onboarding-diagnostic.ps1: add a PowerShell-version guard. The probe is PS3+ by
design (Get-CimInstance, [ordered], ConvertTo-Json); on stock PS2 (Win7 SP1 /
2008 R2 without WMF) it crashed with cryptic [ordered] errors and emitted empty
DIAG-JSON (first hit: AMT-PC). Now on PS<3 it emits a legible, parseable result
inside the DIAG-JSON markers (hand-built JSON) with a WMF 5.1 / KB3191566
remediation hint instead. Parses clean. True PS2-native probe stays an RMM Thought.
memory: add feedback_windows_quote_stripping (+ index) consolidating the two
recent embedded-double-quote incidents (PowerShell->curl.exe CommandLineToArgvW,
RMM->cmd.exe shutdown /c) into one root cause + fix, so future ref= entries land.
errorlog: the two self-logged entries from #32333 (preview-skip friction,
AMT-PC/Scileppi conflation correction).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Both surfaced on GND-SERVER (Server 2019 DC), would mis-grade every Windows Server:
1. OS EOL: build numbers are SHARED between client and server SKUs (17763 = Win10
1809 AND Server 2019; 14393 = 1607/Server2016; 26100 = 24H2/Server2025). The map
only had client dates, so Server 2019 (supported to 2029) was flagged EOL-2020 =
false critical. Now branch on SKU ($caption -match 'Server') with a Server EOL map.
2. Stability disk errors: ids 7/51/153 are shared across providers; provider 'disk'
= real I/O error, but 'Microsoft-Windows-Kernel-Boot' id 153 = "VBS disabled" boot
noise. The unfiltered fallback counted that noise as disk errors (false warning on
healthy boxes). Now count only true storage providers, no unfiltered fallback.
Parses clean. Re-run on GND-SERVER should drop from RED to AMBER (both false findings gone).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Require SecurityCenter2 productState RTP-enabled bit before treating a
registered AV as active (lapsed/disabled AV no longer suppresses the
critical Defender finding), and tighten the Datto fallback to AV/EDR
services only — excluding Datto RMM/Backup/Workplace/Continuity/File so
non-AV Datto products can't masquerade as antivirus. Fix misleading comment.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The probe flagged ACG's own MSP tooling (ScreenConnect/ConnectWise Control,
Splashtop, Syncro, Datto RMM, Datto EDR/AV) as CRITICAL "foreign agent" and
flagged Defender-off as CRITICAL even when a 3rd-party AV had legitimately
disabled it. Now: allowlisted tools emit an INFO "expected ACG tooling"
finding (genuinely-foreign tools still CRITICAL); Defender-off is downgraded
to INFO only when a 3rd-party AV is active. JSON contract + grading unchanged.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
/rmm diagnose: dispatches a Windows security/health probe to a newly onboarded
agent, grades RED/AMBER/GREEN, writes an immutable per-client baseline
(clients/<slug>/onboarding-baselines/), diffs vs prior, and alerts CRITICALs to
#dev-alerts. Probe is PS5.1/ASCII/SYSTEM-safe, never-abort, base64 chunked upload
around the agent command-size cap. Code-reviewed (no blockers); folded in
immutability guard, severity-independent finding ids, Defender-unknown sentinel,
expanded competitor/backup detection.
First baselines captured: Rednour FRONTDESKRECEPT + LEGALASST (both RED - prior
MSP ScreenConnect/Splashtop/Syncro still live; LEGALASST OS EOL).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
