From c6c79d8f3e5ff4dbbbf8a12b370a57f21deaa95d Mon Sep 17 00:00:00 2001
From: Mike Swanson
Date: Fri, 29 May 2026 13:24:10 -0700
Subject: [PATCH] data(rednour): onboarding baseline for REDNOURCARRIEVI (3rd machine, RED)

Completes Rednour first-baseline set. Note: ScreenConnect/Splashtop/Syncro/Datto RMM+EDR flagged critical are ACG's own stack (false positives - detection tuning tracked separately). Real issues: Win10 22H2 EOL, RDP without NLA, no BitLocker, C: 12% free.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
.../REDNOURCARRIEVI-20260529T202250.json | 1365 +++++++++++++++++
.../REDNOURCARRIEVI-20260529T202250.md | 286 ++++
2 files changed, 1651 insertions(+)
create mode 100644 clients/rednour/onboarding-baselines/REDNOURCARRIEVI-20260529T202250.json
create mode 100644 clients/rednour/onboarding-baselines/REDNOURCARRIEVI-20260529T202250.md
diff --git a/clients/rednour/onboarding-baselines/REDNOURCARRIEVI-20260529T202250.json b/clients/rednour/onboarding-baselines/REDNOURCARRIEVI-20260529T202250.json
new file mode 100644
index 0000000..0a21e77
--- /dev/null
+++ b/clients/rednour/onboarding-baselines/REDNOURCARRIEVI-20260529T202250.json
@@ -0,0 +1,1365 @@ +{ + "host": "REDNOURCARRIEVI", + "collected_at_utc": "2026-05-29T20:21:21Z", + "os": { + "caption": "Microsoft Windows 10 Pro", + "version": "10.0.19045", + "build": "19045", + "install_date": "2023-07-26T21:21:01Z", + "last_boot_utc": "2026-05-29T14:29:33Z", + "architecture": "64-bit" + }, + "facts": { + "builtin_admin_enabled": false, + "os_eol": { + "eol_date": "2025-10-14", + "release": "Win10 22H2" + }, + "pending_updates": 1, + "pending_reboot": true, + "uptime_days": 0.2, + "scheduled_tasks": [ + { + "path": "\\", + "name": "Adobe Acrobat Update Task", + "state": "Ready" + }, + { + "path": "\\", + "name": "CorelUpdateHelperTask-FDB2E75C10B82FA3FCD17C720B5E429C", + "state": "Ready" + }, + { + "path": "\\", + "name": "CorelUpdateHelperTaskCore", + "state": "Ready" + }, + { + "path": "\\", + "name": "Datto EDR Health Check", + "state": "Ready" + }, + { + "path": "\\", + "name": "G2MUpdateTask-S-1-5-21-148119619-2107441338-2344149896-1002", + "state": "Ready" + }, + { + "path": "\\", + "name": "G2MUploadTask-S-1-5-21-148119619-2107441338-2344149896-1002", + "state": "Ready" + }, + { + "path": "\\", + "name": "Intel PTT EK Recertification", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineCore", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineUA", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Per-Machine Standalone Update Task", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-148119619-2107441338-2344149896-1001", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-148119619-2107441338-2344149896-1002", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Reporting Task-S-1-5-21-148119619-2107441338-2344149896-1005", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Startup Task-S-1-5-21-148119619-2107441338-2344149896-1001", + "state": "Ready" + }, + { + 
"path": "\\", + "name": "OneDrive Startup Task-S-1-5-21-148119619-2107441338-2344149896-1002", + "state": "Ready" + }, + { + "path": "\\", + "name": "OneDrive Startup Task-S-1-5-21-148119619-2107441338-2344149896-1005", + "state": "Ready" + }, + { + "path": "\\", + "name": "PowerENGAGE", + "state": "Ready" + }, + { + "path": "\\HP\\HP Print Scan Doctor\\", + "name": "Printer Health Monitor", + "state": "Ready" + }, + { + "path": "\\HP\\HP Print Scan Doctor\\", + "name": "Printer Health Monitor Logon", + "state": "Ready" + } + ], + "hardware": { + "model": "To Be Filled By O.E.M.", + "manufacturer": "To Be Filled By O.E.M.", + "bios_date": "2019-04-01", + "cpu_logical": 4, + "bios_version": "P4.10", + "cpu_cores": 4, + "ram_gb": 7.7, + "serial": "To Be Filled By O.E.M.", + "cpu": "Intel(R) Core(TM) i3-9100 CPU @ 3.60GHz" + }, + "os_build": "19045", + "secure_boot": false, + "backup_agents": null, + "autoruns_run_keys": [ + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "SecurityHealth", + "value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Datto EDR", + "value": "C:\\Program Files\\infocyte\\agent\\system-tray.exe" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "(default)", + "value": "" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Intuit SyncManager", + "value": "C:\\Program Files (x86)\\Common Files\\Intuit\\Sync\\IntuitSyncManager.exe startup" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "LogMeIn Hamachi Ui", + "value": "\"C:\\Program Files (x86)\\LogMeIn Hamachi\\hamachi-2-ui.exe\" --auto-start" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "CentraStage", + "value": "C:\\Program Files (x86)\\CentraStage\\Gui.exe" + }, + { + 
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "BrStsMon00", + "value": "C:\\Program Files (x86)\\Browny02\\Brother\\BrStMonW.exe /AUTORUN" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "BrotherSoftwareUpdateNotification", + "value": "C:\\Program Files (x86)\\Brother\\SoftwareUpdateNotification\\SoftwareUpdateNotificationService.exe /Autorun" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "(default)", + "value": "" + }, + { + "key": "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "(default)", + "value": "" + } + ], + "physical_disks": [ + { + "health": "Healthy", + "model": "CT500P1SSD8", + "media_type": "SSD" + } + ], + "local_users": [ + { + "last_logon": "", + "name": "Administrator", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "2026-05-29", + "name": "Carrie", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "", + "name": "DefaultAccount", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "2026-05-29", + "name": "emma", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2020-03-16", + "name": "Guest", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "guru", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-05-28", + "name": "localadmin", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-05-29", + "name": "QBDataServiceUser26", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "", + "name": "WDAGUtilityAccount", + "password_never_expires": false, + "enabled": false + } + ], + "scheduled_tasks_count": 19, + "volumes": [ + { + "drive": "[unlabeled]", + "size_gb": 0.1, + "free_pct": 71.7, + "free_gb": 0.1 + }, + { + "drive": "C:", + 
"size_gb": 465.1, + "free_pct": 11.7, + "free_gb": 54.4 + }, + { + "drive": "[unlabeled]", + "size_gb": 0.5, + "free_pct": 8.5, + "free_gb": 0 + } + ], + "network_adapters": [ + { + "dhcp": false, + "description": "ZeroTier Virtual Port", + "gateway": [ + "25.255.255.254" + ], + "mac": "D6:8D:FD:D6:83:3E", + "ip": [ + "10.147.17.253", + "fe80::c624:d955:2579:a9e4", + "fcfb:1c63:8659:2d21:d189::1" + ], + "dns": [ + null + ] + }, + { + "dhcp": true, + "description": "Intel(R) Ethernet Connection (7) I219-V", + "gateway": [ + "192.168.10.1" + ], + "mac": "70:85:C2:CC:4F:4D", + "ip": [ + "192.168.10.194", + "fe80::e42e:510a:5261:a8dd" + ], + "dns": [ + "192.168.10.1" + ] + } + ], + "failed_autostart_services": [ + { + "name": "Intel(R) TPM Provisioning Service", + "display": "Intel(R) TPM Provisioning Service", + "state": "Stopped" + }, + { + "name": "NetMsmqActivator", + "display": "Net.Msmq Listener Adapter", + "state": "Stopped" + } + ], + "stability_14d": { + "unexpected_shutdowns": 0, + "disk_errors": 1, + "bugchecks": 0 + }, + "exposure": { + "smb1_enabled": false, + "laps_present": true, + "rdp_enabled": true, + "uac_enabled": true, + "rdp_nla": false + }, + "accounts_password_never_expires": [], + "installed_software": [ + { + "publisher": "Igor Pavlov", + "name": "7-Zip 26.01 (x64)", + "version": "26.01" + }, + { + "publisher": "Adobe", + "name": "Adobe Acrobat (64-bit)", + "version": "26.001.21563" + }, + { + "publisher": "Adobe Systems Incorporated", + "name": "Adobe Refresh Manager", + "version": "1.8.0" + }, + { + "publisher": "Brother Industries Ltd.", + "name": "BrLauncher", + "version": "2.0.36.0" + }, + { + "publisher": "Brother Industries Ltd.", + "name": "BrLogRx", + "version": "1.0.5.0" + }, + { + "publisher": "Brother Industries Ltd.", + "name": "Brother IPPoverUSB Driver", + "version": "1.5.1.0" + }, + { + "publisher": "Aviata, Inc.", + "name": "Brother PowerENGAGE", + "version": "1.0.27" + }, + { + "publisher": "Brother Industries Ltd.", + 
"name": "Brother Printer Driver", + "version": "2.1.0.0" + }, + { + "publisher": "Brother Industries Ltd.", + "name": "BrSupportTools", + "version": "1.0.44.0" + }, + { + "publisher": "Corel Corporation", + "name": "Common", + "version": "14.0.2.20" + }, + { + "publisher": "Corel Corporation", + "name": "Contents", + "version": "14.0.2.20" + }, + { + "publisher": "Microsoft Corporation", + "name": "Copilot", + "version": "148.0.3967.70" + }, + { + "publisher": "Corel Corporation", + "name": "Corel Compatibility Pack", + "version": "12.4518.1018" + }, + { + "publisher": "Corel corporation", + "name": "Corel Update Manager", + "version": "2.16.673" + }, + { + "publisher": "Corel Corporation", + "name": "Corel VideoStudio Essentials X4", + "version": "14.0.2.20" + }, + { + "publisher": "Datto, Inc", + "name": "Datto EDR Agent", + "version": "3.17.1.5371" + }, + { + "publisher": "Datto Inc.", + "name": "Datto RMM", + "version": "4.4.11616.11616" + }, + { + "publisher": "Corel Corporation", + "name": "DeviceIO", + "version": "14.0.2.20" + }, + { + "publisher": "Avira Operations GmbH", + "name": "Endpoint Protection SDK", + "version": "1.0.2510.6851" + }, + { + "publisher": "Microsoft Corporation", + "name": "GDR 6179 for SQL Server 2014 (KB5029184) (64-bit)", + "version": "12.3.6179.1" + }, + { + "publisher": "LogMeIn, Inc.", + "name": "GoTo Opener", + "version": "1.0.533" + }, + { + "publisher": "LogMeIn, Inc.", + "name": "Hamachi", + "version": "2.3.0.111" + }, + { + "publisher": "Brother Industries Ltd.", + "name": "HttpToUsbBridge", + "version": "2.6.123.1" + }, + { + "publisher": "Corel Corporation", + "name": "ICA", + "version": "14.0.2.20" + }, + { + "publisher": "Corel Corporation", + "name": "IPM_VS_Pro", + "version": "13.0" + }, + { + "publisher": "Corel Corporation", + "name": "ISCOM", + "version": "14.0.2.20" + }, + { + "publisher": "LexisNexis", + "name": "LexisNexis Mobility Access Manager", + "version": "1.5.0.0" + }, + { + "publisher": "Logitech", + 
"name": "Logitech Unifying Software 2.50", + "version": "2.50.25" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft .NET Framework 4 Multi-Targeting Pack", + "version": "4.0.30319" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft 365 Apps for business - en-us", + "version": "16.0.20026.20112" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Application Error Reporting", + "version": "12.0.6012.5000" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Command Line Utilities 11 for SQL Server", + "version": "11.0.2270.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge", + "version": "148.0.3967.83" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge WebView2 Runtime", + "version": "148.0.3967.83" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Help Viewer 1.1", + "version": "1.1.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft ODBC Driver 11 for SQL Server", + "version": "12.3.6179.1" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft OneDrive", + "version": "26.078.0426.0002" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Report Viewer 2014 Runtime", + "version": "12.0.2000.8" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2008 R2 Management Objects", + "version": "10.51.2500.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2008 Setup Support Files ", + "version": "10.3.5500.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2012 Native Client ", + "version": "11.4.7462.6" + }, + { + "publisher": "", + "name": "Microsoft SQL Server 2014 (64-bit)", + "version": "" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2014 Policies ", + "version": "12.3.6024.0" + }, + { + "publisher": "Microsoft Corporation", + "name": 
"Microsoft SQL Server 2014 RsFx Driver", + "version": "12.3.6179.1" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2014 Setup (English)", + "version": "12.3.6179.1" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2014 Transact-SQL Compiler Service ", + "version": "12.3.6179.1" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2014 Transact-SQL ScriptDom ", + "version": "12.3.6179.1" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server System CLR Types", + "version": "10.51.2500.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft System CLR Types for SQL Server 2014 (x64)", + "version": "12.3.6179.1" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Update Health Tools", + "version": "3.74.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Basic for Applications 7.1 (x86)", + "version": "7.1.00.00" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Basic for Applications 7.1 (x86) English", + "version": "7.1.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable", + "version": "8.0.61001" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable (x64)", + "version": "8.0.56336" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable (x64)", + "version": "8.0.61000" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17", + "version": "9.0.30729" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974", + "version": "9.0.30729.4974" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161", + "version": 
"9.0.30729.6161" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x86 Runtime - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727", + "version": "11.0.50727.1" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030", + "version": "11.0.61030.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.50727", + "version": "11.0.50727" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.50727", + "version": "11.0.50727" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501", + "version": "12.0.30501.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + 
"name": "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35211", + "version": "14.44.35211.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.44.35211", + "version": "14.44.35211.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35211", + "version": "14.44.35211" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.44.35211", + "version": "14.44.35211" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.44.35211", + "version": "14.44.35211" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.44.35211", + "version": "14.44.35211" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio 2010 Shell (Isolated) - ENU", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio 2010 Tools for Office Runtime (x64)", + "version": "10.0.31119" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio 2010 Tools for Office Runtime (x64)", + "version": "10.0.31124" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft VSS Writer for SQL Server 2014", + "version": "12.3.6024.0" + }, + { + "publisher": "Brother Industries, Ltd.", + "name": "NetworkRepairTool", + "version": "1.2.29.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 15 Click-to-Run Extensibility Component", + "version": "15.0.5603.1000" + }, + { + "publisher": 
"Microsoft Corporation", + "name": "Office 15 Click-to-Run Licensing Component", + "version": "15.0.5603.1000" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 15 Click-to-Run Localization Component", + "version": "15.0.5603.1000" + }, + { + "publisher": "Microsoft Corporation", + "name": "Office 16 Click-to-Run Extensibility Component", + "version": "16.0.20026.20076" + }, + { + "publisher": "Arizona Computer Guru", + "name": "Online Backup 8.6", + "version": "8.6" + }, + { + "publisher": "PCLaw | Time Matters?", + "name": "PCLaw | Time Matters? Common API", + "version": "1.90.0.0" + }, + { + "publisher": "Aviata, Inc.", + "name": "PowerENGAGE", + "version": "3.2.16" + }, + { + "publisher": "Corel Corporation", + "name": "PureHD", + "version": "14.0.2.20" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks", + "version": "26.0.4007.2607" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks Pro 2016", + "version": "26.0.4007.2607" + }, + { + "publisher": "Intuit Inc.", + "name": "QuickBooks Runtime Redistributable", + "version": "1.00.0000" + }, + { + "publisher": "Piriform", + "name": "Recuva", + "version": "1.54" + }, + { + "publisher": "", + "name": "Restart to UEFI v1.0.6.1", + "version": "1.0.6.1" + }, + { + "publisher": "RingCentral", + "name": "RingCentral for Windows", + "version": "6.6.10219.164" + }, + { + "publisher": "ScreenConnect Software", + "name": "ScreenConnect Client (1912bf3444b41a08)", + "version": "26.1.24.9579" + }, + { + "publisher": "Microsoft Corporation", + "name": "Service Pack 3 for SQL Server 2014 (KB4022619) (64-bit)", + "version": "12.3.6024.0" + }, + { + "publisher": "Corel Corporation", + "name": "Setup", + "version": "14.0.2.20" + }, + { + "publisher": "Corel Corporation", + "name": "Share", + "version": "14.0.2.20" + }, + { + "publisher": "Corel Corporation", + "name": "Share64", + "version": "14.0.2.20" + }, + { + "publisher": "Brother Industries, Ltd.", + "name": "SoftwareUpdateNotification", 
+ "version": "1.0.26.0" + }, + { + "publisher": "Splashtop Inc.", + "name": "Splashtop Streamer", + "version": "3.8.2.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2014 Client Tools", + "version": "12.3.6024.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2014 Common Files", + "version": "12.3.6024.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2014 Database Engine Services", + "version": "12.3.6024.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2014 Database Engine Shared", + "version": "12.3.6024.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2014 Management Studio", + "version": "12.3.6024.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server Browser for SQL Server 2014", + "version": "12.3.6024.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Sql Server Customer Experience Improvement Program", + "version": "12.3.6024.0" + }, + { + "publisher": "Brother Industries, Ltd.", + "name": "StatusMonitor", + "version": "1.42.0.0" + }, + { + "publisher": "Servably, Inc.", + "name": "Syncro", + "version": "1.0.201.18410" + }, + { + "publisher": "PCLaw | Time Matters?", + "name": "Time Matters?", + "version": "21.0.0.123" + }, + { + "publisher": "PCLaw | Time Matters?", + "name": "Time Matters? 
Connection Manager", + "version": "3.3.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Update for x64-based Windows Systems (KB5001716)", + "version": "8.94.0.0" + }, + { + "publisher": "Brother Industries, Ltd.", + "name": "UsbRepairTool", + "version": "1.4.0.0" + }, + { + "publisher": "Corel Corporation", + "name": "VIO", + "version": "14.0.2.20" + }, + { + "publisher": "Microsoft Corporation", + "name": "Visual Studio 2010 Prerequisites - English", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Visual Studio Tools for the Office system 3.0 Runtime", + "version": "" + }, + { + "publisher": "Microsoft Corporation", + "name": "Visual Studio Tools for the Office system 3.0 Runtime", + "version": "9.0.30729" + }, + { + "publisher": "Microsoft Corporation", + "name": "Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258)", + "version": "1" + }, + { + "publisher": "Corel Corporation", + "name": "VSClassic", + "version": "14.0.2.20" + }, + { + "publisher": "Corel Corporation", + "name": "VSPro", + "version": "14.0.2.20" + }, + { + "publisher": "", + "name": "Web Components", + "version": "3.0.6.28" + }, + { + "publisher": "", + "name": "Windows Media Encoder 9 Series", + "version": "" + }, + { + "publisher": "Microsoft Corporation", + "name": "Windows Media Encoder 9 Series", + "version": "9.00.2980" + }, + { + "publisher": "Microsoft Corporation", + "name": "Windows PC Health Check", + "version": "3.6.2204.08001" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021", + "version": "21.0.0.81" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Common Files", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Common Files English", + "version": "21.0" + }, + { + "publisher": "Corel 
Corporation", + "name": "WordPerfect Office 2021 - IPM", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - IPM Content", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Lightning Files", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Lightning Files English", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Presentations Files", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Presentations Files English", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Quattro Pro Files", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Quattro Pro Files English", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Redists", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - Setup Files", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - WordPerfect Files", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - WordPerfect Files English", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office 2021 - WPD format Props x64", + "version": "21.0" + }, + { + "publisher": " Corel Corporation", + "name": "WordPerfect Office 2021 - Writing Tools", + "version": "21.0" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office IFilter 32-bit", + "version": "1.8" + }, + { + "publisher": "Corel Corporation", + "name": "WordPerfect Office IFilter 64-bit", + "version": "1.8" + }, + { + "publisher": "ZeroTier, Inc.", + "name": "ZeroTier One", + "version": "1.6.6" + }, + { + 
"publisher": "ZeroTier", + "name": "ZeroTier One Virtual Network Port", + "version": "1.0.1" + } + ], + "tpm": { + "enabled": false, + "ready": false, + "present": false + }, + "local_groups": [ + "HelpLibraryUpdaters", + "SQLServer2005SQLBrowserUser$REDNOURCARRIEVI", + "Access Control Assistance Operators", + "Administrators", + "Backup Operators", + "Cryptographic Operators", + "Device Owners", + "Distributed COM Users", + "Event Log Readers", + "Guests", + "Hyper-V Administrators", + "IIS_IUSRS", + "Network Configuration Operators", + "Performance Log Users", + "Performance Monitor Users", + "Power Users", + "Remote Desktop Users", + "Remote Management Users", + "Replicator", + "System Managed Accounts Group", + "Users" + ], + "battery": { + "present": false + }, + "activation": { + "edition": "Microsoft Windows 10 Pro", + "description": "Windows(R) Operating System, RETAIL channel", + "licensed": false, + "license_status_code": 5 + }, + "time_source": "Local CMOS Clock", + "chassis_types": [ + 3 + ], + "last_hotfix": { + "hotfix_id": "KB5072653", + "installed_on": "2025-12-20T07:00:00Z" + }, + "antivirus_products": [ + "Windows Defender", + "Datto AV" + ], + "domain_joined": false, + "defender": { + "antispyware_signature_age": 0, + "tamper_protected": false, + "real_time_protection": false, + "nis_enabled": false, + "available": true, + "antivirus_enabled": false, + "am_service_enabled": false + }, + "bitlocker": { + "os_volume": "C:", + "key_protectors": [], + "recovery_key_present": false, + "available": true, + "encryption_percent": 0, + "protection_status": "Off" + }, + "is_laptop": false, + "installed_software_count": 151, + "local_administrators": [ + "REDNOURCARRIEVI\\Administrator", + "REDNOURCARRIEVI\\Carrie", + "REDNOURCARRIEVI\\emma", + "REDNOURCARRIEVI\\localadmin" + ], + "firewall_profiles": { + "Private": true, + "Domain": true, + "Public": true + }, + "domain": "WORKGROUP", + "foreign_agents": [ + "ScreenConnect / ConnectWise Control", + "Datto 
RMM", + "Splashtop (SOS/Streamer)", + "Syncro / Kabuto" + ] + }, + "findings": [ + { + "id": "sec.defender.rtp_off", + "category": "security", + "severity": "critical", + "title": "Defender real-time protection is OFF", + "detail": "Real-time protection is disabled. The endpoint is unprotected against active threats. Re-enable immediately or confirm a managed 3rd-party AV is providing real-time protection.", + "evidence": "RealTimeProtectionEnabled=False; AMServiceEnabled=False; AntispywareSignatureAge=0 days; IsTamperProtected=False" + }, + { + "id": "sec.defender.amservice_off", + "category": "security", + "severity": "critical", + "title": "Defender antimalware service is not running", + "detail": "The Defender antimalware service is not active. If no 3rd-party AV is present, this endpoint has no antivirus protection.", + "evidence": "RealTimeProtectionEnabled=False; AMServiceEnabled=False; AntispywareSignatureAge=0 days; IsTamperProtected=False" + }, + { + "id": "sec.defender.tamper_off", + "category": "security", + "severity": "warning", + "title": "Defender tamper protection is OFF", + "detail": "Tamper protection is disabled, so malware or a local admin can silently disable Defender. Enable tamper protection (typically via Intune / Security Center).", + "evidence": "RealTimeProtectionEnabled=False; AMServiceEnabled=False; AntispywareSignatureAge=0 days; IsTamperProtected=False" + }, + { + "id": "sec.av_products.third_party", + "category": "security", + "severity": "warning", + "title": "Third-party AV present: Datto AV", + "detail": "A non-Defender antivirus is registered. Running two real-time AV engines causes conflicts, performance loss, and detection gaps. 
Confirm the intended AV and ensure only one provides real-time protection.", + "evidence": "Registered AV: Windows Defender, Datto AV" + }, + { + "id": "sec.foreign_agents.screenconnect_connectwise_control", + "category": "security", + "severity": "critical", + "title": "Foreign management/remote-access agent: ScreenConnect / ConnectWise Control", + "detail": "A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.", + "evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running" + }, + { + "id": "sec.foreign_agents.datto_rmm", + "category": "security", + "severity": "critical", + "title": "Foreign management/remote-access agent: Datto RMM", + "detail": "A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.", + "evidence": "program: Datto RMM 4.4.11616.11616\nservice: CagService (Datto RMM) Running" + }, + { + "id": "sec.foreign_agents.splashtop_sos_streamer_", + "category": "security", + "severity": "critical", + "title": "Foreign management/remote-access agent: Splashtop (SOS/Streamer)", + "detail": "A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.", + "evidence": "program: Splashtop Streamer 3.8.2.0\nservice: SplashtopRemoteService (Splashtop? 
Remote Service) Running" + }, + { + "id": "sec.foreign_agents.syncro_kabuto", + "category": "security", + "severity": "critical", + "title": "Foreign management/remote-access agent: Syncro / Kabuto", + "detail": "A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.", + "evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running" + }, + { + "id": "sec.firewall.ok", + "category": "security", + "severity": "info", + "title": "All firewall profiles enabled", + "detail": "Domain, Private, and Public firewall profiles are all enabled.", + "evidence": "Private=True; Domain=True; Public=True" + }, + { + "id": "sec.bitlocker.unencrypted", + "category": "security", + "severity": "warning", + "title": "OS volume is NOT encrypted with BitLocker", + "detail": "The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.", + "evidence": "Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=" + }, + { + "id": "sec.local_admins.list", + "category": "security", + "severity": "info", + "title": "Local administrators (4)", + "detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).", + "evidence": "REDNOURCARRIEVI\\Administrator\nREDNOURCARRIEVI\\Carrie\nREDNOURCARRIEVI\\emma\nREDNOURCARRIEVI\\localadmin" + }, + { + "id": "sec.patch.os_eol", + "category": "security", + "severity": "critical", + "title": "OS build is end-of-life: Win10 22H2", + "detail": "This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. 
Plan a feature update or OS upgrade.",
+ "evidence": "Microsoft Windows 10 Pro build 19045; EOL 2025-10-14"
+ },
+ {
+ "id": "sec.patch.pending",
+ "category": "security",
+ "severity": "warning",
+ "title": "1 pending Windows updates",
+ "detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.",
+ "evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1"
+ },
+ {
+ "id": "sec.patch.last_hotfix",
+ "category": "security",
+ "severity": "info",
+ "title": "Last hotfix: KB5072653",
+ "detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).",
+ "evidence": "KB5072653 installed 2025-12-20T07:00:00Z"
+ },
+ {
+ "id": "sec.exposure.rdp_no_nla",
+ "category": "security",
+ "severity": "critical",
+ "title": "RDP enabled WITHOUT Network Level Authentication",
+ "detail": "RDP is on and NLA is not required. This exposes the logon screen pre-auth and is vulnerable to pre-auth exploits and brute force. Require NLA, restrict RDP to VPN/allow-listed IPs, or disable RDP.",
+ "evidence": "fDenyTSConnections=0; UserAuthentication=0"
+ },
+ {
+ "id": "sec.exposure.smb1_off",
+ "category": "security",
+ "severity": "info",
+ "title": "SMBv1 disabled",
+ "detail": "SMBv1 server protocol is disabled.",
+ "evidence": "EnableSMB1Protocol=False"
+ },
+ {
+ "id": "sec.exposure.laps_present",
+ "category": "security",
+ "severity": "info",
+ "title": "LAPS detected",
+ "detail": "A LAPS mechanism is present.",
+ "evidence": "Windows LAPS reg key"
+ },
+ {
+ "id": "health.disk_space.C",
+ "category": "health",
+ "severity": "warning",
+ "title": "Disk low: C: at 11.7% free",
+ "detail": "Less than 15 percent free. 
Plan cleanup or expansion.",
+ "evidence": "C: free 54.4 GB of 465.1 GB (11.7%)"
+ },
+ {
+ "id": "health.stability.some",
+ "category": "health",
+ "severity": "warning",
+ "title": "Stability events present in the last 14 days",
+ "detail": "One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.",
+ "evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=1"
+ },
+ {
+ "id": "health.reboot_uptime.pending",
+ "category": "health",
+ "severity": "warning",
+ "title": "Reboot pending",
+ "detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.",
+ "evidence": "PendingFileRenameOperations"
+ },
+ {
+ "id": "health.failed_services.stopped",
+ "category": "health",
+ "severity": "warning",
+ "title": "2 auto-start service(s) not running",
+ "detail": "These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.",
+ "evidence": "Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped\nNetMsmqActivator (Net.Msmq Listener Adapter) = Stopped"
+ },
+ {
+ "id": "health.domain.workgroup",
+ "category": "health",
+ "severity": "info",
+ "title": "Not domain-joined (workgroup)",
+ "detail": "This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.",
+ "evidence": "PartOfDomain=False; Domain=WORKGROUP"
+ },
+ {
+ "id": "health.time.local_cmos",
+ "category": "health",
+ "severity": "warning",
+ "title": "Time source is local CMOS clock (not NTP)",
+ "detail": "The system is not syncing time from an NTP source. Clock drift breaks Kerberos and certificate validation. 
Configure a reliable time source (domain hierarchy or pool.ntp.org).",
+ "evidence": "Source=Local CMOS Clock"
+ },
+ {
+ "id": "health.backup.none",
+ "category": "health",
+ "severity": "info",
+ "title": "No backup agent detected",
+ "detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.",
+ "evidence": "No matching backup service in Win32_Service"
+ }
+ ]
+}
diff --git a/clients/rednour/onboarding-baselines/REDNOURCARRIEVI-20260529T202250.md b/clients/rednour/onboarding-baselines/REDNOURCARRIEVI-20260529T202250.md
new file mode 100644
index 0000000..ca9efbf
--- /dev/null
+++ b/clients/rednour/onboarding-baselines/REDNOURCARRIEVI-20260529T202250.md
@@ -0,0 +1,286 @@
+# Onboarding Diagnostic Baseline - REDNOURCARRIEVI
+
+- **Grade:** RED
+- **Host:** REDNOURCARRIEVI
+- **Client:** Rednour Law Offices (`rednour`)
+- **Collected (UTC):** 2026-05-29T20:21:21Z
+- **Agent ID:** 8e4e2221-7e2a-4a6f-9eda-864568539961
+- **Command ID:** e46f35e2-1809-46b4-b2ee-624e6b4fbd44
+- **Findings:** 8 critical / 9 warning / 7 info / 0 unknown
+
+- **OS:** Microsoft Windows 10 Pro (build 19045)
+
+---
+
+## CRITICAL (8)
+
+### Defender real-time protection is OFF
+- **Category:** security
+- **ID:** `sec.defender.rtp_off`
+- Real-time protection is disabled. The endpoint is unprotected against active threats. Re-enable immediately or confirm a managed 3rd-party AV is providing real-time protection.
+
+```
+RealTimeProtectionEnabled=False; AMServiceEnabled=False; AntispywareSignatureAge=0 days; IsTamperProtected=False
+```
+
+### Defender antimalware service is not running
+- **Category:** security
+- **ID:** `sec.defender.amservice_off`
+- The Defender antimalware service is not active. If no 3rd-party AV is present, this endpoint has no antivirus protection.
+
+```
+RealTimeProtectionEnabled=False; AMServiceEnabled=False; AntispywareSignatureAge=0 days; IsTamperProtected=False
+```
+
+### Foreign management/remote-access agent: ScreenConnect / ConnectWise Control
+- **Category:** security
+- **ID:** `sec.foreign_agents.screenconnect_connectwise_control`
+- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
+
+```
+program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
+service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
+```
+
+### Foreign management/remote-access agent: Datto RMM
+- **Category:** security
+- **ID:** `sec.foreign_agents.datto_rmm`
+- A competitor RMM or unmanaged remote-access tool is present. 
At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
+
+```
+program: Datto RMM 4.4.11616.11616
+service: CagService (Datto RMM) Running
+```
+
+### Foreign management/remote-access agent: Splashtop (SOS/Streamer)
+- **Category:** security
+- **ID:** `sec.foreign_agents.splashtop_sos_streamer_`
+- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
+
+```
+program: Splashtop Streamer 3.8.2.0
+service: SplashtopRemoteService (Splashtop? Remote Service) Running
+```
+
+### Foreign management/remote-access agent: Syncro / Kabuto
+- **Category:** security
+- **ID:** `sec.foreign_agents.syncro_kabuto`
+- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
+
+```
+program: Syncro 1.0.201.18410
+service: Syncro (Syncro) Running
+```
+
+### OS build is end-of-life: Win10 22H2
+- **Category:** security
+- **ID:** `sec.patch.os_eol`
+- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.
+
+```
+Microsoft Windows 10 Pro build 19045; EOL 2025-10-14
+```
+
+### RDP enabled WITHOUT Network Level Authentication
+- **Category:** security
+- **ID:** `sec.exposure.rdp_no_nla`
+- RDP is on and NLA is not required. This exposes the logon screen pre-auth and is vulnerable to pre-auth exploits and brute force. Require NLA, restrict RDP to VPN/allow-listed IPs, or disable RDP. 
+
+```
+fDenyTSConnections=0; UserAuthentication=0
+```
+
+
+## WARNING (9)
+
+### Defender tamper protection is OFF
+- **Category:** security
+- **ID:** `sec.defender.tamper_off`
+- Tamper protection is disabled, so malware or a local admin can silently disable Defender. Enable tamper protection (typically via Intune / Security Center).
+
+```
+RealTimeProtectionEnabled=False; AMServiceEnabled=False; AntispywareSignatureAge=0 days; IsTamperProtected=False
+```
+
+### Third-party AV present: Datto AV
+- **Category:** security
+- **ID:** `sec.av_products.third_party`
+- A non-Defender antivirus is registered. Running two real-time AV engines causes conflicts, performance loss, and detection gaps. Confirm the intended AV and ensure only one provides real-time protection.
+
+```
+Registered AV: Windows Defender, Datto AV
+```
+
+### OS volume is NOT encrypted with BitLocker
+- **Category:** security
+- **ID:** `sec.bitlocker.unencrypted`
+- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.
+
+```
+Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
+```
+
+### 1 pending Windows updates
+- **Category:** security
+- **ID:** `sec.patch.pending`
+- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
+
+```
+Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1
+```
+
+### Disk low: C: at 11.7% free
+- **Category:** health
+- **ID:** `health.disk_space.C`
+- Less than 15 percent free. Plan cleanup or expansion.
+
+```
+C: free 54.4 GB of 465.1 GB (11.7%)
+```
+
+### Stability events present in the last 14 days
+- **Category:** health
+- **ID:** `health.stability.some`
+- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports. 
+
+```
+Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=1
+```
+
+### Reboot pending
+- **Category:** health
+- **ID:** `health.reboot_uptime.pending`
+- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
+
+```
+PendingFileRenameOperations
+```
+
+### 2 auto-start service(s) not running
+- **Category:** health
+- **ID:** `health.failed_services.stopped`
+- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
+
+```
+Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped
+NetMsmqActivator (Net.Msmq Listener Adapter) = Stopped
+```
+
+### Time source is local CMOS clock (not NTP)
+- **Category:** health
+- **ID:** `health.time.local_cmos`
+- The system is not syncing time from an NTP source. Clock drift breaks Kerberos and certificate validation. Configure a reliable time source (domain hierarchy or pool.ntp.org).
+
+```
+Source=Local CMOS Clock
+```
+
+
+## INFO (7)
+
+### All firewall profiles enabled
+- **Category:** security
+- **ID:** `sec.firewall.ok`
+- Domain, Private, and Public firewall profiles are all enabled.
+
+```
+Private=True; Domain=True; Public=True
+```
+
+### Local administrators (4)
+- **Category:** security
+- **ID:** `sec.local_admins.list`
+- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
+
+```
+REDNOURCARRIEVI\Administrator
+REDNOURCARRIEVI\Carrie
+REDNOURCARRIEVI\emma
+REDNOURCARRIEVI\localadmin
+```
+
+### Last hotfix: KB5072653
+- **Category:** security
+- **ID:** `sec.patch.last_hotfix`
+- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata). 
+
+```
+KB5072653 installed 2025-12-20T07:00:00Z
+```
+
+### SMBv1 disabled
+- **Category:** security
+- **ID:** `sec.exposure.smb1_off`
+- SMBv1 server protocol is disabled.
+
+```
+EnableSMB1Protocol=False
+```
+
+### LAPS detected
+- **Category:** security
+- **ID:** `sec.exposure.laps_present`
+- A LAPS mechanism is present.
+
+```
+Windows LAPS reg key
+```
+
+### Not domain-joined (workgroup)
+- **Category:** health
+- **ID:** `health.domain.workgroup`
+- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
+
+```
+PartOfDomain=False; Domain=WORKGROUP
+```
+
+### No backup agent detected
+- **Category:** health
+- **ID:** `health.backup.none`
+- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
+
+```
+No matching backup service in Win32_Service
+```
+
+
+---
+
+## Inventory Baseline Summary
+
+- **Manufacturer / Model:** To Be Filled By O.E.M. / To Be Filled By O.E.M.
+- **Serial:** To Be Filled By O.E.M.
+- **CPU:** Intel(R) Core(TM) i3-9100 CPU @ 3.60GHz (4 cores / 4 logical)
+- **RAM (GB):** 7.7
+- **BIOS:** P4.10 (2019-04-01)
+- **Chassis is laptop:** false
+- **TPM present / Secure Boot:** ? / ?
+- **Domain joined:** false (WORKGROUP)
+- **OS activation licensed:** ? 
+- **Uptime (days):** 0.2
+- **Pending reboot:** true
+- **Installed software count:** 151
+- **Scheduled tasks (non-MS, enabled):** 19
+- **Local administrators:** REDNOURCARRIEVI\Administrator, REDNOURCARRIEVI\Carrie, REDNOURCARRIEVI\emma, REDNOURCARRIEVI\localadmin
+
+### Fixed volumes
+
+- [unlabeled] - 0.1 GB free of 0.1 GB (71.7%)
+- C: - 54.4 GB free of 465.1 GB (11.7%)
+- [unlabeled] - 0 GB free of 0.5 GB (8.5%)
+
+### Network adapters
+
+- ZeroTier Virtual Port - IP: 10.147.17.253, fe80::c624:d955:2579:a9e4, fcfb:1c63:8659:2d21:d189::1 - DNS: - DHCP: false
+- Intel(R) Ethernet Connection (7) I219-V - IP: 192.168.10.194, fe80::e42e:510a:5261:a8dd - DNS: 192.168.10.1 - DHCP: true
+
+---
+
+## Diff vs Prior Baseline
+
+- No prior baseline found for this host. This is the first baseline.
+
+---
+
+_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `REDNOURCARRIEVI-20260529T202250.json` (immutable)._
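Review bot: The `ZeroTier Virtual Port` under Network adapters (static 10.147.17.253, `DHCP: false`) is inventoried but never surfaces as a finding, even though an overlay VPN on a workgroup host is the same class of unmanaged remote path as the four agents flagged critical — and with `sec.exposure.rdp_no_nla` on this host, every peer on that ZeroTier network can presumably reach the pre-auth RDP logon screen unless a firewall rule scopes the listener to the LAN. I would add it to the finding list, e.g. `### Overlay/VPN network adapter present: ZeroTier` with `- Confirm the ZeroTier network is ACG-managed; if not, treat it like a foreign remote-access agent and remove it.`, and have the foreign-agent check cover ZeroTier/Tailscale-class adapters so the next baseline catches it automatically. `sec.exposure.laps_present` rests only on `Windows LAPS reg key`; that key has shipped in-box on Windows 10 since the April 2023 updates, so its presence does not show a policy is applied, and on a WORKGROUP host there is nowhere to escrow the password unless the machine is Entra-joined, which the report cannot tell — I would soften the wording to `A Windows LAPS registry key is present; policy application and password escrow were not verified.` Finally, the BitLocker remediation cannot be scheduled while the inventory shows `TPM present / Secure Boot: ? / ?` and the Intel TPM Provisioning Service is stopped; the collector should resolve TPM and Secure Boot state before this host is handed to remediation.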