# Onboarding Diagnostic Baseline - LEGALASST

- **Grade:** RED
- **Host:** LEGALASST
- **Client:** Rednour Law Offices (`rednour`)
- **Collected (UTC):** 2026-05-29T20:05:50Z
- **Agent ID:** 18825ea7-df58-47bb-b492-822cb16fb5ec
- **Command ID:** beb27c88-4161-4183-a2b9-c43ec1ea0c0b
- **Findings:** 4 critical / 5 warning / 9 info / 3 unknown
- **OS:** Microsoft Windows 10 Pro (build 19045)

---

## CRITICAL (4)

### Foreign management/remote-access agent: ScreenConnect / ConnectWise Control

- **Category:** security
- **ID:** `sec.foreign_agents.screenconnect_connectwise_control`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.

```
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```

### Foreign management/remote-access agent: Splashtop (SOS/Streamer)

- **Category:** security
- **ID:** `sec.foreign_agents.splashtop_sos_streamer_`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.

```
program: Splashtop Streamer 3.8.2.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running
```

### Foreign management/remote-access agent: Syncro / Kabuto

- **Category:** security
- **ID:** `sec.foreign_agents.syncro_kabuto`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```

### OS build is end-of-life: Win10 22H2

- **Category:** security
- **ID:** `sec.patch.os_eol`
- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.

```
Microsoft Windows 10 Pro build 19045; EOL 2025-10-14
```

## WARNING (5)

### 1 pending Windows update

- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.

```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1
```

### Stability events present in the last 14 days

- **Category:** health
- **ID:** `health.stability.some`
- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.

```
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=1
```

### Reboot pending

- **Category:** health
- **ID:** `health.reboot_uptime.pending`
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.

```
PendingFileRenameOperations
```

### Uptime is 43.1 days

- **Category:** health
- **ID:** `health.reboot_uptime.long_uptime`
- Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.

```
LastBootUpTime=2026-04-16 10:07:07Z
```

### 3 auto-start service(s) not running

- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
WMPNetworkSvc (Windows Media Player Network Sharing Service) = Stopped
GoogleUpdaterInternalService149.0.7814.0 (Google Updater Internal Service (GoogleUpdaterInternalService149.0.7814.0)) = Stopped
GoogleUpdaterService149.0.7814.0 (Google Updater Service (GoogleUpdaterService149.0.7814.0)) = Stopped
```

## INFO (9)

### Defender active and current

- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.

```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
```

### Defender is the only registered AV

- **Category:** security
- **ID:** `sec.av_products.defender_only`
- Only Microsoft/Windows Defender is registered in Security Center.

```
Windows Defender
```

### Local administrators (4)

- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).

```
LEGALASST\Administrator
LEGALASST\Ale
LEGALASST\Emma
LEGALASST\localadmin
```

### Last hotfix: KB5075039

- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).

```
KB5075039 installed 2026-03-04T07:00:00Z
```

### SMBv1 disabled

- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.

```
EnableSMB1Protocol=False
```

### LAPS detected

- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.

```
Windows LAPS reg key
```

### Not domain-joined (workgroup)

- **Category:** health
- **ID:** `health.domain.workgroup`
- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
```
PartOfDomain=False; Domain=WORKGROUP
```

### Time service source

- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.

```
Source=time.windows.com,0x9
```

### No backup agent detected

- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.

```
No matching backup service in Win32_Service
```

## UNKNOWN (3)

### Check failed: Windows Firewall profiles

- **Category:** security
- **ID:** `sec.firewall.error`
- The probe could not complete this check. Manual review recommended.

```
Invalid class
```

### BitLocker status unavailable

- **Category:** security
- **ID:** `sec.bitlocker.unavailable`
- Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).

```
MountPoint=C:, Get-BitLockerVolume returned null
```

### Physical disk health unavailable

- **Category:** health
- **ID:** `health.disk_smart.unavailable`
- Get-PhysicalDisk is unavailable (older OS / RAID controller hiding disks). Verify drive health via vendor tools.

```
Get-PhysicalDisk returned null
```

---

## Inventory Baseline Summary

- **Manufacturer / Model:** To Be Filled By O.E.M. / To Be Filled By O.E.M.
- **Serial:** To Be Filled By O.E.M.
- **CPU:** AMD Ryzen 3 3200G with Radeon Vega Graphics (4 cores / 4 logical)
- **RAM (GB):** 5.9
- **BIOS:** P3.50 (2019-05-15)
- **Chassis is laptop:** false
- **TPM present / Secure Boot:** ? / ?
- **Domain joined:** false (WORKGROUP)
- **OS activation licensed:** ?
- **Uptime (days):** 43.1
- **Pending reboot:** true
- **Installed software count:** 68
- **Scheduled tasks (non-MS, enabled):** 13
- **Local administrators:** LEGALASST\Administrator, LEGALASST\Ale, LEGALASST\Emma, LEGALASST\localadmin

### Fixed volumes

### Network adapters

- Realtek PCIe GbE Family Controller - IP: 192.168.10.213 - DNS: 192.168.10.1 - DHCP: true

---

## Diff vs Prior Baseline

- No prior baseline found for this host. This is the first baseline.

---

_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `LEGALASST-20260529T200647.json` (immutable)._