clients/jimmy: BLASTER2 onboarding remediation note (2026-06-19) — NLA, Kaseya removal, MSP360 backup retention + console handoff
This commit is contained in:
60
clients/jimmy/reports/2026-06-19-blaster2-remediation.md
Normal file
60
clients/jimmy/reports/2026-06-19-blaster2-remediation.md
Normal file
@@ -0,0 +1,60 @@
|
||||
# Blaster2 — Onboarding Remediation (2026-06-19)
|
||||
|
||||
**Client:** Jimmy Company (`jimmy`) · **Site:** Main (SILVER-LION-5647)
|
||||
**Machine:** BLASTER2 — Windows 10 Pro 22H2 (build 19045), Lenovo, i5-3470 / 3.8 GB RAM
|
||||
**RMM agent:** `abddc0ce-a226-48f1-b913-263a81013389` (v0.6.66)
|
||||
**Tech:** Mike Swanson · **Onboarding grade:** RED (baseline: `onboarding-baselines/BLASTER2-20260619T191759.md`)
|
||||
|
||||
## Actions completed
|
||||
|
||||
### Security
|
||||
- **RDP NLA enabled** — set `UserAuthentication=1` on `RDP-Tcp`. RDP was on with NLA off
|
||||
(pre-auth exposure, critical). RDP left enabled, now requires Network Level Authentication.
|
||||
- **Kaseya leftover removed** — deleted service `KaseyaConnectAPIService` (kav2srv.exe),
|
||||
install dir `C:\Program Files (x86)\Kaseya\ECGRP939762241516006`, and registry hives
|
||||
`HKLM\SOFTWARE\Kaseya` + `HKLM\SOFTWARE\WOW6432Node\Kaseya\Agent`. Post-removal sweep
|
||||
clean: no services, no dir, no scheduled tasks, no other references. (Leftover foreign-RMM
|
||||
agent from a prior provider — control/security risk.)
|
||||
|
||||
### Cleanup / health scan
|
||||
- **Machine is clean.** C: = 159 GB used / 70.8 GB free. Temp/junk negligible (Windows Temp
|
||||
0.05 GB, user temps 0.12 GB, SoftwareDistribution/Recycle Bin ~0; no Windows.old / hiberfil
|
||||
/ MEMORY.dmp). No real bloatware among 80 installed programs — only a dead "Google Toolbar
|
||||
for Internet Explorer" (left in place; removable on request).
|
||||
|
||||
### Backup (MSP360 / mspbackups)
|
||||
- **Root problem:** external backup drive **E: full** — 7.45 TB, 0.74 GB free. Two **local**
|
||||
MSP360 plans failing with `NotEnoughSpaceOnLocalDestination` (image-based + file). The
|
||||
**cloud (Backblaze B2)** plan is healthy.
|
||||
- **90-day retention applied** to both local plans (`cbb editBackupPlan` / `editBackupIBBPlan
|
||||
-purge "3m"`; plans are new-backup-format). Confirmed "Retention time is set to 90 days."
|
||||
- **Space NOT yet reclaimed — blocked by provider policy.** Agent-side deletion (`cbb delete`)
|
||||
is refused: *"File deletion on backup storage is restricted due to your service provider
|
||||
policy."* The MBS REST API is monitoring-only. The full disk also deadlocks the automatic
|
||||
retention purge (no successful pass can run). **Reclamation must be done provider-side in the
|
||||
MSP360 management console.**
|
||||
|
||||
## E: storage breakdown (6.7 TB MSP360 + 0.7 TB legacy + 0.7 TB non-MSP360)
|
||||
- Active NBF generations: image `aae0be51` 3.24 TB, file `5277ed3c` 2.48 TB (history back to 2024).
|
||||
- Orphaned legacy bunches (pre-2024, no plan, dead weight): "Image Based" 793 GB (last 2022-07-24),
|
||||
"C:" folder 216 GB.
|
||||
- Non-MSP360 squatters on E:: VeeamBackup 543 GB, "My backups" 98 GB, FileHistory 81 GB.
|
||||
|
||||
## Console purge worklist (handed to Mike, cutoff 2026-03-21 = 90 days)
|
||||
1. Lift the MSP360 "restrict backup deletion" provider policy (or delete from the console Storage view).
|
||||
2. Image plan: keep restore points 2026-06-07 / 05-04 / 04-06; delete 2026-03-01 and older (~20).
|
||||
3. File plan: keep 2026-03-23 onward; delete 2026-03-17 and older (~65).
|
||||
4. Delete the 2 orphaned legacy bunches ("Image Based" 793 GB, "C:" 216 GB).
|
||||
5. Optional (Explorer, not MSP360, only if abandoned): E:\VeeamBackup, E:\My backups, E:\FileHistory (722 GB).
|
||||
6. After space frees, the 90-day retention keeps both plans bounded — re-run both Local plans to confirm Success.
|
||||
|
||||
## Still open (not addressed today)
|
||||
- **Win10 22H2 is EOL** (end-of-servicing 2025-10-14) on weak 2012-era hardware (i5-3470, 3.8 GB RAM,
|
||||
2013 BIOS) — realistically a **machine replacement**, not in-place upgrade.
|
||||
- 5 pending Windows updates + pending reboot; 2 unexpected shutdowns (event 41) in 14 days.
|
||||
- BitLocker status unavailable (likely unencrypted — verify), firewall-profile + SMART checks
|
||||
returned "unknown" in the diagnostic (manual follow-up).
|
||||
|
||||
## References
|
||||
- RMM write ops alerted to #dev-alerts. Provider-policy delete blocker logged to `errorlog.md`.
|
||||
- Vault: `clients/jimmy/gururmm-site-main.sops.yaml` (enrollment key); MSP360 API `msp-tools/msp360-api.sops.yaml`.
|
||||
Reference in New Issue
Block a user