# Onboarding Diagnostic Baseline - LILO

- **Grade:** RED
- **Host:** LILO
- **Client:** Universal Cryogenics (`ucryo`)
- **Collected (UTC):** 2026-06-03T00:52:27Z
- **Agent ID:** 5d0bdfc0-cb58-496f-b9bd-d585eb643d85
- **Command ID:** c3002dde-bb3b-4ce5-b54c-e8ea4714a071
- **Findings:** 2 critical / 5 warning / 16 info / 0 unknown
- **OS:** Microsoft Windows 10 Pro (build 19045)

---

## CRITICAL (2)

### OS volume is NOT encrypted with BitLocker

- **Category:** security
- **ID:** `sec.bitlocker.unencrypted`
- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. The inventory below reports a TPM present and Secure Boot on, so a TPM protector is available (add a PIN if policy requires pre-boot authentication). Enable BitLocker and escrow the recovery key; the host is domain-joined, so AD DS escrow is an option alongside any RMM or cloud escrow.

```
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
```

### OS build is end-of-life: Win10 22H2

- **Category:** security
- **ID:** `sec.patch.os_eol`
- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates unless the device is enrolled in Extended Security Updates (ESU). Two caveats from elsewhere in this report: the most recent hotfix (KB5072653, installed 2025-11-18) postdates the EOL date, so confirm whether that reflects ESU enrolment or a non-OS package (Get-HotFix also lists .NET and servicing-stack updates); and the CPU (Core i7-6820HQ, 6th generation) is below Windows 11's supported-processor floor, so the realistic paths are ESU or hardware replacement rather than an in-place feature update. Plan the OS upgrade or replacement accordingly.

```
Microsoft Windows 10 Pro build 19045; EOL 2025-10-14
```

## WARNING (5)

### 1 pending Windows update

- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports one pending (not installed, not hidden) update. It may be a security update. Approve/install it in the next maintenance window, then restart (see the pending-reboot finding below).

```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1
```

### RDP is enabled

- **Category:** security
- **ID:** `sec.exposure.rdp_on`
- Remote Desktop is enabled with Network Level Authentication required. NLA blocks unauthenticated sessions but still exposes the listener to credential attacks, so confirm the Remote Desktop firewall rules are scoped to the VPN or specific source IPs and are not active on the Public profile this laptop will use off-site. It must not be reachable from the internet.

```
fDenyTSConnections=0; UserAuthentication=1
```

### Reboot pending

- **Category:** health
- **ID:** `health.reboot_uptime.pending`
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.

```
PendingFileRenameOperations
```

### Uptime is 82.3 days

- **Category:** health
- **ID:** `health.reboot_uptime.long_uptime`
- Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.

```
LastBootUpTime=2026-03-12 10:25:21Z
```

### 3 auto-start service(s) not running

- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running. On a domain-joined host, a stopped Group Policy Client (gpsvc) means policy is not being refreshed; check with `gpresult /r` after the pending restart. The Intel TPM Provisioning Service is commonly seen stopped once provisioning has completed and is usually benign.

```
gpsvc (Group Policy Client) = Stopped
Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped
LPlatSvc (Lenovo Platform Service) = Stopped
```

## INFO (16)

### Defender active and current

- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.

```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
```

### Defender is the only registered AV

- **Category:** security
- **ID:** `sec.av_products.defender_only`
- Only Microsoft/Windows Defender is registered in Security Center.

```
Windows Defender
```

### No competitor/leftover management agents detected

- **Category:** security
- **ID:** `sec.foreign_agents.none`
- No known competitor RMM or unmanaged remote-access agents found in installed programs or services.

```
Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service
```

### Expected ACG management tooling present: ScreenConnect / ConnectWise Control

- **Category:** security
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.

```
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```

### Expected ACG management tooling present: Splashtop (SOS/Streamer)

- **Category:** security
- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.

```
program: Splashtop Streamer 3.8.2.0
service: SplashtopRemoteService (Splashtop® Remote Service) Running
```

### Expected ACG management tooling present: Syncro / Kabuto

- **Category:** security
- **ID:** `sec.foreign_agents.acg.syncro_kabuto`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.

```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```

### All firewall profiles enabled

- **Category:** security
- **ID:** `sec.firewall.ok`
- Domain, Private, and Public firewall profiles are all enabled.

```
Private=True; Domain=True; Public=True
```

### Local administrators (5)

- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider). Four local accounts hold admin rights alongside Domain Admins; with Windows LAPS present (see below), confirm which local account LAPS manages and whether `LILO\me` and `LILO\paul` need standing local admin rights.

```
LILO\Administrator
LILO\localadmin
LILO\me
LILO\paul
UCRYO\Domain Admins
```

### Last hotfix: KB5072653

- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).

```
KB5072653 installed 2025-11-18T07:00:00Z
```

### SMBv1 disabled

- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.

```
EnableSMB1Protocol=False
```

### LAPS detected

- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present. The policy key alone does not show that a password has actually been set or rotated; confirm in the Microsoft-Windows-LAPS/Operational event log or by reading the password from AD.

```
Windows LAPS reg key
```

### No stability events in the last 14 days

- **Category:** health
- **ID:** `health.stability.clean`
- No unexpected shutdowns, BSODs, or disk errors logged.

```
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0
```

### Domain secure channel healthy

- **Category:** health
- **ID:** `health.domain.secure_channel_ok`
- Machine trust relationship with the domain is intact.

```
Domain=ucryo.local
```

### Time service source

- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.

```
Source=UC2-SERVER.ucryo.local
```

### Battery present

- **Category:** health
- **ID:** `health.battery.present`
- Battery detected. (Wear level and design-vs-full-charge capacity require a powercfg battery report, not collected here.)

```
EstimatedChargeRemaining=99%; BatteryStatus=2
```

### No backup agent detected

- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.

```
No matching backup service in Win32_Service
```

---

## Inventory Baseline Summary

- **Manufacturer / Model:** LENOVO / 20EQS12M00
- **Serial:** PC0G9X3B
- **CPU:** Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz (4 cores / 8 logical)
- **RAM (GB):** 31.8
- **BIOS:** N1EETA2W (1.75) (2024-03-18)
- **Chassis is laptop:** true
- **TPM present / Secure Boot:** true / true
- **Domain joined:** true (ucryo.local)
- **OS activation licensed:** true
- **Uptime (days):** 82.3
- **Pending reboot:** true
- **Installed software count:** 105
- **Scheduled tasks (non-MS, enabled):** 21
- **Local administrators:** LILO\Administrator, LILO\localadmin, LILO\me, LILO\paul, UCRYO\Domain Admins

### Fixed volumes

- [unlabeled] - 0.1 GB free of 0.6 GB (13.8%)
- [Recovery] - 0.5 GB free of 0.5 GB (97.4%)
- [unlabeled] - 0.1 GB free of 0.1 GB (72%)
- C: - 679.3 GB free of 930.3 GB (73%)

### Network adapters

- Intel(R) Dual Band Wireless-AC 8260 - IP: 172.29.0.129, fe80::a46c:9046:12ba:7f13 - DNS: 172.29.0.5, 8.8.8.8 - DHCP: true

Note: a public resolver (8.8.8.8) listed alongside the internal DNS server on a domain-joined host can cause intermittent failures resolving domain names when the internal server is slow to answer; confirm the DHCP scope is handing this out intentionally.

---

## Diff vs Prior Baseline

- No prior baseline found for this host. This is the first baseline.

---

_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `LILO-20260603T005456.json` (immutable)._
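
---

## Editor-added example: enabling BitLocker with a TPM protector and AD DS key escrow

The following PowerShell is an added worked example for the `sec.bitlocker.unencrypted` finding; it is not output of run-onboarding-diagnostic.sh or GuruRMM. It assumes an elevated session on LILO, a ready TPM with Secure Boot on (as the inventory reports), and that the ucryo.local domain has been prepared to store BitLocker recovery information (the msFVE-RecoveryInformation schema and the computer's right to write it). If recovery keys are escrowed elsewhere (Entra ID, the RMM), replace the backup step. The `Get-ADObject` verification line at the end is an assumption that requires the ActiveDirectory module on an admin workstation.

```powershell
# Editor-added example (not the diagnostic's own code). Run elevated on the endpoint.
# Assumptions: TPM ready, Secure Boot on, domain-joined to ucryo.local, AD prepared for key escrow.
#Requires -RunAsAdministrator

$MountPoint = 'C:'

# 1. Pre-flight: TPM must be present and ready; Secure Boot is reported on in the inventory but re-check.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)); run Initialize-Tpm or check firmware."
}
if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is off; the TPM protector still works, but BitLocker will not bind to PCR7.'
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'On') { "Already protected: $($vol.VolumeStatus)"; return }

# 2. Add a numerical recovery password FIRST, so a recovery path exists before encryption starts.
$vol  = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rpId = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1).KeyProtectorId

# 3. Escrow that recovery password to AD DS. (With Intune/Entra-joined devices you would use
#    BackupToAAD-BitLockerKeyProtector instead; AD DS escrow is an assumption for this domain-joined host.)
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rpId

# 4. Turn on encryption with the TPM as the unlock protector. XTS-AES-256 and used-space-only are
#    sensible laptop defaults; -SkipHardwareTest starts immediately instead of after a test reboot.
Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest

# 5. Verify the same fields the diagnostic reports: ProtectionStatus, EncryptionPercentage, protector types.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'KeyProtectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } } |
    Format-List

# 6. Optional, from an admin workstation with the ActiveDirectory module (assumption): confirm the
#    msFVE-RecoveryInformation object now exists under the LILO computer account.
#    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
#        -SearchBase (Get-ADComputer LILO).DistinguishedName -Properties msFVE-RecoveryPassword
```

Order matters: add and escrow the recovery password before `Enable-BitLocker` so the key exists the moment encryption begins, and re-run `Get-BitLockerVolume` after the next restart to confirm `ProtectionStatus=On` and `EncryptionPercentage` reaching 100 rather than trusting the cmdlet's immediate return.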
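
---

## Editor-added example: deriving the patch, reboot, uptime and end-of-servicing findings

The following PowerShell is an added example for the `sec.patch.os_eol`, `sec.patch.pending`, `sec.patch.last_hotfix` and `health.reboot_uptime.*` findings; it is not the diagnostic's own code. It reproduces the Windows Update Agent search with the criteria string the report shows, checks the registry signals of a pending reboot, computes uptime from `Win32_OperatingSystem`, and reads the build/version for the EOL decision. The EOL table contains only the date the report states for build 19045; extending it to other builds is an operator task (assumption).

```powershell
# Editor-added example (not the diagnostic's own code). Read-only; safe to run on the endpoint.

# --- Pending updates: same criteria the finding shows ("IsInstalled=0 and IsHidden=0").
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
$pending  = @(foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title      = $u.Title
        KB         = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        IsSecurity = (@($u.Categories) | ForEach-Object { $_.Name }) -contains 'Security Updates'
        Severity   = $u.MsrcSeverity
    }
})
"Pending updates: $($pending.Count)"
$pending | Format-Table Title, KB, IsSecurity, Severity -AutoSize

# --- Pending reboot: any single signal is enough to set the flag.
$sm        = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$cnActive  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName').ComputerName
$cnPending = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName').ComputerName
$signals = [ordered]@{
    CbsRebootPending            = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    WuRebootRequired            = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    PendingFileRenameOperations = [bool]$sm.PendingFileRenameOperations     # the signal this report fired on
    ComputerRenamePending       = ($cnActive -ne $cnPending)
}
$firing = @($signals.GetEnumerator() | Where-Object { $_.Value } | ForEach-Object { $_.Key })
"Reboot pending: $($firing.Count -gt 0) [$($firing -join ', ')]"

# --- Uptime. CIM already converts LastBootUpTime to a DateTime.
$os = Get-CimInstance Win32_OperatingSystem
$uptimeDays = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)
"Uptime: $uptimeDays days (LastBootUpTime=$($os.LastBootUpTime.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss'))Z)"

# --- Build, version, last hotfix and end-of-servicing.
$cv         = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$version    = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }   # DisplayVersion exists from 20H2 on
$eolByBuild = @{ '19045' = [datetime]'2025-10-14' }   # Win10 22H2, date from this report; assumption: add other builds
$eolDate    = $eolByBuild[[string]$cv.CurrentBuild]
$lastFix    = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
[pscustomobject]@{
    Product      = $os.Caption
    Build        = $cv.CurrentBuild
    Version      = $version
    EndOfService = $eolDate
    IsEol        = [bool]($eolDate -and (Get-Date) -gt $eolDate)
    LastHotfix   = if ($lastFix) { "$($lastFix.HotFixID) $($lastFix.InstalledOn.ToString('yyyy-MM-dd'))" } else { 'none' }
} | Format-List
```

A hotfix dated after `EndOfService` (as on this host) is the cue to check ESU enrolment or whether the package was a .NET or servicing-stack update rather than an OS security update; `Get-HotFix` does not distinguish them.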
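
---

## Editor-added example: checking the real reach of the RDP listener

The following PowerShell is an added example for the `sec.exposure.rdp_on` finding; it is not the diagnostic's own code. It reads the two registry values the finding is based on and then answers the question the finding leaves open: which firewall profiles and source addresses can actually reach TCP/UDP 3389. The management range used in the optional remediation step is an assumption inferred from the 172.29.0.x addresses in the inventory, not a value this report states.

```powershell
# Editor-added example (not the diagnostic's own code). Run elevated; read-only unless $Fix is set.

$ts     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

[pscustomobject]@{
    RdpEnabled         = ($ts.fDenyTSConnections -eq 0)       # fDenyTSConnections=0 -> RDP on
    NlaRequired        = ($rdpTcp.UserAuthentication -eq 1)   # UserAuthentication=1 -> NLA required
    SecurityLayer      = $rdpTcp.SecurityLayer                # 2 = TLS required, 1 = negotiate, 0 = legacy RDP security
    MinEncryptionLevel = $rdpTcp.MinEncryptionLevel           # 3 = High, 4 = FIPS
} | Format-List

# Enabled inbound rules in the built-in "Remote Desktop" group, joined to their address and port filters.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
$scope = foreach ($r in $rules) {
    $addr = $r | Get-NetFirewallAddressFilter
    $port = $r | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule          = $r.DisplayName
        Profile       = [string]$r.Profile                    # Domain/Private/Public, or Any
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')       # 'Any' means unrestricted
    }
}
$scope | Format-Table -AutoSize

# The exposure that matters on a laptop: a rule accepting RDP from Any while the Public profile is active.
$exposed = @($scope | Where-Object { $_.RemoteAddress -eq 'Any' -and $_.Profile -match 'Public|Any' })
if ($exposed.Count -gt 0) {
    Write-Warning "RDP reachable from any address on the Public profile via: $($exposed.Rule -join '; ')"
}

# Remediation (assumption: 172.29.0.0/24 is the office LAN/VPN range; substitute the real management range).
# Scopes the rules to that range and removes them from the Public profile.
$Fix = $false   # set to $true to apply
if ($Fix) {
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress '172.29.0.0/24' -Profile Domain, Private
}
```

NLA (`UserAuthentication=1`) is necessary but not sufficient: it stops unauthenticated sessions from reaching the logon screen, yet every address in `RemoteAddress` can still attempt credentials, so the firewall scope is the control that removes the exposure.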
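
---

## Editor-added example: scanning for foreign and expected remote-access agents

The following PowerShell is an added example for the `sec.foreign_agents.*` items; it is not the diagnostic's own code. It shows the shape of the check the report describes (uninstall hives under HKLM and WOW6432Node plus `Win32_Service`), matches against remote-access and RMM product patterns, and splits hits into expected ACG tooling (ScreenConnect/ConnectWise, Splashtop, Syncro/Kabuto, as listed on this page) and foreign agents. Both the pattern list and the allowlist are illustrative assumptions; the real scanner's lists are not shown on this page.

```powershell
# Editor-added example (not the diagnostic's own code). Read-only.

$expected = @('ScreenConnect', 'ConnectWise', 'Splashtop', 'Syncro', 'Kabuto')   # expected tooling named in this report
$patterns = @(                                                                    # assumption: common remote-access / RMM names
    'ScreenConnect', 'ConnectWise', 'Splashtop', 'Syncro', 'Kabuto',
    'AnyDesk', 'TeamViewer', 'RustDesk', 'LogMeIn', 'GoToAssist', 'GoTo Resolve',
    'Atera', 'NinjaOne', 'NinjaRMM', 'Datto', 'Kaseya', 'N-able', 'Action1',
    'Level\.io', 'Tactical RMM', 'Mesh Agent', 'Pulseway', 'SimpleHelp'
)
$regex = '(' + ($patterns -join '|') + ')'

# Installed programs: DisplayName from both hives (WOW6432Node holds 32-bit installers on x64 Windows).
$hives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $regex } |
    ForEach-Object { [pscustomobject]@{ Kind = 'program'; Name = $_.DisplayName; Detail = $_.DisplayVersion; State = '' } }

# Services: match on name, display name and binary path, so a renamed agent with a telltale path still shows up.
$services = Get-CimInstance Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $regex } |
    ForEach-Object { [pscustomobject]@{ Kind = 'service'; Name = $_.Name; Detail = $_.DisplayName; State = $_.State } }

# Verdict: a hit matching the allowlist is expected ACG tooling; everything else is a foreign agent.
$hits = foreach ($h in @($programs) + @($services)) {
    $known = @($expected | Where-Object { "$($h.Name) $($h.Detail)" -match [regex]::Escape($_) }).Count -gt 0
    $h | Add-Member -NotePropertyName Verdict -NotePropertyValue $(if ($known) { 'expected' } else { 'FOREIGN' }) -PassThru
}
$hits | Sort-Object Verdict, Kind, Name | Format-Table Verdict, Kind, Name, Detail, State -AutoSize

$foreign = @($hits | Where-Object { $_.Verdict -eq 'FOREIGN' })
if ($foreign.Count -gt 0) {
    Write-Warning "$($foreign.Count) unexpected remote-access/RMM artefact(s); review and remove before onboarding."
} else {
    'No competitor/leftover management agents detected.'
}
```

Matching services on `PathName` as well as the name is the part worth keeping: a prior provider's agent that was renamed or left half-uninstalled often survives only as a service pointing at a binary whose path still names the product.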