---|---|---|---|
| UC2-SERVER | Windows Server 2012 R2 Essentials (build 9600) | Domain Controller (AD DS, DNS, DHCP, WSUS, AD CS), File Server | `64cff183-429c-44bf-aebd-55386417a494` | Guest VM (Hyper-V on WIN-709JUVCJ2DQ). Drives C: (500 GB) and E: (931 GB; shares OFFICE DOCS, Projects, QB2020, UCDATA, x-files, Offsite Archive). MSP360 backup plan "Ucryo Files". IP: 172.29.0.5. SMBv1 ENABLED. |
| WIN-709JUVCJ2DQ | Windows Server 2012 R2 Essentials (build 9600) | Hyper-V + Veeam backup host (VBRCatalog, Veeam-Scripts) | `b7311d8a-6c5e-4aa5-9abf-79212d344009` | Physical Dell PowerEdge 2950 (serial 762F0G1). UC2-SERVER is likely a guest VM on this host. Drives C:/E:/F:/M: (M: is 4.7 TB MWF-Backup). IP: 172.29.0.4. Workgroup (not domain-joined). SMBv1 ENABLED. E: critically low (4.1% free, 40.4 GB of 983.6 GB). Veeam services stopped. |
### Workstations
| Host | OS | Form Factor | Agent ID | Notable |
|---|---|---|---|---|
| DESKTOP-PMML1JC | Windows 11 Pro (build 26200) | Laptop (Lenovo 81Y8) | `286cf717-86ac-4985-b0a6-0254fba0dfdb` | Broken domain secure channel. 3 disk errors in 14 days. BitLocker off. OpenVPN + NordLynx present. |
| KIRBY | Windows 10 Pro (build 19045) | Laptop (Lenovo 82K8) | `82f16929-ec3c-434b-81f9-84b63e0af56d` | **BitLocker OFF on a laptop — primary critical.** Win10 22H2 EOL (2025-10-14). 4 pending patches. |
| gromit | Windows 10 Pro (build 19045) | Desktop (Lenovo 20FRS1RQ00) | `20da3f2f-6bef-4d8c-b6fa-141d47a01d52` | Win10 22H2 EOL. 9 pending patches. BitLocker off. Group Policy Client service stopped. |
| hobbes | Windows 10 Pro (build 19045) | Laptop (Dell Precision M4800) | `a336deb1-6d09-4ade-b2c3-0b258664f4bd` | Win10 22H2 EOL. BitLocker off. 1 unexpected shutdown + 1 disk error in 14 days. |
| hoborg | Windows 10 Pro (build 19045) | Laptop (Lenovo 20ENCTO1WW) | `89ee0a5d-49f2-4334-8e49-eaafa389e9ec` | Win10 22H2 EOL. BitLocker off. **Toshiba SSD SMART Warning (wear=100%) — imminent failure risk.** Dual AV: Defender + SentinelOne. |
| lilo | Windows 10 Pro (build 19045) | Laptop (Lenovo 20EQS12M00) | `5d0bdfc0-cb58-496f-b9bd-d585eb643d85` | Win10 22H2 EOL. BitLocker off. Uptime 82 days. |
All agents GuruRMM v0.6.54.
---
## GuruRMM Onboarding
Onboarded 2026-06-02. Single site "Main".
| Field | Value |
|---|---|
| client_id | `f954f150-3605-4ef7-82e7-6b942883cb00` |
| site_id | `345e59d2-ca30-4b9c-b703-c19915b47753` |
| site_code | `LIGHT-WOLF-2305` |
| Installer page | `https://rmm.azcomputerguru.com/install/LIGHT-WOLF-2305` |
| MSI URL | `https://rmm.azcomputerguru.com/api/sites/345e59d2-ca30-4b9c-b703-c19915b47753/installer` |
| Vault | `clients/ucryo/gururmm-site-main.sops.yaml` (fields: client_id, site_id, site_code, api_key, installer_url, msi_url) |
---
## [WARNING] Security History — 2019 TrickBot Incident
**This section must be reviewed before any domain-level changes.**
### Background
In December 2019, TrickBot infected UC2-SERVER (the domain controller). A hidden SYSTEM scheduled task named "System Health Application" (boot trigger + every 12 minutes, RunLevel HighestAvailable) launched a module loader from the SYSTEM profile. The launcher EXE was already gone by the time of discovery; the task had been failing every run since with error `0x80070002` (FILE_NOT_FOUND). The TrickBot module folder remained intact under the SYSTEM profile:
`C:\Windows\system32\config\systemprofile\AppData\Roaming\syshealth\`
Modules present: `injectDll64`, `pwgrab64`, `psfin64`, `importDll64`, `tabDll64`, `mwormDll64`, `mshareDll64`, `networkDll64`, `NewBCtestnDll64`, plus `dinj`/`dpost`/`sinj` config files and `settings.ini`.
WIN-709JUVCJ2DQ was swept clean — no TrickBot artifacts found.
### Remediation (2026-06-02)
All cleanup was done read-only first, then gated on explicit client confirmation before any writes (DC-safety protocol):
1. Quarantined the module folder: `C:\Quarantine\syshealth-trickbot-20260602-170235\`
2. Deleted the scheduled task "System Health Application"
3. Removed the original folder `...syshealth\`
Quarantine copy is preserved at `C:\Quarantine\syshealth-trickbot-20260602-170235\` as an IR record.
No active C2 traffic was expected — the launcher had been gone for years and the task was failing continuously.
**No free Ryuk decryptor exists.** A reported "crypto" folder of encrypted data could not be located on either server; client concluded it was misremembered.
### [OPEN — CRITICAL] KRBTGT / Domain Credential Reset
**pwgrab64 (credential theft module) ran on a domain controller in 2019.** This means domain credentials, service account passwords, and the KRBTGT hash were potentially exposed at that time. Standard post-DC-compromise IR requires:
- Double-rotation of the KRBTGT password (with a DC replication interval between rotations)
- Reset of all domain user passwords and service account passwords
**Status: UNCONFIRMED.** Whether a post-incident credential/KRBTGT reset was performed in 2019 or afterward has not been verified with the client. Until confirmed, the residual risk is an unrotated KRBTGT on a domain that had a credential-theft module running with SYSTEM privileges on the DC.
**Action required:** Ask the client or review any 2019/2020 IT records. If the reset was never done, execute it during a scheduled maintenance window.
---
## Backup
### MSP360 "Ucryo Files" Plan (UC2-SERVER)
| Field | Value |
|---|---|
| Plan name | "Ucryo Files" |
| Plan ID | `5a44fc46-ca94-4095-a645-889eaf754389` |
| Account | richard@ucryo.com |
| Target | Backblaze B2 (api001.backblazeb2.com) |
| Vault | `msp-tools/msp360-api.sops.yaml` (shared MSP360 API creds) |
**Backblaze TLS failure — fixed 2026-06-02.**
UC2-SERVER (Windows Server 2012 R2) was failing TLS negotiation to Backblaze. Root cause: the 64-bit .NET TLS registry keys were unset, which on legacy OS (2012 R2 / Win7-8 era) prevents .NET from negotiating TLS 1.2. First secure-channel error logged 2025-10-15; escalated to hard-failing by 2026-06-02.
Fix applied to UC2-SERVER:
- `HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319``SchUseStrongCrypto=1`, `SystemDefaultTlsVersions=1` (DWORD)
- `HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319` — same two keys
- Restarted "Online Backup Service" and "Online Backup Service Remote Management"
Post-fix verification: `cbb plan -r "Ucryo Files"` returned "Plan is started"; zero secure-channel errors in 5-minute window; scanned 474.9 GB, uploaded 2.15 GB.
**Note:** This fix is legacy-OS-specific. Do NOT apply it fleet-wide — modern OS (Server 2016/2019/2022, Win10/11) already negotiates TLS 1.2 by default; the missing keys are benign on those platforms.
WIN-709JUVCJ2DQ has Veeam installed. All four primary Veeam services (VeeamBackupSvc, VeeamCatalogSvc, VeeamCloudSvc, VeeamMountSvc) were stopped at baseline time. Confirm Veeam job status and why services are stopped. (verify)
---
## Diagnostic Baselines — 2026-06-02
Baselines collected UTC 2026-06-03T00:35 00:54 (sequential run after a parallel run caused agent interruptions under concurrent load). Raw JSON snapshots are immutable at `clients/ucryo/onboarding-baselines/`.
### Per-Host Summary
| Host | Grade | Criticals | Warnings | Standout Findings |
|---|---|---|---|---|
| UC2-SERVER | RED | 1 | 5 | CRITICAL: SMBv1 enabled (WannaCry/EternalBlue vector). Defender cmdlet unavailable (Server 2012 R2). RDP enabled. 3 stopped auto-start services (AD CS, IIS, ShellHWDetection). 36.5-day uptime, reboot pending. BitLocker unavailable (verify). 12 local admins. EOL OS (build 9600 not in map). |
| WIN-709JUVCJ2DQ | RED | 2 | 4 | CRITICAL: SMBv1 enabled. **CRITICAL: E: drive at 4.1% free (40.4 GB of 983.6 GB) — urgent.** Defender unavailable. RDP enabled. Veeam services stopped. Not domain-joined (WORKGROUP). 36.5-day uptime. EOL OS. |
| DESKTOP-PMML1JC | RED | 3 | 3 | CRITICAL: BitLocker off (laptop). CRITICAL: 3 disk errors in 14 days. CRITICAL: Domain secure channel broken. 2 pending patches. |
| KIRBY | RED | 2 | 4 | CRITICAL: **BitLocker OFF (laptop — highest data-at-rest risk).** CRITICAL: Win10 22H2 EOL (2025-10-14). 4 pending patches. RDP enabled. Reboot pending, 35-day uptime. |
| gromit | RED | 1 | 5 | CRITICAL: Win10 22H2 EOL. BitLocker off (desktop). 9 pending patches. RDP enabled. Group Policy Client stopped. |
| hobbes | RED | 2 | 5 | CRITICAL: BitLocker off (laptop). CRITICAL: Win10 22H2 EOL. Unexpected shutdown + disk error in 14 days. RDP enabled. |
| hoborg | RED | 3 | 5 | CRITICAL: BitLocker off (laptop). CRITICAL: Win10 22H2 EOL. **CRITICAL: Toshiba SSD SMART Warning (wear=100%) — replace immediately.** Dual AV (Defender + SentinelOne — possible conflict). RDP enabled. |
| lilo | RED | 2 | 5 | CRITICAL: BitLocker off (laptop). CRITICAL: Win10 22H2 EOL. 82-day uptime. RDP enabled. Group Policy Client + TPM Provisioning stopped. |
### Fleet-Wide Patterns
- All 8 hosts graded RED.
- SMBv1 enabled on both servers (WannaCry/EternalBlue vector — disable before enabling any internet-facing services).
- Win10 22H2 EOL on all 6 workstations (EOL 2025-10-14, no further security patches).
- BitLocker absent on all 5 laptops (KIRBY, DESKTOP-PMML1JC, hobbes, hoborg, lilo) and the DESKTOP-PMML1JC. Servers have BitLocker status UNKNOWN (cmdlet unavailable on 2012 R2).
- RDP enabled on all 8 hosts — confirm firewall restriction to internal/VPN only.
- No LAPS on servers. LAPS registry key present on workstations.
- No backup agent on any workstation.
---
## Open Items / Follow-ups
| Priority | Item | Notes |
|---|---|---|
| CRITICAL | Confirm 2019 KRBTGT/domain credential reset | pwgrab64 ran on the DC — if reset never done, this is the primary residual risk. |
| HIGH | hoborg SSD replacement | Toshiba SMART Warning, wear=100%. Data backup first. |
| HIGH | WIN-709JUVCJ2DQ E: drive space | 4.1% free (40.4 GB). Identify what is consuming the volume and free/expand. |
| HIGH | Disable SMBv1 on UC2-SERVER and WIN-709JUVCJ2DQ | WannaCry/EternalBlue vector. `Set-SmbServerConfiguration -EnableSMB1Protocol $false` + remove feature. |
| HIGH | BitLocker on all 5 laptops | KIRBY highest priority (domain-joined laptop, unencrypted, mobile). Escrow recovery keys. |
| HIGH | Win10 22H2 EOL on 6 workstations | Feature update or OS upgrade required (EOL 2025-10-14). |
| MEDIUM | DESKTOP-PMML1JC domain secure channel | Run `Test-ComputerSecureChannel -Repair` or rejoin. |
| MEDIUM | Veeam services stopped on WIN-709JUVCJ2Dq | VeeamBackupSvc/CatalogSvc/CloudSvc/MountSvc all stopped — confirm Veeam job health. |
| MEDIUM | RDP exposure review — all 8 hosts | Confirm RDP is restricted to VPN or specific source IPs; not exposed to internet. |
| MEDIUM | hoborg dual AV (Defender + SentinelOne) | Verify intended AV; remove one to prevent conflicts. |
| LOW | UC2-SERVER stopped services | AD CS, IIS Admin, ShellHWDetection stopped — review if these should be running. |
| LOW | LAPS not deployed on servers | Deploy Windows LAPS or legacy AdmPwd to UC2-SERVER and WIN-709JUVCJ2DQ. |
---
## Reference
### IDs and URLs
| Resource | Value |
|---|---|
| GuruRMM client_id | `f954f150-3605-4ef7-82e7-6b942883cb00` |
| GuruRMM site_id (Main) | `345e59d2-ca30-4b9c-b703-c19915b47753` |
| GuruRMM site_code | `LIGHT-WOLF-2305` |
| Installer page | `https://rmm.azcomputerguru.com/install/LIGHT-WOLF-2305` |
| MSP360 plan ID | `5a44fc46-ca94-4095-a645-889eaf754389` |
| MSP360 API base | `https://api.mspbackups.com` |
| ScreenConnect instance | `instance-kgc7jt-relay.screenconnect.com` (port 443) |
| ScreenConnect instance GUID | `s=9f3db089-eb29-441d-a9d2-2c441bde8c78` |
### Vault Paths
| Secret | Vault Path |
|---|---|
| GuruRMM enrollment key (site Main) | `clients/ucryo/gururmm-site-main.sops.yaml` |
| MSP360 API credentials | `msp-tools/msp360-api.sops.yaml` |
### Diagnostic Baseline Files
`clients/ucryo/onboarding-baselines/` — 8 immutable `.json` + `.md` pairs, timestamped 20260603T00xxxx UTC.
---
## Compilation Notes
**Session logs read:** `clients/ucryo/session-logs/2026-06-02-session.md` (onboarding session, primary source). All 8 diagnostic baseline files read in full.
**First wiki article for this client.** Onboarded 2026-06-02.
**Open items flagged as unverified (verify):**
- KRBTGT/domain credential reset — not confirmed with client; must verify
- Veeam job health on WIN-709JUVCJ2DQ — services stopped, backup status unknown
- Key contacts beyond richard@ucryo.com — not yet documented
## Backlinks
- [[projects/gururmm]] — 8 agents enrolled under site LIGHT-WOLF-2305


@@ -47,6 +47,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| [Quantum WMS](clients/quantumwms.md) | WMS company; quantumwms.com tenant (ddf3d2c9); GoDaddy decoupling + M365 migration; 2x Business Premium + Exchange Online Plan 1; deadline 2026-06-03; Tenant Admin consented 2026-05-26 | 2026-05-26 |
| [AT Trebesch](clients/attrebesch.md) | Residential, Tucson AZ; Syncro 238740; GuruRMM enrolled (DESKTOP-QNP3ON5, SWIFT-LION-2892); PST contact recovery imported (~660 contacts, emails populating, one Gleason); 4 source PSTs re-mounted after accidental unmount; Suggested Contacts (639) cleared (not reversible); pending Howard clarification before next step; Syncro #31953 open | 2026-06-02 |
| [Deere Park Development, LLC](clients/deere-park-development.md) | Property development ("Glabman"); Syncro 7088463; per-incident, no prepaid block; no tax rate assigned (must fix before billing); active estimate #7190 (ticket #32366) — UniFi WiFi 7 deployment (4x U7 Pro + 2x U7 Mesh + UCG Ultra + USW-Flex-2.5G-8-PoE), $2,816.70, Fresh | 2026-06-02 |
| [Universal Cryogenics](clients/ucryo.md) | New client onboarded 2026-06-02; ucryo.local DC (UC2-SERVER), 8 agents, 2019 TrickBot remediated, Backblaze TLS backup fix | 2026-06-02 |
## Projects
@@ -110,6 +111,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| Furrier / Desert Rat | websvr.acghosting.com; cPanel exim | — |
| Equity Valuation Services | Single Win11 VM | — |
| Scileppi Law | Sylvias-Mini (M2 Mac mini) | GuruRMM (enrollment pending) |
| Universal Cryogenics | UC2-SERVER (172.29.0.5, DC, guest VM); WIN-709JUVCJ2DQ (172.29.0.4, Hyper-V/Veeam, Dell PowerEdge 2950); 6 workstations (ucryo.local, 172.29.0.x) | GuruRMM (8 agents, site LIGHT-WOLF-2305) |
---