{ "host": "UC2-SERVER", "collected_at_utc": "2026-06-03T00:41:48Z", "os": { "caption": "Microsoft Windows Server 2012 R2 Essentials", "version": "6.3.9600", "build": "9600", "install_date": "2016-05-27T08:40:20Z", "last_boot_utc": "2026-04-27T12:16:28Z", "architecture": "64-bit" }, "facts": { "builtin_admin_enabled": null, "defender": { "available": false }, "pending_updates": 0, "pending_reboot": true, "uptime_days": 36.5, "acg_managed_tools": [ "ScreenConnect / ConnectWise Control", "Splashtop (SOS/Streamer)", "Syncro / Kabuto" ], "hardware": { "model": "Virtual Machine", "manufacturer": "Microsoft Corporation", "bios_date": "2012-05-23", "cpu_logical": 6, "bios_version": "090006 ", "cpu_cores": 6, "ram_gb": 18, "serial": "4644-9206-3161-7423-6607-4293-62", "cpu": "Intel(R) Xeon(R) CPU E5450 @ 3.00GHz" }, "local_administrators": [ "Accounting", "Administrator", "arthur", "Domain Admins", "Enterprise Admins", "greg", "kirby", "localadmin", "paul", "richard", "VPND", "William" ], "os_build": "9600", "secure_boot": null, "backup_agents": null, "autoruns_run_keys": [], "physical_disks": [ { "health": "Healthy", "model": "PhysicalDisk0", "media_type": "UnSpecified" }, { "health": "Healthy", "model": "PhysicalDisk1", "media_type": "UnSpecified" } ], "scheduled_tasks_count": 8, "volumes": [ { "drive": "\u0000:", "size_gb": 0.3, "free_pct": 20.6, "free_gb": 0.1 }, { "drive": "E:", "size_gb": 931.5, "free_pct": 39, "free_gb": 363.3 }, { "drive": "C:", "size_gb": 499.7, "free_pct": 74.8, "free_gb": 374 } ], "network_adapters": [ { "dhcp": false, "description": "Microsoft Hyper-V Network Adapter", "gateway": [ "172.29.0.1" ], "mac": "00:15:5D:00:04:01", "ip": [ "172.29.0.5", "fe80::ed92:3fe4:fb92:fef6" ], "dns": [ "172.29.0.5", "8.8.8.8" ] } ], "failed_autostart_services": [ { "name": "CertSvc", "display": "Active Directory Certificate Services", "state": "Stopped" }, { "name": "IISADMIN", "display": "IIS Admin Service", "state": "Stopped" }, { "name": "ShellHWDetection", 
"display": "Shell Hardware Detection", "state": "Stopped" } ], "stability_14d": { "unexpected_shutdowns": 0, "disk_errors": 0, "bugchecks": 0 }, "exposure": { "smb1_enabled": true, "laps_present": false, "rdp_enabled": true, "uac_enabled": true, "rdp_nla": true }, "accounts_password_never_expires": [], "installed_software": [ { "publisher": "Adobe Systems Incorporated", "name": "Adobe Flash Player 11 ActiveX", "version": "11.3.300.268" }, { "publisher": "Piriform", "name": "Defraggler", "version": "2.22" }, { "publisher": "Google LLC", "name": "Google Chrome", "version": "109.0.5414.168" }, { "publisher": "Google Inc.", "name": "Google Update Helper", "version": "1.3.25.5" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Silverlight", "version": "5.1.50918.0" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2005 Redistributable", "version": "8.0.61001" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17", "version": "9.0.30729" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161", "version": "9.0.30729.6161" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219", "version": "10.0.40219" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030", "version": "11.0.61030.0" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030", "version": "11.0.61030" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030", "version": "11.0.61030" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501", "version": "12.0.30501.0" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501", 
"version": "12.0.30501.0" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005", "version": "12.0.21005" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005", "version": "12.0.21005" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005", "version": "12.0.21005" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005", "version": "12.0.21005" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24212", "version": "14.0.24212.0" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2015 x86 Additional Runtime - 14.0.24212", "version": "14.0.24212" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2015 x86 Minimum Runtime - 14.0.24212", "version": "14.0.24212" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35112", "version": "14.44.35112.1" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35112", "version": "14.44.35112" }, { "publisher": "Microsoft Corporation", "name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.44.35112", "version": "14.44.35112" }, { "publisher": "Arizona Computer Guru", "name": "Online Backup 8.6", "version": "8.6" }, { "publisher": "Intuit Inc.", "name": "QuickBooks", "version": "24.0.4003.2403" }, { "publisher": "Intuit Inc.", "name": "QuickBooks", "version": "30.0.4006.3000" }, { "publisher": "Intuit Inc.", "name": "QuickBooks Runtime Redistributable", "version": "1.00.0000" }, { "publisher": "Intuit Inc.", "name": "QuickBooks Server 2014", "version": "24.0.4003.2403" }, { "publisher": "Intuit Inc.", "name": "QuickBooks Server 2020", "version": "30.0.4006.3000" }, { "publisher": 
"ScreenConnect Software", "name": "ScreenConnect Client (1912bf3444b41a08)", "version": "26.1.24.9579" }, { "publisher": "Dassault Systemes SolidWorks Corp", "name": "SOLIDWORKS SolidNetWork License Manager", "version": "27.30.0052" }, { "publisher": "Splashtop Inc.", "name": "Splashtop Streamer", "version": "3.5.8.0" }, { "publisher": "Servably, Inc.", "name": "Syncro", "version": "1.0.0.0" }, { "publisher": "Servably, Inc.", "name": "Syncro", "version": "1.0.201.18410" }, { "publisher": "Helios", "name": "TextPad 8", "version": "8.0.2" }, { "publisher": "win.rar GmbH", "name": "WinRAR 7.22 (64-bit)", "version": "7.22.0" }, { "publisher": "Antibody Software", "name": "WizTree v4.31", "version": "4.31" }, { "publisher": "Fresh Software", "name": "X-NetStat Pro 5.63", "version": "5.63" } ], "tpm": { "enabled": false, "ready": false, "present": false }, "local_groups": [], "battery": { "present": false }, "activation": { "edition": "Microsoft Windows Server 2012 R2 Essentials", "description": "Windows(R) Operating System, OEM_COA_NSLP channel", "licensed": true, "license_status_code": 1 }, "time_source": "VM IC Time Synchronization Provider", "chassis_types": [ 3 ], "last_hotfix": { "hotfix_id": "KB5031003", "installed_on": "2026-06-02T07:00:00Z" }, "scheduled_tasks": [ { "path": "\\", "name": "Adobe Flash Player Updater", "state": "Ready" }, { "path": "\\", "name": "GoogleUpdateTaskMachineCore", "state": "Ready" }, { "path": "\\", "name": "GoogleUpdateTaskMachineUA", "state": "Ready" }, { "path": "\\", "name": "Optimize Start Menu Cache Files-S-1-5-21-1051390473-2587535097-844096240-1108", "state": "Ready" }, { "path": "\\", "name": "Optimize Start Menu Cache Files-S-1-5-21-1051390473-2587535097-844096240-1117", "state": "Ready" }, { "path": "\\", "name": "Optimize Start Menu Cache Files-S-1-5-21-1051390473-2587535097-844096240-500", "state": "Ready" }, { "path": "\\", "name": "ShadowCopyVolume{a863bf0a-2533-11e6-80bd-806e6f6e6963}", "state": "Ready" }, { "path": 
"\\", "name": "ShadowCopyVolume{bc8958b8-23e3-11e6-80b4-806e6f6e6963}", "state": "Ready" } ], "antivirus_products": [], "domain_joined": true, "local_users": [], "bitlocker": { "available": false, "os_volume": "C:" }, "is_laptop": false, "installed_software_count": 39, "secure_channel_ok": null, "firewall_profiles": { "Private": true, "Domain": true, "Public": true }, "domain": "ucryo.local", "foreign_agents": null }, "findings": [ { "id": "sec.defender.unavailable", "category": "security", "severity": "warning", "title": "Defender status unavailable", "detail": "Get-MpComputerStatus returned nothing. Defender may be disabled, replaced by a 3rd-party AV, or the cmdlet is unavailable. Confirm an active AV exists (see security-center check).", "evidence": "Get-MpComputerStatus returned null" }, { "id": "sec.av_products.none_registered", "category": "security", "severity": "info", "title": "No AV products registered in Security Center", "detail": "SecurityCenter2 returned no AntiVirusProduct entries. This is normal on Windows Server SKUs (Security Center is a client feature). On a workstation, confirm Defender or a managed AV is active.", "evidence": "root\\SecurityCenter2 AntiVirusProduct: none" }, { "id": "sec.foreign_agents.none", "category": "security", "severity": "info", "title": "No competitor/leftover management agents detected", "detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.", "evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service" }, { "id": "sec.foreign_agents.acg.screenconnect_connectwise_control", "category": "security", "severity": "info", "title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control", "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. 
Its presence is expected and not a foreign-agent risk.", "evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running" }, { "id": "sec.foreign_agents.acg.splashtop_sos_streamer_", "category": "security", "severity": "info", "title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)", "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", "evidence": "program: Splashtop Streamer 3.5.8.0\nservice: SplashtopRemoteService (Splashtop® Remote Service) Running" }, { "id": "sec.foreign_agents.acg.syncro_kabuto", "category": "security", "severity": "info", "title": "Expected ACG management tooling present: Syncro / Kabuto", "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", "evidence": "program: Syncro 1.0.201.18410\nprogram: Syncro 1.0.0.0\nservice: Syncro (Syncro) Running" }, { "id": "sec.firewall.ok", "category": "security", "severity": "info", "title": "All firewall profiles enabled", "detail": "Domain, Private, and Public firewall profiles are all enabled.", "evidence": "Private=True; Domain=True; Public=True" }, { "id": "sec.bitlocker.unavailable", "category": "security", "severity": "unknown", "title": "BitLocker status unavailable", "detail": "Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition, or the optional BitLocker feature has not been added on Windows Server) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).", "evidence": "MountPoint=C:, Get-BitLockerVolume returned null" }, { "id": "sec.local_admins.list", "category": "security", "severity": "info", "title": "Local administrators (12)", "detail": "Members of the local Administrators group. 
Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).", "evidence": "Accounting\nAdministrator\narthur\nDomain Admins\nEnterprise Admins\ngreg\nkirby\nlocaladmin\npaul\nrichard\nVPND\nWilliam" }, { "id": "sec.patch.os_build_unknown", "category": "security", "severity": "unknown", "title": "OS build not in EOL map: 9600", "detail": "The build number is not in the local EOL reference map. Verify support status manually. This may be a Server SKU or a build newer than the map. Build 9600 is Windows Server 2012 R2, which left Microsoft extended support on 2023-10-10, so confirm Extended Security Update coverage or plan a migration.", "evidence": "Microsoft Windows Server 2012 R2 Essentials build 9600" }, { "id": "sec.patch.last_hotfix", "category": "security", "severity": "info", "title": "Last hotfix: KB5031003", "detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).", "evidence": "KB5031003 installed 2026-06-02T07:00:00Z" }, { "id": "sec.exposure.rdp_on", "category": "security", "severity": "warning", "title": "RDP is enabled", "detail": "Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.", "evidence": "fDenyTSConnections=0; UserAuthentication=1" }, { "id": "sec.exposure.smb1", "category": "security", "severity": "critical", "title": "SMBv1 is ENABLED", "detail": "SMBv1 is an obsolete, insecure protocol (WannaCry/EternalBlue vector). Disable it: Set-SmbServerConfiguration -EnableSMB1Protocol $false and remove the SMB1 feature.", "evidence": "Get-SmbServerConfiguration EnableSMB1Protocol=True" }, { "id": "sec.exposure.no_laps", "category": "security", "severity": "info", "title": "LAPS not detected", "detail": "No LAPS (Windows LAPS or legacy AdmPwd) detected. Without LAPS, the local admin password is likely static/shared across the fleet. 
Consider deploying LAPS to randomize and escrow local admin passwords.", "evidence": "No LAPS registry keys, CSE, or service found" }, { "id": "health.stability.clean", "category": "health", "severity": "info", "title": "No stability events in the last 14 days", "detail": "No unexpected shutdowns, BSODs, or disk errors logged.", "evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0" }, { "id": "health.reboot_uptime.pending", "category": "health", "severity": "warning", "title": "Reboot pending", "detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.", "evidence": "CBS RebootPending; WU RebootRequired; PendingFileRenameOperations" }, { "id": "health.reboot_uptime.long_uptime", "category": "health", "severity": "warning", "title": "Uptime is 36.5 days", "detail": "Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.", "evidence": "LastBootUpTime=2026-04-27 12:16:28Z" }, { "id": "health.failed_services.stopped", "category": "health", "severity": "warning", "title": "3 auto-start service(s) not running", "detail": "These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.", "evidence": "CertSvc (Active Directory Certificate Services) = Stopped\nIISADMIN (IIS Admin Service) = Stopped\nShellHWDetection (Shell Hardware Detection) = Stopped" }, { "id": "health.time.source", "category": "health", "severity": "info", "title": "Time service source", "detail": "Current Windows Time service source.", "evidence": "Source=VM IC Time Synchronization Provider" }, { "id": "health.backup.none", "category": "health", "severity": "info", "title": "No backup agent detected", "detail": "No known backup agent service found. 
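Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it. The installed-software inventory in this report lists Online Backup 8.6 (publisher Arizona Computer Guru), so also check whether that product's service is present and running.", "evidence": "No matching backup service in Win32_Service" } ] }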