diff --git a/.claude/scripts/run-onboarding-diagnostic.sh b/.claude/scripts/run-onboarding-diagnostic.sh
index 10a80a2..aeafe7e 100644
--- a/.claude/scripts/run-onboarding-diagnostic.sh
+++ b/.claude/scripts/run-onboarding-diagnostic.sh
@@ -259,7 +259,8 @@ PS
 echo "[OK] Uploaded chunk $IDX/$N_CHUNKS"
 done
-echo "[INFO] Decoding and executing probe on endpoint (timeout 240s)..."
+EXEC_TIMEOUT="${DIAG_EXEC_TIMEOUT:-240}"
+echo "[INFO] Decoding and executing probe on endpoint (timeout ${EXEC_TIMEOUT}s)..."
 # Final command: decode base64 file -> .ps1, run it, then clean up both temp files.
 RUN_SCRIPT="$WORK_DIR/runcmd.ps1"
@@ -278,7 +279,7 @@ try {
 }
 PS
-RESULT="$(dispatch_one "$RUN_SCRIPT" 240)" || { echo "[ERROR] Probe execution dispatch failed" >&2; exit 1; }
+RESULT="$(dispatch_one "$RUN_SCRIPT" "$EXEC_TIMEOUT")" || { echo "[ERROR] Probe execution dispatch failed" >&2; exit 1; }
 CMD_ID="$(cat "$WORK_DIR/last_cmd_id" 2>/dev/null || echo unknown)"
 FINAL_STATUS="$(echo "$RESULT" | jq -r '.status // empty')"
diff --git a/clients/ucryo/onboarding-baselines/DESKTOP-PMML1JC-20260603T004601.json b/clients/ucryo/onboarding-baselines/DESKTOP-PMML1JC-20260603T004601.json
new file mode 100644
index 0000000..eb5c1c4
--- /dev/null
+++ b/clients/ucryo/onboarding-baselines/DESKTOP-PMML1JC-20260603T004601.json
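Review bot: `EXEC_TIMEOUT="${DIAG_EXEC_TIMEOUT:-240}"` takes any string from the environment and the second hunk passes it straight to `dispatch_one`, so an empty, non-numeric or negative value is only caught (if at all) inside the dispatcher, whose handling of that argument is outside this diff. Validate once where the variable is set: `[[ "$EXEC_TIMEOUT" =~ ^[1-9][0-9]*$ ]] || { echo "[ERROR] DIAG_EXEC_TIMEOUT must be a positive integer (seconds)" >&2; exit 1; }`. Since `${VAR:-240}` substitutes the default for an unset or empty variable, a caller exporting an empty string silently gets 240, which is worth stating in a comment such as `# Override via DIAG_EXEC_TIMEOUT (seconds); unset or empty falls back to 240.` The enclosing upload loop and the `dispatch_one` definition lie outside both hunks.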
@@ -0,0 +1,972 @@ +{ + "host": "DESKTOP-PMML1JC", + "collected_at_utc": "2026-06-03T00:39:57Z", + "os": { + "caption": "Microsoft Windows 11 Pro", + "version": "10.0.26200", + "build": "26200", + "install_date": "2025-03-03T05:24:23Z", + "last_boot_utc": "2026-05-27T09:37:09Z", + "architecture": "64-bit" + }, + "facts": { + "builtin_admin_enabled": false, + "os_eol": { + "eol_date": "2027-10-12", + "release": "Win11 25H2" + }, + "pending_updates": 2, + "pending_reboot": true, + "uptime_days": 6.6, + "acg_managed_tools": [ + "ScreenConnect / ConnectWise Control", + "Splashtop (SOS/Streamer)", + "Syncro / Kabuto" + ], + "hardware": { + "model": "81Y8", + "manufacturer": "LENOVO", + "bios_date": "2022-11-15", + "cpu_logical": 12, + "bios_version": "EFCN58WW", + "cpu_cores": 6, + "ram_gb": 31.9, + "serial": "PF2G2VPV", + "cpu": "Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz" + }, + "local_administrators": [ + "Administrator", + "localadmin", + "Richard" + ], + "os_build": "26200", + "secure_boot": true, + "backup_agents": null, + "autoruns_run_keys": [ + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "SecurityHealth", + "value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "RtkAudUService", + "value": "\"C:\\WINDOWS\\System32\\RtkAudUService64.exe\" -background" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "AdobeAAMUpdater-1.0", + "value": "\"C:\\Program Files (x86)\\Common Files\\Adobe\\OOBE\\PDApp\\UWA\\UpdaterStartupUtility.exe\"" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Acrobat Assistant 8.0", + "value": "\"C:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\Acrotray.exe\"" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "EEventManager", + "value": "\"C:\\Program Files (x86)\\Epson 
Software\\Event Manager\\EEventManager.exe\"" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "name": "msedge_cleanup_{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}", + "value": "\"C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\148.0.3967.96\\Installer\\setup.exe\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "name": "Delete Cached Update Binary", + "value": "C:\\WINDOWS\\system32\\cmd.exe /q /c del /q \"C:\\Program Files\\Microsoft OneDrive\\Update\\OneDriveSetup.exe\"" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "name": "Delete Cached Standalone Update Binary", + "value": "C:\\WINDOWS\\system32\\cmd.exe /q /c del /q \"C:\\Program Files\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" + } + ], + "physical_disks": [ + { + "health": "Healthy", + "model": "WDC WD10SPSX-08A6W", + "media_type": "HDD" + }, + { + "health": "Healthy", + "model": "WDC WDS100T2B0C-00PXH0", + "media_type": "SSD" + } + ], + "local_users": [ + { + "last_logon": "", + "name": "Administrator", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "DefaultAccount", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "Guest", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "localadmin", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2021-11-18", + "name": "Richard", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "", + "name": "WDAGUtilityAccount", + "password_never_expires": false, + "enabled": false + } + ], + "scheduled_tasks_count": 23, + "volumes": [ + { + "drive": "[unlabeled]", + "size_gb": 0.1, + "free_pct": 64, + "free_gb": 0.1 + }, + { + "drive": "D:", + "size_gb": 931.5, + "free_pct": 100, 
+ "free_gb": 931.3 + }, + { + "drive": "C:", + "size_gb": 930.3, + "free_pct": 68.2, + "free_gb": 634.3 + }, + { + "drive": "[unlabeled]", + "size_gb": 1.1, + "free_pct": 10, + "free_gb": 0.1 + } + ], + "network_adapters": [ + { + "dhcp": false, + "description": "OpenVPN Data Channel Offload", + "gateway": [ + null + ], + "mac": "", + "ip": [ + "10.100.0.2", + "fe80::564:408d:e02a:124a" + ], + "dns": [ + "103.86.96.100", + "103.86.99.100" + ] + }, + { + "dhcp": true, + "description": "Intel(R) Wi-Fi 6 AX201 160MHz", + "gateway": [ + "192.168.0.1" + ], + "mac": "68:3E:26:B5:93:6B", + "ip": [ + "192.168.0.5", + "fe80::7eb3:304d:8df9:2e0f" + ], + "dns": [ + "192.168.0.1", + "205.171.2.25" + ] + }, + { + "dhcp": false, + "description": "NordLynx Tunnel", + "gateway": [ + null + ], + "mac": "", + "ip": [ + "10.5.0.2", + "fe80::564:408d:e02a:124a" + ], + "dns": [ + null + ] + } + ], + "failed_autostart_services": [ + { + "name": "Intel(R) TPM Provisioning Service", + "display": "Intel(R) TPM Provisioning Service", + "state": "Stopped" + }, + { + "name": "IntelAudioService", + "display": "Intel(R) Audio Service", + "state": "Stopped" + } + ], + "stability_14d": { + "unexpected_shutdowns": 0, + "disk_errors": 3, + "bugchecks": 0 + }, + "exposure": { + "smb1_enabled": false, + "laps_present": true, + "rdp_enabled": false, + "uac_enabled": true, + "rdp_nla": true + }, + "accounts_password_never_expires": [], + "installed_software": [ + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "3DEXPERIENCE Marketplace for SOLIDWORKS", + "version": "6.29.743" + }, + { + "publisher": "Adobe Systems Incorporated", + "name": "Adobe Acrobat DC", + "version": "15.009.20077" + }, + { + "publisher": "Adobe Systems Incorporated", + "name": "Adobe Refresh Manager", + "version": "1.8.0" + }, + { + "publisher": "Autodesk", + "name": "AutoCAD Mechanical 2004", + "version": "7.0.42.8" + }, + { + "publisher": "Autodesk, Inc.", + "name": "Autodesk Express Viewer", + "version": "3.1" + 
}, + { + "publisher": "Apple Inc.", + "name": "Bonjour", + "version": "3.0.0.10" + }, + { + "publisher": "Microsoft Corporation", + "name": "Copilot", + "version": "148.0.3967.70" + }, + { + "publisher": "Epson America, Inc.", + "name": "Epson ES Series User?s Guide", + "version": "1.0" + }, + { + "publisher": "Seiko Epson Corporation", + "name": "Epson Event Manager", + "version": "3.11.0053" + }, + { + "publisher": "Seiko Epson Corporation", + "name": "Epson Scan 2", + "version": "" + }, + { + "publisher": "Seiko Epson Corporation", + "name": "Epson Scan OCR Component Pro", + "version": "1.0.10" + }, + { + "publisher": "Seiko Epson Corporation", + "name": "Epson ScanSmart", + "version": "3.7.1" + }, + { + "publisher": "Seiko Epson Corporation", + "name": "Epson Software Updater", + "version": "5.0.2" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft .NET Host - 8.0.8 (x64)", + "version": "64.32.18380" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft .NET Host FX Resolver - 8.0.8 (x64)", + "version": "64.32.18380" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft .NET Runtime - 8.0.8 (x64)", + "version": "64.32.18380" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft 365 Apps for business - en-us", + "version": "16.0.20026.20112" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge", + "version": "148.0.3967.96" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge WebView2 Runtime", + "version": "148.0.3967.96" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft OneDrive", + "version": "26.084.0504.0007" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Update Health Tools", + "version": "5.72.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Basic for Applications 7.1 (x64)", + "version": "7.1.00.00" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft 
Visual Basic for Applications 7.1 (x64) English", + "version": "7.1.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161", + "version": "9.0.30729.6161" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161", + "version": "9.0.30729.6161" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030", + "version": "11.0.61030.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030", + "version": "11.0.61030.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005", 
+ "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35211", + "version": "14.44.35211.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.44.35211", + "version": "14.44.35211.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35211", + "version": "14.44.35211" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.44.35211", + "version": "14.44.35211" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.44.35211", + "version": "14.44.35211" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.44.35211", + "version": "14.44.35211" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 Finalizer", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 x64 Hosting Support", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 x86 Hosting Support", + "version": "14.0.23829" + 
}, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Windows Desktop Runtime - 8.0.8 (x64)", + "version": "64.32.18376" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Windows Desktop Runtime - 8.0.8 (x64)", + "version": "8.0.8.33916" + }, + { + "publisher": "Mozilla", + "name": "Mozilla Firefox (x64 en-US)", + "version": "151.0.2" + }, + { + "publisher": "Mozilla", + "name": "Mozilla Maintenance Service", + "version": "151.0.2" + }, + { + "publisher": "Nord Security", + "name": "NordUpdater", + "version": "1.5.0.1028" + }, + { + "publisher": "Nord Security", + "name": "NordVPN", + "version": "8.3.6.0" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Graphics Driver 517.00", + "version": "517.00" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Install Application", + "version": "2.1002.370.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 16 Click-to-Run Extensibility Component", + "version": "16.0.20026.20076" + }, + { + "publisher": "ScreenConnect Software", + "name": "ScreenConnect Client (1912bf3444b41a08)", + "version": "26.1.24.9579" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS 2020 SP05", + "version": "28.150.0078" + }, + { + "publisher": "SolidWorks Corporation", + "name": "SOLIDWORKS 2020 SP05", + "version": "28.5.0.78" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS CAM 2020 SP05", + "version": "28.50.0078" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Composer Player 2020 SP05", + "version": "28.50.0078" + }, + { + "publisher": "Dassault Syst?mes SolidWorks Corp", + "name": "SOLIDWORKS eDrawings 2020 SP05", + "version": "28.50.0012" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS File Utilities 2020 SP05", + "version": "28.50.0078" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Visualize 
2020 SP05", + "version": "28.50.0078" + }, + { + "publisher": "Splashtop Inc.", + "name": "Splashtop Streamer", + "version": "3.8.2.0" + }, + { + "publisher": "Servably, Inc.", + "name": "Syncro", + "version": "1.0.201.18410" + }, + { + "publisher": "Microsoft Corporation", + "name": "Teams Machine-Wide Installer", + "version": "1.4.0.22976" + }, + { + "publisher": "Microsoft Corporation", + "name": "Update for x64-based Windows Systems (KB5001716)", + "version": "8.94.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Windows PC Health Check", + "version": "3.2.2110.14001" + }, + { + "publisher": "WireGuard LLC", + "name": "WireGuard", + "version": "0.5.3" + }, + { + "publisher": "Microsoft", + "name": "WPTx64", + "version": "8.100.26866" + } + ], + "tpm": { + "enabled": true, + "ready": true, + "present": true + }, + "local_groups": [ + "Access Control Assistance Operators", + "Administrators", + "Backup Operators", + "Cryptographic Operators", + "Device Owners", + "Distributed COM Users", + "Event Log Readers", + "Guests", + "Hyper-V Administrators", + "IIS_IUSRS", + "Network Configuration Operators", + "OpenSSH Users", + "Performance Log Users", + "Performance Monitor Users", + "Power Users", + "Remote Desktop Users", + "Remote Management Users", + "Replicator", + "System Managed Accounts Group", + "User Mode Hardware Operators", + "Users" + ], + "battery": { + "estimated_charge_remaining": "100", + "status": "2", + "present": true + }, + "third_party_av_active": false, + "activation": { + "edition": "Microsoft Windows 11 Pro", + "description": "Windows(R) Operating System, RETAIL channel", + "licensed": true, + "license_status_code": 1 + }, + "time_source": "Free-running System Clock", + "chassis_types": [ + 10 + ], + "last_hotfix": { + "hotfix_id": "KB5089573", + "installed_on": "2026-05-27T07:00:00Z" + }, + "scheduled_tasks": [ + { + "path": "\\", + "name": "Adobe Acrobat Update Task", + "state": "Ready" + }, + { + "path": "\\", + "name": 
"CCleanerCrashReporting", + "state": "Ready" + }, + { + "path": "\\", + "name": "EPSON ES-50 Update", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineCore", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineUA", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Per-Machine Standalone Update Task", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-1051390473-2587535097-844096240-1116", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-4044652462-3973564329-339036029-1001", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Startup Task-S-1-5-21-1051390473-2587535097-844096240-1116", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Startup Task-S-1-5-21-4044652462-3973564329-339036029-1001", + "state": "Ready" + }, + { + "path": "\\HardDiskSentinel\\", + "name": "Hard Disk Sentinel_richard", + "state": "Ready" + }, + { + "path": "\\Lenovo\\ImController\\", + "name": "Lenovo iM Controller Monitor", + "state": "Ready" + }, + { + "path": "\\Lenovo\\ImController\\", + "name": "Lenovo iM Controller Scheduled Maintenance", + "state": "Ready" + }, + { + "path": "\\Lenovo\\ImController\\Plugins\\", + "name": "LenovoSystemUpdatePlugin_WeeklyTask", + "state": "Ready" + }, + { + "path": "\\Lenovo\\ImController\\TimeBasedEvents\\", + "name": "01e15cc2-18a7-45be-bf24-142c08f2bc0f", + "state": "Ready" + }, + { + "path": "\\Lenovo\\ImController\\TimeBasedEvents\\", + "name": "3d63669f-2af1-4405-b424-15880ab6649b", + "state": "Ready" + }, + { + "path": "\\Lenovo\\ImController\\TimeBasedEvents\\", + "name": "6a05589d-b7b5-4241-9561-d4eb4e7554ed", + "state": "Ready" + }, + { + "path": "\\Lenovo\\ImController\\TimeBasedEvents\\", + "name": "891b2b33-e75f-43ac-a4d1-b456e771024f", + "state": "Ready" + }, + { + "path": "\\Lenovo\\ImController\\TimeBasedEvents\\", + "name": 
"9d043f8d-9f68-46de-8e94-e65d03313647", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Background Update 308046B0AF4A39CB", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Background Update S-1-5-21-1051390473-2587535097-844096240-1116 308046B0AF4A39CB", + "state": "Ready" + }, + { + "path": "\\SoftLanding\\S-1-5-21-1051390473-2587535097-844096240-1116\\", + "name": "SoftLandingCreativeManagementTask", + "state": "Ready" + }, + { + "path": "\\SoftLanding\\S-1-5-21-1051390473-2587535097-844096240-1116\\", + "name": "SoftLandingDeferralTask-{b2ec7b7e-7f02-4337-ba65-bc1fc879d10b}", + "state": "Ready" + } + ], + "antivirus_products": [ + "Windows Defender" + ], + "domain_joined": true, + "defender": { + "antispyware_signature_age": 0, + "tamper_protected": true, + "real_time_protection": true, + "nis_enabled": true, + "available": true, + "antivirus_enabled": true, + "am_service_enabled": true + }, + "bitlocker": { + "os_volume": "C:", + "key_protectors": [], + "recovery_key_present": false, + "available": true, + "encryption_percent": 0, + "protection_status": "Off" + }, + "is_laptop": true, + "installed_software_count": 73, + "secure_channel_ok": false, + "firewall_profiles": { + "Private": true, + "Domain": true, + "Public": true + }, + "domain": "ucryo.local", + "foreign_agents": null + }, + "findings": [ + { + "id": "sec.defender.ok", + "category": "security", + "severity": "info", + "title": "Defender active and current", + "detail": "Real-time protection on, service running, signatures current.", + "evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True" + }, + { + "id": "sec.av_products.defender_only", + "category": "security", + "severity": "info", + "title": "Defender is the only registered AV", + "detail": "Only Microsoft/Windows Defender is registered in Security Center.", + "evidence": "Windows Defender" + }, + { + "id": 
"sec.foreign_agents.none", + "category": "security", + "severity": "info", + "title": "No competitor/leftover management agents detected", + "detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.", + "evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service" + }, + { + "id": "sec.foreign_agents.acg.screenconnect_connectwise_control", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running" + }, + { + "id": "sec.foreign_agents.acg.splashtop_sos_streamer_", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Splashtop Streamer 3.8.2.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running" + }, + { + "id": "sec.foreign_agents.acg.syncro_kabuto", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Syncro / Kabuto", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. 
Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running" + }, + { + "id": "sec.firewall.ok", + "category": "security", + "severity": "info", + "title": "All firewall profiles enabled", + "detail": "Domain, Private, and Public firewall profiles are all enabled.", + "evidence": "Private=True; Domain=True; Public=True" + }, + { + "id": "sec.bitlocker.unencrypted", + "category": "security", + "severity": "critical", + "title": "OS volume is NOT encrypted with BitLocker", + "detail": "The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. Enable BitLocker and escrow the recovery key.", + "evidence": "Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=" + }, + { + "id": "sec.local_admins.list", + "category": "security", + "severity": "info", + "title": "Local administrators (3)", + "detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).", + "evidence": "Administrator\nlocaladmin\nRichard" + }, + { + "id": "sec.patch.os_supported", + "category": "security", + "severity": "info", + "title": "OS build supported: Win11 25H2", + "detail": "Build 26200 (Win11 25H2) is in support until 2027-10-12.", + "evidence": "Microsoft Windows 11 Pro build 26200" + }, + { + "id": "sec.patch.pending", + "category": "security", + "severity": "warning", + "title": "2 pending Windows updates", + "detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. 
Approve/install on the next maintenance window.", + "evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 2" + }, + { + "id": "sec.patch.last_hotfix", + "category": "security", + "severity": "info", + "title": "Last hotfix: KB5089573", + "detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).", + "evidence": "KB5089573 installed 2026-05-27T07:00:00Z" + }, + { + "id": "sec.exposure.smb1_off", + "category": "security", + "severity": "info", + "title": "SMBv1 disabled", + "detail": "SMBv1 server protocol is disabled.", + "evidence": "EnableSMB1Protocol=False" + }, + { + "id": "sec.exposure.laps_present", + "category": "security", + "severity": "info", + "title": "LAPS detected", + "detail": "A LAPS mechanism is present.", + "evidence": "Windows LAPS reg key" + }, + { + "id": "health.stability.recurring", + "category": "health", + "severity": "critical", + "title": "Recurring stability events in the last 14 days", + "detail": "Three or more of one event class (unexpected shutdown, BSOD, or disk error) in 14 days indicates a hardware or driver problem. Investigate memory, disk, PSU, and drivers.", + "evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=3" + }, + { + "id": "health.reboot_uptime.pending", + "category": "health", + "severity": "warning", + "title": "Reboot pending", + "detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.", + "evidence": "PendingFileRenameOperations" + }, + { + "id": "health.failed_services.stopped", + "category": "health", + "severity": "warning", + "title": "2 auto-start service(s) not running", + "detail": "These services are set to start automatically but are not running. 
Some may be benign; review for security agents, backup agents, or AV that should be running.", + "evidence": "Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped\nIntelAudioService (Intel(R) Audio Service) = Stopped" + }, + { + "id": "health.domain.secure_channel_broken", + "category": "health", + "severity": "critical", + "title": "Domain secure channel is BROKEN", + "detail": "Test-ComputerSecureChannel returned false. The machine trust relationship with the domain is broken (Group Policy, Kerberos, and domain logon will fail). Repair with Test-ComputerSecureChannel -Repair or rejoin.", + "evidence": "PartOfDomain=True; Test-ComputerSecureChannel=False; Domain=ucryo.local" + }, + { + "id": "health.time.source", + "category": "health", + "severity": "info", + "title": "Time service source", + "detail": "Current Windows Time service source.", + "evidence": "Source=Free-running System Clock" + }, + { + "id": "health.battery.present", + "category": "health", + "severity": "info", + "title": "Battery present", + "detail": "Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.)", + "evidence": "EstimatedChargeRemaining=100%; BatteryStatus=2" + }, + { + "id": "health.backup.none", + "category": "health", + "severity": "info", + "title": "No backup agent detected", + "detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.", + "evidence": "No matching backup service in Win32_Service" + } + ] +} diff --git a/clients/ucryo/onboarding-baselines/DESKTOP-PMML1JC-20260603T004601.md b/clients/ucryo/onboarding-baselines/DESKTOP-PMML1JC-20260603T004601.md new file mode 100644 index 0000000..89fff26 --- /dev/null +++ b/clients/ucryo/onboarding-baselines/DESKTOP-PMML1JC-20260603T004601.md 
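Review bot: Several strings carry a `?` where a non-ASCII character was lost (`Epson ES Series User?s Guide`, `Dassault Syst?mes SolidWorks Corp`, `Splashtop? Remote Service` in the Splashtop finding's evidence), which points to the collector serialising in a non-UTF-8 codepage rather than to the data itself, and any later baseline diffed against this file will show spurious changes once that is fixed. The schema is also inconsistent in ways consumers trip on: `battery.estimated_charge_remaining` and `battery.status` are numeric values written as strings, an empty collection is `null` for `backup_agents` and `foreign_agents` but `[]` for `accounts_password_never_expires` and `bitlocker.key_protectors`, and the `gateway`/`dns` arrays hold a bare `null` element instead of being empty. On the findings side, `health.time.source` is only `info` although `time_source` is `Free-running System Clock` on a host with `domain_joined: true` and a broken secure channel, so a rule that raises the severity for domain members not syncing from the domain hierarchy would be a useful addition. This committed file also holds asset and identity data (hardware serial, Wi-Fi MAC, local account names, SIDs, internal addressing and the AD domain name), so it presumably belongs in a repository whose access is restricted to the MSP team; worth confirming. All of these fixes belong in the collector and report generator, which are not part of this diff.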
@@ -0,0 +1,259 @@ +# Onboarding Diagnostic Baseline - DESKTOP-PMML1JC + +- **Grade:** RED +- **Host:** DESKTOP-PMML1JC +- **Client:** Universal Cryogenics (`ucryo`) +- **Collected (UTC):** 2026-06-03T00:39:57Z +- **Agent ID:** 286cf717-86ac-4985-b0a6-0254fba0dfdb +- **Command ID:** a8871fc1-4667-4d2f-8a12-784747b820cc +- **Findings:** 3 critical / 3 warning / 15 info / 0 unknown + +- **OS:** Microsoft Windows 11 Pro (build 26200) + +--- + +## CRITICAL (3) + +### OS volume is NOT encrypted with BitLocker +- **Category:** security +- **ID:** `sec.bitlocker.unencrypted` +- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. Enable BitLocker and escrow the recovery key. + +``` +Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors= +``` + +### Recurring stability events in the last 14 days +- **Category:** health +- **ID:** `health.stability.recurring` +- Three or more of one event class (unexpected shutdown, BSOD, or disk error) in 14 days indicates a hardware or driver problem. Investigate memory, disk, PSU, and drivers. + +``` +Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=3 +``` + +### Domain secure channel is BROKEN +- **Category:** health +- **ID:** `health.domain.secure_channel_broken` +- Test-ComputerSecureChannel returned false. The machine trust relationship with the domain is broken (Group Policy, Kerberos, and domain logon will fail). Repair with Test-ComputerSecureChannel -Repair or rejoin. + +``` +PartOfDomain=True; Test-ComputerSecureChannel=False; Domain=ucryo.local +``` + + +## WARNING (3) + +### 2 pending Windows updates +- **Category:** security +- **ID:** `sec.patch.pending` +- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window. 
+ +``` +Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 2 +``` + +### Reboot pending +- **Category:** health +- **ID:** `health.reboot_uptime.pending` +- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart. + +``` +PendingFileRenameOperations +``` + +### 2 auto-start service(s) not running +- **Category:** health +- **ID:** `health.failed_services.stopped` +- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running. + +``` +Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped +IntelAudioService (Intel(R) Audio Service) = Stopped +``` + + +## INFO (15) + +### Defender active and current +- **Category:** security +- **ID:** `sec.defender.ok` +- Real-time protection on, service running, signatures current. + +``` +RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True +``` + +### Defender is the only registered AV +- **Category:** security +- **ID:** `sec.av_products.defender_only` +- Only Microsoft/Windows Defender is registered in Security Center. + +``` +Windows Defender +``` + +### No competitor/leftover management agents detected +- **Category:** security +- **ID:** `sec.foreign_agents.none` +- No known competitor RMM or unmanaged remote-access agents found in installed programs or services. + +``` +Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service +``` + +### Expected ACG management tooling present: ScreenConnect / ConnectWise Control +- **Category:** security +- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. 
+ +``` +program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579 +service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running +``` + +### Expected ACG management tooling present: Splashtop (SOS/Streamer) +- **Category:** security +- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Splashtop Streamer 3.8.2.0 +service: SplashtopRemoteService (Splashtop? Remote Service) Running +``` + +### Expected ACG management tooling present: Syncro / Kabuto +- **Category:** security +- **ID:** `sec.foreign_agents.acg.syncro_kabuto` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Syncro 1.0.201.18410 +service: Syncro (Syncro) Running +``` + +### All firewall profiles enabled +- **Category:** security +- **ID:** `sec.firewall.ok` +- Domain, Private, and Public firewall profiles are all enabled. + +``` +Private=True; Domain=True; Public=True +``` + +### Local administrators (3) +- **Category:** security +- **ID:** `sec.local_admins.list` +- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider). + +``` +Administrator +localadmin +Richard +``` + +### OS build supported: Win11 25H2 +- **Category:** security +- **ID:** `sec.patch.os_supported` +- Build 26200 (Win11 25H2) is in support until 2027-10-12. + +``` +Microsoft Windows 11 Pro build 26200 +``` + +### Last hotfix: KB5089573 +- **Category:** security +- **ID:** `sec.patch.last_hotfix` +- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata). 
+ +``` +KB5089573 installed 2026-05-27T07:00:00Z +``` + +### SMBv1 disabled +- **Category:** security +- **ID:** `sec.exposure.smb1_off` +- SMBv1 server protocol is disabled. + +``` +EnableSMB1Protocol=False +``` + +### LAPS detected +- **Category:** security +- **ID:** `sec.exposure.laps_present` +- A LAPS mechanism is present. + +``` +Windows LAPS reg key +``` + +### Time service source +- **Category:** health +- **ID:** `health.time.source` +- Current Windows Time service source. + +``` +Source=Free-running System Clock +``` + +### Battery present +- **Category:** health +- **ID:** `health.battery.present` +- Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.) + +``` +EstimatedChargeRemaining=100%; BatteryStatus=2 +``` + +### No backup agent detected +- **Category:** health +- **ID:** `health.backup.none` +- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it. 
+ +``` +No matching backup service in Win32_Service +``` + + +--- + +## Inventory Baseline Summary + +- **Manufacturer / Model:** LENOVO / 81Y8 +- **Serial:** PF2G2VPV +- **CPU:** Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz (6 cores / 12 logical) +- **RAM (GB):** 31.9 +- **BIOS:** EFCN58WW (2022-11-15) +- **Chassis is laptop:** true +- **TPM present / Secure Boot:** true / true +- **Domain joined:** true (ucryo.local) +- **OS activation licensed:** true +- **Uptime (days):** 6.6 +- **Pending reboot:** true +- **Installed software count:** 73 +- **Scheduled tasks (non-MS, enabled):** 23 +- **Local administrators:** Administrator, localadmin, Richard + +### Fixed volumes + +- [unlabeled] - 0.1 GB free of 0.1 GB (64%) +- D: - 931.3 GB free of 931.5 GB (100%) +- C: - 634.3 GB free of 930.3 GB (68.2%) +- [unlabeled] - 0.1 GB free of 1.1 GB (10%) + +### Network adapters + +- OpenVPN Data Channel Offload - IP: 10.100.0.2, fe80::564:408d:e02a:124a - DNS: 103.86.96.100, 103.86.99.100 - DHCP: false +- Intel(R) Wi-Fi 6 AX201 160MHz - IP: 192.168.0.5, fe80::7eb3:304d:8df9:2e0f - DNS: 192.168.0.1, 205.171.2.25 - DHCP: true +- NordLynx Tunnel - IP: 10.5.0.2, fe80::564:408d:e02a:124a - DNS: - DHCP: false + +--- + +## Diff vs Prior Baseline + +- No prior baseline found for this host. This is the first baseline. + +--- + +_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `DESKTOP-PMML1JC-20260603T004601.json` (immutable)._ diff --git a/clients/ucryo/onboarding-baselines/GROMIT-20260603T004715.json b/clients/ucryo/onboarding-baselines/GROMIT-20260603T004715.json new file mode 100644 index 0000000..4e9f14a --- /dev/null +++ b/clients/ucryo/onboarding-baselines/GROMIT-20260603T004715.json 
@@ -0,0 +1,774 @@ +{ + "host": "GROMIT", + "collected_at_utc": "2026-06-03T00:46:10Z", + "os": { + "caption": "Microsoft Windows 10 Pro", + "version": "10.0.19045", + "build": "19045", + "install_date": "2023-12-28T16:25:22Z", + "last_boot_utc": "2026-05-04T17:29:14Z", + "architecture": "64-bit" + }, + "facts": { + "builtin_admin_enabled": false, + "os_eol": { + "eol_date": "2025-10-14", + "release": "Win10 22H2" + }, + "pending_updates": 9, + "pending_reboot": true, + "uptime_days": 29.3, + "acg_managed_tools": [ + "ScreenConnect / ConnectWise Control", + "Splashtop (SOS/Streamer)", + "Syncro / Kabuto" + ], + "hardware": { + "model": "20FRS1RQ00", + "manufacturer": "LENOVO", + "bios_date": "2017-03-08", + "cpu_logical": 4, + "bios_version": "N1FET50W (1.24 )", + "cpu_cores": 2, + "ram_gb": 15.4, + "serial": "R90KPJJF", + "cpu": "Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz" + }, + "local_administrators": [ + "GROMIT\\Administrator", + "GROMIT\\localadmin", + "GROMIT\\owner", + "UCRYO\\Domain Admins" + ], + "os_build": "19045", + "secure_boot": null, + "backup_agents": null, + "autoruns_run_keys": [ + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "SecurityHealth", + "value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "AdobeAAMUpdater-1.0", + "value": "\"C:\\Program Files (x86)\\Common Files\\Adobe\\OOBE\\PDApp\\UWA\\UpdaterStartupUtility.exe\"" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Logitech Download Assistant", + "value": "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\System32\\LogiLDA.dll,LogiFetch" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "ControlCenter4", + "value": "C:\\Program Files (x86)\\ControlCenter4\\BrCcBoot.exe /autorun" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + 
"name": "BrStsMon00", + "value": "C:\\Program Files (x86)\\Browny02\\Brother\\BrStMonW.exe /AUTORUN" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Acrobat Assistant 8.0", + "value": "\"C:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\Acrotray.exe\"" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "name": "msedge_cleanup_{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}", + "value": "\"C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\148.0.3967.96\\Installer\\setup.exe\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon" + } + ], + "physical_disks": [ + { + "health": "Healthy", + "model": "SanDisk SD7SN6S-128G-1006", + "media_type": "SSD" + } + ], + "local_users": [ + { + "last_logon": "", + "name": "Administrator", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "DefaultAccount", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "Guest", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "localadmin", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2019-12-26", + "name": "owner", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2020-08-12", + "name": "QBDataServiceUser24", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2020-12-21", + "name": "QBDataServiceUser30", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "", + "name": "WDAGUtilityAccount", + "password_never_expires": false, + "enabled": false + } + ], + "scheduled_tasks_count": 24, + "volumes": [ + { + "drive": "[System Reserved]", + "size_gb": 0.6, + "free_pct": 94.4, + "free_gb": 0.5 + }, + { + "drive": "C:", + "size_gb": 118.1, + "free_pct": 25.7, + "free_gb": 30.3 + }, + { + "drive": "[unlabeled]", + "size_gb": 0.6, + 
"free_pct": 13.3, + "free_gb": 0.1 + } + ], + "network_adapters": [ + { + "dhcp": true, + "description": "Intel(R) Dual Band Wireless-AC 8260", + "gateway": [ + "172.29.0.1" + ], + "mac": "44:85:00:BF:40:96", + "ip": [ + "172.29.0.125", + "fe80::9f6b:2b36:fadb:5993" + ], + "dns": [ + "172.29.0.5", + "8.8.8.8" + ] + } + ], + "failed_autostart_services": [ + { + "name": "gpsvc", + "display": "Group Policy Client", + "state": "Stopped" + }, + { + "name": "LPlatSvc", + "display": "Lenovo Platform Service", + "state": "Stopped" + } + ], + "stability_14d": { + "unexpected_shutdowns": 0, + "disk_errors": 0, + "bugchecks": 0 + }, + "exposure": { + "smb1_enabled": false, + "laps_present": true, + "rdp_enabled": true, + "uac_enabled": true, + "rdp_nla": true + }, + "accounts_password_never_expires": [], + "installed_software": [ + { + "publisher": "Adobe Systems Incorporated", + "name": "Adobe Acrobat DC", + "version": "15.009.20077" + }, + { + "publisher": "Adobe Systems Incorporated", + "name": "Adobe Refresh Manager", + "version": "1.8.0" + }, + { + "publisher": "Brother Industries, Ltd.", + "name": "Brother MFL-Pro Suite MFC-9130CW", + "version": "1.0.1.0" + }, + { + "publisher": "Conexant Systems", + "name": "Conexant SmartAudio", + "version": "6.0.277.0" + }, + { + "publisher": "Dolby Laboratories, Inc.", + "name": "Dolby Audio X2 Windows API SDK", + "version": "0.8.8.90" + }, + { + "publisher": "Dolby Laboratories, Inc.", + "name": "Dolby Audio X2 Windows APP", + "version": "0.8.5.74" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge", + "version": "148.0.3967.96" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge WebView2 Runtime", + "version": "148.0.3967.96" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Office Professional Plus 2019 - en-us", + "version": "16.0.19127.20302" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Update Health Tools", + "version": "3.74.0.0" + }, 
+ { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable", + "version": "8.0.61001" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable (x64)", + "version": "8.0.61000" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17", + "version": "9.0.30729" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026", + "version": "14.0.23026.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015 x86 Additional Runtime - 14.0.23026", + "version": "14.0.23026" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015 x86 Minimum Runtime - 14.0.23026", + "version": "14.0.23026" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.40.33810", + "version": "14.40.33810.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 
Additional Runtime - 14.40.33810", + "version": "14.40.33810" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.40.33810", + "version": "14.40.33810" + }, + { + "publisher": "Mozilla", + "name": "Mozilla Firefox (x64 en-US)", + "version": "151.0.2" + }, + { + "publisher": "Mozilla", + "name": "Mozilla Maintenance Service", + "version": "151.0.2" + }, + { + "publisher": "Mozilla", + "name": "Mozilla Thunderbird (x86 en-US)", + "version": "149.0.2" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 16 Click-to-Run Extensibility Component", + "version": "16.0.19127.20154" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 16 Click-to-Run Licensing Component", + "version": "16.0.19029.20136" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 16 Click-to-Run Localization Component", + "version": "16.0.14026.20246" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks", + "version": "30.0.4017.3000" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks Premier: Mfg and Whsle Edition 2020", + "version": "30.0.4006.3000" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks Runtime Redistributable", + "version": "1.00.0000" + }, + { + "publisher": "ScreenConnect Software", + "name": "ScreenConnect Client (1912bf3444b41a08)", + "version": "26.1.24.9579" + }, + { + "publisher": "Splashtop Inc.", + "name": "Splashtop Streamer", + "version": "3.8.2.0" + }, + { + "publisher": "Servably, Inc.", + "name": "Syncro", + "version": "1.0.201.18410" + }, + { + "publisher": "Intuit Inc.", + "name": "TurboTax 2024", + "version": "024.000.0365" + }, + { + "publisher": "Microsoft Corporation", + "name": "Update for Windows 10 for x64-based Systems (KB5001716)", + "version": "8.94.0.0" + }, + { + "publisher": "Wacom Technology Corp.", + "name": "Wacom Pen", + "version": "7.3.4-33" + } + ], + "tpm": { + "enabled": true, + "ready": true, + "present": true + }, + 
"local_groups": [ + "Access Control Assistance Operators", + "Administrators", + "Backup Operators", + "Cryptographic Operators", + "Device Owners", + "Distributed COM Users", + "Event Log Readers", + "Guests", + "Hyper-V Administrators", + "IIS_IUSRS", + "Network Configuration Operators", + "Performance Log Users", + "Performance Monitor Users", + "Power Users", + "Remote Desktop Users", + "Remote Management Users", + "Replicator", + "System Managed Accounts Group", + "Users" + ], + "battery": { + "present": false + }, + "third_party_av_active": false, + "activation": { + "edition": "Microsoft Windows 10 Pro", + "description": "Windows(R) Operating System, OEM_DM channel", + "licensed": true, + "license_status_code": 1 + }, + "time_source": "UC2-SERVER.ucryo.local", + "chassis_types": [ + 31 + ], + "last_hotfix": { + "hotfix_id": "KB5037768", + "installed_on": "2024-05-18T07:00:00Z" + }, + "scheduled_tasks": [ + { + "path": "\\", + "name": "Adobe Acrobat Update Task", + "state": "Ready" + }, + { + "path": "\\", + "name": "G2MUpdateTask-S-1-5-21-1051390473-2587535097-844096240-2629", + "state": "Ready" + }, + { + "path": "\\", + "name": "G2MUploadTask-S-1-5-21-1051390473-2587535097-844096240-2629", + "state": "Ready" + }, + { + "path": "\\", + "name": "Lenovo Power Management Driver PnP Task", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineCore", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineUA", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskUserS-1-5-21-1051390473-2587535097-844096240-2629Core{09E81947-80DA-47E1-B3D7-965B834A0334}", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskUserS-1-5-21-1051390473-2587535097-844096240-2629UA{DE8AD6FA-99F4-4B46-83FF-AB79F9777AA7}", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-1051390473-2587535097-844096240-1117", + "state": "Ready" + }, + { + 
"path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-1051390473-2587535097-844096240-2629", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-1116", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-1117", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-2615", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-2629", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-2634", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-2649", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-2651", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-3327184043-4248725150-2357155321-1001", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Startup Task-S-1-5-21-1051390473-2587535097-844096240-2629", + "state": "Ready" + }, + { + "path": "\\Lenovo\\Power Manager\\", + "name": "Background monitor", + "state": "Running" + }, + { + "path": "\\Lenovo\\Power Manager\\", + "name": "Uninstall task", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Background Update 308046B0AF4A39CB", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Background Update S-1-5-21-1051390473-2587535097-844096240-2629 308046B0AF4A39CB", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Default Browser Agent 308046B0AF4A39CB", + "state": "Ready" + } + ], + "antivirus_products": [ + "Windows Defender" + ], + "domain_joined": true, + "defender": { + 
"antispyware_signature_age": 0, + "tamper_protected": true, + "real_time_protection": true, + "nis_enabled": true, + "available": true, + "antivirus_enabled": true, + "am_service_enabled": true + }, + "bitlocker": { + "os_volume": "C:", + "key_protectors": [], + "recovery_key_present": false, + "available": true, + "encryption_percent": 0, + "protection_status": "Off" + }, + "is_laptop": false, + "installed_software_count": 40, + "secure_channel_ok": true, + "firewall_profiles": { + "Private": true, + "Domain": true, + "Public": true + }, + "domain": "ucryo.local", + "foreign_agents": null + }, + "findings": [ + { + "id": "sec.defender.ok", + "category": "security", + "severity": "info", + "title": "Defender active and current", + "detail": "Real-time protection on, service running, signatures current.", + "evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True" + }, + { + "id": "sec.av_products.defender_only", + "category": "security", + "severity": "info", + "title": "Defender is the only registered AV", + "detail": "Only Microsoft/Windows Defender is registered in Security Center.", + "evidence": "Windows Defender" + }, + { + "id": "sec.foreign_agents.none", + "category": "security", + "severity": "info", + "title": "No competitor/leftover management agents detected", + "detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.", + "evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service" + }, + { + "id": "sec.foreign_agents.acg.screenconnect_connectwise_control", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. 
Its presence is expected and not a foreign-agent risk.", + "evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running" + }, + { + "id": "sec.foreign_agents.acg.splashtop_sos_streamer_", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Splashtop Streamer 3.8.2.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running" + }, + { + "id": "sec.foreign_agents.acg.syncro_kabuto", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Syncro / Kabuto", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running" + }, + { + "id": "sec.firewall.ok", + "category": "security", + "severity": "info", + "title": "All firewall profiles enabled", + "detail": "Domain, Private, and Public firewall profiles are all enabled.", + "evidence": "Private=True; Domain=True; Public=True" + }, + { + "id": "sec.bitlocker.unencrypted", + "category": "security", + "severity": "warning", + "title": "OS volume is NOT encrypted with BitLocker", + "detail": "The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.", + "evidence": "Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=" + }, + { + "id": "sec.local_admins.list", + "category": "security", + "severity": "info", + "title": "Local administrators (4)", + "detail": "Members of the local Administrators group. 
Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).", + "evidence": "GROMIT\\Administrator\nGROMIT\\localadmin\nGROMIT\\owner\nUCRYO\\Domain Admins" + }, + { + "id": "sec.patch.os_eol", + "category": "security", + "severity": "critical", + "title": "OS build is end-of-life: Win10 22H2", + "detail": "This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.", + "evidence": "Microsoft Windows 10 Pro build 19045; EOL 2025-10-14" + }, + { + "id": "sec.patch.pending", + "category": "security", + "severity": "warning", + "title": "9 pending Windows updates", + "detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.", + "evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 9" + }, + { + "id": "sec.patch.last_hotfix", + "category": "security", + "severity": "info", + "title": "Last hotfix: KB5037768", + "detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).", + "evidence": "KB5037768 installed 2024-05-18T07:00:00Z" + }, + { + "id": "sec.exposure.rdp_on", + "category": "security", + "severity": "warning", + "title": "RDP is enabled", + "detail": "Remote Desktop is enabled (NLA required). 
Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.", + "evidence": "fDenyTSConnections=0; UserAuthentication=1" + }, + { + "id": "sec.exposure.smb1_off", + "category": "security", + "severity": "info", + "title": "SMBv1 disabled", + "detail": "SMBv1 server protocol is disabled.", + "evidence": "EnableSMB1Protocol=False" + }, + { + "id": "sec.exposure.laps_present", + "category": "security", + "severity": "info", + "title": "LAPS detected", + "detail": "A LAPS mechanism is present.", + "evidence": "Windows LAPS reg key" + }, + { + "id": "health.stability.clean", + "category": "health", + "severity": "info", + "title": "No stability events in the last 14 days", + "detail": "No unexpected shutdowns, BSODs, or disk errors logged.", + "evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0" + }, + { + "id": "health.reboot_uptime.pending", + "category": "health", + "severity": "warning", + "title": "Reboot pending", + "detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.", + "evidence": "PendingFileRenameOperations" + }, + { + "id": "health.failed_services.stopped", + "category": "health", + "severity": "warning", + "title": "2 auto-start service(s) not running", + "detail": "These services are set to start automatically but are not running. 
Some may be benign; review for security agents, backup agents, or AV that should be running.", + "evidence": "gpsvc (Group Policy Client) = Stopped\nLPlatSvc (Lenovo Platform Service) = Stopped" + }, + { + "id": "health.domain.secure_channel_ok", + "category": "health", + "severity": "info", + "title": "Domain secure channel healthy", + "detail": "Machine trust relationship with the domain is intact.", + "evidence": "Domain=ucryo.local" + }, + { + "id": "health.time.source", + "category": "health", + "severity": "info", + "title": "Time service source", + "detail": "Current Windows Time service source.", + "evidence": "Source=UC2-SERVER.ucryo.local" + }, + { + "id": "health.backup.none", + "category": "health", + "severity": "info", + "title": "No backup agent detected", + "detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.", + "evidence": "No matching backup service in Win32_Service" + } + ] +} diff --git a/clients/ucryo/onboarding-baselines/GROMIT-20260603T004715.md b/clients/ucryo/onboarding-baselines/GROMIT-20260603T004715.md new file mode 100644 index 0000000..3633d63 --- /dev/null +++ b/clients/ucryo/onboarding-baselines/GROMIT-20260603T004715.md 
@@ -0,0 +1,257 @@ +# Onboarding Diagnostic Baseline - GROMIT + +- **Grade:** RED +- **Host:** GROMIT +- **Client:** Universal Cryogenics (`ucryo`) +- **Collected (UTC):** 2026-06-03T00:46:10Z +- **Agent ID:** 20da3f2f-6bef-4d8c-b6fa-141d47a01d52 +- **Command ID:** 77775791-1c4b-4921-8c69-2c83afac1620 +- **Findings:** 1 critical / 5 warning / 15 info / 0 unknown + +- **OS:** Microsoft Windows 10 Pro (build 19045) + +--- + +## CRITICAL (1) + +### OS build is end-of-life: Win10 22H2 +- **Category:** security +- **ID:** `sec.patch.os_eol` +- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade. + +``` +Microsoft Windows 10 Pro build 19045; EOL 2025-10-14 +``` + + +## WARNING (5) + +### OS volume is NOT encrypted with BitLocker +- **Category:** security +- **ID:** `sec.bitlocker.unencrypted` +- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key. + +``` +Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors= +``` + +### 9 pending Windows updates +- **Category:** security +- **ID:** `sec.patch.pending` +- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window. + +``` +Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 9 +``` + +### RDP is enabled +- **Category:** security +- **ID:** `sec.exposure.rdp_on` +- Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet. + +``` +fDenyTSConnections=0; UserAuthentication=1 +``` + +### Reboot pending +- **Category:** health +- **ID:** `health.reboot_uptime.pending` +- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart. 
+ +``` +PendingFileRenameOperations +``` + +### 2 auto-start service(s) not running +- **Category:** health +- **ID:** `health.failed_services.stopped` +- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running. + +``` +gpsvc (Group Policy Client) = Stopped +LPlatSvc (Lenovo Platform Service) = Stopped +``` + + +## INFO (15) + +### Defender active and current +- **Category:** security +- **ID:** `sec.defender.ok` +- Real-time protection on, service running, signatures current. + +``` +RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True +``` + +### Defender is the only registered AV +- **Category:** security +- **ID:** `sec.av_products.defender_only` +- Only Microsoft/Windows Defender is registered in Security Center. + +``` +Windows Defender +``` + +### No competitor/leftover management agents detected +- **Category:** security +- **ID:** `sec.foreign_agents.none` +- No known competitor RMM or unmanaged remote-access agents found in installed programs or services. + +``` +Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service +``` + +### Expected ACG management tooling present: ScreenConnect / ConnectWise Control +- **Category:** security +- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579 +service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running +``` + +### Expected ACG management tooling present: Splashtop (SOS/Streamer) +- **Category:** security +- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. 
+ +``` +program: Splashtop Streamer 3.8.2.0 +service: SplashtopRemoteService (Splashtop? Remote Service) Running +``` + +### Expected ACG management tooling present: Syncro / Kabuto +- **Category:** security +- **ID:** `sec.foreign_agents.acg.syncro_kabuto` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Syncro 1.0.201.18410 +service: Syncro (Syncro) Running +``` + +### All firewall profiles enabled +- **Category:** security +- **ID:** `sec.firewall.ok` +- Domain, Private, and Public firewall profiles are all enabled. + +``` +Private=True; Domain=True; Public=True +``` + +### Local administrators (4) +- **Category:** security +- **ID:** `sec.local_admins.list` +- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider). + +``` +GROMIT\Administrator +GROMIT\localadmin +GROMIT\owner +UCRYO\Domain Admins +``` + +### Last hotfix: KB5037768 +- **Category:** security +- **ID:** `sec.patch.last_hotfix` +- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata). + +``` +KB5037768 installed 2024-05-18T07:00:00Z +``` + +### SMBv1 disabled +- **Category:** security +- **ID:** `sec.exposure.smb1_off` +- SMBv1 server protocol is disabled. + +``` +EnableSMB1Protocol=False +``` + +### LAPS detected +- **Category:** security +- **ID:** `sec.exposure.laps_present` +- A LAPS mechanism is present. + +``` +Windows LAPS reg key +``` + +### No stability events in the last 14 days +- **Category:** health +- **ID:** `health.stability.clean` +- No unexpected shutdowns, BSODs, or disk errors logged. 
+ +``` +Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0 +``` + +### Domain secure channel healthy +- **Category:** health +- **ID:** `health.domain.secure_channel_ok` +- Machine trust relationship with the domain is intact. + +``` +Domain=ucryo.local +``` + +### Time service source +- **Category:** health +- **ID:** `health.time.source` +- Current Windows Time service source. + +``` +Source=UC2-SERVER.ucryo.local +``` + +### No backup agent detected +- **Category:** health +- **ID:** `health.backup.none` +- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it. + +``` +No matching backup service in Win32_Service +``` + + +--- + +## Inventory Baseline Summary + +- **Manufacturer / Model:** LENOVO / 20FRS1RQ00 +- **Serial:** R90KPJJF +- **CPU:** Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz (2 cores / 4 logical) +- **RAM (GB):** 15.4 +- **BIOS:** N1FET50W (1.24 ) (2017-03-08) +- **Chassis is laptop:** false +- **TPM present / Secure Boot:** true / ? +- **Domain joined:** true (ucryo.local) +- **OS activation licensed:** true +- **Uptime (days):** 29.3 +- **Pending reboot:** true +- **Installed software count:** 40 +- **Scheduled tasks (non-MS, enabled):** 24 +- **Local administrators:** GROMIT\Administrator, GROMIT\localadmin, GROMIT\owner, UCRYO\Domain Admins + +### Fixed volumes + +- [System Reserved] - 0.5 GB free of 0.6 GB (94.4%) +- C: - 30.3 GB free of 118.1 GB (25.7%) +- [unlabeled] - 0.1 GB free of 0.6 GB (13.3%) + +### Network adapters + +- Intel(R) Dual Band Wireless-AC 8260 - IP: 172.29.0.125, fe80::9f6b:2b36:fadb:5993 - DNS: 172.29.0.5, 8.8.8.8 - DHCP: true + +--- + +## Diff vs Prior Baseline + +- No prior baseline found for this host. This is the first baseline. + +--- + +_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). 
Raw snapshot: `GROMIT-20260603T004715.json` (immutable)._ diff --git a/clients/ucryo/onboarding-baselines/HOBBES-20260603T004835.json b/clients/ucryo/onboarding-baselines/HOBBES-20260603T004835.json new file mode 100644 index 0000000..0b3aef2 --- /dev/null +++ b/clients/ucryo/onboarding-baselines/HOBBES-20260603T004835.json 
@@ -0,0 +1,1157 @@ +{ + "host": "HOBBES", + "collected_at_utc": "2026-06-03T00:47:28Z", + "os": { + "caption": "Microsoft Windows 10 Pro", + "version": "10.0.19045", + "build": "19045", + "install_date": "2020-12-15T18:35:44Z", + "last_boot_utc": "2026-06-02T19:51:47Z", + "architecture": "64-bit" + }, + "facts": { + "builtin_admin_enabled": false, + "os_eol": { + "eol_date": "2025-10-14", + "release": "Win10 22H2" + }, + "pending_updates": 1, + "pending_reboot": true, + "uptime_days": 0.2, + "acg_managed_tools": [ + "ScreenConnect / ConnectWise Control", + "Splashtop (SOS/Streamer)", + "Syncro / Kabuto" + ], + "hardware": { + "model": "Precision M4800", + "manufacturer": "Dell Inc.", + "bios_date": "2015-12-01", + "cpu_logical": 8, + "bios_version": "A16", + "cpu_cores": 4, + "ram_gb": 15.9, + "serial": "CTWRT32", + "cpu": "Intel(R) Core(TM) i7-4910MQ CPU @ 2.90GHz" + }, + "local_administrators": [ + "HOBBES\\Administrator", + "HOBBES\\localadmin", + "HOBBES\\paul", + "UCRYO\\Domain Admins" + ], + "os_build": "19045", + "secure_boot": true, + "backup_agents": null, + "autoruns_run_keys": [ + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "SecurityHealth", + "value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "RtHDVCpl", + "value": "\"C:\\Program Files\\Realtek\\Audio\\HDA\\RtkNGUI64.exe\" /s" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "RtHDVBg", + "value": "\"C:\\Program Files\\Realtek\\Audio\\HDA\\RAVBg64.exe\" /MAXX5REC" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Apoint", + "value": "\"C:\\Program Files\\DellTPad\\Apoint.exe\"" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "WavesSvc", + "value": "\"C:\\Program Files\\Waves\\MaxxAudio\\WavesSvc64.exe\"" + }, + { + "key": 
"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Autodesk Access", + "value": "\"C:\\Program Files\\Autodesk\\AdODIS\\V1\\Access\\AdskAccessCore.exe\" --minimizedUi --autoLaunch" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Autodesk Access Service", + "value": "\"C:\\Program Files\\Autodesk\\AdODIS\\V1\\Setup\\AdskAccessService.exe\" --autoLaunch" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "ControlCenter4", + "value": "C:\\Program Files (x86)\\ControlCenter4\\BrCcBoot.exe /autorun" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "BrStsMon00", + "value": "C:\\Program Files (x86)\\Browny02\\Brother\\BrStMonW.exe /AUTORUN" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Autodesk Genuine Service ", + "value": "C:\\Program Files\\Autodesk\\Genuine Service\\GenuineService.exe" + } + ], + "physical_disks": [ + { + "health": "Healthy", + "model": "SAMSUNG SSD 830 Series", + "media_type": "SSD" + }, + { + "health": "Healthy", + "model": "HGST HTS721010A9E630", + "media_type": "HDD" + } + ], + "local_users": [ + { + "last_logon": "", + "name": "Administrator", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "DefaultAccount", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "Guest", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "localadmin", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-05-21", + "name": "paul", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2020-08-18", + "name": "QBDataServiceUser30", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "", + "name": "WDAGUtilityAccount", + "password_never_expires": 
false, + "enabled": false + } + ], + "scheduled_tasks_count": 19, + "volumes": [ + { + "drive": "[unlabeled]", + "size_gb": 0.5, + "free_pct": 15.4, + "free_gb": 0.1 + }, + { + "drive": "C:", + "size_gb": 931, + "free_pct": 80.4, + "free_gb": 748.2 + }, + { + "drive": "[unlabeled]", + "size_gb": 0.1, + "free_pct": 72, + "free_gb": 0.1 + }, + { + "drive": "[Recovery]", + "size_gb": 0.5, + "free_pct": 97.4, + "free_gb": 0.5 + } + ], + "network_adapters": [ + { + "dhcp": true, + "description": "Intel(R) Ethernet Connection I217-LM", + "gateway": [ + "172.29.0.1" + ], + "mac": "20:47:47:A8:6F:AB", + "ip": [ + "172.29.0.137", + "fe80::529a:39b9:465d:500b" + ], + "dns": [ + "172.29.0.5", + "8.8.8.8" + ] + } + ], + "failed_autostart_services": { + "name": "gpsvc", + "display": "Group Policy Client", + "state": "Stopped" + }, + "stability_14d": { + "unexpected_shutdowns": 1, + "disk_errors": 1, + "bugchecks": 0 + }, + "exposure": { + "smb1_enabled": false, + "laps_present": true, + "rdp_enabled": true, + "uac_enabled": true, + "rdp_nla": true + }, + "accounts_password_never_expires": [], + "installed_software": [ + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "3DEXPERIENCE Exchange for SOLIDWORKS", + "version": "32.31.0002" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "3DEXPERIENCE Marketplace for SOLIDWORKS", + "version": "6.32.3047" + }, + { + "publisher": "Autodesk, Inc.", + "name": "Autodesk Access", + "version": "2.21.0.559" + }, + { + "publisher": "Autodesk Inc.", + "name": "Autodesk CER", + "version": "7.2.2.923" + }, + { + "publisher": "Autodesk", + "name": "Autodesk Genuine Service", + "version": "7.6.0.229" + }, + { + "publisher": "Autodesk", + "name": "Autodesk HSMWorks 2024", + "version": "18.0.0.44173" + }, + { + "publisher": "Autodesk, Inc.", + "name": "Autodesk HSMWorks Ultimate 2024", + "version": "18.0.0.44173" + }, + { + "publisher": "Autodesk", + "name": "Autodesk Identity Manager", + "version": "1.11.9.11" + 
}, + { + "publisher": "Apple Inc.", + "name": "Bonjour", + "version": "3.0.0.10" + }, + { + "publisher": "Brother Industries, Ltd.", + "name": "Brother MFL-Pro Suite MFC-9130CW", + "version": "1.0.1.0" + }, + { + "publisher": "Cablescan", + "name": "Cablescan TestRite", + "version": "6.6.124.0" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "CEF for SOLIDWORKS Applications", + "version": "123.0.32733.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Copilot", + "version": "148.0.3967.70" + }, + { + "publisher": "ALPSALPINE CO., LTD.", + "name": "Dell Touchpad", + "version": "10.3201.101.215" + }, + { + "publisher": "Intel Corporation", + "name": "Intel(R) Processor Graphics", + "version": "20.19.15.5063" + }, + { + "publisher": "The Document Foundation", + "name": "LibreOffice 26.2.3.2", + "version": "26.2.3.2" + }, + { + "publisher": "Waves Audio Ltd.", + "name": "Maxx Audio Installer (x64)", + "version": "2.6.6766.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge", + "version": "148.0.3967.96" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge WebView2 Runtime", + "version": "148.0.3967.96" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Update Health Tools", + "version": "3.74.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Basic for Applications 7.1 (x64)", + "version": "7.1.11.28" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Basic for Applications 7.1 (x64) English", + "version": "7.1.11.28" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable", + "version": "8.0.61001" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable (x64)", + "version": "8.0.61000" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161", + "version": 
"9.0.30729.6161" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17", + "version": "9.0.30729" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161", + "version": "9.0.30729.6161" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030", + "version": "11.0.61030.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030", + "version": "11.0.61030.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft 
Corporation", + "name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33130", + "version": "14.38.33130.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.42.34438", + "version": "14.42.34438.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.38.33130", + "version": "14.38.33130" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.38.33130", + "version": "14.38.33130" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.42.34438", + "version": "14.42.34438" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.42.34438", + "version": "14.42.34438" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 Finalizer", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 x64 Hosting Support", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 x86 Hosting Support", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": 
"Microsoft Visual Studio Tools for Applications 2019", + "version": "16.0.31110" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2019 x64 Hosting Support", + "version": "16.0.31110" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2019 x86 Hosting Support", + "version": "16.0.31110" + }, + { + "publisher": "Mozilla", + "name": "Mozilla Firefox (x64 en-US)", + "version": "151.0.2" + }, + { + "publisher": "Mozilla", + "name": "Mozilla Maintenance Service", + "version": "151.0.2" + }, + { + "publisher": "Mozilla", + "name": "Mozilla Thunderbird (x86 en-US)", + "version": "144.0.1" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA 3D Vision Driver 411.63", + "version": "411.63" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Ansel", + "version": "6.0.478.0" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Control Panel 411.63", + "version": "411.63" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display Container", + "version": "1.11" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display Container LS", + "version": "1.11" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display Session Container", + "version": "1.11" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display Watchdog Plugin", + "version": "1.11" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Graphics Driver 411.63", + "version": "411.63" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA HD Audio Driver 1.3.37.5", + "version": "1.3.37.5" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Install Application", + "version": "2.1002.306.3" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA nView 149.34", + "version": "149.34" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Stereoscopic 3D Driver", + "version": 
"7.17.13.7500" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA WMI 2.33.0", + "version": "2.33.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.9.0 Core Interpreter (64-bit)", + "version": "3.9.150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.9.0 Development Libraries (64-bit)", + "version": "3.9.150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.9.0 Documentation (64-bit)", + "version": "3.9.150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.9.0 Executables (64-bit)", + "version": "3.9.150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.9.0 pip Bootstrap (64-bit)", + "version": "3.9.150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.9.0 Standard Library (64-bit)", + "version": "3.9.150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.9.0 Tcl/Tk Support (64-bit)", + "version": "3.9.150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.9.0 Test Suite (64-bit)", + "version": "3.9.150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.9.0 Utility Scripts (64-bit)", + "version": "3.9.150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python Launcher", + "version": "3.9.7217.0" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks", + "version": "30.0.4015.3000" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks Premier: Mfg and Whsle Edition 2020", + "version": "30.0.4006.3000" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks Runtime Redistributable", + "version": "1.00.0000" + }, + { + "publisher": "Realtek Semiconductor Corp.", + "name": "Realtek Audio COM Components", + "version": "1.0.2" + }, + { + "publisher": "Realtek Semiconductor Corp.", + "name": "Realtek High Definition Audio Driver", + "version": "6.0.1.6098" + }, + { + "publisher": 
"ScreenConnect Software", + "name": "ScreenConnect Client (1912bf3444b41a08)", + "version": "26.1.24.9579" + }, + { + "publisher": "Schneider Electric Motion USA", + "name": "SEM SPI Interface", + "version": "1.0.19" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS 2018 SP05", + "version": "26.150.0066" + }, + { + "publisher": "SolidWorks Corporation", + "name": "SOLIDWORKS 2018 SP05", + "version": "26.5.0.66" + }, + { + "publisher": "SolidWorks Corporation", + "name": "SOLIDWORKS 2020 SP0.1", + "version": "28.0.1.1" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS 2020 SP0.1", + "version": "28.101.0001" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS 2024 SP03.1", + "version": "32.131.0002" + }, + { + "publisher": "SolidWorks Corporation", + "name": "SOLIDWORKS 2024 SP03.1", + "version": "32.3.1.2" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS CAM 2018 SP05", + "version": "26.50.0066" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS CAM 2020 SP0.1", + "version": "28.01.0001" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS CAM 2024 SP03.1", + "version": "32.31.0002" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Composer Player 2018 SP05", + "version": "26.50.0066" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Composer Player 2020 SP0.1", + "version": "28.01.0001" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Composer Player 2024 SP03.1", + "version": "32.31.0002" + }, + { + "publisher": "Dassault Syst?mes SolidWorks Corp", + "name": "SOLIDWORKS eDrawings 2018 SP05", + "version": "18.50.0014" + }, + { + "publisher": "Dassault Syst?mes SolidWorks Corp", + "name": "SOLIDWORKS eDrawings 2020 SP0.1", + "version": "28.00.5031" + }, + { + "publisher": 
"Dassault Syst?mes SolidWorks Corp", + "name": "SOLIDWORKS eDrawings 2024 SP03.1", + "version": "32.30.0020" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Explorer 2018 SP05", + "version": "26.50.0066" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS File Utilities 2020 SP0.1", + "version": "28.01.0001" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS File Utilities 2024 SP03.1", + "version": "32.31.0002" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS SolidNetWork License Manager", + "version": "34.11.0011" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Visualize 2018 SP05", + "version": "26.50.0066" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Visualize 2020 SP0.1", + "version": "28.01.0001" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Visualize 2024 SP03.1", + "version": "32.31.0002" + }, + { + "publisher": "Splashtop Inc.", + "name": "Splashtop Software Updater", + "version": "1.5.6.23" + }, + { + "publisher": "Splashtop Inc.", + "name": "Splashtop Streamer", + "version": "3.8.2.0" + }, + { + "publisher": "Servably, Inc.", + "name": "Syncro", + "version": "1.0.201.18410" + }, + { + "publisher": "Microsoft Corporation", + "name": "Update for x64-based Windows Systems (KB5001716)", + "version": "8.94.0.0" + }, + { + "publisher": "ipcas GmbH", + "name": "USB Floppy Emulator V2", + "version": "1.40" + }, + { + "publisher": "Silicon Laboratories Inc.", + "name": "Windows Driver Package - Silicon Laboratories Inc. 
(silabser) Ports (05/23/2018 6.7.6.2130)", + "version": "05/23/2018 6.7.6.2130" + }, + { + "publisher": "WireGuard LLC", + "name": "WireGuard", + "version": "0.5.3" + }, + { + "publisher": "Microsoft", + "name": "WPTx64", + "version": "8.100.26866" + } + ], + "tpm": { + "enabled": false, + "ready": false, + "present": false + }, + "local_groups": [ + "Access Control Assistance Operators", + "Administrators", + "Backup Operators", + "Cryptographic Operators", + "Device Owners", + "Distributed COM Users", + "Event Log Readers", + "Guests", + "Hyper-V Administrators", + "IIS_IUSRS", + "Network Configuration Operators", + "Performance Log Users", + "Performance Monitor Users", + "Power Users", + "Remote Desktop Users", + "Remote Management Users", + "Replicator", + "System Managed Accounts Group", + "Users" + ], + "battery": { + "estimated_charge_remaining": "224", + "status": "2", + "present": true + }, + "third_party_av_active": false, + "activation": { + "edition": "Microsoft Windows 10 Pro", + "description": "Windows(R) Operating System, RETAIL channel", + "licensed": true, + "license_status_code": 1 + }, + "time_source": "UC2-SERVER.ucryo.local", + "chassis_types": [ + 9 + ], + "last_hotfix": { + "hotfix_id": "KB5072653", + "installed_on": "2025-11-18T07:00:00Z" + }, + "scheduled_tasks": [ + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineCore", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineUA", + "state": "Ready" + }, + { + "path": "\\", + "name": "nWizard_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-1051390473-2587535097-844096240-1117", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-1051390473-2587535097-844096240-2650", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-3829738941-2076101303-266003226-1001", + "state": "Ready" + }, + { + "path": "\\", 
+ "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-1117", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-2629", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-2644", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-2646", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-2650", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-3829738941-2076101303-266003226-1001", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Startup Task-S-1-5-21-1051390473-2587535097-844096240-2650", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Startup Task-S-1-5-21-3829738941-2076101303-266003226-1001", + "state": "Ready" + }, + { + "path": "\\", + "name": "RtHDVBg_PushButton", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Background Update 308046B0AF4A39CB", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Background Update S-1-5-21-1051390473-2587535097-844096240-2650 308046B0AF4A39CB", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Background Update S-1-5-21-3829738941-2076101303-266003226-1001 308046B0AF4A39CB", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Default Browser Agent 308046B0AF4A39CB", + "state": "Ready" + } + ], + "antivirus_products": [ + "Windows Defender" + ], + "domain_joined": true, + "defender": { + "antispyware_signature_age": 0, + "tamper_protected": true, + "real_time_protection": true, + "nis_enabled": true, + "available": true, + "antivirus_enabled": true, + "am_service_enabled": true + }, + "bitlocker": { + "os_volume": "C:", + 
"key_protectors": [], + "recovery_key_present": false, + "available": true, + "encryption_percent": 0, + "protection_status": "Off" + }, + "is_laptop": true, + "installed_software_count": 117, + "secure_channel_ok": true, + "firewall_profiles": { + "Private": true, + "Domain": true, + "Public": true + }, + "domain": "ucryo.local", + "foreign_agents": null + }, + "findings": [ + { + "id": "sec.defender.ok", + "category": "security", + "severity": "info", + "title": "Defender active and current", + "detail": "Real-time protection on, service running, signatures current.", + "evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True" + }, + { + "id": "sec.av_products.defender_only", + "category": "security", + "severity": "info", + "title": "Defender is the only registered AV", + "detail": "Only Microsoft/Windows Defender is registered in Security Center.", + "evidence": "Windows Defender" + }, + { + "id": "sec.foreign_agents.none", + "category": "security", + "severity": "info", + "title": "No competitor/leftover management agents detected", + "detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.", + "evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service" + }, + { + "id": "sec.foreign_agents.acg.screenconnect_connectwise_control", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. 
Its presence is expected and not a foreign-agent risk.", + "evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running" + }, + { + "id": "sec.foreign_agents.acg.splashtop_sos_streamer_", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Splashtop Software Updater 1.5.6.23\nprogram: Splashtop Streamer 3.8.2.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running\nservice: SSUService (Splashtop Software Updater Service) Running" + }, + { + "id": "sec.foreign_agents.acg.syncro_kabuto", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Syncro / Kabuto", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running" + }, + { + "id": "sec.firewall.ok", + "category": "security", + "severity": "info", + "title": "All firewall profiles enabled", + "detail": "Domain, Private, and Public firewall profiles are all enabled.", + "evidence": "Private=True; Domain=True; Public=True" + }, + { + "id": "sec.bitlocker.unencrypted", + "category": "security", + "severity": "critical", + "title": "OS volume is NOT encrypted with BitLocker", + "detail": "The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. 
Enable BitLocker and escrow the recovery key.", + "evidence": "Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=" + }, + { + "id": "sec.local_admins.list", + "category": "security", + "severity": "info", + "title": "Local administrators (4)", + "detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).", + "evidence": "HOBBES\\Administrator\nHOBBES\\localadmin\nHOBBES\\paul\nUCRYO\\Domain Admins" + }, + { + "id": "sec.patch.os_eol", + "category": "security", + "severity": "critical", + "title": "OS build is end-of-life: Win10 22H2", + "detail": "This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.", + "evidence": "Microsoft Windows 10 Pro build 19045; EOL 2025-10-14" + }, + { + "id": "sec.patch.pending", + "category": "security", + "severity": "warning", + "title": "1 pending Windows updates", + "detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.", + "evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1" + }, + { + "id": "sec.patch.last_hotfix", + "category": "security", + "severity": "info", + "title": "Last hotfix: KB5072653", + "detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).", + "evidence": "KB5072653 installed 2025-11-18T07:00:00Z" + }, + { + "id": "sec.exposure.rdp_on", + "category": "security", + "severity": "warning", + "title": "RDP is enabled", + "detail": "Remote Desktop is enabled (NLA required). 
Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.", + "evidence": "fDenyTSConnections=0; UserAuthentication=1" + }, + { + "id": "sec.exposure.smb1_off", + "category": "security", + "severity": "info", + "title": "SMBv1 disabled", + "detail": "SMBv1 server protocol is disabled.", + "evidence": "EnableSMB1Protocol=False" + }, + { + "id": "sec.exposure.laps_present", + "category": "security", + "severity": "info", + "title": "LAPS detected", + "detail": "A LAPS mechanism is present.", + "evidence": "Windows LAPS reg key" + }, + { + "id": "health.stability.some", + "category": "health", + "severity": "warning", + "title": "Stability events present in the last 14 days", + "detail": "One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.", + "evidence": "Unexpected shutdowns (id 41)=1; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=1" + }, + { + "id": "health.reboot_uptime.pending", + "category": "health", + "severity": "warning", + "title": "Reboot pending", + "detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.", + "evidence": "PendingFileRenameOperations" + }, + { + "id": "health.failed_services.stopped", + "category": "health", + "severity": "warning", + "title": "1 auto-start service(s) not running", + "detail": "These services are set to start automatically but are not running. 
Some may be benign; review for security agents, backup agents, or AV that should be running.", + "evidence": "gpsvc (Group Policy Client) = Stopped" + }, + { + "id": "health.domain.secure_channel_ok", + "category": "health", + "severity": "info", + "title": "Domain secure channel healthy", + "detail": "Machine trust relationship with the domain is intact.", + "evidence": "Domain=ucryo.local" + }, + { + "id": "health.time.source", + "category": "health", + "severity": "info", + "title": "Time service source", + "detail": "Current Windows Time service source.", + "evidence": "Source=UC2-SERVER.ucryo.local" + }, + { + "id": "health.battery.present", + "category": "health", + "severity": "info", + "title": "Battery present", + "detail": "Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.)", + "evidence": "EstimatedChargeRemaining=224%; BatteryStatus=2" + }, + { + "id": "health.backup.none", + "category": "health", + "severity": "info", + "title": "No backup agent detected", + "detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.", + "evidence": "No matching backup service in Win32_Service" + } + ] +} diff --git a/clients/ucryo/onboarding-baselines/HOBBES-20260603T004835.md b/clients/ucryo/onboarding-baselines/HOBBES-20260603T004835.md new file mode 100644 index 0000000..31556f4 --- /dev/null +++ b/clients/ucryo/onboarding-baselines/HOBBES-20260603T004835.md 
@@ -0,0 +1,268 @@ +# Onboarding Diagnostic Baseline - HOBBES + +- **Grade:** RED +- **Host:** HOBBES +- **Client:** Universal Cryogenics (`ucryo`) +- **Collected (UTC):** 2026-06-03T00:47:28Z +- **Agent ID:** a336deb1-6d09-4ade-b2c3-0b258664f4bd +- **Command ID:** c9af21ee-ad06-4e61-bdff-36bd7146de27 +- **Findings:** 2 critical / 5 warning / 15 info / 0 unknown + +- **OS:** Microsoft Windows 10 Pro (build 19045) + +--- + +## CRITICAL (2) + +### OS volume is NOT encrypted with BitLocker +- **Category:** security +- **ID:** `sec.bitlocker.unencrypted` +- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. Enable BitLocker and escrow the recovery key. + +``` +Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors= +``` + +### OS build is end-of-life: Win10 22H2 +- **Category:** security +- **ID:** `sec.patch.os_eol` +- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade. + +``` +Microsoft Windows 10 Pro build 19045; EOL 2025-10-14 +``` + + +## WARNING (5) + +### 1 pending Windows updates +- **Category:** security +- **ID:** `sec.patch.pending` +- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window. + +``` +Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1 +``` + +### RDP is enabled +- **Category:** security +- **ID:** `sec.exposure.rdp_on` +- Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet. + +``` +fDenyTSConnections=0; UserAuthentication=1 +``` + +### Stability events present in the last 14 days +- **Category:** health +- **ID:** `health.stability.some` +- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. 
Monitor and correlate with user reports. + +``` +Unexpected shutdowns (id 41)=1; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=1 +``` + +### Reboot pending +- **Category:** health +- **ID:** `health.reboot_uptime.pending` +- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart. + +``` +PendingFileRenameOperations +``` + +### 1 auto-start service(s) not running +- **Category:** health +- **ID:** `health.failed_services.stopped` +- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running. + +``` +gpsvc (Group Policy Client) = Stopped +``` + + +## INFO (15) + +### Defender active and current +- **Category:** security +- **ID:** `sec.defender.ok` +- Real-time protection on, service running, signatures current. + +``` +RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True +``` + +### Defender is the only registered AV +- **Category:** security +- **ID:** `sec.av_products.defender_only` +- Only Microsoft/Windows Defender is registered in Security Center. + +``` +Windows Defender +``` + +### No competitor/leftover management agents detected +- **Category:** security +- **ID:** `sec.foreign_agents.none` +- No known competitor RMM or unmanaged remote-access agents found in installed programs or services. + +``` +Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service +``` + +### Expected ACG management tooling present: ScreenConnect / ConnectWise Control +- **Category:** security +- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. 
+ +``` +program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579 +service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running +``` + +### Expected ACG management tooling present: Splashtop (SOS/Streamer) +- **Category:** security +- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Splashtop Software Updater 1.5.6.23 +program: Splashtop Streamer 3.8.2.0 +service: SplashtopRemoteService (Splashtop? Remote Service) Running +service: SSUService (Splashtop Software Updater Service) Running +``` + +### Expected ACG management tooling present: Syncro / Kabuto +- **Category:** security +- **ID:** `sec.foreign_agents.acg.syncro_kabuto` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Syncro 1.0.201.18410 +service: Syncro (Syncro) Running +``` + +### All firewall profiles enabled +- **Category:** security +- **ID:** `sec.firewall.ok` +- Domain, Private, and Public firewall profiles are all enabled. + +``` +Private=True; Domain=True; Public=True +``` + +### Local administrators (4) +- **Category:** security +- **ID:** `sec.local_admins.list` +- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider). + +``` +HOBBES\Administrator +HOBBES\localadmin +HOBBES\paul +UCRYO\Domain Admins +``` + +### Last hotfix: KB5072653 +- **Category:** security +- **ID:** `sec.patch.last_hotfix` +- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata). + +``` +KB5072653 installed 2025-11-18T07:00:00Z +``` + +### SMBv1 disabled +- **Category:** security +- **ID:** `sec.exposure.smb1_off` +- SMBv1 server protocol is disabled. 
+ +``` +EnableSMB1Protocol=False +``` + +### LAPS detected +- **Category:** security +- **ID:** `sec.exposure.laps_present` +- A LAPS mechanism is present. + +``` +Windows LAPS reg key +``` + +### Domain secure channel healthy +- **Category:** health +- **ID:** `health.domain.secure_channel_ok` +- Machine trust relationship with the domain is intact. + +``` +Domain=ucryo.local +``` + +### Time service source +- **Category:** health +- **ID:** `health.time.source` +- Current Windows Time service source. + +``` +Source=UC2-SERVER.ucryo.local +``` + +### Battery present +- **Category:** health +- **ID:** `health.battery.present` +- Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.) + +``` +EstimatedChargeRemaining=224%; BatteryStatus=2 +``` + +### No backup agent detected +- **Category:** health +- **ID:** `health.backup.none` +- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it. + +``` +No matching backup service in Win32_Service +``` + + +--- + +## Inventory Baseline Summary + +- **Manufacturer / Model:** Dell Inc. / Precision M4800 +- **Serial:** CTWRT32 +- **CPU:** Intel(R) Core(TM) i7-4910MQ CPU @ 2.90GHz (4 cores / 8 logical) +- **RAM (GB):** 15.9 +- **BIOS:** A16 (2015-12-01) +- **Chassis is laptop:** true +- **TPM present / Secure Boot:** ? 
/ true +- **Domain joined:** true (ucryo.local) +- **OS activation licensed:** true +- **Uptime (days):** 0.2 +- **Pending reboot:** true +- **Installed software count:** 117 +- **Scheduled tasks (non-MS, enabled):** 19 +- **Local administrators:** HOBBES\Administrator, HOBBES\localadmin, HOBBES\paul, UCRYO\Domain Admins + +### Fixed volumes + +- [unlabeled] - 0.1 GB free of 0.5 GB (15.4%) +- C: - 748.2 GB free of 931 GB (80.4%) +- [unlabeled] - 0.1 GB free of 0.1 GB (72%) +- [Recovery] - 0.5 GB free of 0.5 GB (97.4%) + +### Network adapters + +- Intel(R) Ethernet Connection I217-LM - IP: 172.29.0.137, fe80::529a:39b9:465d:500b - DNS: 172.29.0.5, 8.8.8.8 - DHCP: true + +--- + +## Diff vs Prior Baseline + +- No prior baseline found for this host. This is the first baseline. + +--- + +_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `HOBBES-20260603T004835.json` (immutable)._ diff --git a/clients/ucryo/onboarding-baselines/HOBORG-20260603T005101.json b/clients/ucryo/onboarding-baselines/HOBORG-20260603T005101.json new file mode 100644 index 0000000..a14338f --- /dev/null +++ b/clients/ucryo/onboarding-baselines/HOBORG-20260603T005101.json 
@@ -0,0 +1,1126 @@ +{ + "host": "HOBORG", + "collected_at_utc": "2026-06-03T00:48:48Z", + "os": { + "caption": "Microsoft Windows 10 Pro", + "version": "10.0.19045", + "build": "19045", + "install_date": "2022-09-19T16:26:38Z", + "last_boot_utc": "2026-05-15T19:48:33Z", + "architecture": "64-bit" + }, + "facts": { + "builtin_admin_enabled": false, + "os_eol": { + "eol_date": "2025-10-14", + "release": "Win10 22H2" + }, + "pending_updates": 3, + "pending_reboot": true, + "uptime_days": 18.2, + "acg_managed_tools": [ + "ScreenConnect / ConnectWise Control", + "Splashtop (SOS/Streamer)", + "Syncro / Kabuto" + ], + "hardware": { + "model": "20ENCTO1WW", + "manufacturer": "LENOVO", + "bios_date": "2018-11-14", + "cpu_logical": 8, + "bios_version": "N1EET81W (1.54 )", + "cpu_cores": 4, + "ram_gb": 31.4, + "serial": "PC0LBN9T", + "cpu": "Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz" + }, + "local_administrators": [ + "HOBORG\\Administrator", + "HOBORG\\localadmin", + "HOBORG\\Owner", + "UCRYO\\Domain Admins" + ], + "os_build": "19045", + "secure_boot": null, + "backup_agents": null, + "autoruns_run_keys": [ + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "SecurityHealth", + "value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "AdobeAAMUpdater-1.0", + "value": "\"C:\\Program Files (x86)\\Common Files\\Adobe\\OOBE\\PDApp\\UWA\\UpdaterStartupUtility.exe\"" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Acrobat Assistant 8.0", + "value": "\"C:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\Acrotray.exe\"" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "ControlCenter4", + "value": "C:\\Program Files (x86)\\ControlCenter4\\BrCcBoot.exe /autorun" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + 
"name": "BrStsMon00", + "value": "C:\\Program Files (x86)\\Browny02\\Brother\\BrStMonW.exe /AUTORUN" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "EEventManager", + "value": "\"C:\\Program Files (x86)\\Epson Software\\Event Manager\\EEventManager.exe\"" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "name": "msedge_cleanup_{C50565E9-CCCF-44B4-BA15-5AC5C6569197}", + "value": "\"C:\\Program Files (x86)\\Microsoft\\Copilot\\Application\\148.0.3967.70\\Installer\\setup.exe\" --mscopilot --channel=stable --delete-old-versions --system-level --verbose-logging --on-logon" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "name": "msedge_cleanup_{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}", + "value": "\"C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\148.0.3967.96\\Installer\\setup.exe\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon" + } + ], + "physical_disks": [ + { + "health": "Warning", + "model": "TOSHIBA THNSNJ512GDNU A", + "media_type": "SSD" + } + ], + "local_users": [ + { + "last_logon": "", + "name": "Administrator", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "DefaultAccount", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "Guest", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "localadmin", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2019-12-19", + "name": "Owner", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "", + "name": "WDAGUtilityAccount", + "password_never_expires": false, + "enabled": false + } + ], + "scheduled_tasks_count": 24, + "volumes": [ + { + "drive": "[System Reserved]", + "size_gb": 0.6, + "free_pct": 94.4, + "free_gb": 0.5 + }, + { + "drive": "C:", + "size_gb": 475.8, 
+ "free_pct": 31.4, + "free_gb": 149.5 + }, + { + "drive": "[unlabeled]", + "size_gb": 0.6, + "free_pct": 13.9, + "free_gb": 0.1 + } + ], + "network_adapters": [ + { + "dhcp": true, + "description": "Realtek USB GbE Family Controller", + "gateway": [ + "172.29.0.1" + ], + "mac": "00:1C:C2:97:DE:02", + "ip": [ + "172.29.0.128", + "fe80::344c:f8cc:8fca:b4ed" + ], + "dns": [ + "172.29.0.5", + "8.8.8.8" + ] + } + ], + "failed_autostart_services": [ + { + "name": "LPlatSvc", + "display": "Lenovo Platform Service", + "state": "Stopped" + }, + { + "name": "SynaHlp", + "display": "Synaptics helper service", + "state": "Stopped" + } + ], + "stability_14d": { + "unexpected_shutdowns": 0, + "disk_errors": 0, + "bugchecks": 0 + }, + "exposure": { + "smb1_enabled": false, + "laps_present": true, + "rdp_enabled": true, + "uac_enabled": true, + "rdp_nla": true + }, + "accounts_password_never_expires": [], + "installed_software": [ + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "3DEXPERIENCE Exchange for SOLIDWORKS", + "version": "34.11.0011" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "3DEXPERIENCE Marketplace for SOLIDWORKS", + "version": "6.32.1051" + }, + { + "publisher": "Adobe Systems Incorporated", + "name": "Adobe Acrobat DC", + "version": "15.009.20077" + }, + { + "publisher": "Adobe Systems Incorporated", + "name": "Adobe Refresh Manager", + "version": "1.8.0" + }, + { + "publisher": "Autodesk", + "name": "AutoCAD Mechanical 2004", + "version": "7.0.42.8" + }, + { + "publisher": "Autodesk, Inc.", + "name": "Autodesk Express Viewer", + "version": "3.1" + }, + { + "publisher": "Apple Inc.", + "name": "Bonjour", + "version": "3.0.0.10" + }, + { + "publisher": "Brother Industries, Ltd.", + "name": "Brother MFL-Pro Suite MFC-9130CW", + "version": "1.0.1.0" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "CEF for SOLIDWORKS Applications", + "version": "142.0.34576.0" + }, + { + "publisher": "Microsoft 
Corporation", + "name": "Copilot", + "version": "148.0.3967.70" + }, + { + "publisher": "Dolby Laboratories, Inc.", + "name": "Dolby Audio X2 Windows API SDK", + "version": "0.8.8.90" + }, + { + "publisher": "Epson America, Inc.", + "name": "Epson ES Series User?s Guide", + "version": "1.0" + }, + { + "publisher": "Seiko Epson Corporation", + "name": "Epson Event Manager", + "version": "3.11.79" + }, + { + "publisher": "Seiko Epson Corporation", + "name": "Epson Scan 2", + "version": "" + }, + { + "publisher": "Seiko Epson Corporation", + "name": "Epson Scan OCR Component Pro", + "version": "1.0.11" + }, + { + "publisher": "Seiko Epson Corporation", + "name": "Epson ScanSmart", + "version": "3.7.13" + }, + { + "publisher": "Seiko Epson Corporation", + "name": "Epson Software Updater", + "version": "4.6.7" + }, + { + "publisher": "Intel Corporation", + "name": "Intel(R) Processor Graphics", + "version": "23.20.16.4973" + }, + { + "publisher": "The Document Foundation", + "name": "LibreOffice 26.2.3.2", + "version": "26.2.3.2" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge", + "version": "148.0.3967.96" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge WebView2 Runtime", + "version": "148.0.3967.96" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Office Professional Plus 2019 - en-us", + "version": "16.0.19127.20302" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Update Health Tools", + "version": "3.74.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Basic for Applications 7.1 (x64)", + "version": "7.1.11.28" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Basic for Applications 7.1 (x64) English", + "version": "7.1.11.28" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable", + "version": "8.0.61001" + }, + { + "publisher": "Microsoft Corporation", + "name": 
"Microsoft Visual C++ 2005 Redistributable (x64)", + "version": "8.0.61000" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161", + "version": "9.0.30729.6161" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17", + "version": "9.0.30729" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161", + "version": "9.0.30729.6161" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030", + "version": "11.0.61030.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030", + "version": "11.0.61030.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501", + 
"version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.42.34438", + "version": "14.42.34438.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.42.34438", + "version": "14.42.34438.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34438", + "version": "14.42.34438" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34438", + "version": "14.42.34438" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.42.34438", + "version": "14.42.34438" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.42.34438", + "version": "14.42.34438" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 Finalizer", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 x64 Hosting Support", + "version": "14.0.23829" + }, + { + 
"publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 x86 Hosting Support", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2019", + "version": "16.0.31110" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2019 x64 Hosting Support", + "version": "16.0.31110" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2019 x86 Hosting Support", + "version": "16.0.31110" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2022", + "version": "17.0.33529" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2022 x64 Hosting Support", + "version": "17.0.33529" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2022 x86 Hosting Support", + "version": "17.0.33529" + }, + { + "publisher": "Mozilla", + "name": "Mozilla Firefox (x64 en-US)", + "version": "151.0.2" + }, + { + "publisher": "Mozilla", + "name": "Mozilla Maintenance Service", + "version": "151.0.2" + }, + { + "publisher": "Mozilla", + "name": "Mozilla Thunderbird (x86 en-US)", + "version": "144.0.1" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Ansel", + "version": "7.1.797.811" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Control Panel 512.92", + "version": "512.92" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display Container", + "version": "1.37" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display Container LS", + "version": "1.37" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display MessageBus", + "version": "512.92" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display Session Container", + 
"version": "1.37" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display Watchdog Plugin", + "version": "1.37" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Graphics Driver 538.18", + "version": "538.18" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Install Application", + "version": "2.1002.408.0" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA RTX Desktop Manager 202.85", + "version": "202.85" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA WMI 2.36.0", + "version": "2.36.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 16 Click-to-Run Extensibility Component", + "version": "16.0.19127.20154" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 16 Click-to-Run Licensing Component", + "version": "16.0.19029.20208" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 16 Click-to-Run Localization Component", + "version": "16.0.14131.20278" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks", + "version": "30.0.4017.3000" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks Premier: Mfg and Whsle Edition 2020", + "version": "30.0.4006.3000" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks Runtime Redistributable", + "version": "1.00.0000" + }, + { + "publisher": "ScreenConnect Software", + "name": "ScreenConnect Client (1912bf3444b41a08)", + "version": "26.1.24.9579" + }, + { + "publisher": "SolidWorks Corporation", + "name": "SOLIDWORKS 2020 SP0.1", + "version": "28.0.1.1" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS 2020 SP0.1", + "version": "28.101.0001" + }, + { + "publisher": "SolidWorks Corporation", + "name": "SOLIDWORKS 2024 SP01", + "version": "32.1.0.123" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS 2024 SP01", + "version": "32.110.0123" + }, + { + "publisher": "SolidWorks Corporation", + "name": "SOLIDWORKS 2026 SP01.1", 
+ "version": "34.1.1.11" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS 2026 SP01.1", + "version": "34.111.0011" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS CAM 2020 SP0.1", + "version": "28.01.0001" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS CAM 2024 SP01", + "version": "32.10.0123" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS CAM 2026 SP01.1", + "version": "34.11.0011" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Composer Player 2020 SP0.1", + "version": "28.01.0001" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Composer Player 2024 SP01", + "version": "32.10.0123" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Composer Player 2026 SP01.1", + "version": "34.11.0011" + }, + { + "publisher": "Dassault Syst?mes SolidWorks Corp", + "name": "SOLIDWORKS eDrawings 2020 SP0.1", + "version": "28.00.5031" + }, + { + "publisher": "Dassault Syst?mes SolidWorks Corp", + "name": "SOLIDWORKS eDrawings 2024 SP01", + "version": "32.10.0076" + }, + { + "publisher": "Dassault Syst?mes SolidWorks Corp", + "name": "SOLIDWORKS eDrawings 2026 SP01.1", + "version": "34.11.0001" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS File Utilities 2020 SP0.1", + "version": "28.01.0001" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS File Utilities 2024 SP01", + "version": "32.10.0123" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS File Utilities 2026 SP01.1", + "version": "34.11.0011" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Login Manager", + "version": "25.50.34500.0" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Visualize 2020 SP0.1", + "version": 
"28.01.0001" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Visualize 2024 SP01", + "version": "32.10.0123" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Visualize 2026 SP01.1", + "version": "34.11.0011" + }, + { + "publisher": "Splashtop Inc.", + "name": "Splashtop Streamer", + "version": "3.8.2.0" + }, + { + "publisher": "Servably, Inc.", + "name": "Syncro", + "version": "1.0.201.18410" + }, + { + "publisher": "Microsoft Corporation", + "name": "Update for x64-based Windows Systems (KB5001716)", + "version": "8.94.0.0" + }, + { + "publisher": "LunarG, Inc.", + "name": "Vulkan Run Time Libraries 1.0.65.1", + "version": "1.0.65.1" + }, + { + "publisher": "Microsoft", + "name": "WPTx64", + "version": "8.100.26866" + } + ], + "tpm": { + "enabled": true, + "ready": true, + "present": true + }, + "local_groups": [ + "Access Control Assistance Operators", + "Administrators", + "Backup Operators", + "Cryptographic Operators", + "Device Owners", + "Distributed COM Users", + "Event Log Readers", + "Guests", + "Hyper-V Administrators", + "IIS_IUSRS", + "Network Configuration Operators", + "Performance Log Users", + "Performance Monitor Users", + "Power Users", + "Remote Desktop Users", + "Remote Management Users", + "Replicator", + "System Managed Accounts Group", + "Users" + ], + "battery": { + "estimated_charge_remaining": "99", + "status": "2", + "present": true + }, + "third_party_av_active": false, + "activation": { + "edition": "Microsoft Windows 10 Pro", + "description": "Windows(R) Operating System, OEM_DM channel", + "licensed": true, + "license_status_code": 1 + }, + "time_source": "UC2-SERVER.ucryo.local", + "chassis_types": [ + 10 + ], + "last_hotfix": { + "hotfix_id": "KB5072653", + "installed_on": "2025-11-18T07:00:00Z" + }, + "scheduled_tasks": [ + { + "path": "\\", + "name": "Adobe Acrobat Update Task", + "state": "Running" + }, + { + "path": "\\", + "name": "EPSON ES-50 Update", + 
"state": "Ready" + }, + { + "path": "\\", + "name": "Lenovo Power Management Driver PnP Task", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineCore", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineUA", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskUserS-1-5-21-1051390473-2587535097-844096240-1116Core", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskUserS-1-5-21-1051390473-2587535097-844096240-1116UA", + "state": "Ready" + }, + { + "path": "\\", + "name": "nWizard_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-1051390473-2587535097-844096240-1116", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-1051390473-2587535097-844096240-1117", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-1116", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-1117", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-3115597025-3675110087-445951324-1001", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-3115597025-3675110087-445951324-1002", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Startup Task-S-1-5-21-1051390473-2587535097-844096240-1116", + "state": "Ready" + }, + { + "path": "\\", + "name": "RtHDVBg_Dolby", + "state": "Running" + }, + { + "path": "\\", + "name": "RTKCPL", + "state": "Ready" + }, + { + "path": "\\", + "name": "User_Feed_Synchronization-{26276C50-E3EF-47D9-BE24-D95E1BD36302}", + "state": "Ready" + }, + { + "path": "\\", + "name": "ZoomUpdateTaskUser-S-1-5-21-1051390473-2587535097-844096240-1116", + "state": "Ready" + }, + { + "path": 
"\\Lenovo\\Power Manager\\", + "name": "Background monitor", + "state": "Running" + }, + { + "path": "\\Lenovo\\Power Manager\\", + "name": "Uninstall task", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Background Update 308046B0AF4A39CB", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Background Update S-1-5-21-1051390473-2587535097-844096240-1116 308046B0AF4A39CB", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Default Browser Agent 308046B0AF4A39CB", + "state": "Ready" + } + ], + "antivirus_products": [ + "Windows Defender", + "Sentinel Agent" + ], + "domain_joined": true, + "defender": { + "antispyware_signature_age": 0, + "tamper_protected": true, + "real_time_protection": true, + "nis_enabled": true, + "available": true, + "antivirus_enabled": true, + "am_service_enabled": true + }, + "bitlocker": { + "os_volume": "C:", + "key_protectors": [], + "recovery_key_present": false, + "available": true, + "encryption_percent": 0, + "protection_status": "Off" + }, + "is_laptop": true, + "installed_software_count": 108, + "secure_channel_ok": true, + "firewall_profiles": { + "Private": true, + "Domain": true, + "Public": true + }, + "domain": "ucryo.local", + "foreign_agents": null + }, + "findings": [ + { + "id": "sec.defender.ok", + "category": "security", + "severity": "info", + "title": "Defender active and current", + "detail": "Real-time protection on, service running, signatures current.", + "evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True" + }, + { + "id": "sec.av_products.third_party", + "category": "security", + "severity": "warning", + "title": "Third-party AV present: Sentinel Agent", + "detail": "A non-Defender antivirus is registered. Running two real-time AV engines causes conflicts, performance loss, and detection gaps. 
Confirm the intended AV and ensure only one provides real-time protection.", + "evidence": "Registered AV: Windows Defender, Sentinel Agent" + }, + { + "id": "sec.foreign_agents.none", + "category": "security", + "severity": "info", + "title": "No competitor/leftover management agents detected", + "detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.", + "evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service" + }, + { + "id": "sec.foreign_agents.acg.screenconnect_connectwise_control", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running" + }, + { + "id": "sec.foreign_agents.acg.splashtop_sos_streamer_", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Splashtop Streamer 3.8.2.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running" + }, + { + "id": "sec.foreign_agents.acg.syncro_kabuto", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Syncro / Kabuto", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. 
Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running" + }, + { + "id": "sec.firewall.ok", + "category": "security", + "severity": "info", + "title": "All firewall profiles enabled", + "detail": "Domain, Private, and Public firewall profiles are all enabled.", + "evidence": "Private=True; Domain=True; Public=True" + }, + { + "id": "sec.bitlocker.unencrypted", + "category": "security", + "severity": "critical", + "title": "OS volume is NOT encrypted with BitLocker", + "detail": "The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. Enable BitLocker and escrow the recovery key.", + "evidence": "Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=" + }, + { + "id": "sec.local_admins.list", + "category": "security", + "severity": "info", + "title": "Local administrators (4)", + "detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).", + "evidence": "HOBORG\\Administrator\nHOBORG\\localadmin\nHOBORG\\Owner\nUCRYO\\Domain Admins" + }, + { + "id": "sec.patch.os_eol", + "category": "security", + "severity": "critical", + "title": "OS build is end-of-life: Win10 22H2", + "detail": "This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.", + "evidence": "Microsoft Windows 10 Pro build 19045; EOL 2025-10-14" + }, + { + "id": "sec.patch.pending", + "category": "security", + "severity": "warning", + "title": "3 pending Windows updates", + "detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. 
Approve/install on the next maintenance window.", + "evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 3" + }, + { + "id": "sec.patch.last_hotfix", + "category": "security", + "severity": "info", + "title": "Last hotfix: KB5072653", + "detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).", + "evidence": "KB5072653 installed 2025-11-18T07:00:00Z" + }, + { + "id": "sec.exposure.rdp_on", + "category": "security", + "severity": "warning", + "title": "RDP is enabled", + "detail": "Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.", + "evidence": "fDenyTSConnections=0; UserAuthentication=1" + }, + { + "id": "sec.exposure.smb1_off", + "category": "security", + "severity": "info", + "title": "SMBv1 disabled", + "detail": "SMBv1 server protocol is disabled.", + "evidence": "EnableSMB1Protocol=False" + }, + { + "id": "sec.exposure.laps_present", + "category": "security", + "severity": "info", + "title": "LAPS detected", + "detail": "A LAPS mechanism is present.", + "evidence": "Windows LAPS reg key" + }, + { + "id": "health.disk_smart.toshiba_thnsnj512gdnu_a", + "category": "health", + "severity": "critical", + "title": "Disk not healthy: TOSHIBA THNSNJ512GDNU A (Warning)", + "detail": "A physical disk reports a non-Healthy SMART/health status. Imminent failure risk. 
Back up immediately and plan replacement.", + "evidence": "HealthStatus=Warning; Wear=100; ReadErrorsTotal=0; Temperature=41" + }, + { + "id": "health.stability.clean", + "category": "health", + "severity": "info", + "title": "No stability events in the last 14 days", + "detail": "No unexpected shutdowns, BSODs, or disk errors logged.", + "evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0" + }, + { + "id": "health.reboot_uptime.pending", + "category": "health", + "severity": "warning", + "title": "Reboot pending", + "detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.", + "evidence": "PendingFileRenameOperations" + }, + { + "id": "health.failed_services.stopped", + "category": "health", + "severity": "warning", + "title": "2 auto-start service(s) not running", + "detail": "These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.", + "evidence": "LPlatSvc (Lenovo Platform Service) = Stopped\nSynaHlp (Synaptics helper service) = Stopped" + }, + { + "id": "health.domain.secure_channel_ok", + "category": "health", + "severity": "info", + "title": "Domain secure channel healthy", + "detail": "Machine trust relationship with the domain is intact.", + "evidence": "Domain=ucryo.local" + }, + { + "id": "health.time.source", + "category": "health", + "severity": "info", + "title": "Time service source", + "detail": "Current Windows Time service source.", + "evidence": "Source=UC2-SERVER.ucryo.local" + }, + { + "id": "health.battery.present", + "category": "health", + "severity": "info", + "title": "Battery present", + "detail": "Battery detected. 
(Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.)", + "evidence": "EstimatedChargeRemaining=99%; BatteryStatus=2" + }, + { + "id": "health.backup.none", + "category": "health", + "severity": "info", + "title": "No backup agent detected", + "detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.", + "evidence": "No matching backup service in Win32_Service" + } + ] +} diff --git a/clients/ucryo/onboarding-baselines/HOBORG-20260603T005101.md b/clients/ucryo/onboarding-baselines/HOBORG-20260603T005101.md new file mode 100644 index 0000000..e64c4b9 --- /dev/null +++ b/clients/ucryo/onboarding-baselines/HOBORG-20260603T005101.md 
@@ -0,0 +1,275 @@ +# Onboarding Diagnostic Baseline - HOBORG + +- **Grade:** RED +- **Host:** HOBORG +- **Client:** Universal Cryogenics (`ucryo`) +- **Collected (UTC):** 2026-06-03T00:48:48Z +- **Agent ID:** 89ee0a5d-49f2-4334-8e49-eaafa389e9ec +- **Command ID:** fa21ce79-d1f7-4fbd-badf-443e1a1d3c31 +- **Findings:** 3 critical / 5 warning / 15 info / 0 unknown + +- **OS:** Microsoft Windows 10 Pro (build 19045) + +--- + +## CRITICAL (3) + +### OS volume is NOT encrypted with BitLocker +- **Category:** security +- **ID:** `sec.bitlocker.unencrypted` +- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. Enable BitLocker and escrow the recovery key. + +``` +Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors= +``` + +### OS build is end-of-life: Win10 22H2 +- **Category:** security +- **ID:** `sec.patch.os_eol` +- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade. + +``` +Microsoft Windows 10 Pro build 19045; EOL 2025-10-14 +``` + +### Disk not healthy: TOSHIBA THNSNJ512GDNU A (Warning) +- **Category:** health +- **ID:** `health.disk_smart.toshiba_thnsnj512gdnu_a` +- A physical disk reports a non-Healthy SMART/health status. Imminent failure risk. Back up immediately and plan replacement. + +``` +HealthStatus=Warning; Wear=100; ReadErrorsTotal=0; Temperature=41 +``` + + +## WARNING (5) + +### Third-party AV present: Sentinel Agent +- **Category:** security +- **ID:** `sec.av_products.third_party` +- A non-Defender antivirus is registered. Running two real-time AV engines causes conflicts, performance loss, and detection gaps. Confirm the intended AV and ensure only one provides real-time protection. 
+ +``` +Registered AV: Windows Defender, Sentinel Agent +``` + +### 3 pending Windows updates +- **Category:** security +- **ID:** `sec.patch.pending` +- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window. + +``` +Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 3 +``` + +### RDP is enabled +- **Category:** security +- **ID:** `sec.exposure.rdp_on` +- Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet. + +``` +fDenyTSConnections=0; UserAuthentication=1 +``` + +### Reboot pending +- **Category:** health +- **ID:** `health.reboot_uptime.pending` +- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart. + +``` +PendingFileRenameOperations +``` + +### 2 auto-start service(s) not running +- **Category:** health +- **ID:** `health.failed_services.stopped` +- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running. + +``` +LPlatSvc (Lenovo Platform Service) = Stopped +SynaHlp (Synaptics helper service) = Stopped +``` + + +## INFO (15) + +### Defender active and current +- **Category:** security +- **ID:** `sec.defender.ok` +- Real-time protection on, service running, signatures current. + +``` +RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True +``` + +### No competitor/leftover management agents detected +- **Category:** security +- **ID:** `sec.foreign_agents.none` +- No known competitor RMM or unmanaged remote-access agents found in installed programs or services. 
+ +``` +Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service +``` + +### Expected ACG management tooling present: ScreenConnect / ConnectWise Control +- **Category:** security +- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579 +service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running +``` + +### Expected ACG management tooling present: Splashtop (SOS/Streamer) +- **Category:** security +- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Splashtop Streamer 3.8.2.0 +service: SplashtopRemoteService (Splashtop? Remote Service) Running +``` + +### Expected ACG management tooling present: Syncro / Kabuto +- **Category:** security +- **ID:** `sec.foreign_agents.acg.syncro_kabuto` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Syncro 1.0.201.18410 +service: Syncro (Syncro) Running +``` + +### All firewall profiles enabled +- **Category:** security +- **ID:** `sec.firewall.ok` +- Domain, Private, and Public firewall profiles are all enabled. + +``` +Private=True; Domain=True; Public=True +``` + +### Local administrators (4) +- **Category:** security +- **ID:** `sec.local_admins.list` +- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider). 
+ +``` +HOBORG\Administrator +HOBORG\localadmin +HOBORG\Owner +UCRYO\Domain Admins +``` + +### Last hotfix: KB5072653 +- **Category:** security +- **ID:** `sec.patch.last_hotfix` +- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata). + +``` +KB5072653 installed 2025-11-18T07:00:00Z +``` + +### SMBv1 disabled +- **Category:** security +- **ID:** `sec.exposure.smb1_off` +- SMBv1 server protocol is disabled. + +``` +EnableSMB1Protocol=False +``` + +### LAPS detected +- **Category:** security +- **ID:** `sec.exposure.laps_present` +- A LAPS mechanism is present. + +``` +Windows LAPS reg key +``` + +### No stability events in the last 14 days +- **Category:** health +- **ID:** `health.stability.clean` +- No unexpected shutdowns, BSODs, or disk errors logged. + +``` +Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0 +``` + +### Domain secure channel healthy +- **Category:** health +- **ID:** `health.domain.secure_channel_ok` +- Machine trust relationship with the domain is intact. + +``` +Domain=ucryo.local +``` + +### Time service source +- **Category:** health +- **ID:** `health.time.source` +- Current Windows Time service source. + +``` +Source=UC2-SERVER.ucryo.local +``` + +### Battery present +- **Category:** health +- **ID:** `health.battery.present` +- Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.) + +``` +EstimatedChargeRemaining=99%; BatteryStatus=2 +``` + +### No backup agent detected +- **Category:** health +- **ID:** `health.backup.none` +- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it. 
+ +``` +No matching backup service in Win32_Service +``` + + +--- + +## Inventory Baseline Summary + +- **Manufacturer / Model:** LENOVO / 20ENCTO1WW +- **Serial:** PC0LBN9T +- **CPU:** Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz (4 cores / 8 logical) +- **RAM (GB):** 31.4 +- **BIOS:** N1EET81W (1.54 ) (2018-11-14) +- **Chassis is laptop:** true +- **TPM present / Secure Boot:** true / ? +- **Domain joined:** true (ucryo.local) +- **OS activation licensed:** true +- **Uptime (days):** 18.2 +- **Pending reboot:** true +- **Installed software count:** 108 +- **Scheduled tasks (non-MS, enabled):** 24 +- **Local administrators:** HOBORG\Administrator, HOBORG\localadmin, HOBORG\Owner, UCRYO\Domain Admins + +### Fixed volumes + +- [System Reserved] - 0.5 GB free of 0.6 GB (94.4%) +- C: - 149.5 GB free of 475.8 GB (31.4%) +- [unlabeled] - 0.1 GB free of 0.6 GB (13.9%) + +### Network adapters + +- Realtek USB GbE Family Controller - IP: 172.29.0.128, fe80::344c:f8cc:8fca:b4ed - DNS: 172.29.0.5, 8.8.8.8 - DHCP: true + +--- + +## Diff vs Prior Baseline + +- No prior baseline found for this host. This is the first baseline. + +--- + +_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `HOBORG-20260603T005101.json` (immutable)._ diff --git a/clients/ucryo/onboarding-baselines/KIRBY-20260603T003656.json b/clients/ucryo/onboarding-baselines/KIRBY-20260603T003656.json new file mode 100644 index 0000000..56f3cf7 --- /dev/null +++ b/clients/ucryo/onboarding-baselines/KIRBY-20260603T003656.json 
@@ -0,0 +1,960 @@ +{ + "host": "KIRBY", + "collected_at_utc": "2026-06-03T00:35:40Z", + "os": { + "caption": "Microsoft Windows 10 Pro", + "version": "10.0.19045", + "build": "19045", + "install_date": "2022-07-23T08:06:56Z", + "last_boot_utc": "2026-04-28T17:03:48Z", + "architecture": "64-bit" + }, + "facts": { + "builtin_admin_enabled": false, + "os_eol": { + "eol_date": "2025-10-14", + "release": "Win10 22H2" + }, + "pending_updates": 4, + "pending_reboot": true, + "uptime_days": 35.3, + "acg_managed_tools": [ + "ScreenConnect / ConnectWise Control", + "Splashtop (SOS/Streamer)", + "Syncro / Kabuto" + ], + "hardware": { + "model": "82K8", + "manufacturer": "LENOVO", + "bios_date": "2023-11-17", + "cpu_logical": 16, + "bios_version": "HACN42WW", + "cpu_cores": 8, + "ram_gb": 31.4, + "serial": "PF40739R", + "cpu": "AMD Ryzen 7 5800H with Radeon Graphics " + }, + "local_administrators": [ + "KIRBY\\Administrator", + "KIRBY\\localadmin", + "KIRBY\\paul", + "UCRYO\\Domain Admins" + ], + "os_build": "19045", + "secure_boot": true, + "backup_agents": null, + "autoruns_run_keys": [ + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "SecurityHealth", + "value": "C:\\Windows\\system32\\SecurityHealthSystray.exe" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "RtkAudUService", + "value": "\"C:\\Windows\\System32\\DriverStore\\FileRepository\\realtekservice.inf_amd64_0a6e841b98282717\\RtkAudUService64.exe\" -background" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "AdobeAAMUpdater-1.0", + "value": "\"C:\\Program Files (x86)\\Common Files\\Adobe\\OOBE\\PDApp\\UWA\\UpdaterStartupUtility.exe\"" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Logitech Download Assistant", + "value": "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\System32\\LogiLDA.dll,LogiFetch" + }, + { + "key": 
"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "LogiOptions", + "value": "C:\\Program Files\\Logitech\\LogiOptions\\LogiOptions.exe /noui" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Acrobat Assistant 8.0", + "value": "\"C:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\Acrotray.exe\"" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "(default)", + "value": "" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "ControlCenter4", + "value": "C:\\Program Files (x86)\\ControlCenter4\\BrCcBoot.exe /autorun" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "BrStsMon00", + "value": "C:\\Program Files (x86)\\Browny02\\Brother\\BrStMonW.exe /AUTORUN" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "name": "Delete Cached Update Binary", + "value": "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Program Files\\Microsoft OneDrive\\Update\\OneDriveSetup.exe\"" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "name": "Delete Cached Standalone Update Binary", + "value": "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Program Files\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" + } + ], + "physical_disks": [ + { + "health": "Healthy", + "model": "SKHynix_HFS512GDE9X084N", + "media_type": "SSD" + } + ], + "local_users": [ + { + "last_logon": "", + "name": "Administrator", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "DefaultAccount", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "Guest", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "localadmin", + "password_never_expires": false, + "enabled": true + }, + { + 
"last_logon": "2022-07-22", + "name": "paul", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "", + "name": "WDAGUtilityAccount", + "password_never_expires": false, + "enabled": false + } + ], + "scheduled_tasks_count": 15, + "volumes": [ + { + "drive": "C:", + "size_gb": 474.4, + "free_pct": 59.6, + "free_gb": 282.7 + }, + { + "drive": "[WINRE_DRV]", + "size_gb": 2, + "free_pct": 56.5, + "free_gb": 1.1 + }, + { + "drive": "[unlabeled]", + "size_gb": 0.1, + "free_pct": 72, + "free_gb": 0.1 + }, + { + "drive": "[unlabeled]", + "size_gb": 0.5, + "free_pct": 16.6, + "free_gb": 0.1 + } + ], + "network_adapters": [ + { + "dhcp": true, + "description": "MediaTek Wi-Fi 6 MT7921 Wireless LAN Card", + "gateway": [ + "172.29.0.1" + ], + "mac": "88:94:EB:1B:F0:DD", + "ip": [ + "172.29.0.148", + "fe80::d7aa:6bcd:882c:e640" + ], + "dns": [ + "172.29.0.5", + "8.8.8.8" + ] + } + ], + "failed_autostart_services": null, + "stability_14d": { + "unexpected_shutdowns": 0, + "disk_errors": 0, + "bugchecks": 0 + }, + "exposure": { + "smb1_enabled": false, + "laps_present": true, + "rdp_enabled": true, + "uac_enabled": true, + "rdp_nla": true + }, + "accounts_password_never_expires": [], + "installed_software": [ + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "3DEXPERIENCE Exchange for SOLIDWORKS", + "version": "34.11.0011" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "3DEXPERIENCE Marketplace for SOLIDWORKS", + "version": "6.32.1051" + }, + { + "publisher": "Atlas Business Solutions, Inc.", + "name": "ABS PDF Install", + "version": "4.2.2" + }, + { + "publisher": "Adobe Systems Incorporated", + "name": "Adobe Acrobat DC", + "version": "15.009.20077" + }, + { + "publisher": "Adobe Systems Incorporated", + "name": "Adobe Refresh Manager", + "version": "1.8.0" + }, + { + "publisher": "Apple Inc.", + "name": "Bonjour", + "version": "3.0.0.10" + }, + { + "publisher": "Brother Industries, Ltd.", + "name": "Brother 
MFL-Pro Suite MFC-9130CW", + "version": "1.0.1.0" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "CEF for SOLIDWORKS Applications", + "version": "142.0.34576.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Copilot", + "version": "148.0.3967.70" + }, + { + "publisher": "Logi", + "name": "Logi Bolt", + "version": "1.01.415.0" + }, + { + "publisher": "Logitech", + "name": "Logitech Options", + "version": "9.40.86" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge", + "version": "148.0.3967.96" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge WebView2 Runtime", + "version": "148.0.3967.96" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Office Professional Plus 2019 - en-us", + "version": "16.0.19127.20302" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft OneDrive", + "version": "26.084.0504.0007" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Update Health Tools", + "version": "3.74.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Basic for Applications 7.1 (x64)", + "version": "7.1.11.28" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Basic for Applications 7.1 (x64) English", + "version": "7.1.11.28" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable", + "version": "8.0.61001" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable (x64)", + "version": "8.0.61000" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161", + "version": "9.0.30729.6161" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17", + "version": "9.0.30729" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 
Redistributable - x86 9.0.30729.6161", + "version": "9.0.30729.6161" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030", + "version": "11.0.61030.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030", + "version": "11.0.61030.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005", + "version": 
"12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.42.34438", + "version": "14.42.34438.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.42.34438", + "version": "14.42.34438.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34438", + "version": "14.42.34438" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34438", + "version": "14.42.34438" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.42.34438", + "version": "14.42.34438" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.42.34438", + "version": "14.42.34438" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 Finalizer", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 x64 Hosting Support", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 x86 Hosting Support", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2019", + "version": "16.0.31110" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2019 x64 Hosting Support", + "version": "16.0.31110" + }, + { + 
"publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2019 x86 Hosting Support", + "version": "16.0.31110" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2022", + "version": "17.0.33529" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2022 x64 Hosting Support", + "version": "17.0.33529" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2022 x86 Hosting Support", + "version": "17.0.33529" + }, + { + "publisher": "Mozilla", + "name": "Mozilla Firefox (x64 en-US)", + "version": "151.0.3" + }, + { + "publisher": "Mozilla", + "name": "Mozilla Maintenance Service", + "version": "151.0.2" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Graphics Driver 527.99", + "version": "527.99" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Install Application", + "version": "2.1002.382.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 16 Click-to-Run Extensibility Component", + "version": "16.0.19127.20154" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 16 Click-to-Run Licensing Component", + "version": "16.0.19029.20184" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks", + "version": "30.0.4017.3000" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks Premier: Mfg and Whsle Edition 2020", + "version": "30.0.4006.3000" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks Runtime Redistributable", + "version": "1.00.0000" + }, + { + "publisher": "ScreenConnect Software", + "name": "ScreenConnect Client (1912bf3444b41a08)", + "version": "26.1.24.9579" + }, + { + "publisher": "SolidWorks Corporation", + "name": "SOLIDWORKS 2024 SP01", + "version": "32.1.0.123" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS 2024 SP01", + "version": 
"32.110.0123" + }, + { + "publisher": "SolidWorks Corporation", + "name": "SOLIDWORKS 2026 SP01.1", + "version": "34.1.1.11" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS 2026 SP01.1", + "version": "34.111.0011" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS CAM 2024 SP01", + "version": "32.10.0123" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Composer Player 2024 SP01", + "version": "32.10.0123" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Composer Player 2026 SP01.1", + "version": "34.11.0011" + }, + { + "publisher": "Dassault Syst?mes SolidWorks Corp", + "name": "SOLIDWORKS eDrawings 2024 SP01", + "version": "32.10.0076" + }, + { + "publisher": "Dassault Syst?mes SolidWorks Corp", + "name": "SOLIDWORKS eDrawings 2026 SP01.1", + "version": "34.11.0001" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS File Utilities 2024 SP01", + "version": "32.10.0123" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS File Utilities 2026 SP01.1", + "version": "34.11.0011" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Login Manager", + "version": "25.50.34500.0" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Visualize 2024 SP01", + "version": "32.10.0123" + }, + { + "publisher": "Splashtop Inc.", + "name": "Splashtop Streamer", + "version": "3.8.2.0" + }, + { + "publisher": "Servably, Inc.", + "name": "Syncro", + "version": "1.0.201.18410" + }, + { + "publisher": "Microsoft Corporation", + "name": "Update for x64-based Windows Systems (KB5001716)", + "version": "8.94.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Windows PC Health Check", + "version": "3.6.2204.08001" + }, + { + "publisher": "Microsoft", + "name": "WPTx64", + "version": "8.100.26866" + }, + { + "publisher": 
"Yubico AB", + "name": "Yubico Authenticator", + "version": "7.0.0" + } + ], + "tpm": { + "enabled": true, + "ready": true, + "present": true + }, + "local_groups": [ + "Access Control Assistance Operators", + "Administrators", + "Backup Operators", + "Cryptographic Operators", + "Device Owners", + "Distributed COM Users", + "Event Log Readers", + "Guests", + "Hyper-V Administrators", + "IIS_IUSRS", + "Network Configuration Operators", + "Performance Log Users", + "Performance Monitor Users", + "Power Users", + "Remote Desktop Users", + "Remote Management Users", + "Replicator", + "System Managed Accounts Group", + "Users" + ], + "battery": { + "estimated_charge_remaining": "94", + "status": "2", + "present": true + }, + "third_party_av_active": false, + "activation": { + "edition": "Microsoft Windows 10 Pro", + "description": "Windows(R) Operating System, RETAIL channel", + "licensed": true, + "license_status_code": 1 + }, + "time_source": "UC2-SERVER.ucryo.local", + "chassis_types": [ + 10 + ], + "last_hotfix": { + "hotfix_id": "KB5072653", + "installed_on": "2025-11-20T07:00:00Z" + }, + "scheduled_tasks": [ + { + "path": "\\", + "name": "Adobe Acrobat Update Task", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineCore", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineUA", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Per-Machine Standalone Update Task", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-1051390473-2587535097-844096240-1115", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-1051390473-2587535097-844096240-1117", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-3167958784-13707620-2457732989-1001", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Startup Task-S-1-5-21-1051390473-2587535097-844096240-1115", + "state": "Ready" + }, 
+ { + "path": "\\", + "name": "OneDrive Startup Task-S-1-5-21-1051390473-2587535097-844096240-1117", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Startup Task-S-1-5-21-3167958784-13707620-2457732989-1001", + "state": "Ready" + }, + { + "path": "\\", + "name": "ZoomUpdateTaskUser-S-1-5-21-1051390473-2587535097-844096240-1115", + "state": "Ready" + }, + { + "path": "\\GoogleUser\\GoogleUpdater\\", + "name": "GoogleUpdaterTaskUser149.0.7814.0{E499484E-3F36-4644-8060-31171C0E93F1}", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Background Update 308046B0AF4A39CB", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Background Update S-1-5-21-1051390473-2587535097-844096240-1115 308046B0AF4A39CB", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Default Browser Agent 308046B0AF4A39CB", + "state": "Ready" + } + ], + "antivirus_products": [ + "Windows Defender" + ], + "domain_joined": true, + "defender": { + "antispyware_signature_age": 0, + "tamper_protected": true, + "real_time_protection": true, + "nis_enabled": true, + "available": true, + "antivirus_enabled": true, + "am_service_enabled": true + }, + "bitlocker": { + "os_volume": "C:", + "key_protectors": [], + "recovery_key_present": false, + "available": true, + "encryption_percent": 0, + "protection_status": "Off" + }, + "is_laptop": true, + "installed_software_count": 82, + "secure_channel_ok": true, + "firewall_profiles": { + "Private": true, + "Domain": true, + "Public": true + }, + "domain": "ucryo.local", + "foreign_agents": null + }, + "findings": [ + { + "id": "sec.defender.ok", + "category": "security", + "severity": "info", + "title": "Defender active and current", + "detail": "Real-time protection on, service running, signatures current.", + "evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True" + }, + { + "id": "sec.av_products.defender_only", + 
"category": "security", + "severity": "info", + "title": "Defender is the only registered AV", + "detail": "Only Microsoft/Windows Defender is registered in Security Center.", + "evidence": "Windows Defender" + }, + { + "id": "sec.foreign_agents.none", + "category": "security", + "severity": "info", + "title": "No competitor/leftover management agents detected", + "detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.", + "evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service" + }, + { + "id": "sec.foreign_agents.acg.screenconnect_connectwise_control", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running" + }, + { + "id": "sec.foreign_agents.acg.splashtop_sos_streamer_", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Splashtop Streamer 3.8.2.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running" + }, + { + "id": "sec.foreign_agents.acg.syncro_kabuto", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Syncro / Kabuto", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. 
Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running" + }, + { + "id": "sec.firewall.ok", + "category": "security", + "severity": "info", + "title": "All firewall profiles enabled", + "detail": "Domain, Private, and Public firewall profiles are all enabled.", + "evidence": "Private=True; Domain=True; Public=True" + }, + { + "id": "sec.bitlocker.unencrypted", + "category": "security", + "severity": "critical", + "title": "OS volume is NOT encrypted with BitLocker", + "detail": "The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. Enable BitLocker and escrow the recovery key.", + "evidence": "Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=" + }, + { + "id": "sec.local_admins.list", + "category": "security", + "severity": "info", + "title": "Local administrators (4)", + "detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).", + "evidence": "KIRBY\\Administrator\nKIRBY\\localadmin\nKIRBY\\paul\nUCRYO\\Domain Admins" + }, + { + "id": "sec.patch.os_eol", + "category": "security", + "severity": "critical", + "title": "OS build is end-of-life: Win10 22H2", + "detail": "This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.", + "evidence": "Microsoft Windows 10 Pro build 19045; EOL 2025-10-14" + }, + { + "id": "sec.patch.pending", + "category": "security", + "severity": "warning", + "title": "4 pending Windows updates", + "detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. 
Approve/install on the next maintenance window.", + "evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 4" + }, + { + "id": "sec.patch.last_hotfix", + "category": "security", + "severity": "info", + "title": "Last hotfix: KB5072653", + "detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).", + "evidence": "KB5072653 installed 2025-11-20T07:00:00Z" + }, + { + "id": "sec.exposure.rdp_on", + "category": "security", + "severity": "warning", + "title": "RDP is enabled", + "detail": "Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.", + "evidence": "fDenyTSConnections=0; UserAuthentication=1" + }, + { + "id": "sec.exposure.smb1_off", + "category": "security", + "severity": "info", + "title": "SMBv1 disabled", + "detail": "SMBv1 server protocol is disabled.", + "evidence": "EnableSMB1Protocol=False" + }, + { + "id": "sec.exposure.laps_present", + "category": "security", + "severity": "info", + "title": "LAPS detected", + "detail": "A LAPS mechanism is present.", + "evidence": "Windows LAPS reg key" + }, + { + "id": "health.stability.clean", + "category": "health", + "severity": "info", + "title": "No stability events in the last 14 days", + "detail": "No unexpected shutdowns, BSODs, or disk errors logged.", + "evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0" + }, + { + "id": "health.reboot_uptime.pending", + "category": "health", + "severity": "warning", + "title": "Reboot pending", + "detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.", + "evidence": "PendingFileRenameOperations" + }, + { + "id": "health.reboot_uptime.long_uptime", + "category": "health", + "severity": "warning", + "title": "Uptime is 35.3 days", + "detail": "Uptime exceeds 30 days. 
Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.", + "evidence": "LastBootUpTime=2026-04-28 10:03:48Z" + }, + { + "id": "health.failed_services.ok", + "category": "health", + "severity": "info", + "title": "All auto-start services running", + "detail": "No automatic-start services found stopped (excluding known trigger-start/update services).", + "evidence": "Win32_Service StartMode=Auto State!=Running -> none significant" + }, + { + "id": "health.domain.secure_channel_ok", + "category": "health", + "severity": "info", + "title": "Domain secure channel healthy", + "detail": "Machine trust relationship with the domain is intact.", + "evidence": "Domain=ucryo.local" + }, + { + "id": "health.time.source", + "category": "health", + "severity": "info", + "title": "Time service source", + "detail": "Current Windows Time service source.", + "evidence": "Source=UC2-SERVER.ucryo.local" + }, + { + "id": "health.battery.present", + "category": "health", + "severity": "info", + "title": "Battery present", + "detail": "Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.)", + "evidence": "EstimatedChargeRemaining=94%; BatteryStatus=2" + }, + { + "id": "health.backup.none", + "category": "health", + "severity": "info", + "title": "No backup agent detected", + "detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.", + "evidence": "No matching backup service in Win32_Service" + } + ] +} diff --git a/clients/ucryo/onboarding-baselines/KIRBY-20260603T003656.md b/clients/ucryo/onboarding-baselines/KIRBY-20260603T003656.md new file mode 100644 index 0000000..3b62317 --- /dev/null +++ b/clients/ucryo/onboarding-baselines/KIRBY-20260603T003656.md 
@@ -0,0 +1,275 @@ +# Onboarding Diagnostic Baseline - KIRBY + +- **Grade:** RED +- **Host:** KIRBY +- **Client:** Universal Cryogenics (`ucryo`) +- **Collected (UTC):** 2026-06-03T00:35:40Z +- **Agent ID:** 82f16929-ec3c-434b-81f9-84b63e0af56d +- **Command ID:** b7cf0191-c81c-414f-9a3b-0fe2d0205552 +- **Findings:** 2 critical / 4 warning / 17 info / 0 unknown + +- **OS:** Microsoft Windows 10 Pro (build 19045) + +--- + +## CRITICAL (2) + +### OS volume is NOT encrypted with BitLocker +- **Category:** security +- **ID:** `sec.bitlocker.unencrypted` +- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. Enable BitLocker and escrow the recovery key. + +``` +Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors= +``` + +### OS build is end-of-life: Win10 22H2 +- **Category:** security +- **ID:** `sec.patch.os_eol` +- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade. + +``` +Microsoft Windows 10 Pro build 19045; EOL 2025-10-14 +``` + + +## WARNING (4) + +### 4 pending Windows updates +- **Category:** security +- **ID:** `sec.patch.pending` +- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window. + +``` +Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 4 +``` + +### RDP is enabled +- **Category:** security +- **ID:** `sec.exposure.rdp_on` +- Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet. + +``` +fDenyTSConnections=0; UserAuthentication=1 +``` + +### Reboot pending +- **Category:** health +- **ID:** `health.reboot_uptime.pending` +- A reboot is pending. 
Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart. + +``` +PendingFileRenameOperations +``` + +### Uptime is 35.3 days +- **Category:** health +- **ID:** `health.reboot_uptime.long_uptime` +- Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance. + +``` +LastBootUpTime=2026-04-28 10:03:48Z +``` + + +## INFO (17) + +### Defender active and current +- **Category:** security +- **ID:** `sec.defender.ok` +- Real-time protection on, service running, signatures current. + +``` +RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True +``` + +### Defender is the only registered AV +- **Category:** security +- **ID:** `sec.av_products.defender_only` +- Only Microsoft/Windows Defender is registered in Security Center. + +``` +Windows Defender +``` + +### No competitor/leftover management agents detected +- **Category:** security +- **ID:** `sec.foreign_agents.none` +- No known competitor RMM or unmanaged remote-access agents found in installed programs or services. + +``` +Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service +``` + +### Expected ACG management tooling present: ScreenConnect / ConnectWise Control +- **Category:** security +- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579 +service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running +``` + +### Expected ACG management tooling present: Splashtop (SOS/Streamer) +- **Category:** security +- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. 
Its presence is expected and not a foreign-agent risk. + +``` +program: Splashtop Streamer 3.8.2.0 +service: SplashtopRemoteService (Splashtop? Remote Service) Running +``` + +### Expected ACG management tooling present: Syncro / Kabuto +- **Category:** security +- **ID:** `sec.foreign_agents.acg.syncro_kabuto` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Syncro 1.0.201.18410 +service: Syncro (Syncro) Running +``` + +### All firewall profiles enabled +- **Category:** security +- **ID:** `sec.firewall.ok` +- Domain, Private, and Public firewall profiles are all enabled. + +``` +Private=True; Domain=True; Public=True +``` + +### Local administrators (4) +- **Category:** security +- **ID:** `sec.local_admins.list` +- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider). + +``` +KIRBY\Administrator +KIRBY\localadmin +KIRBY\paul +UCRYO\Domain Admins +``` + +### Last hotfix: KB5072653 +- **Category:** security +- **ID:** `sec.patch.last_hotfix` +- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata). + +``` +KB5072653 installed 2025-11-20T07:00:00Z +``` + +### SMBv1 disabled +- **Category:** security +- **ID:** `sec.exposure.smb1_off` +- SMBv1 server protocol is disabled. + +``` +EnableSMB1Protocol=False +``` + +### LAPS detected +- **Category:** security +- **ID:** `sec.exposure.laps_present` +- A LAPS mechanism is present. + +``` +Windows LAPS reg key +``` + +### No stability events in the last 14 days +- **Category:** health +- **ID:** `health.stability.clean` +- No unexpected shutdowns, BSODs, or disk errors logged. 
+ +``` +Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0 +``` + +### All auto-start services running +- **Category:** health +- **ID:** `health.failed_services.ok` +- No automatic-start services found stopped (excluding known trigger-start/update services). + +``` +Win32_Service StartMode=Auto State!=Running -> none significant +``` + +### Domain secure channel healthy +- **Category:** health +- **ID:** `health.domain.secure_channel_ok` +- Machine trust relationship with the domain is intact. + +``` +Domain=ucryo.local +``` + +### Time service source +- **Category:** health +- **ID:** `health.time.source` +- Current Windows Time service source. + +``` +Source=UC2-SERVER.ucryo.local +``` + +### Battery present +- **Category:** health +- **ID:** `health.battery.present` +- Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.) + +``` +EstimatedChargeRemaining=94%; BatteryStatus=2 +``` + +### No backup agent detected +- **Category:** health +- **ID:** `health.backup.none` +- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it. 
+ +``` +No matching backup service in Win32_Service +``` + + +--- + +## Inventory Baseline Summary + +- **Manufacturer / Model:** LENOVO / 82K8 +- **Serial:** PF40739R +- **CPU:** AMD Ryzen 7 5800H with Radeon Graphics (8 cores / 16 logical) +- **RAM (GB):** 31.4 +- **BIOS:** HACN42WW (2023-11-17) +- **Chassis is laptop:** true +- **TPM present / Secure Boot:** true / true +- **Domain joined:** true (ucryo.local) +- **OS activation licensed:** true +- **Uptime (days):** 35.3 +- **Pending reboot:** true +- **Installed software count:** 82 +- **Scheduled tasks (non-MS, enabled):** 15 +- **Local administrators:** KIRBY\Administrator, KIRBY\localadmin, KIRBY\paul, UCRYO\Domain Admins + +### Fixed volumes + +- C: - 282.7 GB free of 474.4 GB (59.6%) +- [WINRE_DRV] - 1.1 GB free of 2 GB (56.5%) +- [unlabeled] - 0.1 GB free of 0.1 GB (72%) +- [unlabeled] - 0.1 GB free of 0.5 GB (16.6%) + +### Network adapters + +- MediaTek Wi-Fi 6 MT7921 Wireless LAN Card - IP: 172.29.0.148, fe80::d7aa:6bcd:882c:e640 - DNS: 172.29.0.5, 8.8.8.8 - DHCP: true + +--- + +## Diff vs Prior Baseline + +- No prior baseline found for this host. This is the first baseline. + +--- + +_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `KIRBY-20260603T003656.json` (immutable)._ diff --git a/clients/ucryo/onboarding-baselines/LILO-20260603T005456.json b/clients/ucryo/onboarding-baselines/LILO-20260603T005456.json new file mode 100644 index 0000000..192343f --- /dev/null +++ b/clients/ucryo/onboarding-baselines/LILO-20260603T005456.json 
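Review bot: The findings in this KIRBY report are the same findings that this commit also writes into DESKTOP-PMML1JC-20260603T004601.json, whose `facts` describe a different machine (Windows 11 build 26200, uptime 6.6 days, 2 pending updates, local admins Administrator/localadmin/Richard) while its `findings` report Win10 22H2 build 19045, 35.3 days uptime, 4 pending updates and `KIRBY\paul`, so one of the two snapshots is carrying the other host's results. Since these baselines are labelled immutable and drive the RED/grade and the critical EOL finding, the DESKTOP-PMML1JC baseline should be regenerated rather than committed as-is, and it is worth checking whether the generator picked up a previous run's result (the script's result handling is not in this hunk, so I cannot tell from here). A cheap guard before a snapshot is written would be to refuse output whose findings disagree with its own facts, e.g. `jq -e '.os.build as $b | all(.findings[] | select(.id=="sec.patch.os_eol"); .evidence | test("build " + $b))' "$SNAPSHOT" || { echo "[ERROR] findings do not match facts; refusing to write baseline" >&2; exit 1; }`, and a similar check that the `HOST\` prefix in the `sec.local_admins.list` evidence matches `.host`.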
@@ -0,0 +1,1108 @@ +{ + "host": "LILO", + "collected_at_utc": "2026-06-03T00:52:27Z", + "os": { + "caption": "Microsoft Windows 10 Pro", + "version": "10.0.19045", + "build": "19045", + "install_date": "2023-01-31T00:31:03Z", + "last_boot_utc": "2026-03-12T17:25:21Z", + "architecture": "64-bit" + }, + "facts": { + "builtin_admin_enabled": false, + "os_eol": { + "eol_date": "2025-10-14", + "release": "Win10 22H2" + }, + "pending_updates": 1, + "pending_reboot": true, + "uptime_days": 82.3, + "acg_managed_tools": [ + "ScreenConnect / ConnectWise Control", + "Splashtop (SOS/Streamer)", + "Syncro / Kabuto" + ], + "hardware": { + "model": "20EQS12M00", + "manufacturer": "LENOVO", + "bios_date": "2024-03-18", + "cpu_logical": 8, + "bios_version": "N1EETA2W (1.75 )", + "cpu_cores": 4, + "ram_gb": 31.8, + "serial": "PC0G9X3B", + "cpu": "Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz" + }, + "local_administrators": [ + "LILO\\Administrator", + "LILO\\localadmin", + "LILO\\me", + "LILO\\paul", + "UCRYO\\Domain Admins" + ], + "os_build": "19045", + "secure_boot": true, + "backup_agents": null, + "autoruns_run_keys": [ + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "SecurityHealth", + "value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Logitech Download Assistant", + "value": "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\System32\\LogiLDA.dll,LogiFetch" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Autodesk Access", + "value": "\"C:\\Program Files\\Autodesk\\AdODIS\\V1\\Access\\AdskAccessCore.exe\" --minimizedUi --autoLaunch" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Autodesk Access Service", + "value": "\"C:\\Program Files\\Autodesk\\AdODIS\\V1\\Setup\\AdskAccessService.exe\" --autoLaunch" + }, + { + "key": 
"HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "ControlCenter4", + "value": "C:\\Program Files (x86)\\ControlCenter4\\BrCcBoot.exe /autorun" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "BrStsMon00", + "value": "C:\\Program Files (x86)\\Browny02\\Brother\\BrStMonW.exe /AUTORUN" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Autodesk Genuine Service ", + "value": "C:\\Program Files\\Autodesk\\Genuine Service\\GenuineService.exe" + } + ], + "physical_disks": [ + { + "health": "Healthy", + "model": "CT1000P1SSD8", + "media_type": "SSD" + } + ], + "local_users": [ + { + "last_logon": "", + "name": "Administrator", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "DefaultAccount", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "Guest", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "localadmin", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "", + "name": "me", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2024-05-15", + "name": "paul", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "", + "name": "WDAGUtilityAccount", + "password_never_expires": false, + "enabled": false + } + ], + "scheduled_tasks_count": 21, + "volumes": [ + { + "drive": "[unlabeled]", + "size_gb": 0.6, + "free_pct": 13.8, + "free_gb": 0.1 + }, + { + "drive": "[Recovery]", + "size_gb": 0.5, + "free_pct": 97.4, + "free_gb": 0.5 + }, + { + "drive": "[unlabeled]", + "size_gb": 0.1, + "free_pct": 72, + "free_gb": 0.1 + }, + { + "drive": "C:", + "size_gb": 930.3, + "free_pct": 73, + "free_gb": 679.3 + } + ], + "network_adapters": [ + { + "dhcp": true, + "description": "Intel(R) Dual Band Wireless-AC 8260", + "gateway": [ + "172.29.0.1" 
+ ], + "mac": "E4:A7:A0:87:41:5A", + "ip": [ + "172.29.0.129", + "fe80::a46c:9046:12ba:7f13" + ], + "dns": [ + "172.29.0.5", + "8.8.8.8" + ] + } + ], + "failed_autostart_services": [ + { + "name": "gpsvc", + "display": "Group Policy Client", + "state": "Stopped" + }, + { + "name": "Intel(R) TPM Provisioning Service", + "display": "Intel(R) TPM Provisioning Service", + "state": "Stopped" + }, + { + "name": "LPlatSvc", + "display": "Lenovo Platform Service", + "state": "Stopped" + } + ], + "stability_14d": { + "unexpected_shutdowns": 0, + "disk_errors": 0, + "bugchecks": 0 + }, + "exposure": { + "smb1_enabled": false, + "laps_present": true, + "rdp_enabled": true, + "uac_enabled": true, + "rdp_nla": true + }, + "accounts_password_never_expires": [], + "installed_software": [ + { + "publisher": "Autodesk", + "name": "AutoCAD Mechanical 2004", + "version": "7.0.42.8" + }, + { + "publisher": "Autodesk, Inc.", + "name": "Autodesk Access", + "version": "2.21.0.559" + }, + { + "publisher": "Autodesk Inc.", + "name": "Autodesk CER", + "version": "7.2.2.923" + }, + { + "publisher": "Autodesk, Inc.", + "name": "Autodesk Express Viewer", + "version": "3.1" + }, + { + "publisher": "Autodesk", + "name": "Autodesk Genuine Service", + "version": "7.6.0.229" + }, + { + "publisher": "Autodesk", + "name": "Autodesk HSMWorks 2023", + "version": "17.0.0.44039" + }, + { + "publisher": "Autodesk, Inc.", + "name": "Autodesk HSMWorks Ultimate 2023", + "version": "17.0.0.44039" + }, + { + "publisher": "Autodesk", + "name": "Autodesk Identity Manager", + "version": "1.11.9.11" + }, + { + "publisher": "Autodesk", + "name": "Autodesk Single Sign On Component", + "version": "13.5.5.1805" + }, + { + "publisher": "Apple Inc.", + "name": "Bonjour", + "version": "3.0.0.10" + }, + { + "publisher": "Brother Industries, Ltd.", + "name": "Brother MFL-Pro Suite MFC-9130CW", + "version": "1.0.1.0" + }, + { + "publisher": "Cablescan", + "name": "Cablescan TestRite", + "version": "6.6.124.0" + }, + { + 
"publisher": "Microsoft Corporation", + "name": "Copilot", + "version": "148.0.3967.70" + }, + { + "publisher": "Dolby Laboratories, Inc.", + "name": "Dolby Audio X2 Windows API SDK", + "version": "0.8.8.90" + }, + { + "publisher": "Intel Corporation", + "name": "Intel(R) Processor Graphics", + "version": "23.20.16.4973" + }, + { + "publisher": "The Document Foundation", + "name": "LibreOffice 26.2.3.2", + "version": "26.2.3.2" + }, + { + "publisher": "McMaster-Carr", + "name": "McMaster-Carr SolidWorks Add-in", + "version": "2.1.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge", + "version": "148.0.3967.96" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge WebView2 Runtime", + "version": "148.0.3967.96" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Office Professional Plus 2019 - en-us", + "version": "16.0.19127.20302" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Update Health Tools", + "version": "3.74.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Basic for Applications 7.1 (x64)", + "version": "7.1.11.18" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Basic for Applications 7.1 (x64) English", + "version": "7.1.11.18" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable", + "version": "8.0.61001" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable (x64)", + "version": "8.0.61000" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161", + "version": "9.0.30729.6161" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17", + "version": "9.0.30729" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 
9.0.30729.6161", + "version": "9.0.30729.6161" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030", + "version": "11.0.61030.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030", + "version": "11.0.61030.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + 
"publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33130", + "version": "14.38.33130.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704", + "version": "14.30.30704.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.38.33130", + "version": "14.38.33130" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.38.33130", + "version": "14.38.33130" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704", + "version": "14.30.30704" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704", + "version": "14.30.30704" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 Finalizer", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 x64 Hosting Support", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 x86 Hosting Support", + "version": "14.0.23829" + }, + { + "publisher": "Mozilla", + "name": "Mozilla Firefox (x64 en-US)", + "version": "151.0.2" + }, + { + "publisher": "Mozilla", + "name": "Mozilla Maintenance Service", + "version": "151.0.2" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Ansel", + "version": "7.1.797.811" + }, + { + "publisher": "NVIDIA 
Corporation", + "name": "NVIDIA Control Panel 513.29", + "version": "513.29" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display Container", + "version": "1.37" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display Container LS", + "version": "1.37" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display MessageBus", + "version": "513.29" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display Session Container", + "version": "1.37" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Display Watchdog Plugin", + "version": "1.37" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Graphics Driver 538.18", + "version": "538.18" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA Install Application", + "version": "2.1002.408.0" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA RTX Desktop Manager 203.05", + "version": "203.05" + }, + { + "publisher": "NVIDIA Corporation", + "name": "NVIDIA WMI 2.36.0", + "version": "2.36.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 16 Click-to-Run Extensibility Component", + "version": "16.0.19127.20154" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 16 Click-to-Run Licensing Component", + "version": "16.0.19029.20184" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 16 Click-to-Run Localization Component", + "version": "16.0.13929.20372" + }, + { + "publisher": "Simon Tatham", + "name": "PuTTY release 0.78 (64-bit)", + "version": "0.78.0.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.11.1 Core Interpreter (64-bit)", + "version": "3.11.1150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.11.1 Development Libraries (64-bit)", + "version": "3.11.1150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.11.1 Documentation (64-bit)", + "version": "3.11.1150.0" + }, + { + 
"publisher": "Python Software Foundation", + "name": "Python 3.11.1 Executables (64-bit)", + "version": "3.11.1150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.11.1 pip Bootstrap (64-bit)", + "version": "3.11.1150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.11.1 Standard Library (64-bit)", + "version": "3.11.1150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.11.1 Tcl/Tk Support (64-bit)", + "version": "3.11.1150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.11.1 Test Suite (64-bit)", + "version": "3.11.1150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python 3.11.1 Utility Scripts (64-bit)", + "version": "3.11.1150.0" + }, + { + "publisher": "Python Software Foundation", + "name": "Python Launcher", + "version": "3.11.8009.0" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks", + "version": "30.0.4017.3000" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks Premier: Mfg and Whsle Edition 2020", + "version": "30.0.4006.3000" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks Runtime Redistributable", + "version": "1.00.0000" + }, + { + "publisher": "ScreenConnect Software", + "name": "ScreenConnect Client (1912bf3444b41a08)", + "version": "26.1.24.9579" + }, + { + "publisher": "Skype Technologies S.A.", + "name": "Skype version 8.72", + "version": "8.72" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS 2020 SP02", + "version": "28.120.0064" + }, + { + "publisher": "SolidWorks Corporation", + "name": "SOLIDWORKS 2020 SP02", + "version": "28.2.0.64" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS 2022 SP05", + "version": "30.150.0049" + }, + { + "publisher": "SolidWorks Corporation", + "name": "SOLIDWORKS 2022 SP05", + "version": "30.5.0.49" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS 
CAM 2020 SP02", + "version": "28.20.0064" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS CAM 2022 SP05", + "version": "30.50.0049" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Composer Player 2020 SP02", + "version": "28.20.0064" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Composer Player 2022 SP05", + "version": "30.50.0049" + }, + { + "publisher": "Dassault Syst?mes SolidWorks Corp", + "name": "SOLIDWORKS eDrawings 2020 SP02", + "version": "28.20.0046" + }, + { + "publisher": "Dassault Syst?mes SolidWorks Corp", + "name": "SOLIDWORKS eDrawings 2022 SP05", + "version": "30.50.0019" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS File Utilities 2020 SP02", + "version": "28.20.0064" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS File Utilities 2022 SP05", + "version": "30.50.0049" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Visualize 2020 SP02", + "version": "28.20.0064" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS Visualize 2022 SP05", + "version": "30.50.0049" + }, + { + "publisher": "Splashtop Inc.", + "name": "Splashtop Streamer", + "version": "3.8.2.0" + }, + { + "publisher": "Servably, Inc.", + "name": "Syncro", + "version": "1.0.201.18410" + }, + { + "publisher": "Microsoft Corporation", + "name": "Update for x64-based Windows Systems (KB5001716)", + "version": "8.94.0.0" + }, + { + "publisher": "LunarG, Inc.", + "name": "Vulkan Run Time Libraries 1.0.65.1", + "version": "1.0.65.1" + }, + { + "publisher": "Microsoft Corporation", + "name": "Windows 11 Installation Assistant", + "version": "1.4.19041.3630" + }, + { + "publisher": "WireGuard LLC", + "name": "WireGuard", + "version": "0.5.3" + }, + { + "publisher": "Microsoft", + "name": "WPTx64", + "version": "8.100.26866" + } + ], + "tpm": { + "enabled": 
true, + "ready": true, + "present": true + }, + "local_groups": [ + "Access Control Assistance Operators", + "Administrators", + "Backup Operators", + "Cryptographic Operators", + "Device Owners", + "Distributed COM Users", + "Event Log Readers", + "Guests", + "Hyper-V Administrators", + "IIS_IUSRS", + "Network Configuration Operators", + "Performance Log Users", + "Performance Monitor Users", + "Power Users", + "Remote Desktop Users", + "Remote Management Users", + "Replicator", + "System Managed Accounts Group", + "Users" + ], + "battery": { + "estimated_charge_remaining": "99", + "status": "2", + "present": true + }, + "third_party_av_active": false, + "activation": { + "edition": "Microsoft Windows 10 Pro", + "description": "Windows(R) Operating System, OEM_DM channel", + "licensed": true, + "license_status_code": 1 + }, + "time_source": "UC2-SERVER.ucryo.local", + "chassis_types": [ + 10 + ], + "last_hotfix": { + "hotfix_id": "KB5072653", + "installed_on": "2025-11-18T07:00:00Z" + }, + "scheduled_tasks": [ + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineCore", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineUA", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskUserS-1-5-21-1051390473-2587535097-844096240-2650Core{BF12FECA-34CF-4DB7-9470-17E1BA996B1D}", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskUserS-1-5-21-1051390473-2587535097-844096240-2650UA{6606EBC1-7A36-43D4-98EC-BA94C6501B2E}", + "state": "Ready" + }, + { + "path": "\\", + "name": "nWizard_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-1051390473-2587535097-844096240-1115", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-1051390473-2587535097-844096240-2615", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting 
Task-S-1-5-21-1051390473-2587535097-844096240-2650", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-3479997975-746733243-4120700161-1001", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-1115", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-2615", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-1051390473-2587535097-844096240-2650", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Standalone Update Task-S-1-5-21-3479997975-746733243-4120700161-1001", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Startup Task-S-1-5-21-1051390473-2587535097-844096240-2650", + "state": "Ready" + }, + { + "path": "\\", + "name": "RtHDVBg_Dolby", + "state": "Running" + }, + { + "path": "\\", + "name": "RTKCPL", + "state": "Ready" + }, + { + "path": "\\Lenovo\\Power Manager\\", + "name": "Background monitor", + "state": "Running" + }, + { + "path": "\\Lenovo\\Power Manager\\", + "name": "Uninstall task", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Background Update 308046B0AF4A39CB", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Background Update S-1-5-21-1051390473-2587535097-844096240-2650 308046B0AF4A39CB", + "state": "Ready" + }, + { + "path": "\\Mozilla\\", + "name": "Firefox Default Browser Agent 308046B0AF4A39CB", + "state": "Ready" + } + ], + "antivirus_products": [ + "Windows Defender" + ], + "domain_joined": true, + "defender": { + "antispyware_signature_age": 0, + "tamper_protected": true, + "real_time_protection": true, + "nis_enabled": true, + "available": true, + "antivirus_enabled": true, + "am_service_enabled": true + }, + "bitlocker": { + "os_volume": "C:", + "key_protectors": [], + "recovery_key_present": false, + "available": true, + 
"encryption_percent": 0, + "protection_status": "Off" + }, + "is_laptop": true, + "installed_software_count": 105, + "secure_channel_ok": true, + "firewall_profiles": { + "Private": true, + "Domain": true, + "Public": true + }, + "domain": "ucryo.local", + "foreign_agents": null + }, + "findings": [ + { + "id": "sec.defender.ok", + "category": "security", + "severity": "info", + "title": "Defender active and current", + "detail": "Real-time protection on, service running, signatures current.", + "evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True" + }, + { + "id": "sec.av_products.defender_only", + "category": "security", + "severity": "info", + "title": "Defender is the only registered AV", + "detail": "Only Microsoft/Windows Defender is registered in Security Center.", + "evidence": "Windows Defender" + }, + { + "id": "sec.foreign_agents.none", + "category": "security", + "severity": "info", + "title": "No competitor/leftover management agents detected", + "detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.", + "evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service" + }, + { + "id": "sec.foreign_agents.acg.screenconnect_connectwise_control", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. 
Its presence is expected and not a foreign-agent risk.", + "evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running" + }, + { + "id": "sec.foreign_agents.acg.splashtop_sos_streamer_", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Splashtop Streamer 3.8.2.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running" + }, + { + "id": "sec.foreign_agents.acg.syncro_kabuto", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Syncro / Kabuto", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running" + }, + { + "id": "sec.firewall.ok", + "category": "security", + "severity": "info", + "title": "All firewall profiles enabled", + "detail": "Domain, Private, and Public firewall profiles are all enabled.", + "evidence": "Private=True; Domain=True; Public=True" + }, + { + "id": "sec.bitlocker.unencrypted", + "category": "security", + "severity": "critical", + "title": "OS volume is NOT encrypted with BitLocker", + "detail": "The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. 
Enable BitLocker and escrow the recovery key.", + "evidence": "Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=" + }, + { + "id": "sec.local_admins.list", + "category": "security", + "severity": "info", + "title": "Local administrators (5)", + "detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).", + "evidence": "LILO\\Administrator\nLILO\\localadmin\nLILO\\me\nLILO\\paul\nUCRYO\\Domain Admins" + }, + { + "id": "sec.patch.os_eol", + "category": "security", + "severity": "critical", + "title": "OS build is end-of-life: Win10 22H2", + "detail": "This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.", + "evidence": "Microsoft Windows 10 Pro build 19045; EOL 2025-10-14" + }, + { + "id": "sec.patch.pending", + "category": "security", + "severity": "warning", + "title": "1 pending Windows updates", + "detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.", + "evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1" + }, + { + "id": "sec.patch.last_hotfix", + "category": "security", + "severity": "info", + "title": "Last hotfix: KB5072653", + "detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).", + "evidence": "KB5072653 installed 2025-11-18T07:00:00Z" + }, + { + "id": "sec.exposure.rdp_on", + "category": "security", + "severity": "warning", + "title": "RDP is enabled", + "detail": "Remote Desktop is enabled (NLA required). 
Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.", + "evidence": "fDenyTSConnections=0; UserAuthentication=1" + }, + { + "id": "sec.exposure.smb1_off", + "category": "security", + "severity": "info", + "title": "SMBv1 disabled", + "detail": "SMBv1 server protocol is disabled.", + "evidence": "EnableSMB1Protocol=False" + }, + { + "id": "sec.exposure.laps_present", + "category": "security", + "severity": "info", + "title": "LAPS detected", + "detail": "A LAPS mechanism is present.", + "evidence": "Windows LAPS reg key" + }, + { + "id": "health.stability.clean", + "category": "health", + "severity": "info", + "title": "No stability events in the last 14 days", + "detail": "No unexpected shutdowns, BSODs, or disk errors logged.", + "evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0" + }, + { + "id": "health.reboot_uptime.pending", + "category": "health", + "severity": "warning", + "title": "Reboot pending", + "detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.", + "evidence": "PendingFileRenameOperations" + }, + { + "id": "health.reboot_uptime.long_uptime", + "category": "health", + "severity": "warning", + "title": "Uptime is 82.3 days", + "detail": "Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.", + "evidence": "LastBootUpTime=2026-03-12 10:25:21Z" + }, + { + "id": "health.failed_services.stopped", + "category": "health", + "severity": "warning", + "title": "3 auto-start service(s) not running", + "detail": "These services are set to start automatically but are not running. 
Some may be benign; review for security agents, backup agents, or AV that should be running.", + "evidence": "gpsvc (Group Policy Client) = Stopped\nIntel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped\nLPlatSvc (Lenovo Platform Service) = Stopped" + }, + { + "id": "health.domain.secure_channel_ok", + "category": "health", + "severity": "info", + "title": "Domain secure channel healthy", + "detail": "Machine trust relationship with the domain is intact.", + "evidence": "Domain=ucryo.local" + }, + { + "id": "health.time.source", + "category": "health", + "severity": "info", + "title": "Time service source", + "detail": "Current Windows Time service source.", + "evidence": "Source=UC2-SERVER.ucryo.local" + }, + { + "id": "health.battery.present", + "category": "health", + "severity": "info", + "title": "Battery present", + "detail": "Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.)", + "evidence": "EstimatedChargeRemaining=99%; BatteryStatus=2" + }, + { + "id": "health.backup.none", + "category": "health", + "severity": "info", + "title": "No backup agent detected", + "detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.", + "evidence": "No matching backup service in Win32_Service" + } + ] +} diff --git a/clients/ucryo/onboarding-baselines/LILO-20260603T005456.md b/clients/ucryo/onboarding-baselines/LILO-20260603T005456.md new file mode 100644 index 0000000..67b0dcf --- /dev/null +++ b/clients/ucryo/onboarding-baselines/LILO-20260603T005456.md 
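Review bot: The `health.reboot_uptime.long_uptime` finding's evidence `LastBootUpTime=2026-03-12 10:25:21Z` contradicts `"last_boot_utc": "2026-03-12T17:25:21Z"` in the same snapshot; the seven-hour gap suggests the finding formats the local boot time and then appends a literal `Z`, so the value is mislabelled as UTC and will not match the fact it is meant to support. Because this file is kept as an immutable baseline and diffed against later runs, the collector (outside this hunk) should derive both strings from one UTC value, e.g. emit `LastBootUpTime=2026-03-12T17:25:21Z` here. The `?` in `Dassault Syst?mes SolidWorks Corp` and `Splashtop? Remote Service` shows non-ASCII characters were lost before JSON encoding, which will produce spurious baseline diffs if a later run preserves them. Separately, `battery.estimated_charge_remaining` and `battery.status` are strings (`"99"`, `"2"`) while every other numeric fact is a JSON number; one type per field keeps the diff tooling simple.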
@@ -0,0 +1,278 @@ +# Onboarding Diagnostic Baseline - LILO + +- **Grade:** RED +- **Host:** LILO +- **Client:** Universal Cryogenics (`ucryo`) +- **Collected (UTC):** 2026-06-03T00:52:27Z +- **Agent ID:** 5d0bdfc0-cb58-496f-b9bd-d585eb643d85 +- **Command ID:** c3002dde-bb3b-4ce5-b54c-e8ea4714a071 +- **Findings:** 2 critical / 5 warning / 16 info / 0 unknown + +- **OS:** Microsoft Windows 10 Pro (build 19045) + +--- + +## CRITICAL (2) + +### OS volume is NOT encrypted with BitLocker +- **Category:** security +- **ID:** `sec.bitlocker.unencrypted` +- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. Enable BitLocker and escrow the recovery key. + +``` +Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors= +``` + +### OS build is end-of-life: Win10 22H2 +- **Category:** security +- **ID:** `sec.patch.os_eol` +- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade. + +``` +Microsoft Windows 10 Pro build 19045; EOL 2025-10-14 +``` + + +## WARNING (5) + +### 1 pending Windows updates +- **Category:** security +- **ID:** `sec.patch.pending` +- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window. + +``` +Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1 +``` + +### RDP is enabled +- **Category:** security +- **ID:** `sec.exposure.rdp_on` +- Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet. + +``` +fDenyTSConnections=0; UserAuthentication=1 +``` + +### Reboot pending +- **Category:** health +- **ID:** `health.reboot_uptime.pending` +- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. 
Schedule a restart. + +``` +PendingFileRenameOperations +``` + +### Uptime is 82.3 days +- **Category:** health +- **ID:** `health.reboot_uptime.long_uptime` +- Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance. + +``` +LastBootUpTime=2026-03-12 10:25:21Z +``` + +### 3 auto-start service(s) not running +- **Category:** health +- **ID:** `health.failed_services.stopped` +- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running. + +``` +gpsvc (Group Policy Client) = Stopped +Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped +LPlatSvc (Lenovo Platform Service) = Stopped +``` + + +## INFO (16) + +### Defender active and current +- **Category:** security +- **ID:** `sec.defender.ok` +- Real-time protection on, service running, signatures current. + +``` +RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True +``` + +### Defender is the only registered AV +- **Category:** security +- **ID:** `sec.av_products.defender_only` +- Only Microsoft/Windows Defender is registered in Security Center. + +``` +Windows Defender +``` + +### No competitor/leftover management agents detected +- **Category:** security +- **ID:** `sec.foreign_agents.none` +- No known competitor RMM or unmanaged remote-access agents found in installed programs or services. + +``` +Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service +``` + +### Expected ACG management tooling present: ScreenConnect / ConnectWise Control +- **Category:** security +- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. 
+ +``` +program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579 +service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running +``` + +### Expected ACG management tooling present: Splashtop (SOS/Streamer) +- **Category:** security +- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Splashtop Streamer 3.8.2.0 +service: SplashtopRemoteService (Splashtop? Remote Service) Running +``` + +### Expected ACG management tooling present: Syncro / Kabuto +- **Category:** security +- **ID:** `sec.foreign_agents.acg.syncro_kabuto` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Syncro 1.0.201.18410 +service: Syncro (Syncro) Running +``` + +### All firewall profiles enabled +- **Category:** security +- **ID:** `sec.firewall.ok` +- Domain, Private, and Public firewall profiles are all enabled. + +``` +Private=True; Domain=True; Public=True +``` + +### Local administrators (5) +- **Category:** security +- **ID:** `sec.local_admins.list` +- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider). + +``` +LILO\Administrator +LILO\localadmin +LILO\me +LILO\paul +UCRYO\Domain Admins +``` + +### Last hotfix: KB5072653 +- **Category:** security +- **ID:** `sec.patch.last_hotfix` +- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata). + +``` +KB5072653 installed 2025-11-18T07:00:00Z +``` + +### SMBv1 disabled +- **Category:** security +- **ID:** `sec.exposure.smb1_off` +- SMBv1 server protocol is disabled. 
+ +``` +EnableSMB1Protocol=False +``` + +### LAPS detected +- **Category:** security +- **ID:** `sec.exposure.laps_present` +- A LAPS mechanism is present. + +``` +Windows LAPS reg key +``` + +### No stability events in the last 14 days +- **Category:** health +- **ID:** `health.stability.clean` +- No unexpected shutdowns, BSODs, or disk errors logged. + +``` +Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0 +``` + +### Domain secure channel healthy +- **Category:** health +- **ID:** `health.domain.secure_channel_ok` +- Machine trust relationship with the domain is intact. + +``` +Domain=ucryo.local +``` + +### Time service source +- **Category:** health +- **ID:** `health.time.source` +- Current Windows Time service source. + +``` +Source=UC2-SERVER.ucryo.local +``` + +### Battery present +- **Category:** health +- **ID:** `health.battery.present` +- Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.) + +``` +EstimatedChargeRemaining=99%; BatteryStatus=2 +``` + +### No backup agent detected +- **Category:** health +- **ID:** `health.backup.none` +- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it. 
+ +``` +No matching backup service in Win32_Service +``` + + +--- + +## Inventory Baseline Summary + +- **Manufacturer / Model:** LENOVO / 20EQS12M00 +- **Serial:** PC0G9X3B +- **CPU:** Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz (4 cores / 8 logical) +- **RAM (GB):** 31.8 +- **BIOS:** N1EETA2W (1.75 ) (2024-03-18) +- **Chassis is laptop:** true +- **TPM present / Secure Boot:** true / true +- **Domain joined:** true (ucryo.local) +- **OS activation licensed:** true +- **Uptime (days):** 82.3 +- **Pending reboot:** true +- **Installed software count:** 105 +- **Scheduled tasks (non-MS, enabled):** 21 +- **Local administrators:** LILO\Administrator, LILO\localadmin, LILO\me, LILO\paul, UCRYO\Domain Admins + +### Fixed volumes + +- [unlabeled] - 0.1 GB free of 0.6 GB (13.8%) +- [Recovery] - 0.5 GB free of 0.5 GB (97.4%) +- [unlabeled] - 0.1 GB free of 0.1 GB (72%) +- C: - 679.3 GB free of 930.3 GB (73%) + +### Network adapters + +- Intel(R) Dual Band Wireless-AC 8260 - IP: 172.29.0.129, fe80::a46c:9046:12ba:7f13 - DNS: 172.29.0.5, 8.8.8.8 - DHCP: true + +--- + +## Diff vs Prior Baseline + +- No prior baseline found for this host. This is the first baseline. + +--- + +_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `LILO-20260603T005456.json` (immutable)._ diff --git a/clients/ucryo/onboarding-baselines/UC2-SERVER-20260603T004304.json b/clients/ucryo/onboarding-baselines/UC2-SERVER-20260603T004304.json new file mode 100644 index 0000000..c256660 --- /dev/null +++ b/clients/ucryo/onboarding-baselines/UC2-SERVER-20260603T004304.json 
@@ -0,0 +1,577 @@ +{ + "host": "UC2-SERVER", + "collected_at_utc": "2026-06-03T00:41:48Z", + "os": { + "caption": "Microsoft Windows Server 2012 R2 Essentials", + "version": "6.3.9600", + "build": "9600", + "install_date": "2016-05-27T08:40:20Z", + "last_boot_utc": "2026-04-27T12:16:28Z", + "architecture": "64-bit" + }, + "facts": { + "builtin_admin_enabled": null, + "defender": { + "available": false + }, + "pending_updates": 0, + "pending_reboot": true, + "uptime_days": 36.5, + "acg_managed_tools": [ + "ScreenConnect / ConnectWise Control", + "Splashtop (SOS/Streamer)", + "Syncro / Kabuto" + ], + "hardware": { + "model": "Virtual Machine", + "manufacturer": "Microsoft Corporation", + "bios_date": "2012-05-23", + "cpu_logical": 6, + "bios_version": "090006 ", + "cpu_cores": 6, + "ram_gb": 18, + "serial": "4644-9206-3161-7423-6607-4293-62", + "cpu": "Intel(R) Xeon(R) CPU E5450 @ 3.00GHz" + }, + "local_administrators": [ + "Accounting", + "Administrator", + "arthur", + "Domain Admins", + "Enterprise Admins", + "greg", + "kirby", + "localadmin", + "paul", + "richard", + "VPND", + "William" + ], + "os_build": "9600", + "secure_boot": null, + "backup_agents": null, + "autoruns_run_keys": [], + "physical_disks": [ + { + "health": "Healthy", + "model": "PhysicalDisk0", + "media_type": "UnSpecified" + }, + { + "health": "Healthy", + "model": "PhysicalDisk1", + "media_type": "UnSpecified" + } + ], + "scheduled_tasks_count": 8, + "volumes": [ + { + "drive": "\u0000:", + "size_gb": 0.3, + "free_pct": 20.6, + "free_gb": 0.1 + }, + { + "drive": "E:", + "size_gb": 931.5, + "free_pct": 39, + "free_gb": 363.3 + }, + { + "drive": "C:", + "size_gb": 499.7, + "free_pct": 74.8, + "free_gb": 374 + } + ], + "network_adapters": [ + { + "dhcp": false, + "description": "Microsoft Hyper-V Network Adapter", + "gateway": [ + "172.29.0.1" + ], + "mac": "00:15:5D:00:04:01", + "ip": [ + "172.29.0.5", + "fe80::ed92:3fe4:fb92:fef6" + ], + "dns": [ + "172.29.0.5", + "8.8.8.8" + ] + } + ], + 
"failed_autostart_services": [ + { + "name": "CertSvc", + "display": "Active Directory Certificate Services", + "state": "Stopped" + }, + { + "name": "IISADMIN", + "display": "IIS Admin Service", + "state": "Stopped" + }, + { + "name": "ShellHWDetection", + "display": "Shell Hardware Detection", + "state": "Stopped" + } + ], + "stability_14d": { + "unexpected_shutdowns": 0, + "disk_errors": 0, + "bugchecks": 0 + }, + "exposure": { + "smb1_enabled": true, + "laps_present": false, + "rdp_enabled": true, + "uac_enabled": true, + "rdp_nla": true + }, + "accounts_password_never_expires": [], + "installed_software": [ + { + "publisher": "Adobe Systems Incorporated", + "name": "Adobe Flash Player 11 ActiveX", + "version": "11.3.300.268" + }, + { + "publisher": "Piriform", + "name": "Defraggler", + "version": "2.22" + }, + { + "publisher": "Google LLC", + "name": "Google Chrome", + "version": "109.0.5414.168" + }, + { + "publisher": "Google Inc.", + "name": "Google Update Helper", + "version": "1.3.25.5" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Silverlight", + "version": "5.1.50918.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable", + "version": "8.0.61001" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17", + "version": "9.0.30729" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161", + "version": "9.0.30729.6161" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030", + "version": "11.0.61030.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030", + "version": 
"11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24212", + "version": "14.0.24212.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015 x86 Additional Runtime - 14.0.24212", + "version": "14.0.24212" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015 x86 Minimum Runtime - 14.0.24212", + "version": "14.0.24212" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35112", + "version": "14.44.35112.1" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35112", + "version": "14.44.35112" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.44.35112", + "version": "14.44.35112" + }, + { + "publisher": "Arizona 
Computer Guru", + "name": "Online Backup 8.6", + "version": "8.6" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks", + "version": "24.0.4003.2403" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks", + "version": "30.0.4006.3000" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks Runtime Redistributable", + "version": "1.00.0000" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks Server 2014", + "version": "24.0.4003.2403" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks Server 2020", + "version": "30.0.4006.3000" + }, + { + "publisher": "ScreenConnect Software", + "name": "ScreenConnect Client (1912bf3444b41a08)", + "version": "26.1.24.9579" + }, + { + "publisher": "Dassault Systemes SolidWorks Corp", + "name": "SOLIDWORKS SolidNetWork License Manager", + "version": "27.30.0052" + }, + { + "publisher": "Splashtop Inc.", + "name": "Splashtop Streamer", + "version": "3.5.8.0" + }, + { + "publisher": "Servably, Inc.", + "name": "Syncro", + "version": "1.0.0.0" + }, + { + "publisher": "Servably, Inc.", + "name": "Syncro", + "version": "1.0.201.18410" + }, + { + "publisher": "Helios", + "name": "TextPad 8", + "version": "8.0.2" + }, + { + "publisher": "win.rar GmbH", + "name": "WinRAR 7.22 (64-bit)", + "version": "7.22.0" + }, + { + "publisher": "Antibody Software", + "name": "WizTree v4.31", + "version": "4.31" + }, + { + "publisher": "Fresh Software", + "name": "X-NetStat Pro 5.63", + "version": "5.63" + } + ], + "tpm": { + "enabled": false, + "ready": false, + "present": false + }, + "local_groups": [], + "battery": { + "present": false + }, + "activation": { + "edition": "Microsoft Windows Server 2012 R2 Essentials", + "description": "Windows(R) Operating System, OEM_COA_NSLP channel", + "licensed": true, + "license_status_code": 1 + }, + "time_source": "VM IC Time Synchronization Provider", + "chassis_types": [ + 3 + ], + "last_hotfix": { + "hotfix_id": "KB5031003", + "installed_on": "2026-06-02T07:00:00Z" + }, 
+ "scheduled_tasks": [ + { + "path": "\\", + "name": "Adobe Flash Player Updater", + "state": "Ready" + }, + { + "path": "\\", + "name": "GoogleUpdateTaskMachineCore", + "state": "Ready" + }, + { + "path": "\\", + "name": "GoogleUpdateTaskMachineUA", + "state": "Ready" + }, + { + "path": "\\", + "name": "Optimize Start Menu Cache Files-S-1-5-21-1051390473-2587535097-844096240-1108", + "state": "Ready" + }, + { + "path": "\\", + "name": "Optimize Start Menu Cache Files-S-1-5-21-1051390473-2587535097-844096240-1117", + "state": "Ready" + }, + { + "path": "\\", + "name": "Optimize Start Menu Cache Files-S-1-5-21-1051390473-2587535097-844096240-500", + "state": "Ready" + }, + { + "path": "\\", + "name": "ShadowCopyVolume{a863bf0a-2533-11e6-80bd-806e6f6e6963}", + "state": "Ready" + }, + { + "path": "\\", + "name": "ShadowCopyVolume{bc8958b8-23e3-11e6-80b4-806e6f6e6963}", + "state": "Ready" + } + ], + "antivirus_products": [], + "domain_joined": true, + "local_users": [], + "bitlocker": { + "available": false, + "os_volume": "C:" + }, + "is_laptop": false, + "installed_software_count": 39, + "secure_channel_ok": null, + "firewall_profiles": { + "Private": true, + "Domain": true, + "Public": true + }, + "domain": "ucryo.local", + "foreign_agents": null + }, + "findings": [ + { + "id": "sec.defender.unavailable", + "category": "security", + "severity": "warning", + "title": "Defender status unavailable", + "detail": "Get-MpComputerStatus returned nothing. Defender may be disabled, replaced by a 3rd-party AV, or the cmdlet is unavailable. Confirm an active AV exists (see security-center check).", + "evidence": "Get-MpComputerStatus returned null" + }, + { + "id": "sec.av_products.none_registered", + "category": "security", + "severity": "info", + "title": "No AV products registered in Security Center", + "detail": "SecurityCenter2 returned no AntiVirusProduct entries. This is normal on Windows Server SKUs (Security Center is a client feature). 
On a workstation, confirm Defender or a managed AV is active.", + "evidence": "root\\SecurityCenter2 AntiVirusProduct: none" + }, + { + "id": "sec.foreign_agents.none", + "category": "security", + "severity": "info", + "title": "No competitor/leftover management agents detected", + "detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.", + "evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service" + }, + { + "id": "sec.foreign_agents.acg.screenconnect_connectwise_control", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running" + }, + { + "id": "sec.foreign_agents.acg.splashtop_sos_streamer_", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Splashtop Streamer 3.5.8.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running" + }, + { + "id": "sec.foreign_agents.acg.syncro_kabuto", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Syncro / Kabuto", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. 
Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Syncro 1.0.201.18410\nprogram: Syncro 1.0.0.0\nservice: Syncro (Syncro) Running" + }, + { + "id": "sec.firewall.ok", + "category": "security", + "severity": "info", + "title": "All firewall profiles enabled", + "detail": "Domain, Private, and Public firewall profiles are all enabled.", + "evidence": "Private=True; Domain=True; Public=True" + }, + { + "id": "sec.bitlocker.unavailable", + "category": "security", + "severity": "unknown", + "title": "BitLocker status unavailable", + "detail": "Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).", + "evidence": "MountPoint=C:, Get-BitLockerVolume returned null" + }, + { + "id": "sec.local_admins.list", + "category": "security", + "severity": "info", + "title": "Local administrators (12)", + "detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).", + "evidence": "Accounting\nAdministrator\narthur\nDomain Admins\nEnterprise Admins\ngreg\nkirby\nlocaladmin\npaul\nrichard\nVPND\nWilliam" + }, + { + "id": "sec.patch.os_build_unknown", + "category": "security", + "severity": "unknown", + "title": "OS build not in EOL map: 9600", + "detail": "The build number is not in the local EOL reference map. Verify support status manually. 
This may be a Server SKU or a build newer than the map.", + "evidence": "Microsoft Windows Server 2012 R2 Essentials build 9600" + }, + { + "id": "sec.patch.last_hotfix", + "category": "security", + "severity": "info", + "title": "Last hotfix: KB5031003", + "detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).", + "evidence": "KB5031003 installed 2026-06-02T07:00:00Z" + }, + { + "id": "sec.exposure.rdp_on", + "category": "security", + "severity": "warning", + "title": "RDP is enabled", + "detail": "Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.", + "evidence": "fDenyTSConnections=0; UserAuthentication=1" + }, + { + "id": "sec.exposure.smb1", + "category": "security", + "severity": "critical", + "title": "SMBv1 is ENABLED", + "detail": "SMBv1 is an obsolete, insecure protocol (WannaCry/EternalBlue vector). Disable it: Set-SmbServerConfiguration -EnableSMB1Protocol $false and remove the SMB1 feature.", + "evidence": "Get-SmbServerConfiguration EnableSMB1Protocol=True" + }, + { + "id": "sec.exposure.no_laps", + "category": "security", + "severity": "info", + "title": "LAPS not detected", + "detail": "No LAPS (Windows LAPS or legacy AdmPwd) detected. Without LAPS, the local admin password is likely static/shared across the fleet. 
Consider deploying LAPS to randomize and escrow local admin passwords.", + "evidence": "No LAPS registry keys, CSE, or service found" + }, + { + "id": "health.stability.clean", + "category": "health", + "severity": "info", + "title": "No stability events in the last 14 days", + "detail": "No unexpected shutdowns, BSODs, or disk errors logged.", + "evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0" + }, + { + "id": "health.reboot_uptime.pending", + "category": "health", + "severity": "warning", + "title": "Reboot pending", + "detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.", + "evidence": "CBS RebootPending; WU RebootRequired; PendingFileRenameOperations" + }, + { + "id": "health.reboot_uptime.long_uptime", + "category": "health", + "severity": "warning", + "title": "Uptime is 36.5 days", + "detail": "Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.", + "evidence": "LastBootUpTime=2026-04-27 05:16:28Z" + }, + { + "id": "health.failed_services.stopped", + "category": "health", + "severity": "warning", + "title": "3 auto-start service(s) not running", + "detail": "These services are set to start automatically but are not running. 
Some may be benign; review for security agents, backup agents, or AV that should be running.", + "evidence": "CertSvc (Active Directory Certificate Services) = Stopped\nIISADMIN (IIS Admin Service) = Stopped\nShellHWDetection (Shell Hardware Detection) = Stopped" + }, + { + "id": "health.time.source", + "category": "health", + "severity": "info", + "title": "Time service source", + "detail": "Current Windows Time service source.", + "evidence": "Source=VM IC Time Synchronization Provider" + }, + { + "id": "health.backup.none", + "category": "health", + "severity": "info", + "title": "No backup agent detected", + "detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.", + "evidence": "No matching backup service in Win32_Service" + } + ] +} diff --git a/clients/ucryo/onboarding-baselines/UC2-SERVER-20260603T004304.md b/clients/ucryo/onboarding-baselines/UC2-SERVER-20260603T004304.md new file mode 100644 index 0000000..07d92f3 Binary files /dev/null and b/clients/ucryo/onboarding-baselines/UC2-SERVER-20260603T004304.md differ diff --git a/clients/ucryo/onboarding-baselines/WIN-709JUVCJ2DQ-20260603T004420.json b/clients/ucryo/onboarding-baselines/WIN-709JUVCJ2DQ-20260603T004420.json new file mode 100644 index 0000000..5e16dc0 --- /dev/null +++ b/clients/ucryo/onboarding-baselines/WIN-709JUVCJ2DQ-20260603T004420.json 
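Review bot: The `volumes` array in this snapshot contains `"drive": "\u0000:"`, which suggests the collector is emitting an empty or null DriveLetter as a NUL control character instead of leaving the field out; any consumer that keys on drive letters, including a diff-vs-prior-baseline comparison, will treat this as a real volume, and the same value appears in the WIN-709JUVCJ2DQ snapshot's `volumes`. The collector should write `"drive": null` (or omit the key) for unlettered volumes so the snapshot stays I-JSON-clean and self-describing. Separately, `sec.patch.os_build_unknown` leaves build 9600 (Server 2012 R2, which left extended support in October 2023) at severity `unknown` alongside a `critical` SMBv1 finding, so adding Server SKUs to the EOL reference map would surface this as a finding rather than a manual-verify item. Note also that these baselines commit host serials, internal IP addresses, domain SIDs embedded in scheduled-task names and local-administrator account names, so the repository holding them needs to be access-restricted accordingly.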
@@ -0,0 +1,681 @@ +{ + "host": "WIN-709JUVCJ2DQ", + "collected_at_utc": "2026-06-03T00:43:19Z", + "os": { + "caption": "Microsoft Windows Server 2012 R2 Essentials", + "version": "6.3.9600", + "build": "9600", + "install_date": "2016-05-20T01:24:32Z", + "last_boot_utc": "2026-04-27T12:14:06Z", + "architecture": "64-bit" + }, + "facts": { + "builtin_admin_enabled": null, + "defender": { + "available": false + }, + "pending_updates": 0, + "pending_reboot": false, + "uptime_days": 36.5, + "acg_managed_tools": [ + "ScreenConnect / ConnectWise Control", + "Splashtop (SOS/Streamer)", + "Syncro / Kabuto" + ], + "hardware": { + "model": "PowerEdge 2950", + "manufacturer": "Dell Inc.", + "bios_date": "2008-04-29", + "cpu_logical": 4, + "bios_version": "2.3.1", + "cpu_cores": 4, + "ram_gb": 32, + "serial": "762F0G1", + "cpu": "Intel(R) Xeon(R) CPU E5450 @ 3.00GHz" + }, + "os_build": "9600", + "secure_boot": null, + "backup_agents": [ + { + "label": "Veeam", + "service": "VeeamBackupSvc", + "state": "Stopped" + }, + { + "label": "Veeam", + "service": "VeeamCatalogSvc", + "state": "Stopped" + }, + { + "label": "Veeam", + "service": "VeeamCloudSvc", + "state": "Stopped" + }, + { + "label": "Veeam", + "service": "VeeamDeploySvc", + "state": "Running" + }, + { + "label": "Veeam", + "service": "VeeamHvIntegrationSvc", + "state": "Running" + }, + { + "label": "Veeam", + "service": "VeeamMountSvc", + "state": "Stopped" + }, + { + "label": "Veeam", + "service": "VeeamNFSSvc", + "state": "Running" + }, + { + "label": "Veeam", + "service": "VeeamTransportSvc", + "state": "Running" + } + ], + "autoruns_run_keys": [ + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "VirtualCloneDrive", + "value": "\"C:\\Program Files (x86)\\Elaborate Bytes\\VirtualCloneDrive\\VCDDaemon.exe\" /s" + } + ], + "physical_disks": [ + { + "health": "Healthy", + "model": "PhysicalDisk0", + "media_type": "UnSpecified" + }, + { + "health": "Healthy", + "model": 
"PhysicalDisk1", + "media_type": "UnSpecified" + }, + { + "health": "Healthy", + "model": "PhysicalDisk2", + "media_type": "UnSpecified" + } + ], + "scheduled_tasks_count": 6, + "volumes": [ + { + "drive": "\u0000:", + "size_gb": 0.3, + "free_pct": 20.6, + "free_gb": 0.1 + }, + { + "drive": "F:", + "size_gb": 1395.7, + "free_pct": 33.3, + "free_gb": 464.8 + }, + { + "drive": "M:", + "size_gb": 4657.5, + "free_pct": 94.8, + "free_gb": 4417.1 + }, + { + "drive": "C:", + "size_gb": 878.6, + "free_pct": 95.4, + "free_gb": 837.8 + }, + { + "drive": "E:", + "size_gb": 983.6, + "free_pct": 4.1, + "free_gb": 40.4 + } + ], + "network_adapters": [ + { + "dhcp": false, + "description": "Hyper-V Virtual Ethernet Adapter #2", + "gateway": [ + "172.29.0.1" + ], + "mac": "00:1E:C9:3E:75:52", + "ip": [ + "172.29.0.4", + "fe80::a8c1:e232:97d6:976" + ], + "dns": [ + "8.8.8.8", + "4.4.8.8" + ] + } + ], + "failed_autostart_services": [ + { + "name": "VeeamBackupSvc", + "display": "Veeam Backup Service", + "state": "Stopped" + }, + { + "name": "VeeamCatalogSvc", + "display": "Veeam Guest Catalog Service", + "state": "Stopped" + }, + { + "name": "VeeamCloudSvc", + "display": "Veeam Cloud Connect Service", + "state": "Stopped" + }, + { + "name": "VeeamMountSvc", + "display": "Veeam Mount Service", + "state": "Stopped" + } + ], + "stability_14d": { + "unexpected_shutdowns": 0, + "disk_errors": 0, + "bugchecks": 0 + }, + "exposure": { + "smb1_enabled": true, + "laps_present": false, + "rdp_enabled": true, + "uac_enabled": true, + "rdp_nla": true + }, + "accounts_password_never_expires": [], + "installed_software": [ + { + "publisher": "Microsoft", + "name": "D3DX10", + "version": "15.4.2368.0902" + }, + { + "publisher": "Google Inc.", + "name": "Google Update Helper", + "version": "1.3.25.5" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Application Error Reporting", + "version": "12.0.6015.5000" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft 
Silverlight", + "version": "5.1.50918.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2008 R2 (64-bit)", + "version": "" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2008 R2 Native Client", + "version": "10.51.2500.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2008 R2 RsFx Driver", + "version": "10.51.2500.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2008 R2 Setup (English)", + "version": "10.51.2500.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2008 Setup Support Files ", + "version": "10.1.2731.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2012 Management Objects (x64)", + "version": "11.0.2100.60" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server Browser", + "version": "10.51.2500.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server VSS Writer", + "version": "10.51.2500.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Sync Framework 2.0 Core Components (x64) ENU ", + "version": "2.0.1578.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Sync Framework 2.0 Provider Services (x64) ENU ", + "version": "2.0.1578.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft System CLR Types for SQL Server 2012 (x64)", + "version": "11.0.2100.60" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Movie Maker", + "version": "16.4.3528.0331" + }, + { + "publisher": "Microsoft", + "name": "MSVCRT110", + "version": "16.4.1108.0727" + }, + { + "publisher": "Microsoft Corporation", + "name": "Photo Gallery", + "version": "16.4.3528.0331" + }, + { + "publisher": "ScreenConnect 
Software", + "name": "ScreenConnect Client (1912bf3444b41a08)", + "version": "26.1.24.9579" + }, + { + "publisher": "Microsoft Corporation", + "name": "Service Pack 1 for SQL Server 2008 R2 (KB2528583) (64-bit)", + "version": "10.51.2500.0" + }, + { + "publisher": "Splashtop Inc.", + "name": "Splashtop Software Updater", + "version": "1.5.6.19" + }, + { + "publisher": "Splashtop Inc.", + "name": "Splashtop Streamer", + "version": "3.5.0.2" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2008 R2 SP1 Common Files", + "version": "10.51.2500.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2008 R2 SP1 Database Engine Services", + "version": "10.51.2500.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2008 R2 SP1 Database Engine Shared", + "version": "10.51.2500.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Sql Server Customer Experience Improvement Program", + "version": "10.50.1600.1" + }, + { + "publisher": "Servably, Inc.", + "name": "Syncro", + "version": "1.0.201.18410" + }, + { + "publisher": "Microsoft", + "name": "SyncToy 2.1 (x64)", + "version": "2.1.0" + }, + { + "publisher": "Helios", + "name": "TextPad 8", + "version": "8.0.2" + }, + { + "publisher": "Veeam Software AG", + "name": "Veeam Backup & Replication", + "version": "9.0.0.902" + }, + { + "publisher": "Veeam Software AG", + "name": "Veeam Backup & Replication Console", + "version": "9.0.0.902" + }, + { + "publisher": "Veeam Software AG", + "name": "Veeam Backup & Replication Server", + "version": "9.0.0.902" + }, + { + "publisher": "Veeam Software AG", + "name": "Veeam Backup Catalog", + "version": "9.0.0.902" + }, + { + "publisher": "Veeam Software AG", + "name": "Veeam Backup Transport", + "version": "9.0.0.902" + }, + { + "publisher": "Veeam Software AG", + "name": "Veeam Backup vPowerNFS", + "version": "9.0.0.902" + }, + { + "publisher": "Veeam Software AG", + "name": "Veeam Explorer for Microsoft Active 
Directory", + "version": "9.0.0.1307" + }, + { + "publisher": "Veeam Software AG", + "name": "Veeam Explorer for Microsoft Exchange", + "version": "9.0.0.1307" + }, + { + "publisher": "Veeam Software AG", + "name": "Veeam Explorer for Microsoft SharePoint", + "version": "9.0.0.1307" + }, + { + "publisher": "Veeam Software AG", + "name": "Veeam Explorer for Microsoft SQL Server", + "version": "9.0.0.1307" + }, + { + "publisher": "Veeam Software AG", + "name": "Veeam Explorer for Oracle", + "version": "9.0.0.1307" + }, + { + "publisher": "Veeam Software AG", + "name": "Veeam Hyper-V Integration", + "version": "9.0.0.902" + }, + { + "publisher": "videowinsoft.com", + "name": "Video Win Movie Maker 2016", + "version": "" + }, + { + "publisher": "Elaborate Bytes", + "name": "VirtualCloneDrive", + "version": "5.5.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Windows Live Installer", + "version": "16.4.3528.0331" + }, + { + "publisher": "Microsoft Corporation", + "name": "Windows Live Photo Common", + "version": "16.4.3528.0331" + }, + { + "publisher": "Microsoft Corporation", + "name": "Windows Live SOXE", + "version": "16.4.3528.0331" + }, + { + "publisher": "Microsoft Corporation", + "name": "Windows Live UX Platform", + "version": "16.4.3528.0331" + } + ], + "tpm": { + "enabled": false, + "ready": false, + "present": false + }, + "local_groups": [], + "battery": { + "present": false + }, + "activation": { + "edition": "Microsoft Windows Server 2012 R2 Essentials", + "description": "Windows(R) Operating System, OEM_COA_NSLP channel", + "licensed": true, + "license_status_code": 1 + }, + "time_source": "The following error occurred: The service has not been started. 
(0x80070426)", + "chassis_types": [ + 23 + ], + "last_hotfix": { + "hotfix_id": "KB5031003", + "installed_on": "2023-10-12T07:00:00Z" + }, + "scheduled_tasks": [ + { + "path": "\\", + "name": "GoogleUpdateTaskMachineCore", + "state": "Ready" + }, + { + "path": "\\", + "name": "GoogleUpdateTaskMachineUA", + "state": "Ready" + }, + { + "path": "\\", + "name": "Optimize Start Menu Cache Files-S-1-5-21-3747875994-3968202050-1352405024-1007", + "state": "Ready" + }, + { + "path": "\\", + "name": "Optimize Start Menu Cache Files-S-1-5-21-3747875994-3968202050-1352405024-1008", + "state": "Ready" + }, + { + "path": "\\", + "name": "Optimize Start Menu Cache Files-S-1-5-21-3747875994-3968202050-1352405024-500", + "state": "Ready" + }, + { + "path": "\\", + "name": "VeeamZIP Monday", + "state": "Ready" + } + ], + "antivirus_products": [], + "domain_joined": false, + "local_users": [], + "bitlocker": { + "available": false, + "os_volume": "C:" + }, + "is_laptop": false, + "installed_software_count": 48, + "local_administrators": [ + "Administrator", + "Guru", + "Jacobs", + "localadmin", + "paul" + ], + "firewall_profiles": { + "Private": true, + "Domain": true, + "Public": true + }, + "domain": "WORKGROUP", + "foreign_agents": null + }, + "findings": [ + { + "id": "sec.defender.unavailable", + "category": "security", + "severity": "warning", + "title": "Defender status unavailable", + "detail": "Get-MpComputerStatus returned nothing. Defender may be disabled, replaced by a 3rd-party AV, or the cmdlet is unavailable. Confirm an active AV exists (see security-center check).", + "evidence": "Get-MpComputerStatus returned null" + }, + { + "id": "sec.av_products.none_registered", + "category": "security", + "severity": "info", + "title": "No AV products registered in Security Center", + "detail": "SecurityCenter2 returned no AntiVirusProduct entries. This is normal on Windows Server SKUs (Security Center is a client feature). 
On a workstation, confirm Defender or a managed AV is active.", + "evidence": "root\\SecurityCenter2 AntiVirusProduct: none" + }, + { + "id": "sec.foreign_agents.none", + "category": "security", + "severity": "info", + "title": "No competitor/leftover management agents detected", + "detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.", + "evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service" + }, + { + "id": "sec.foreign_agents.acg.screenconnect_connectwise_control", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running" + }, + { + "id": "sec.foreign_agents.acg.splashtop_sos_streamer_", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Splashtop Software Updater 1.5.6.19\nprogram: Splashtop Streamer 3.5.0.2\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running\nservice: SSUService (Splashtop Software Updater Service) Running" + }, + { + "id": "sec.foreign_agents.acg.syncro_kabuto", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Syncro / Kabuto", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. 
Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running" + }, + { + "id": "sec.firewall.ok", + "category": "security", + "severity": "info", + "title": "All firewall profiles enabled", + "detail": "Domain, Private, and Public firewall profiles are all enabled.", + "evidence": "Private=True; Domain=True; Public=True" + }, + { + "id": "sec.bitlocker.unavailable", + "category": "security", + "severity": "unknown", + "title": "BitLocker status unavailable", + "detail": "Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).", + "evidence": "MountPoint=C:, Get-BitLockerVolume returned null" + }, + { + "id": "sec.local_admins.list", + "category": "security", + "severity": "info", + "title": "Local administrators (5)", + "detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).", + "evidence": "Administrator\nGuru\nJacobs\nlocaladmin\npaul" + }, + { + "id": "sec.patch.os_build_unknown", + "category": "security", + "severity": "unknown", + "title": "OS build not in EOL map: 9600", + "detail": "The build number is not in the local EOL reference map. Verify support status manually. This may be a Server SKU or a build newer than the map.", + "evidence": "Microsoft Windows Server 2012 R2 Essentials build 9600" + }, + { + "id": "sec.patch.last_hotfix", + "category": "security", + "severity": "info", + "title": "Last hotfix: KB5031003", + "detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).", + "evidence": "KB5031003 installed 2023-10-12T07:00:00Z" + }, + { + "id": "sec.exposure.rdp_on", + "category": "security", + "severity": "warning", + "title": "RDP is enabled", + "detail": "Remote Desktop is enabled (NLA required). 
Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.", + "evidence": "fDenyTSConnections=0; UserAuthentication=1" + }, + { + "id": "sec.exposure.smb1", + "category": "security", + "severity": "critical", + "title": "SMBv1 is ENABLED", + "detail": "SMBv1 is an obsolete, insecure protocol (WannaCry/EternalBlue vector). Disable it: Set-SmbServerConfiguration -EnableSMB1Protocol $false and remove the SMB1 feature.", + "evidence": "Get-SmbServerConfiguration EnableSMB1Protocol=True" + }, + { + "id": "sec.exposure.no_laps", + "category": "security", + "severity": "info", + "title": "LAPS not detected", + "detail": "No LAPS (Windows LAPS or legacy AdmPwd) detected. Without LAPS, the local admin password is likely static/shared across the fleet. Consider deploying LAPS to randomize and escrow local admin passwords.", + "evidence": "No LAPS registry keys, CSE, or service found" + }, + { + "id": "health.disk_space.E", + "category": "health", + "severity": "critical", + "title": "Disk critically low: E: at 4.1% free", + "detail": "Less than 8 percent free. Risk of failed updates, crashes, and corruption. Free space or expand the volume urgently.", + "evidence": "E: free 40.4 GB of 983.6 GB (4.1%)" + }, + { + "id": "health.stability.clean", + "category": "health", + "severity": "info", + "title": "No stability events in the last 14 days", + "detail": "No unexpected shutdowns, BSODs, or disk errors logged.", + "evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0" + }, + { + "id": "health.reboot_uptime.long_uptime", + "category": "health", + "severity": "warning", + "title": "Uptime is 36.5 days", + "detail": "Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). 
Schedule maintenance.", + "evidence": "LastBootUpTime=2026-04-27 05:14:06Z" + }, + { + "id": "health.failed_services.stopped", + "category": "health", + "severity": "warning", + "title": "4 auto-start service(s) not running", + "detail": "These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.", + "evidence": "VeeamBackupSvc (Veeam Backup Service) = Stopped\nVeeamCatalogSvc (Veeam Guest Catalog Service) = Stopped\nVeeamCloudSvc (Veeam Cloud Connect Service) = Stopped\nVeeamMountSvc (Veeam Mount Service) = Stopped" + }, + { + "id": "health.domain.workgroup", + "category": "health", + "severity": "info", + "title": "Not domain-joined (workgroup)", + "detail": "This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.", + "evidence": "PartOfDomain=False; Domain=WORKGROUP" + }, + { + "id": "health.time.source", + "category": "health", + "severity": "info", + "title": "Time service source", + "detail": "Current Windows Time service source.", + "evidence": "Source=The following error occurred: The service has not been started. (0x80070426)" + }, + { + "id": "health.backup.present", + "category": "health", + "severity": "info", + "title": "Backup agent installed and running", + "detail": "A backup agent service is present and running. Confirm the backup is actually configured and reporting successful jobs (presence != working backup).", + "evidence": "Veeam: VeeamBackupSvc = Stopped\nVeeam: VeeamCatalogSvc = Stopped\nVeeam: VeeamCloudSvc = Stopped\nVeeam: VeeamDeploySvc = Running\nVeeam: VeeamHvIntegrationSvc = Running\nVeeam: VeeamMountSvc = Stopped\nVeeam: VeeamNFSSvc = Running\nVeeam: VeeamTransportSvc = Running" + } + ] +} diff --git a/clients/ucryo/onboarding-baselines/WIN-709JUVCJ2DQ-20260603T004420.md b/clients/ucryo/onboarding-baselines/WIN-709JUVCJ2DQ-20260603T004420.md new file mode 100644 index 0000000..58f2a97 
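Review bot: The `volumes` entry `"drive": "\u0000:"` (0.3 GB, 20.6% free) puts a NUL byte where the collector found no drive letter, and the companion `WIN-709JUVCJ2DQ-20260603T004420.md` renders it as `- : - 0.1 GB free of 0.3 GB`; the collector should emit the volume GUID path or `null` for letterless volumes so downstream tooling never sees a control character in an identifier. The `health.reboot_uptime.long_uptime` evidence reads `LastBootUpTime=2026-04-27 05:14:06Z` while `os.last_boot_utc` is `2026-04-27T12:14:06Z`, so the evidence string stamps a local time with a `Z` suffix and contradicts the fact it cites. `health.backup.present` is titled "Backup agent installed and running" although its own evidence lists VeeamBackupSvc, VeeamCatalogSvc, VeeamCloudSvc and VeeamMountSvc as Stopped, so the check passes on any one running Veeam service and understates backup risk on what looks like the client's Veeam server; a title of the form "Backup agent installed; 4 of 8 services running" would match the evidence. `sec.patch.os_build_unknown` leaves build 9600 at severity unknown because the EOL map lacks server builds, yet this is Windows Server 2012 R2, past end of extended support since October 2023, with a last hotfix of 2023-10-12 and SMBv1 enabled, which is the finding a reader of this baseline most needs graded critical. The snapshot also records hardware serial, MAC, internal addresses, local administrator names and the ScreenConnect client id, which is appropriate for an immutable baseline but means the `clients/` tree should be treated as sensitive.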
--- /dev/null
+++ b/clients/ucryo/onboarding-baselines/WIN-709JUVCJ2DQ-20260603T004420.md
@@ -0,0 +1,274 @@ +# Onboarding Diagnostic Baseline - WIN-709JUVCJ2DQ + +- **Grade:** RED +- **Host:** WIN-709JUVCJ2DQ +- **Client:** Universal Cryogenics (`ucryo`) +- **Collected (UTC):** 2026-06-03T00:43:19Z +- **Agent ID:** b7311d8a-6c5e-4aa5-9abf-79212d344009 +- **Command ID:** 48bd8684-226b-448f-af5f-9d9db61dd01c +- **Findings:** 2 critical / 4 warning / 13 info / 2 unknown + +- **OS:** Microsoft Windows Server 2012 R2 Essentials (build 9600) + +--- + +## CRITICAL (2) + +### SMBv1 is ENABLED +- **Category:** security +- **ID:** `sec.exposure.smb1` +- SMBv1 is an obsolete, insecure protocol (WannaCry/EternalBlue vector). Disable it: Set-SmbServerConfiguration -EnableSMB1Protocol $false and remove the SMB1 feature. + +``` +Get-SmbServerConfiguration EnableSMB1Protocol=True +``` + +### Disk critically low: E: at 4.1% free +- **Category:** health +- **ID:** `health.disk_space.E` +- Less than 8 percent free. Risk of failed updates, crashes, and corruption. Free space or expand the volume urgently. + +``` +E: free 40.4 GB of 983.6 GB (4.1%) +``` + + +## WARNING (4) + +### Defender status unavailable +- **Category:** security +- **ID:** `sec.defender.unavailable` +- Get-MpComputerStatus returned nothing. Defender may be disabled, replaced by a 3rd-party AV, or the cmdlet is unavailable. Confirm an active AV exists (see security-center check). + +``` +Get-MpComputerStatus returned null +``` + +### RDP is enabled +- **Category:** security +- **ID:** `sec.exposure.rdp_on` +- Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet. + +``` +fDenyTSConnections=0; UserAuthentication=1 +``` + +### Uptime is 36.5 days +- **Category:** health +- **ID:** `health.reboot_uptime.long_uptime` +- Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance. 
+ +``` +LastBootUpTime=2026-04-27 05:14:06Z +``` + +### 4 auto-start service(s) not running +- **Category:** health +- **ID:** `health.failed_services.stopped` +- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running. + +``` +VeeamBackupSvc (Veeam Backup Service) = Stopped +VeeamCatalogSvc (Veeam Guest Catalog Service) = Stopped +VeeamCloudSvc (Veeam Cloud Connect Service) = Stopped +VeeamMountSvc (Veeam Mount Service) = Stopped +``` + + +## INFO (13) + +### No AV products registered in Security Center +- **Category:** security +- **ID:** `sec.av_products.none_registered` +- SecurityCenter2 returned no AntiVirusProduct entries. This is normal on Windows Server SKUs (Security Center is a client feature). On a workstation, confirm Defender or a managed AV is active. + +``` +root\SecurityCenter2 AntiVirusProduct: none +``` + +### No competitor/leftover management agents detected +- **Category:** security +- **ID:** `sec.foreign_agents.none` +- No known competitor RMM or unmanaged remote-access agents found in installed programs or services. + +``` +Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service +``` + +### Expected ACG management tooling present: ScreenConnect / ConnectWise Control +- **Category:** security +- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579 +service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running +``` + +### Expected ACG management tooling present: Splashtop (SOS/Streamer) +- **Category:** security +- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. 
Its presence is expected and not a foreign-agent risk. + +``` +program: Splashtop Software Updater 1.5.6.19 +program: Splashtop Streamer 3.5.0.2 +service: SplashtopRemoteService (Splashtop? Remote Service) Running +service: SSUService (Splashtop Software Updater Service) Running +``` + +### Expected ACG management tooling present: Syncro / Kabuto +- **Category:** security +- **ID:** `sec.foreign_agents.acg.syncro_kabuto` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Syncro 1.0.201.18410 +service: Syncro (Syncro) Running +``` + +### All firewall profiles enabled +- **Category:** security +- **ID:** `sec.firewall.ok` +- Domain, Private, and Public firewall profiles are all enabled. + +``` +Private=True; Domain=True; Public=True +``` + +### Local administrators (5) +- **Category:** security +- **ID:** `sec.local_admins.list` +- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider). + +``` +Administrator +Guru +Jacobs +localadmin +paul +``` + +### Last hotfix: KB5031003 +- **Category:** security +- **ID:** `sec.patch.last_hotfix` +- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata). + +``` +KB5031003 installed 2023-10-12T07:00:00Z +``` + +### LAPS not detected +- **Category:** security +- **ID:** `sec.exposure.no_laps` +- No LAPS (Windows LAPS or legacy AdmPwd) detected. Without LAPS, the local admin password is likely static/shared across the fleet. Consider deploying LAPS to randomize and escrow local admin passwords. + +``` +No LAPS registry keys, CSE, or service found +``` + +### No stability events in the last 14 days +- **Category:** health +- **ID:** `health.stability.clean` +- No unexpected shutdowns, BSODs, or disk errors logged. 
+ +``` +Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0 +``` + +### Not domain-joined (workgroup) +- **Category:** health +- **ID:** `health.domain.workgroup` +- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies. + +``` +PartOfDomain=False; Domain=WORKGROUP +``` + +### Time service source +- **Category:** health +- **ID:** `health.time.source` +- Current Windows Time service source. + +``` +Source=The following error occurred: The service has not been started. (0x80070426) +``` + +### Backup agent installed and running +- **Category:** health +- **ID:** `health.backup.present` +- A backup agent service is present and running. Confirm the backup is actually configured and reporting successful jobs (presence != working backup). + +``` +Veeam: VeeamBackupSvc = Stopped +Veeam: VeeamCatalogSvc = Stopped +Veeam: VeeamCloudSvc = Stopped +Veeam: VeeamDeploySvc = Running +Veeam: VeeamHvIntegrationSvc = Running +Veeam: VeeamMountSvc = Stopped +Veeam: VeeamNFSSvc = Running +Veeam: VeeamTransportSvc = Running +``` + + +## UNKNOWN (2) + +### BitLocker status unavailable +- **Category:** security +- **ID:** `sec.bitlocker.unavailable` +- Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status). + +``` +MountPoint=C:, Get-BitLockerVolume returned null +``` + +### OS build not in EOL map: 9600 +- **Category:** security +- **ID:** `sec.patch.os_build_unknown` +- The build number is not in the local EOL reference map. Verify support status manually. This may be a Server SKU or a build newer than the map. + +``` +Microsoft Windows Server 2012 R2 Essentials build 9600 +``` + + +--- + +## Inventory Baseline Summary + +- **Manufacturer / Model:** Dell Inc. 
/ PowerEdge 2950 +- **Serial:** 762F0G1 +- **CPU:** Intel(R) Xeon(R) CPU E5450 @ 3.00GHz (4 cores / 4 logical) +- **RAM (GB):** 32 +- **BIOS:** 2.3.1 (2008-04-29) +- **Chassis is laptop:** false +- **TPM present / Secure Boot:** ? / ? +- **Domain joined:** false (WORKGROUP) +- **OS activation licensed:** true +- **Uptime (days):** 36.5 +- **Pending reboot:** false +- **Installed software count:** 48 +- **Scheduled tasks (non-MS, enabled):** 6 +- **Local administrators:** Administrator, Guru, Jacobs, localadmin, paul + +### Fixed volumes + +- : - 0.1 GB free of 0.3 GB (20.6%) +- F: - 464.8 GB free of 1395.7 GB (33.3%) +- M: - 4417.1 GB free of 4657.5 GB (94.8%) +- C: - 837.8 GB free of 878.6 GB (95.4%) +- E: - 40.4 GB free of 983.6 GB (4.1%) + +### Network adapters + +- Hyper-V Virtual Ethernet Adapter #2 - IP: 172.29.0.4, fe80::a8c1:e232:97d6:976 - DNS: 8.8.8.8, 4.4.8.8 - DHCP: false + +--- + +## Diff vs Prior Baseline + +- No prior baseline found for this host. This is the first baseline. + +--- + +_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `WIN-709JUVCJ2DQ-20260603T004420.json` (immutable)._ diff --git a/clients/ucryo/session-logs/2026-06-02-session.md b/clients/ucryo/session-logs/2026-06-02-session.md new file mode 100644 index 0000000..09a9e7f --- /dev/null +++ b/clients/ucryo/session-logs/2026-06-02-session.md 
@@ -0,0 +1,107 @@ +# Universal Cryogenics (UCRYO) — Session 2026-06-02 + +## User +- **User:** Mike Swanson (mike) +- **Machine:** GURU-5070 +- **Role:** admin + +## Session Summary + +Onboarded a new client, Universal Cryogenics (shortname UCRYO), into GuruRMM with a single site "Main" (site_code LIGHT-WOLF-2305), vaulting the one-time agent enrollment key. Over the session eight Windows agents enrolled under the site: the domain controller UC2-SERVER, the Hyper-V/Veeam backup host WIN-709JUVCJ2DQ, and six workstations (DESKTOP-PMML1JC, KIRBY, gromit, hobbes, hoborg, lilo). + +Investigated reported "remnants of a previous cryptolocker infection" on UC2-SERVER. Read-only recon identified a December 2019 TrickBot infection: a hidden SYSTEM scheduled task "System Health Application" (boot + every 12 min) pointing at a launcher EXE that was already gone, plus the TrickBot module/config folder under the SYSTEM profile. The task had been failing every run with 0x80070002 (FILE_NOT_FOUND). Quarantined the module folder, deleted the task, removed the folder, and verified. Swept the second server clean. Flagged the real outstanding risk: TrickBot ran pwgrab64 (credential theft) on a domain controller in 2019, so domain credentials/KRBTGT were exposed then — confirmation of a post-incident reset is the open item. Confirmed no free Ryuk decryptor exists or is forthcoming. A reported "crypto" folder of held encrypted data could not be located on either server; the user concluded it was misremembered. + +Ran the onboarding health/security diagnostic across all eight boxes. A first parallel run had 7 of 8 agents return "interrupted" (agent restarted mid-probe under concurrent load); a gentler sequential re-run completed all eight. All graded RED (typical SMB fleet: missing BitLocker, EOL OS builds, pending patches, RDP enabled). Required a one-line change to the diagnostic runner to make the per-probe exec timeout overridable. 
+ +Filed a GuruRMM bug (#39) for the agent spawning duplicate system-tray icons (5 gururmm-tray.exe processes on GURU-5070, no single-instance guard). Diagnosed and fixed a Backblaze-bound backup failure on UC2-SERVER's MSP360 plan: the agent was failing TLS to Backblaze because the 64-bit .NET TLS keys were unset on Server 2012 R2; added the keys, restarted services, and confirmed uploads resumed. Established via a controlled comparison (Seth-PC on Win11 with identical missing keys but zero TLS errors) that the issue is legacy-OS-specific, so did not mass-apply the fix to modern boxes. Traced the mspbackups console "disagreement" to a combination of a stalled session never reporting a terminal result and an outdated agent degrading dashboard status reporting. Finally, produced SPEC-024 for a ScreenConnect auto-deploy GuruRMM module and committed it. + +## Key Decisions + +- **Client slug `ucryo`, client code `UCRYO`.** Used the user-provided shortname as the GuruRMM client `code` and lowercase as the vault slug, matching existing per-client vault conventions. +- **Read-before-write on the DC.** All TrickBot investigation was read-only; cleanup (quarantine + task delete + folder removal) was gated on explicit user confirmation given UC2-SERVER is a domain controller. +- **Quarantine-then-remove** rather than outright delete, preserving the TrickBot modules at C:\Quarantine\syshealth-trickbot-20260602-170235 for IR record. +- **Sequential diagnostic re-run** after the parallel run caused agent interruptions — isolated the cause as concurrent-load contention (not an agent-stability bug), since the gentle pass completed cleanly. +- **Did NOT mass-apply the .NET TLS fix** to the 9 RMM-reachable MSP360 boxes. The sweep proved they are all modern OS (2016/2019/2022/Win10) where .NET already negotiates TLS 1.2 by default; the missing keys are benign there. Restarting backup services on healthy production servers across multiple clients was not justified. 
+- **TLS root cause is legacy-OS-specific.** Confirmed by controlled comparison: Seth-PC (Win11) has the identical missing keys but 0 secure-channel errors, vs UC2-SERVER (2012 R2) which had many. The fix is only needed on 2012 R2 / Win7-8 era boxes. +- **Session log placed under `clients/ucryo/`** (primary subject = UCRYO onboarding/infra). GuruRMM bug #39 and SPEC-024 are GuruRMM-scoped cross-references; the fleet-wide MSP360 TLS/agent-version findings are noted but are not UCRYO-specific. +- **ScreenConnect spec modeled on the existing MSPBackups integration** pattern, with the labeled installer URL built server-side (labels = ScreenConnect c0..c7 custom properties applied at download time). + +## Problems Encountered + +- **PowerShell parser error** (`An empty pipe element is not allowed`) from piping a `foreach(){}` statement directly into `Sort-Object`/`Format-Table`. Aborted whole probes silently (empty stdout). Fixed by collecting into a variable first, then piping. +- **Empty Defender section** on the recon — expected: Server 2012 R2 does not ship the Defender AV PowerShell cmdlets. +- **Diagnostic probe timeout (240s)** on UC2-SERVER (slow 2012 R2, installed-software enumeration). Made the runner's exec timeout overridable via `DIAG_EXEC_TIMEOUT` env var (default unchanged at 240) and used 480s for servers. +- **7/8 diagnostic agents "interrupted"** on the parallel run (agent restarted mid-probe under load). Resolved by re-running sequentially — all completed. +- **MSP360 monitoring API field/enum guessing.** Initial jq used wrong field names (Result/LastBackup null); correct fields are Status/ErrorMessage/FilesCopied/BuildVersion etc. Calibrated the Status enum empirically across 66 records. +- **Coord todos POST schema mismatch** — endpoint requires `text`, `created_by_user`, `created_by_machine` (not title/description); todo creation returned null and was not reliably persisted. Follow-up captured in this log instead. 
+- **Over-generalized the TLS hypothesis** to the Tucson Coin Win11 boxes from the shared "Status 3 stuck" symptom; corrected after the user pointed out they are Win11 and endpoint evidence showed 0 secure-channel errors. The stuck-Status-3 signature is not TLS-specific. + +## Configuration Changes + +**Created:** +- `clients/ucryo/gururmm-site-main.sops.yaml` (vault repo) — UCRYO Main site GuruRMM enrollment key (SOPS-encrypted). +- `clients/ucryo/onboarding-baselines/*.{json,md}` — 8 immutable diagnostic baselines (UC2-SERVER, WIN-709JUVCJ2DQ, DESKTOP-PMML1JC, KIRBY, gromit, hobbes, hoborg, lilo), timestamped 20260603T00xxxx UTC. +- `projects/msp-tools/guru-rmm/docs/specs/SPEC-024-screenconnect-auto-deploy.md` — ScreenConnect auto-deploy module spec (committed gururmm 1e24b71). + +**Modified:** +- `.claude/scripts/run-onboarding-diagnostic.sh` — added `EXEC_TIMEOUT="${DIAG_EXEC_TIMEOUT:-240}"` and used it for the probe-exec dispatch (was hardcoded 240). +- `projects/msp-tools/guru-rmm/docs/FEATURE_ROADMAP.md` — added Integration Features → "Remote Access Tools (Auto-Deploy)" subsection linking SPEC-024. + +**On endpoint UC2-SERVER (Server 2012 R2):** +- Added DWORD `SchUseStrongCrypto=1` and `SystemDefaultTlsVersions=1` to BOTH `HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319` and `HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319`. +- Restarted services "Online Backup Service" and "Online Backup Service Remote Management". +- Deleted scheduled task "System Health Application"; removed `C:\Windows\system32\config\systemprofile\AppData\Roaming\syshealth\`; quarantine copy at `C:\Quarantine\syshealth-trickbot-20260602-170235\`. + +**GitHub/Gitea:** +- gururmm#39 — bug: duplicate system-tray icons (no single-instance guard). + +## Credentials & Secrets + +- **UCRYO GuruRMM enrollment key** — vaulted at `clients/ucryo/gururmm-site-main.sops.yaml` (fields: client_id, site_id, site_code, api_key, installer_url, msi_url). 
+- **MSP360 Managed Backup Service API** — vault `msp-tools/msp360-api.sops.yaml`. Base URL `https://api.mspbackups.com`; login `kY9PvDdWki` (password vaulted). Auth: `POST /api/Provider/Login` (body `{"UserName","Password"}`) → `access_token`; then `GET /api/Monitoring` with Bearer token. +- **GuruRMM admin API** — vault `infrastructure/gururmm-server.sops.yaml` (credentials.gururmm-api.admin-email / admin-password). Base `http://172.16.3.30:3001`. +- **ScreenConnect instance (ACG)** — relay host `instance-kgc7jt-relay.screenconnect.com`, port 443, instance GUID `s=9f3db089-eb29-441d-a9d2-2c441bde8c78` (observed in UC2-SERVER client launch string; public key `k` also in that string). Not high-sensitivity but record for SPEC-024 implementation. + +## Infrastructure & Servers + +**Universal Cryogenics — domain `ucryo.local`** +- **UC2-SERVER** — Windows Server 2012 R2 Essentials (build 9600), domain controller (AD DS, DNS, DHCP, WSUS, AD CS installed). Drives C: (500GB) and E: (931GB, shares: OFFICE DOCS, Projects, QB2020, UCDATA, x-files; Offsite Archive). MSP360 plan "Ucryo Files" (user richard@ucryo.com). RMM agent id `64cff183-429c-44bf-aebd-55386417a494`. +- **WIN-709JUVCJ2DQ** — Windows Server 2012 R2 Essentials, Hyper-V + Veeam backup host (VBRCatalog, Veeam-Scripts). Drives C:/E: Hyper-V/V-Hard-Disks / F: Hyper-Data-Disks / M: 4.7TB MWF-Backup. RMM agent id `b7311d8a-6c5e-4aa5-9abf-79212d344009`. UC2-SERVER is likely a guest VM on this host. +- Workstations: DESKTOP-PMML1JC, KIRBY (Win10 Pro 19045 laptop), gromit, hobbes, hoborg, lilo — all GuruRMM v0.6.54. +- Management stack present (legit): Syncro, ScreenConnect, Splashtop, ACG Online Backup (MSP360), GuruRMM. + +**GuruRMM site:** client_id `f954f150-3605-4ef7-82e7-6b942883cb00`, site Main, site_id `345e59d2-ca30-4b9c-b703-c19915b47753`, site_code **LIGHT-WOLF-2305**. + +**Other (fleet/cross-client):** +- Seth-PC — Windows 11 Home (build 26200), client "Tucson Coin and Autograph". 
RMM agent id `4267e35a-cd14-424d-ab82-3da4f9baa0dc`. MSP360 build 8.6.0.290. +- MSP360 fleet: 47 computers; newest deployed build 8.6.0.290 (34 boxes, still flagged outdated by console); oldest 4.4.2.221 (2 boxes). + +## Commands & Outputs + +- TrickBot task: `schtasks /query /tn "System Health Application" /xml` → hidden, RunLevel HighestAvailable, UserId SYSTEM, BootTrigger + 12-min repetition; Last Result `-2147024894` (0x80070002 FILE_NOT_FOUND). +- TrickBot modules confirmed: `injectDll64`, `pwgrab64`, `psfin64`, `importDll64`, `tabDll64`, `mwormDll64`, `mshareDll64`, `networkDll64`, `NewBCtestnDll64` + `dinj`/`dpost`/`sinj` configs + `settings.ini` under `...systemprofile\AppData\Roaming\syshealth\`. +- Backup failure (UC2 plan log `5a44fc46-...log`): `LightWebException: The request was aborted: Could not create SSL/TLS secure channel.` against `api001.backblazeb2.com`. First secure-channel error 2025-10-15; intermittent thru May; hard-failing 2026-06-02. +- Post-fix verify: `cbb plan -r "Ucryo Files"` → "Plan is started"; `secure-channel errors in last 5 min: 0`; `Scanned 474.9 GB ... Uploaded 2.15 GB`. +- MSP360 Status enum (empirical): 0=completed/idle, 1=Success, 2=Warning, 3=Running(in-progress), 4=Scheduled/never-run, 7=completed-with-errors. Counters (FilesCopied/DataCopied/Duration) populate only at session completion, not during a run. +- Tray bug evidence (GURU-5070): 5 × `gururmm-tray.exe` PIDs (26224, 11424, 14524, 15928, 4076) with distinct StartTimes spanning 2 days; 2 × `gururmm-agent.exe` (expected: agent + watchdog). + +## Pending / Incomplete Tasks + +- **UCRYO 2019 incident — confirm domain credential / KRBTGT reset.** TrickBot pwgrab64 ran on the DC in 2019; verify with client/records whether a full post-incident reset was done. If not, this is the primary residual risk. +- **AD2** (ACG internal) TLS key check is queued — agent was offline; re-check when it reconnects. It is the only RMM-reachable box that might be legacy OS. 
+- **Tucson Coin agent update** — Seth-PC + DESKTOP-P36LUUN: update the outdated MSP360 agent (clears the grey dashboard indicator). Do it AFTER the current first-full completes (avoid restarting the ~20GB upload). Now that Seth-PC is RMM-enabled it can be driven via RMM. +- **Fleet MSP360 agent-update pass** — 47 boxes lagging; prioritize the 4.4.2.221 / 7.8.x / 7.9.x stragglers. Worklist (client+host+build) can be pulled from the MSP360 API. +- **GuruRMM bug #39** (tray icons) — awaiting triage/fix; repo has zero labels (offered to create a `bug` label). +- **SPEC-024 open questions** — instance GUID per-node?, slot-name auto-fetch?, per-OS existing-client detection strings, force_relabel semantics, Linux installer variant, which fields fill remaining c-slots (no tags model in GuruRMM yet). +- **All 8 UCRYO boxes graded RED** — remediation backlog: BitLocker (KIRBY laptop unencrypted), Win10 22H2 EOL, pending patches, RDP exposure review. + +## Reference Information + +- GuruRMM API: `http://172.16.3.30:3001` · Coord API: `http://172.16.3.30:8001/api/coord` +- UCRYO installer page: `https://rmm.azcomputerguru.com/install/LIGHT-WOLF-2305` · MSI: `https://rmm.azcomputerguru.com/api/sites/345e59d2-ca30-4b9c-b703-c19915b47753/installer` +- MSP360 API: `https://api.mspbackups.com` (`/api/Provider/Login`, `/api/Monitoring`) +- UC2-SERVER MSP360 plan id: `5a44fc46-ca94-4095-a645-889eaf754389` ("Ucryo Files", richard@ucryo.com) +- gururmm#39: `https://git.azcomputerguru.com/azcomputerguru/gururmm/issues/39` +- SPEC-024: `projects/msp-tools/guru-rmm/docs/specs/SPEC-024-screenconnect-auto-deploy.md` (gururmm commit `1e24b71`) +- ScreenConnect ClientSetup build URL form: `https://.screenconnect.com/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest&c=..&c=` (c0..c7 = 8 custom org properties, applied at download time) +- TLS fix (legacy Windows + Backblaze): set `SchUseStrongCrypto=1` + `SystemDefaultTlsVersions=1` (DWORD) under both `.NETFramework\v4.0.30319` and 
`WOW6432Node\...\v4.0.30319`, restart Online Backup services. Only needed on 2012 R2 / Win7-8; modern OS unaffected. diff --git a/wiki/clients/ucryo.md b/wiki/clients/ucryo.md new file mode 100644 index 0000000..90e8cef --- /dev/null +++ b/wiki/clients/ucryo.md 
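Review bot: The MSP360 entry under "Credentials & Secrets" writes the API login `kY9PvDdWki` in cleartext into a committed session log while vaulting only the password; the username is half of the credential pair and belongs in `msp-tools/msp360-api.sops.yaml` beside it, so the line should read `login (vaulted)` rather than the literal value. The same section records the GuruRMM admin API as `http://172.16.3.30:3001` with admin-email/password auth — plaintext HTTP carrying an admin credential deserves an explicit caveat in the log (`no TLS — LAN-only, never call across an untrusted network`) if that is the intended boundary, or a follow-up item if it is not. The vault entry lists `site_code` among its fields, yet LIGHT-WOLF-2305 is repeated in plaintext here and embedded in the installer URL; decide whether the enrollment site code is a secret and treat it consistently in the log, the wiki page and the index.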
@@ -0,0 +1,235 @@ +--- +type: client +name: ucryo +display_name: Universal Cryogenics +last_compiled: 2026-06-02 +compiled_by: GURU-5070/claude-main +sources: + - clients/ucryo/session-logs/2026-06-02-session.md + - clients/ucryo/onboarding-baselines/UC2-SERVER-20260603T004304.md + - clients/ucryo/onboarding-baselines/WIN-709JUVCJ2DQ-20260603T004420.md + - clients/ucryo/onboarding-baselines/DESKTOP-PMML1JC-20260603T004601.md + - clients/ucryo/onboarding-baselines/KIRBY-20260603T003656.md + - clients/ucryo/onboarding-baselines/GROMIT-20260603T004715.md + - clients/ucryo/onboarding-baselines/HOBBES-20260603T004835.md + - clients/ucryo/onboarding-baselines/HOBORG-20260603T005101.md + - clients/ucryo/onboarding-baselines/LILO-20260603T005456.md +backlinks: + - projects/gururmm +--- + +# Universal Cryogenics + +Industrial cryogenics company. ACG onboarded 2026-06-02. Domain: `ucryo.local`. Client shortname / code: UCRYO. Two Windows Server 2012 R2 Essentials hosts (one DC, one Hyper-V/Veeam backup host) plus six domain-joined Windows workstations. All 8 agents graded RED on initial diagnostic. Active security history: December 2019 TrickBot infection on the domain controller, remediated 2026-06-02 with one critical open item remaining (KRBTGT/domain credential reset confirmation). + +--- + +## Profile + +- **Client code:** UCRYO +- **Domain:** ucryo.local +- **MSP360 backup contact:** richard@ucryo.com +- **Key contacts:** richard@ucryo.com (billing/backup contact — identity verify) +- **Management stack (ACG-deployed):** GuruRMM, ScreenConnect (instance `instance-kgc7jt-relay.screenconnect.com`), Splashtop Streamer, Syncro + +--- + +## Infrastructure + +### Servers + +| Host | OS | Role | Agent ID | Notes | +|---|---|---|---|---| +| UC2-SERVER | Windows Server 2012 R2 Essentials (build 9600) | Domain Controller (AD DS, DNS, DHCP, WSUS, AD CS), File Server | `64cff183-429c-44bf-aebd-55386417a494` | Guest VM (Hyper-V on WIN-709JUVCJ2DQ). 
Drives C: (500 GB) and E: (931 GB; shares OFFICE DOCS, Projects, QB2020, UCDATA, x-files, Offsite Archive). MSP360 backup plan "Ucryo Files". IP: 172.29.0.5. SMBv1 ENABLED. | +| WIN-709JUVCJ2DQ | Windows Server 2012 R2 Essentials (build 9600) | Hyper-V + Veeam backup host (VBRCatalog, Veeam-Scripts) | `b7311d8a-6c5e-4aa5-9abf-79212d344009` | Physical Dell PowerEdge 2950 (serial 762F0G1). UC2-SERVER is likely a guest VM on this host. Drives C:/E:/F:/M: (M: is 4.7 TB MWF-Backup). IP: 172.29.0.4. Workgroup (not domain-joined). SMBv1 ENABLED. E: critically low (4.1% free, 40.4 GB of 983.6 GB). Veeam services stopped. | + +### Workstations + +| Host | OS | Form Factor | Agent ID | Notable | +|---|---|---|---|---| +| DESKTOP-PMML1JC | Windows 11 Pro (build 26200) | Laptop (Lenovo 81Y8) | `286cf717-86ac-4985-b0a6-0254fba0dfdb` | Broken domain secure channel. 3 disk errors in 14 days. BitLocker off. OpenVPN + NordLynx present. | +| KIRBY | Windows 10 Pro (build 19045) | Laptop (Lenovo 82K8) | `82f16929-ec3c-434b-81f9-84b63e0af56d` | **BitLocker OFF on a laptop — primary critical.** Win10 22H2 EOL (2025-10-14). 4 pending patches. | +| gromit | Windows 10 Pro (build 19045) | Desktop (Lenovo 20FRS1RQ00) | `20da3f2f-6bef-4d8c-b6fa-141d47a01d52` | Win10 22H2 EOL. 9 pending patches. BitLocker off. Group Policy Client service stopped. | +| hobbes | Windows 10 Pro (build 19045) | Laptop (Dell Precision M4800) | `a336deb1-6d09-4ade-b2c3-0b258664f4bd` | Win10 22H2 EOL. BitLocker off. 1 unexpected shutdown + 1 disk error in 14 days. | +| hoborg | Windows 10 Pro (build 19045) | Laptop (Lenovo 20ENCTO1WW) | `89ee0a5d-49f2-4334-8e49-eaafa389e9ec` | Win10 22H2 EOL. BitLocker off. **Toshiba SSD SMART Warning (wear=100%) — imminent failure risk.** Dual AV: Defender + SentinelOne. | +| lilo | Windows 10 Pro (build 19045) | Laptop (Lenovo 20EQS12M00) | `5d0bdfc0-cb58-496f-b9bd-d585eb643d85` | Win10 22H2 EOL. BitLocker off. Uptime 82 days. | + +All agents GuruRMM v0.6.54. 
+ +--- + +## GuruRMM Onboarding + +Onboarded 2026-06-02. Single site "Main". + +| Field | Value | +|---|---| +| client_id | `f954f150-3605-4ef7-82e7-6b942883cb00` | +| site_id | `345e59d2-ca30-4b9c-b703-c19915b47753` | +| site_code | `LIGHT-WOLF-2305` | +| Installer page | `https://rmm.azcomputerguru.com/install/LIGHT-WOLF-2305` | +| MSI URL | `https://rmm.azcomputerguru.com/api/sites/345e59d2-ca30-4b9c-b703-c19915b47753/installer` | +| Vault | `clients/ucryo/gururmm-site-main.sops.yaml` (fields: client_id, site_id, site_code, api_key, installer_url, msi_url) | + +--- + +## [WARNING] Security History — 2019 TrickBot Incident + +**This section must be reviewed before any domain-level changes.** + +### Background + +In December 2019, TrickBot infected UC2-SERVER (the domain controller). A hidden SYSTEM scheduled task named "System Health Application" (boot trigger + every 12 minutes, RunLevel HighestAvailable) launched a module loader from the SYSTEM profile. The launcher EXE was already gone by the time of discovery; the task had been failing every run since with error `0x80070002` (FILE_NOT_FOUND). The TrickBot module folder remained intact under the SYSTEM profile: + +`C:\Windows\system32\config\systemprofile\AppData\Roaming\syshealth\` + +Modules present: `injectDll64`, `pwgrab64`, `psfin64`, `importDll64`, `tabDll64`, `mwormDll64`, `mshareDll64`, `networkDll64`, `NewBCtestnDll64`, plus `dinj`/`dpost`/`sinj` config files and `settings.ini`. + +WIN-709JUVCJ2DQ was swept clean — no TrickBot artifacts found. + +### Remediation (2026-06-02) + +All cleanup was done read-only first, then gated on explicit client confirmation before any writes (DC-safety protocol): + +1. Quarantined the module folder: `C:\Quarantine\syshealth-trickbot-20260602-170235\` +2. Deleted the scheduled task "System Health Application" +3. Removed the original folder `...syshealth\` + +Quarantine copy is preserved at `C:\Quarantine\syshealth-trickbot-20260602-170235\` as an IR record. 
+ +No active C2 traffic was expected — the launcher had been gone for years and the task was failing continuously. + +**No free Ryuk decryptor exists.** A reported "crypto" folder of encrypted data could not be located on either server; client concluded it was misremembered. + +### [OPEN — CRITICAL] KRBTGT / Domain Credential Reset + +**pwgrab64 (credential theft module) ran on a domain controller in 2019.** This means domain credentials, service account passwords, and the KRBTGT hash were potentially exposed at that time. Standard post-DC-compromise IR requires: + +- Double-rotation of the KRBTGT password (with a DC replication interval between rotations) +- Reset of all domain user passwords and service account passwords + +**Status: UNCONFIRMED.** Whether a post-incident credential/KRBTGT reset was performed in 2019 or afterward has not been verified with the client. Until confirmed, the residual risk is an unrotated KRBTGT on a domain that had a credential-theft module running with SYSTEM privileges on the DC. + +**Action required:** Ask the client or review any 2019/2020 IT records. If the reset was never done, execute it during a scheduled maintenance window. + +--- + +## Backup + +### MSP360 "Ucryo Files" Plan (UC2-SERVER) + +| Field | Value | +|---|---| +| Plan name | "Ucryo Files" | +| Plan ID | `5a44fc46-ca94-4095-a645-889eaf754389` | +| Account | richard@ucryo.com | +| Target | Backblaze B2 (api001.backblazeb2.com) | +| Vault | `msp-tools/msp360-api.sops.yaml` (shared MSP360 API creds) | + +**Backblaze TLS failure — fixed 2026-06-02.** + +UC2-SERVER (Windows Server 2012 R2) was failing TLS negotiation to Backblaze. Root cause: the 64-bit .NET TLS registry keys were unset, which on legacy OS (2012 R2 / Win7-8 era) prevents .NET from negotiating TLS 1.2. First secure-channel error logged 2025-10-15; escalated to hard-failing by 2026-06-02. 
+ +Fix applied to UC2-SERVER: +- `HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319` — `SchUseStrongCrypto=1`, `SystemDefaultTlsVersions=1` (DWORD) +- `HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319` — same two keys +- Restarted "Online Backup Service" and "Online Backup Service Remote Management" + +Post-fix verification: `cbb plan -r "Ucryo Files"` returned "Plan is started"; zero secure-channel errors in 5-minute window; scanned 474.9 GB, uploaded 2.15 GB. + +**Note:** This fix is legacy-OS-specific. Do NOT apply it fleet-wide — modern OS (Server 2016/2019/2022, Win10/11) already negotiates TLS 1.2 by default; the missing keys are benign on those platforms. + +WIN-709JUVCJ2DQ has Veeam installed. All four primary Veeam services (VeeamBackupSvc, VeeamCatalogSvc, VeeamCloudSvc, VeeamMountSvc) were stopped at baseline time. Confirm Veeam job status and why services are stopped. (verify) + +--- + +## Diagnostic Baselines — 2026-06-02 + +Baselines collected UTC 2026-06-03T00:35 – 00:54 (sequential run after a parallel run caused agent interruptions under concurrent load). Raw JSON snapshots are immutable at `clients/ucryo/onboarding-baselines/`. + +### Per-Host Summary + +| Host | Grade | Criticals | Warnings | Standout Findings | +|---|---|---|---|---| +| UC2-SERVER | RED | 1 | 5 | CRITICAL: SMBv1 enabled (WannaCry/EternalBlue vector). Defender cmdlet unavailable (Server 2012 R2). RDP enabled. 3 stopped auto-start services (AD CS, IIS, ShellHWDetection). 36.5-day uptime, reboot pending. BitLocker unavailable (verify). 12 local admins. EOL OS (build 9600 not in map). | +| WIN-709JUVCJ2DQ | RED | 2 | 4 | CRITICAL: SMBv1 enabled. **CRITICAL: E: drive at 4.1% free (40.4 GB of 983.6 GB) — urgent.** Defender unavailable. RDP enabled. Veeam services stopped. Not domain-joined (WORKGROUP). 36.5-day uptime. EOL OS. | +| DESKTOP-PMML1JC | RED | 3 | 3 | CRITICAL: BitLocker off (laptop). CRITICAL: 3 disk errors in 14 days. CRITICAL: Domain secure channel broken. 
2 pending patches. | +| KIRBY | RED | 2 | 4 | CRITICAL: **BitLocker OFF (laptop — highest data-at-rest risk).** CRITICAL: Win10 22H2 EOL (2025-10-14). 4 pending patches. RDP enabled. Reboot pending, 35-day uptime. | +| gromit | RED | 1 | 5 | CRITICAL: Win10 22H2 EOL. BitLocker off (desktop). 9 pending patches. RDP enabled. Group Policy Client stopped. | +| hobbes | RED | 2 | 5 | CRITICAL: BitLocker off (laptop). CRITICAL: Win10 22H2 EOL. Unexpected shutdown + disk error in 14 days. RDP enabled. | +| hoborg | RED | 3 | 5 | CRITICAL: BitLocker off (laptop). CRITICAL: Win10 22H2 EOL. **CRITICAL: Toshiba SSD SMART Warning (wear=100%) — replace immediately.** Dual AV (Defender + SentinelOne — possible conflict). RDP enabled. | +| lilo | RED | 2 | 5 | CRITICAL: BitLocker off (laptop). CRITICAL: Win10 22H2 EOL. 82-day uptime. RDP enabled. Group Policy Client + TPM Provisioning stopped. | + +### Fleet-Wide Patterns + +- All 8 hosts graded RED. +- SMBv1 enabled on both servers (WannaCry/EternalBlue vector — disable before enabling any internet-facing services). +- Win10 22H2 EOL on all 6 workstations (EOL 2025-10-14, no further security patches). +- BitLocker absent on all 5 laptops (KIRBY, DESKTOP-PMML1JC, hobbes, hoborg, lilo) and the DESKTOP-PMML1JC. Servers have BitLocker status UNKNOWN (cmdlet unavailable on 2012 R2). +- RDP enabled on all 8 hosts — confirm firewall restriction to internal/VPN only. +- No LAPS on servers. LAPS registry key present on workstations. +- No backup agent on any workstation. + +--- + +## Open Items / Follow-ups + +| Priority | Item | Notes | +|---|---|---| +| CRITICAL | Confirm 2019 KRBTGT/domain credential reset | pwgrab64 ran on the DC — if reset never done, this is the primary residual risk. | +| HIGH | hoborg SSD replacement | Toshiba SMART Warning, wear=100%. Data backup first. | +| HIGH | WIN-709JUVCJ2DQ E: drive space | 4.1% free (40.4 GB). Identify what is consuming the volume and free/expand. 
| +| HIGH | Disable SMBv1 on UC2-SERVER and WIN-709JUVCJ2DQ | WannaCry/EternalBlue vector. `Set-SmbServerConfiguration -EnableSMB1Protocol $false` + remove feature. | +| HIGH | BitLocker on all 5 laptops | KIRBY highest priority (domain-joined laptop, unencrypted, mobile). Escrow recovery keys. | +| HIGH | Win10 22H2 EOL on 6 workstations | Feature update or OS upgrade required (EOL 2025-10-14). | +| MEDIUM | DESKTOP-PMML1JC domain secure channel | Run `Test-ComputerSecureChannel -Repair` or rejoin. | +| MEDIUM | Veeam services stopped on WIN-709JUVCJ2Dq | VeeamBackupSvc/CatalogSvc/CloudSvc/MountSvc all stopped — confirm Veeam job health. | +| MEDIUM | RDP exposure review — all 8 hosts | Confirm RDP is restricted to VPN or specific source IPs; not exposed to internet. | +| MEDIUM | hoborg dual AV (Defender + SentinelOne) | Verify intended AV; remove one to prevent conflicts. | +| LOW | UC2-SERVER stopped services | AD CS, IIS Admin, ShellHWDetection stopped — review if these should be running. | +| LOW | LAPS not deployed on servers | Deploy Windows LAPS or legacy AdmPwd to UC2-SERVER and WIN-709JUVCJ2DQ. 
| + +--- + +## Reference + +### IDs and URLs + +| Resource | Value | +|---|---| +| GuruRMM client_id | `f954f150-3605-4ef7-82e7-6b942883cb00` | +| GuruRMM site_id (Main) | `345e59d2-ca30-4b9c-b703-c19915b47753` | +| GuruRMM site_code | `LIGHT-WOLF-2305` | +| Installer page | `https://rmm.azcomputerguru.com/install/LIGHT-WOLF-2305` | +| MSP360 plan ID | `5a44fc46-ca94-4095-a645-889eaf754389` | +| MSP360 API base | `https://api.mspbackups.com` | +| ScreenConnect instance | `instance-kgc7jt-relay.screenconnect.com` (port 443) | +| ScreenConnect instance GUID | `s=9f3db089-eb29-441d-a9d2-2c441bde8c78` | + +### Vault Paths + +| Secret | Vault Path | +|---|---| +| GuruRMM enrollment key (site Main) | `clients/ucryo/gururmm-site-main.sops.yaml` | +| MSP360 API credentials | `msp-tools/msp360-api.sops.yaml` | + +### Diagnostic Baseline Files + +`clients/ucryo/onboarding-baselines/` — 8 immutable `.json` + `.md` pairs, timestamped 20260603T00xxxx UTC. + +--- + +## Compilation Notes + +**Session logs read:** `clients/ucryo/session-logs/2026-06-02-session.md` (onboarding session, primary source). All 8 diagnostic baseline files read in full. + +**First wiki article for this client.** Onboarded 2026-06-02. + +**Open items flagged as unverified (verify):** +- KRBTGT/domain credential reset — not confirmed with client; must verify +- Veeam job health on WIN-709JUVCJ2DQ — services stopped, backup status unknown +- Key contacts beyond richard@ucryo.com — not yet documented + +## Backlinks + +- [[projects/gururmm]] — 8 agents enrolled under site LIGHT-WOLF-2305 diff --git a/wiki/index.md b/wiki/index.md index 0e06ac9..358f8b8 100644 --- a/wiki/index.md +++ b/wiki/index.md 
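Review bot: The Open Items table omits two findings visible in the WIN-709JUVCJ2DQ baseline this page lists as a source: the Windows Time service is not running (`Source=The following error occurred: The service has not been started. (0x80070426)`), and the Hyper-V adapter resolves through `8.8.8.8, 4.4.8.8`, where 4.4.8.8 is not a known public resolver and looks like a mistyped 8.8.4.4 — on the host that likely runs the DC guest and the Veeam jobs that matters for log-timestamp integrity and for where name lookups go, so add a row such as `| MEDIUM | WIN-709JUVCJ2DQ time sync + DNS | W32Time stopped; secondary DNS 4.4.8.8 is not a Google resolver (likely typo for 8.8.4.4) — verify and correct. |`. The Fleet-Wide Patterns bullet names DESKTOP-PMML1JC twice (`... and the DESKTOP-PMML1JC`) although the workstation table identifies gromit as the one desktop; it should read `and the gromit desktop`. The Veeam open item spells the host `WIN-709JUVCJ2Dq`, which will defeat an exact-match search against the server table above.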
@@ -47,6 +47,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks. | [Quantum WMS](clients/quantumwms.md) | WMS company; quantumwms.com tenant (ddf3d2c9); GoDaddy decoupling + M365 migration; 2x Business Premium + Exchange Online Plan 1; deadline 2026-06-03; Tenant Admin consented 2026-05-26 | 2026-05-26 | | [AT Trebesch](clients/attrebesch.md) | Residential, Tucson AZ; Syncro 238740; GuruRMM enrolled (DESKTOP-QNP3ON5, SWIFT-LION-2892); PST contact recovery imported (~660 contacts, emails populating, one Gleason); 4 source PSTs re-mounted after accidental unmount; Suggested Contacts (639) cleared (not reversible); pending Howard clarification before next step; Syncro #31953 open | 2026-06-02 | | [Deere Park Development, LLC](clients/deere-park-development.md) | Property development ("Glabman"); Syncro 7088463; per-incident, no prepaid block; no tax rate assigned (must fix before billing); active estimate #7190 (ticket #32366) — UniFi WiFi 7 deployment (4x U7 Pro + 2x U7 Mesh + UCG Ultra + USW-Flex-2.5G-8-PoE), $2,816.70, Fresh | 2026-06-02 | +| [Universal Cryogenics](clients/ucryo.md) | New client onboarded 2026-06-02; ucryo.local DC (UC2-SERVER), 8 agents, 2019 TrickBot remediated, Backblaze TLS backup fix | 2026-06-02 | ## Projects @@ -110,6 +111,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks. | Furrier / Desert Rat | websvr.acghosting.com; cPanel exim | — | | Equity Valuation Services | Single Win11 VM | — | | Scileppi Law | Sylvias-Mini (M2 Mac mini) | GuruRMM (enrollment pending) | +| Universal Cryogenics | UC2-SERVER (172.29.0.5, DC, guest VM); WIN-709JUVCJ2DQ (172.29.0.4, Hyper-V/Veeam, Dell PowerEdge 2950); 6 workstations (ucryo.local, 172.29.0.x) | GuruRMM (8 agents, site LIGHT-WOLF-2305) | ---