azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(rmm): onboarding diagnostic (Phase 1) - probe + triage + baseline

Browse Source 
/rmm diagnose: dispatches a Windows security/health probe to a newly onboarded
agent, grades RED/AMBER/GREEN, writes an immutable per-client baseline
(clients/<slug>/onboarding-baselines/), diffs vs prior, and alerts CRITICALs to
#dev-alerts. Probe is PS5.1/ASCII/SYSTEM-safe, never-abort, base64 chunked upload
around the agent command-size cap. Code-reviewed (no blockers); folded in
immutability guard, severity-independent finding ids, Defender-unknown sentinel,
expanded competitor/backup detection.

First baselines captured: Rednour FRONTDESKRECEPT + LEGALASST (both RED - prior
MSP ScreenConnect/Splashtop/Syncro still live; LEGALASST OS EOL).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-05-29 13:08:43 -07:00
parent 02c402ea78
commit df9be01065
7 changed files with 4033 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

774
clients/rednour/onboarding-baselines/FRONTDESKRECEPT-20260529T195614.json Normal file
View File

@@ -0,0 +1,774 @@
{
"host": "FRONTDESKRECEPT",
"collected_at_utc": "2026-05-29T19:55:43Z",
"os": {
"caption": "Microsoft Windows 11 Pro",
"version": "10.0.26200",
"build": "26200",
"install_date": "2025-08-07T02:15:17Z",
"last_boot_utc": "2026-05-13T00:39:47Z",
"architecture": "64-bit"
},
"facts": {
"builtin_admin_enabled": false,
"os_eol": {
"eol_date": "2027-10-12",
"release": "Win11 25H2"
},
"pending_updates": 2,
"pending_reboot": true,
"uptime_days": 16.8,
"scheduled_tasks": [
{
"path": "\\",
"name": "CorelUpdateHelperTask-34FAD43C54B1AA7B7D45D9CFCA371A7C",
"state": "Ready"
},
{
"path": "\\",
"name": "CorelUpdateHelperTaskCore",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskMachineCore1d8299e406acf5f",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskMachineUA",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Per-Machine Standalone Update Task",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Reporting Task-S-1-5-21-1826020299-2037390372-3224229966-1001",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Startup Task-S-1-5-21-1826020299-2037390372-3224229966-1001",
"state": "Ready"
},
{
"path": "\\GoogleSystem\\GoogleUpdater\\",
"name": "GoogleUpdaterTaskSystem149.0.7814.0{A725F2F7-591B-48E3-A0A9-9AAD55F1DAF1}",
"state": "Ready"
},
{
"path": "\\SoftLanding\\S-1-5-21-1826020299-2037390372-3224229966-1001\\",
"name": "SoftLandingCreativeManagementTask",
"state": "Ready"
},
{
"path": "\\SoftLanding\\S-1-5-21-1826020299-2037390372-3224229966-1001\\",
"name": "SoftLandingDeferralTask-{0c3db634-1f6a-464d-bbe9-5526a48a6e15}",
"state": "Ready"
}
],
"hardware": {
"model": "OptiPlex 3080",
"manufacturer": "Dell Inc.",
"bios_date": "2025-12-01",
"cpu_logical": 12,
"bios_version": "2.34.0",
"cpu_cores": 6,
"ram_gb": 15.8,
"serial": "DPZK1G3",
"cpu": "Intel(R) Core(TM) i5-10505 CPU @ 3.20GHz"
},
"os_build": "26200",
"secure_boot": false,
"backup_agents": null,
"autoruns_run_keys": [
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "SecurityHealth",
"value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "RtkAudUService",
"value": "\"C:\\WINDOWS\\System32\\DriverStore\\FileRepository\\realtekservice.inf_amd64_a4555e9b35287491\\RtkAudUService64.exe\" -background"
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "WavesSvc",
"value": "\"C:\\WINDOWS\\System32\\DriverStore\\FileRepository\\wavesapo9de.inf_amd64_c6bfc5767fc0181c\\WavesSvc64.exe\" -Jack"
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "QuickFinder Scheduler",
"value": "\"c:\\Program Files (x86)\\Corel\\WordPerfect Office 2021\\Programs\\QFSCHD210.EXE\""
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"name": "Delete Cached Update Binary",
"value": "C:\\WINDOWS\\system32\\cmd.exe /q /c del /q \"C:\\Program Files\\Microsoft OneDrive\\Update\\OneDriveSetup.exe\""
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"name": "Delete Cached Standalone Update Binary",
"value": "C:\\WINDOWS\\system32\\cmd.exe /q /c del /q \"C:\\Program Files\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"name": "msedge_cleanup_{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}",
"value": "\"C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\148.0.3967.83\\Installer\\setup.exe\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon"
}
],
"physical_disks": [
{
"health": "Healthy",
"model": "KingFast",
"media_type": "SSD"
}
],
"local_users": [
{
"last_logon": "",
"name": "Administrator",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "",
"name": "DefaultAccount",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "",
"name": "Guest",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "2026-05-29",
"name": "guru",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "",
"name": "localadmin",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "",
"name": "WDAGUtilityAccount",
"password_never_expires": false,
"enabled": false
}
],
"scheduled_tasks_count": 10,
"volumes": [
{
"drive": "[unlabeled]",
"size_gb": 0.1,
"free_pct": 35.9,
"free_gb": 0
},
{
"drive": "[unlabeled]",
"size_gb": 0.8,
"free_pct": 14.4,
"free_gb": 0.1
},
{
"drive": "[Recovery]",
"size_gb": 0.5,
"free_pct": 97.4,
"free_gb": 0.5
},
{
"drive": "C:",
"size_gb": 475.5,
"free_pct": 82.8,
"free_gb": 394
}
],
"network_adapters": [
{
"dhcp": true,
"description": "Realtek PCIe GbE Family Controller",
"gateway": [
"192.168.10.1"
],
"mac": "70:B5:E8:7A:80:7B",
"ip": [
"192.168.10.115",
"fe80::b17c:c1aa:150b:e65b"
],
"dns": [
"192.168.10.1"
]
}
],
"failed_autostart_services": [
{
"name": "GoogleUpdaterInternalService149.0.7814.0",
"display": "Google Updater Internal Service (GoogleUpdaterInternalService149.0.7814.0)",
"state": "Stopped"
},
{
"name": "GoogleUpdaterService149.0.7814.0",
"display": "Google Updater Service (GoogleUpdaterService149.0.7814.0)",
"state": "Stopped"
},
{
"name": "Intel(R) TPM Provisioning Service",
"display": "Intel(R) TPM Provisioning Service",
"state": "Stopped"
}
],
"stability_14d": {
"unexpected_shutdowns": 0,
"disk_errors": 0,
"bugchecks": 0
},
"exposure": {
"smb1_enabled": false,
"laps_present": true,
"rdp_enabled": false,
"uac_enabled": true,
"rdp_nla": true
},
"accounts_password_never_expires": [],
"installed_software": [
{
"publisher": "Microsoft Corporation",
"name": "Copilot",
"version": "148.0.3967.70"
},
{
"publisher": "Corel corporation",
"name": "Corel Update Manager",
"version": "2.16.673"
},
{
"publisher": "Google LLC",
"name": "Google Chrome",
"version": "148.0.7778.216"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft 365 Apps for business - en-us",
"version": "16.0.19929.20172"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Command Line Utilities 11 for SQL Server",
"version": "11.0.2270.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Edge",
"version": "148.0.3967.83"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Edge WebView2 Runtime",
"version": "148.0.3967.83"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft ODBC Driver 11 for SQL Server",
"version": "11.0.2270.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft OneDrive",
"version": "26.084.0504.0007"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Update Health Tools",
"version": "5.72.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Basic for Applications 7.1 (x86)",
"version": "7.1.00.00"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Basic for Applications 7.1 (x86) English",
"version": "7.1.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2005 Redistributable",
"version": "8.0.56336"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2005 Redistributable (x64)",
"version": "8.0.56336"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727",
"version": "11.0.50727.1"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030",
"version": "11.0.61030.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.50727",
"version": "11.0.50727"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.50727",
"version": "11.0.50727"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030",
"version": "11.0.61030"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030",
"version": "11.0.61030"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35211",
"version": "14.44.35211.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.44.35211",
"version": "14.44.35211.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio 2010 Tools for Office Runtime (x64)",
"version": "10.0.31119"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio 2010 Tools for Office Runtime (x64)",
"version": "10.0.31124"
},
{
"publisher": "Microsoft Corporation",
"name": "Office 16 Click-to-Run Extensibility Component",
"version": "16.0.19929.20172"
},
{
"publisher": "ScreenConnect Software",
"name": "ScreenConnect Client (1912bf3444b41a08)",
"version": "26.1.24.9579"
},
{
"publisher": "Splashtop Inc.",
"name": "Splashtop Streamer",
"version": "3.8.2.0"
},
{
"publisher": "Servably, Inc.",
"name": "Syncro",
"version": "1.0.201.18410"
},
{
"publisher": "Microsoft Corporation",
"name": "Teams Machine-Wide Installer",
"version": "1.4.0.32771"
},
{
"publisher": "PCLaw | Time Matters?",
"name": "Time Matters?",
"version": "21.0.0.123"
},
{
"publisher": "Microsoft Corporation",
"name": "Update for Windows 10 for x64-based Systems (KB5001716)",
"version": "4.91.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Windows PC Health Check",
"version": "3.6.2204.08001"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021",
"version": "21.1.1.194"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Common Files",
"version": "21.1.1"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Common Files English",
"version": "21.1"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - IPM",
"version": "21.1"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - IPM Content",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - IPM Content TBYB ",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - IPM TBYB",
"version": "21.1"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Lightning Files",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Lightning Files English",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Presentations Files",
"version": "21.1.1"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Presentations Files English",
"version": "21.1"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Quattro Pro Files",
"version": "21.1.1"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Quattro Pro Files English",
"version": "21.1"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Redists",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Setup Files",
"version": "21.1.1"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - WordPerfect Files",
"version": "21.1.1"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - WordPerfect Files English",
"version": "21.1"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - WPD format Props x64",
"version": "21.0"
},
{
"publisher": " Corel Corporation",
"name": "WordPerfect Office 2021 - Writing Tools",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office IFilter 32-bit",
"version": "1.8"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office IFilter 64-bit",
"version": "1.8"
}
],
"tpm": {
"enabled": true,
"ready": true,
"present": true
},
"local_groups": [
"Access Control Assistance Operators",
"Administrators",
"Backup Operators",
"Cryptographic Operators",
"Device Owners",
"Distributed COM Users",
"Event Log Readers",
"Guests",
"Hyper-V Administrators",
"IIS_IUSRS",
"Network Configuration Operators",
"OpenSSH Users",
"Performance Log Users",
"Performance Monitor Users",
"Power Users",
"Remote Desktop Users",
"Remote Management Users",
"Replicator",
"System Managed Accounts Group",
"User Mode Hardware Operators",
"Users"
],
"battery": {
"present": false
},
"activation": {
"edition": "Microsoft Windows 11 Pro",
"description": "Windows(R) Operating System, OEM_DM channel",
"licensed": true,
"license_status_code": 1
},
"time_source": "time.windows.com,0x9",
"chassis_types": [
3
],
"last_hotfix": {
"hotfix_id": "KB5089549",
"installed_on": "2026-05-13T07:00:00Z"
},
"antivirus_products": [
"Windows Defender"
],
"domain_joined": false,
"defender": {
"antispyware_signature_age": 0,
"tamper_protected": true,
"real_time_protection": true,
"nis_enabled": true,
"available": true,
"antivirus_enabled": true,
"am_service_enabled": true
},
"bitlocker": {
"os_volume": "C:",
"key_protectors": [],
"recovery_key_present": false,
"available": true,
"encryption_percent": 0,
"protection_status": "Off"
},
"is_laptop": false,
"installed_software_count": 58,
"local_administrators": [
"FRONTDESKRECEPT\\Administrator",
"FRONTDESKRECEPT\\guru",
"FRONTDESKRECEPT\\localadmin"
],
"firewall_profiles": {
"Private": true,
"Domain": true,
"Public": true
},
"domain": "WORKGROUP",
"foreign_agents": [
"ScreenConnect / ConnectWise Control",
"Splashtop (SOS/Streamer)",
"Syncro / Kabuto"
]
},
"findings": [
{
"id": "sec.defender.ok",
"category": "security",
"severity": "info",
"title": "Defender active and current",
"detail": "Real-time protection on, service running, signatures current.",
"evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True"
},
{
"id": "sec.av_products.defender_only",
"category": "security",
"severity": "info",
"title": "Defender is the only registered AV",
"detail": "Only Microsoft/Windows Defender is registered in Security Center.",
"evidence": "Windows Defender"
},
{
"id": "sec.foreign_agents.screenconnect_connectwise_control",
"category": "security",
"severity": "critical",
"title": "Foreign management/remote-access agent: ScreenConnect / ConnectWise Control",
"detail": "A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.",
"evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running"
},
{
"id": "sec.foreign_agents.splashtop_sos_streamer_",
"category": "security",
"severity": "critical",
"title": "Foreign management/remote-access agent: Splashtop (SOS/Streamer)",
"detail": "A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.",
"evidence": "program: Splashtop Streamer 3.8.2.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running"
},
{
"id": "sec.foreign_agents.syncro_kabuto",
"category": "security",
"severity": "critical",
"title": "Foreign management/remote-access agent: Syncro / Kabuto",
"detail": "A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.",
"evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running"
},
{
"id": "sec.firewall.ok",
"category": "security",
"severity": "info",
"title": "All firewall profiles enabled",
"detail": "Domain, Private, and Public firewall profiles are all enabled.",
"evidence": "Private=True; Domain=True; Public=True"
},
{
"id": "sec.bitlocker.unencrypted",
"category": "security",
"severity": "warning",
"title": "OS volume is NOT encrypted with BitLocker",
"detail": "The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.",
"evidence": "Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors="
},
{
"id": "sec.local_admins.list",
"category": "security",
"severity": "info",
"title": "Local administrators (3)",
"detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).",
"evidence": "FRONTDESKRECEPT\\Administrator\nFRONTDESKRECEPT\\guru\nFRONTDESKRECEPT\\localadmin"
},
{
"id": "sec.patch.os_supported",
"category": "security",
"severity": "info",
"title": "OS build supported: Win11 25H2",
"detail": "Build 26200 (Win11 25H2) is in support until 2027-10-12.",
"evidence": "Microsoft Windows 11 Pro build 26200"
},
{
"id": "sec.patch.pending",
"category": "security",
"severity": "warning",
"title": "2 pending Windows updates",
"detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.",
"evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 2"
},
{
"id": "sec.patch.last_hotfix",
"category": "security",
"severity": "info",
"title": "Last hotfix: KB5089549",
"detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).",
"evidence": "KB5089549 installed 2026-05-13T07:00:00Z"
},
{
"id": "sec.exposure.smb1_off",
"category": "security",
"severity": "info",
"title": "SMBv1 disabled",
"detail": "SMBv1 server protocol is disabled.",
"evidence": "EnableSMB1Protocol=False"
},
{
"id": "sec.exposure.laps_present",
"category": "security",
"severity": "info",
"title": "LAPS detected",
"detail": "A LAPS mechanism is present.",
"evidence": "Windows LAPS reg key"
},
{
"id": "health.stability.clean",
"category": "health",
"severity": "info",
"title": "No stability events in the last 14 days",
"detail": "No unexpected shutdowns, BSODs, or disk errors logged.",
"evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0"
},
{
"id": "health.reboot_uptime.pending",
"category": "health",
"severity": "warning",
"title": "Reboot pending",
"detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.",
"evidence": "PendingFileRenameOperations"
},
{
"id": "health.failed_services.stopped",
"category": "health",
"severity": "warning",
"title": "3 auto-start service(s) not running",
"detail": "These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.",
"evidence": "GoogleUpdaterInternalService149.0.7814.0 (Google Updater Internal Service (GoogleUpdaterInternalService149.0.7814.0)) = Stopped\nGoogleUpdaterService149.0.7814.0 (Google Updater Service (GoogleUpdaterService149.0.7814.0)) = Stopped\nIntel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped"
},
{
"id": "health.domain.workgroup",
"category": "health",
"severity": "info",
"title": "Not domain-joined (workgroup)",
"detail": "This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.",
"evidence": "PartOfDomain=False; Domain=WORKGROUP"
},
{
"id": "health.time.source",
"category": "health",
"severity": "info",
"title": "Time service source",
"detail": "Current Windows Time service source.",
"evidence": "Source=time.windows.com,0x9"
},
{
"id": "health.backup.none",
"category": "health",
"severity": "info",
"title": "No backup agent detected",
"detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.",
"evidence": "No matching backup service in Win32_Service"
}
]
}

240
clients/rednour/onboarding-baselines/FRONTDESKRECEPT-20260529T195614.md Normal file
View File

@@ -0,0 +1,240 @@
# Onboarding Diagnostic Baseline - FRONTDESKRECEPT
- **Grade:** RED
- **Host:** FRONTDESKRECEPT
- **Client:** Rednour Law Offices (`rednour`)
- **Collected (UTC):** 2026-05-29T19:55:43Z
- **Agent ID:** 04765560-3e8a-46e5-a507-c5f5f4ead6eb
- **Command ID:** 94966f79-74ea-4b47-98c5-6e0f33f819fa
- **Findings:** 3 critical / 4 warning / 12 info / 0 unknown
- **OS:** Microsoft Windows 11 Pro (build 26200)
---
## CRITICAL (3)
### Foreign management/remote-access agent: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.screenconnect_connectwise_control`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### Foreign management/remote-access agent: Splashtop (SOS/Streamer)
- **Category:** security
- **ID:** `sec.foreign_agents.splashtop_sos_streamer_`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
```
program: Splashtop Streamer 3.8.2.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running
```
### Foreign management/remote-access agent: Syncro / Kabuto
- **Category:** security
- **ID:** `sec.foreign_agents.syncro_kabuto`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```
## WARNING (4)
### OS volume is NOT encrypted with BitLocker
- **Category:** security
- **ID:** `sec.bitlocker.unencrypted`
- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.
```
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
```
### 2 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 2
```
### Reboot pending
- **Category:** health
- **ID:** `health.reboot_uptime.pending`
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
```
PendingFileRenameOperations
```
### 3 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
GoogleUpdaterInternalService149.0.7814.0 (Google Updater Internal Service (GoogleUpdaterInternalService149.0.7814.0)) = Stopped
GoogleUpdaterService149.0.7814.0 (Google Updater Service (GoogleUpdaterService149.0.7814.0)) = Stopped
Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped
```
## INFO (12)
### Defender active and current
- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.
```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
```
### Defender is the only registered AV
- **Category:** security
- **ID:** `sec.av_products.defender_only`
- Only Microsoft/Windows Defender is registered in Security Center.
```
Windows Defender
```
### All firewall profiles enabled
- **Category:** security
- **ID:** `sec.firewall.ok`
- Domain, Private, and Public firewall profiles are all enabled.
```
Private=True; Domain=True; Public=True
```
### Local administrators (3)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
FRONTDESKRECEPT\Administrator
FRONTDESKRECEPT\guru
FRONTDESKRECEPT\localadmin
```
### OS build supported: Win11 25H2
- **Category:** security
- **ID:** `sec.patch.os_supported`
- Build 26200 (Win11 25H2) is in support until 2027-10-12.
```
Microsoft Windows 11 Pro build 26200
```
### Last hotfix: KB5089549
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5089549 installed 2026-05-13T07:00:00Z
```
### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.
```
EnableSMB1Protocol=False
```
### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.
```
Windows LAPS reg key
```
### No stability events in the last 14 days
- **Category:** health
- **ID:** `health.stability.clean`
- No unexpected shutdowns, BSODs, or disk errors logged.
```
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0
```
### Not domain-joined (workgroup)
- **Category:** health
- **ID:** `health.domain.workgroup`
- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
```
PartOfDomain=False; Domain=WORKGROUP
```
### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.
```
Source=time.windows.com,0x9
```
### No backup agent detected
- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
```
No matching backup service in Win32_Service
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** Dell Inc. / OptiPlex 3080
- **Serial:** DPZK1G3
- **CPU:** Intel(R) Core(TM) i5-10505 CPU @ 3.20GHz (6 cores / 12 logical)
- **RAM (GB):** 15.8
- **BIOS:** 2.34.0 (2025-12-01)
- **Chassis is laptop:** false
- **TPM present / Secure Boot:** true / ?
- **Domain joined:** false (WORKGROUP)
- **OS activation licensed:** true
- **Uptime (days):** 16.8
- **Pending reboot:** true
- **Installed software count:** 58
- **Scheduled tasks (non-MS, enabled):** 10
- **Local administrators:** FRONTDESKRECEPT\Administrator, FRONTDESKRECEPT\guru, FRONTDESKRECEPT\localadmin
### Fixed volumes
- [unlabeled] - 0 GB free of 0.1 GB (35.9%)
- [unlabeled] - 0.1 GB free of 0.8 GB (14.4%)
- [Recovery] - 0.5 GB free of 0.5 GB (97.4%)
- C: - 394 GB free of 475.5 GB (82.8%)
### Network adapters
- Realtek PCIe GbE Family Controller - IP: 192.168.10.115, fe80::b17c:c1aa:150b:e65b - DNS: 192.168.10.1 - DHCP: true
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `FRONTDESKRECEPT-20260529T195614.json` (immutable)._

833
clients/rednour/onboarding-baselines/LEGALASST-20260529T200647.json Normal file
View File

@@ -0,0 +1,833 @@
{
"host": "LEGALASST",
"collected_at_utc": "2026-05-29T20:05:50Z",
"os": {
"caption": "Microsoft Windows 10 Pro",
"version": "10.0.19045",
"build": "19045",
"install_date": "2020-10-14T20:37:24Z",
"last_boot_utc": "2026-04-16T17:07:07Z",
"architecture": "64-bit"
},
"facts": {
"builtin_admin_enabled": false,
"os_eol": {
"eol_date": "2025-10-14",
"release": "Win10 22H2"
},
"pending_updates": 1,
"pending_reboot": true,
"uptime_days": 43.1,
"scheduled_tasks": [
{
"path": "\\",
"name": "Adobe Acrobat Update Task",
"state": "Ready"
},
{
"path": "\\",
"name": "Launch Adobe CCXProcess",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskMachineCore",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskMachineUA",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Per-Machine Standalone Update Task",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Reporting Task-S-1-5-21-1572446079-3930123124-3343558679-1001",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Reporting Task-S-1-5-21-1572446079-3930123124-3343558679-1002",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Reporting Task-S-1-5-21-1572446079-3930123124-3343558679-1009",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Startup Task-S-1-5-21-1572446079-3930123124-3343558679-1001",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Startup Task-S-1-5-21-1572446079-3930123124-3343558679-1002",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Startup Task-S-1-5-21-1572446079-3930123124-3343558679-1009",
"state": "Ready"
},
{
"path": "\\",
"name": "TM_Scheduled_Backup_Task",
"state": "Ready"
},
{
"path": "\\GoogleSystem\\GoogleUpdater\\",
"name": "GoogleUpdaterTaskSystem149.0.7814.0{3238CEEE-C349-45C0-BB24-92859BBE402D}",
"state": "Ready"
}
],
"hardware": {
"model": "To Be Filled By O.E.M.",
"manufacturer": "To Be Filled By O.E.M.",
"bios_date": "2019-05-15",
"cpu_logical": 4,
"bios_version": "P3.50",
"cpu_cores": 4,
"ram_gb": 5.9,
"serial": "To Be Filled By O.E.M.",
"cpu": "AMD Ryzen 3 3200G with Radeon Vega Graphics "
},
"os_build": "19045",
"secure_boot": false,
"backup_agents": null,
"autoruns_run_keys": [
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "SecurityHealth",
"value": "C:\\Windows\\system32\\SecurityHealthSystray.exe"
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "Logitech Download Assistant",
"value": "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\System32\\LogiLDA.dll,LogiFetch"
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "QuickFinder Scheduler",
"value": "\"c:\\Program Files (x86)\\Corel\\WordPerfect Office X6\\Programs\\QFSCHD160.EXE\""
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "SunJavaUpdateSched",
"value": "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "Adobe CCXProcess",
"value": "C:\\Program Files (x86)\\Adobe\\Adobe Creative Cloud Experience\\CCXProcess.exe"
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "Adobe Creative Cloud",
"value": "\"C:\\Program Files\\Adobe\\Adobe Creative Cloud\\ACC\\Creative Cloud.exe\" --showwindow=false --onOSstartup=true"
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"name": "Delete Cached Update Binary",
"value": "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Program Files\\Microsoft OneDrive\\Update\\OneDriveSetup.exe\""
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"name": "Delete Cached Standalone Update Binary",
"value": "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Program Files\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"name": "msedge_cleanup_{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}",
"value": "\"C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\148.0.3967.83\\Installer\\setup.exe\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon"
}
],
"local_users": [
{
"last_logon": "",
"name": "Administrator",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "2022-05-17",
"name": "Ale",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "",
"name": "DefaultAccount",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "2026-05-29",
"name": "Emma",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "",
"name": "Guest",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "2020-10-14",
"name": "localadmin",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "",
"name": "WDAGUtilityAccount",
"password_never_expires": false,
"enabled": false
}
],
"scheduled_tasks_count": 13,
"volumes": {
"drive": "C:",
"size_gb": 465.1,
"free_pct": 75.2,
"free_gb": 349.6
},
"network_adapters": [
{
"dhcp": true,
"description": "Realtek PCIe GbE Family Controller",
"gateway": [
"192.168.10.1"
],
"mac": "70:85:C2:CD:6D:65",
"ip": [
"192.168.10.213"
],
"dns": [
"192.168.10.1"
]
}
],
"failed_autostart_services": [
{
"name": "WMPNetworkSvc",
"display": "Windows Media Player Network Sharing Service",
"state": "Stopped"
},
{
"name": "GoogleUpdaterInternalService149.0.7814.0",
"display": "Google Updater Internal Service (GoogleUpdaterInternalService149.0.7814.0)",
"state": "Stopped"
},
{
"name": "GoogleUpdaterService149.0.7814.0",
"display": "Google Updater Service (GoogleUpdaterService149.0.7814.0)",
"state": "Stopped"
}
],
"stability_14d": {
"unexpected_shutdowns": 0,
"disk_errors": 1,
"bugchecks": 0
},
"exposure": {
"smb1_enabled": false,
"laps_present": true,
"rdp_enabled": false,
"uac_enabled": true,
"rdp_nla": true
},
"accounts_password_never_expires": [],
"installed_software": [
{
"publisher": "Adobe",
"name": "Adobe Acrobat (64-bit)",
"version": "26.001.21483"
},
{
"publisher": "Adobe Inc.",
"name": "Adobe Creative Cloud",
"version": "6.9.1.1"
},
{
"publisher": "Adobe Systems Incorporated",
"name": "Adobe Refresh Manager",
"version": "1.8.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Copilot",
"version": "148.0.3967.96"
},
{
"publisher": "Corel Corporation",
"name": "Corel Compatibility Pack",
"version": "12.4518.1018"
},
{
"publisher": "Eclipse Adoptium",
"name": "Eclipse Temurin JDK with Hotspot 17.0.2+8 (x64)",
"version": "17.0.2.8"
},
{
"publisher": "Google LLC",
"name": "Google Chrome",
"version": "148.0.7778.179"
},
{
"publisher": "Oracle Corporation",
"name": "Java 8 Update 341 (64-bit)",
"version": "8.0.3410.10"
},
{
"publisher": "Oracle Corporation",
"name": "Java Auto Updater",
"version": "2.8.341.10"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft 365 Apps for business - en-us",
"version": "16.0.19929.20106"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Command Line Utilities 11 for SQL Server",
"version": "11.0.2270.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Edge",
"version": "148.0.3967.83"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Edge WebView2 Runtime",
"version": "148.0.3967.83"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft ODBC Driver 11 for SQL Server",
"version": "11.0.2270.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft OneDrive",
"version": "26.078.0426.0002"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Update Health Tools",
"version": "3.74.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2005 Redistributable",
"version": "8.0.56336"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2005 Redistributable (x64)",
"version": "8.0.56336"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727",
"version": "11.0.50727.1"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030",
"version": "11.0.61030.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.50727",
"version": "11.0.50727"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.50727",
"version": "11.0.50727"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030",
"version": "11.0.61030"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030",
"version": "11.0.61030"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501",
"version": "12.0.30501.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35211",
"version": "14.44.35211.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.44.35211",
"version": "14.44.35211.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio 2010 Tools for Office Runtime (x64)",
"version": "10.0.31119"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio 2010 Tools for Office Runtime (x64)",
"version": "10.0.31124"
},
{
"publisher": "Microsoft Corporation",
"name": "Office 15 Click-to-Run Extensibility Component",
"version": "15.0.5603.1000"
},
{
"publisher": "Microsoft Corporation",
"name": "Office 15 Click-to-Run Licensing Component",
"version": "15.0.5603.1000"
},
{
"publisher": "Microsoft Corporation",
"name": "Office 15 Click-to-Run Localization Component",
"version": "15.0.5603.1000"
},
{
"publisher": "Microsoft Corporation",
"name": "Office 16 Click-to-Run Extensibility Component",
"version": "16.0.19929.20106"
},
{
"publisher": "ScreenConnect Software",
"name": "ScreenConnect Client (1912bf3444b41a08)",
"version": "26.1.24.9579"
},
{
"publisher": "Splashtop Inc.",
"name": "Splashtop Streamer",
"version": "3.8.2.0"
},
{
"publisher": "Stamps.com, Inc.",
"name": "Stamps.com",
"version": "20.0.1.5122"
},
{
"publisher": "Stamps.com, Inc.",
"name": "Stamps.com Classic",
"version": "20.8.0.10190"
},
{
"publisher": "Servably, Inc.",
"name": "Syncro",
"version": "1.0.201.18410"
},
{
"publisher": "PCLaw | Time Matters?",
"name": "Time Matters?",
"version": "21.0.0.123"
},
{
"publisher": "Tweaking.com",
"name": "Tweaking.com - Windows Repair",
"version": "4.14.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Update for x64-based Windows Systems (KB5001716)",
"version": "8.94.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Windows PC Health Check",
"version": "3.6.2204.08001"
},
{
"publisher": "Microsoft Corporation",
"name": "Windows PC Health Check",
"version": "4.0.2410.23001"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office IFilter 32-bit",
"version": "1.4"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office IFilter 64-bit",
"version": "1.4"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office X6",
"version": "16.0.0.429"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office X6",
"version": "16.3"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office X6 - Common Files",
"version": "16.3"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office X6 - Common Files English",
"version": "16.3.1"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office X6 - IPM",
"version": "16.3"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office X6 - Lightning Files",
"version": "16.3"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office X6 - Lightning Files English",
"version": "16.3"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office X6 - Oxford",
"version": "16.3"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office X6 - Presentations Files",
"version": "16.3"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office X6 - Presentations Files English",
"version": "16.3"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office X6 - Quattro Pro Files",
"version": "16.3"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office X6 - Quattro Pro Files English",
"version": "16.3"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office X6 - Setup Files",
"version": "16.3.1"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office X6 - System Files",
"version": "16.1"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office X6 - WordPerfect Files",
"version": "16.3"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office X6 - WordPerfect Files English",
"version": "16.3"
},
{
"publisher": " Corel Corporation",
"name": "WordPerfect Office X6 - WT",
"version": "16.1"
}
],
"tpm": {
"enabled": false,
"ready": false,
"present": false
},
"local_groups": [
"Access Control Assistance Operators",
"Administrators",
"Backup Operators",
"Cryptographic Operators",
"Device Owners",
"Distributed COM Users",
"Event Log Readers",
"Guests",
"Hyper-V Administrators",
"IIS_IUSRS",
"Network Configuration Operators",
"Performance Log Users",
"Performance Monitor Users",
"Power Users",
"Remote Desktop Users",
"Remote Management Users",
"Replicator",
"System Managed Accounts Group",
"Users"
],
"battery": {
"present": false
},
"activation": {
"edition": "Microsoft Windows 10 Pro",
"description": "Windows(R) Operating System, RETAIL channel",
"licensed": false,
"license_status_code": 5
},
"time_source": "time.windows.com,0x9",
"chassis_types": [
3
],
"last_hotfix": {
"hotfix_id": "KB5075039",
"installed_on": "2026-03-04T07:00:00Z"
},
"antivirus_products": [
"Windows Defender"
],
"domain_joined": false,
"defender": {
"antispyware_signature_age": 0,
"tamper_protected": true,
"real_time_protection": true,
"nis_enabled": true,
"available": true,
"antivirus_enabled": true,
"am_service_enabled": true
},
"bitlocker": {
"available": false,
"os_volume": "C:"
},
"is_laptop": false,
"installed_software_count": 68,
"local_administrators": [
"LEGALASST\\Administrator",
"LEGALASST\\Ale",
"LEGALASST\\Emma",
"LEGALASST\\localadmin"
],
"domain": "WORKGROUP",
"foreign_agents": [
"ScreenConnect / ConnectWise Control",
"Splashtop (SOS/Streamer)",
"Syncro / Kabuto"
]
},
"findings": [
{
"id": "sec.defender.ok",
"category": "security",
"severity": "info",
"title": "Defender active and current",
"detail": "Real-time protection on, service running, signatures current.",
"evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True"
},
{
"id": "sec.av_products.defender_only",
"category": "security",
"severity": "info",
"title": "Defender is the only registered AV",
"detail": "Only Microsoft/Windows Defender is registered in Security Center.",
"evidence": "Windows Defender"
},
{
"id": "sec.foreign_agents.screenconnect_connectwise_control",
"category": "security",
"severity": "critical",
"title": "Foreign management/remote-access agent: ScreenConnect / ConnectWise Control",
"detail": "A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.",
"evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running"
},
{
"id": "sec.foreign_agents.splashtop_sos_streamer_",
"category": "security",
"severity": "critical",
"title": "Foreign management/remote-access agent: Splashtop (SOS/Streamer)",
"detail": "A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.",
"evidence": "program: Splashtop Streamer 3.8.2.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running"
},
{
"id": "sec.foreign_agents.syncro_kabuto",
"category": "security",
"severity": "critical",
"title": "Foreign management/remote-access agent: Syncro / Kabuto",
"detail": "A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.",
"evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running"
},
{
"id": "sec.firewall.error",
"category": "security",
"severity": "unknown",
"title": "Check failed: Windows Firewall profiles",
"detail": "The probe could not complete this check. Manual review recommended.",
"evidence": "Invalid class "
},
{
"id": "sec.bitlocker.unavailable",
"category": "security",
"severity": "unknown",
"title": "BitLocker status unavailable",
"detail": "Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).",
"evidence": "MountPoint=C:, Get-BitLockerVolume returned null"
},
{
"id": "sec.local_admins.list",
"category": "security",
"severity": "info",
"title": "Local administrators (4)",
"detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).",
"evidence": "LEGALASST\\Administrator\nLEGALASST\\Ale\nLEGALASST\\Emma\nLEGALASST\\localadmin"
},
{
"id": "sec.patch.os_eol",
"category": "security",
"severity": "critical",
"title": "OS build is end-of-life: Win10 22H2",
"detail": "This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.",
"evidence": "Microsoft Windows 10 Pro build 19045; EOL 2025-10-14"
},
{
"id": "sec.patch.pending",
"category": "security",
"severity": "warning",
"title": "1 pending Windows updates",
"detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.",
"evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1"
},
{
"id": "sec.patch.last_hotfix",
"category": "security",
"severity": "info",
"title": "Last hotfix: KB5075039",
"detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).",
"evidence": "KB5075039 installed 2026-03-04T07:00:00Z"
},
{
"id": "sec.exposure.smb1_off",
"category": "security",
"severity": "info",
"title": "SMBv1 disabled",
"detail": "SMBv1 server protocol is disabled.",
"evidence": "EnableSMB1Protocol=False"
},
{
"id": "sec.exposure.laps_present",
"category": "security",
"severity": "info",
"title": "LAPS detected",
"detail": "A LAPS mechanism is present.",
"evidence": "Windows LAPS reg key"
},
{
"id": "health.disk_smart.unavailable",
"category": "health",
"severity": "unknown",
"title": "Physical disk health unavailable",
"detail": "Get-PhysicalDisk is unavailable (older OS / RAID controller hiding disks). Verify drive health via vendor tools.",
"evidence": "Get-PhysicalDisk returned null"
},
{
"id": "health.stability.some",
"category": "health",
"severity": "warning",
"title": "Stability events present in the last 14 days",
"detail": "One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.",
"evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=1"
},
{
"id": "health.reboot_uptime.pending",
"category": "health",
"severity": "warning",
"title": "Reboot pending",
"detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.",
"evidence": "PendingFileRenameOperations"
},
{
"id": "health.reboot_uptime.long_uptime",
"category": "health",
"severity": "warning",
"title": "Uptime is 43.1 days",
"detail": "Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.",
"evidence": "LastBootUpTime=2026-04-16 10:07:07Z"
},
{
"id": "health.failed_services.stopped",
"category": "health",
"severity": "warning",
"title": "3 auto-start service(s) not running",
"detail": "These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.",
"evidence": "WMPNetworkSvc (Windows Media Player Network Sharing Service) = Stopped\nGoogleUpdaterInternalService149.0.7814.0 (Google Updater Internal Service (GoogleUpdaterInternalService149.0.7814.0)) = Stopped\nGoogleUpdaterService149.0.7814.0 (Google Updater Service (GoogleUpdaterService149.0.7814.0)) = Stopped"
},
{
"id": "health.domain.workgroup",
"category": "health",
"severity": "info",
"title": "Not domain-joined (workgroup)",
"detail": "This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.",
"evidence": "PartOfDomain=False; Domain=WORKGROUP"
},
{
"id": "health.time.source",
"category": "health",
"severity": "info",
"title": "Time service source",
"detail": "Current Windows Time service source.",
"evidence": "Source=time.windows.com,0x9"
},
{
"id": "health.backup.none",
"category": "health",
"severity": "info",
"title": "No backup agent detected",
"detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.",
"evidence": "No matching backup service in Win32_Service"
}
]
}

258
clients/rednour/onboarding-baselines/LEGALASST-20260529T200647.md Normal file
View File

@@ -0,0 +1,258 @@
# Onboarding Diagnostic Baseline - LEGALASST
- **Grade:** RED
- **Host:** LEGALASST
- **Client:** Rednour Law Offices (`rednour`)
- **Collected (UTC):** 2026-05-29T20:05:50Z
- **Agent ID:** 18825ea7-df58-47bb-b492-822cb16fb5ec
- **Command ID:** beb27c88-4161-4183-a2b9-c43ec1ea0c0b
- **Findings:** 4 critical / 5 warning / 9 info / 3 unknown
- **OS:** Microsoft Windows 10 Pro (build 19045)
---
## CRITICAL (4)
### Foreign management/remote-access agent: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.screenconnect_connectwise_control`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### Foreign management/remote-access agent: Splashtop (SOS/Streamer)
- **Category:** security
- **ID:** `sec.foreign_agents.splashtop_sos_streamer_`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
```
program: Splashtop Streamer 3.8.2.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running
```
### Foreign management/remote-access agent: Syncro / Kabuto
- **Category:** security
- **ID:** `sec.foreign_agents.syncro_kabuto`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```
### OS build is end-of-life: Win10 22H2
- **Category:** security
- **ID:** `sec.patch.os_eol`
- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.
```
Microsoft Windows 10 Pro build 19045; EOL 2025-10-14
```
## WARNING (5)
### 1 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1
```
### Stability events present in the last 14 days
- **Category:** health
- **ID:** `health.stability.some`
- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.
```
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=1
```
### Reboot pending
- **Category:** health
- **ID:** `health.reboot_uptime.pending`
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
```
PendingFileRenameOperations
```
### Uptime is 43.1 days
- **Category:** health
- **ID:** `health.reboot_uptime.long_uptime`
- Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.
```
LastBootUpTime=2026-04-16 10:07:07Z
```
### 3 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
WMPNetworkSvc (Windows Media Player Network Sharing Service) = Stopped
GoogleUpdaterInternalService149.0.7814.0 (Google Updater Internal Service (GoogleUpdaterInternalService149.0.7814.0)) = Stopped
GoogleUpdaterService149.0.7814.0 (Google Updater Service (GoogleUpdaterService149.0.7814.0)) = Stopped
```
## INFO (9)
### Defender active and current
- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.
```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
```
### Defender is the only registered AV
- **Category:** security
- **ID:** `sec.av_products.defender_only`
- Only Microsoft/Windows Defender is registered in Security Center.
```
Windows Defender
```
### Local administrators (4)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
LEGALASST\Administrator
LEGALASST\Ale
LEGALASST\Emma
LEGALASST\localadmin
```
### Last hotfix: KB5075039
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5075039 installed 2026-03-04T07:00:00Z
```
### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.
```
EnableSMB1Protocol=False
```
### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.
```
Windows LAPS reg key
```
### Not domain-joined (workgroup)
- **Category:** health
- **ID:** `health.domain.workgroup`
- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
```
PartOfDomain=False; Domain=WORKGROUP
```
### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.
```
Source=time.windows.com,0x9
```
### No backup agent detected
- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
```
No matching backup service in Win32_Service
```
## UNKNOWN (3)
### Check failed: Windows Firewall profiles
- **Category:** security
- **ID:** `sec.firewall.error`
- The probe could not complete this check. Manual review recommended.
```
Invalid class
```
### BitLocker status unavailable
- **Category:** security
- **ID:** `sec.bitlocker.unavailable`
- Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).
```
MountPoint=C:, Get-BitLockerVolume returned null
```
### Physical disk health unavailable
- **Category:** health
- **ID:** `health.disk_smart.unavailable`
- Get-PhysicalDisk is unavailable (older OS / RAID controller hiding disks). Verify drive health via vendor tools.
```
Get-PhysicalDisk returned null
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** To Be Filled By O.E.M. / To Be Filled By O.E.M.
- **Serial:** To Be Filled By O.E.M.
- **CPU:** AMD Ryzen 3 3200G with Radeon Vega Graphics (4 cores / 4 logical)
- **RAM (GB):** 5.9
- **BIOS:** P3.50 (2019-05-15)
- **Chassis is laptop:** false
- **TPM present / Secure Boot:** ? / ?
- **Domain joined:** false (WORKGROUP)
- **OS activation licensed:** ?
- **Uptime (days):** 43.1
- **Pending reboot:** true
- **Installed software count:** 68
- **Scheduled tasks (non-MS, enabled):** 13
- **Local administrators:** LEGALASST\Administrator, LEGALASST\Ale, LEGALASST\Emma, LEGALASST\localadmin
### Fixed volumes
### Network adapters
- Realtek PCIe GbE Family Controller - IP: 192.168.10.213 - DNS: 192.168.10.1 - DHCP: true
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `LEGALASST-20260529T200647.json` (immutable)._