5.5 KiB
DESKTOP-QNP3ON5 — initial audit findings (AT Trebesch)
Date: 2026-04-17
Technician: Howard Enos
Machine: DESKTOP-QNP3ON5 (Lenovo desktop, Owner)
Audit script: workstation_audit.ps1 v2.0.2 (schema 2.0)
JSON artifact: clients/at-trebesch/diagnostics/DESKTOP-QNP3ON5_workstation_audit_2026-04-17.json (when uploaded)
Critical — fix this week
-
Ownerlocal account requires no password — anyone with physical access gets a full admin shell. Fix:Set-LocalUser -Name Owner -PasswordRequired $true $p = Read-Host -AsSecureString "New password for Owner" Set-LocalUser -Name Owner -Password $pHand the new password to the user directly. Store nothing in the script.
-
Two real-time AV engines installed and active — Bitdefender Endpoint Security Tools 8.26.4.628 (primary) and Malwarebytes 5.5.4.252 are both registered with Security Center and running real-time. Two engines fight over file scans, cause file-lock errors, slow boot, and occasionally bluescreen. Confirm Bitdefender is the intended primary (it is, per our MSP standard) and either uninstall Malwarebytes or set it to scheduled/manual scan only.
-
Secure Boot DISABLED — UEFI machine with TPM 2.0 ready. No reason to be off; turn on in BIOS. Also unblocks BitLocker enrollment if/when this machine moves to Win 11 Pro.
-
Windows 11 Home (not Pro) — for a business workstation, Pro is the right SKU. Without Pro:
- No real BitLocker (only "Device Encryption" auto-mode tied to Microsoft account)
- No GPO, no Group Policy Editor
- No remote management of inactivity timeout, USB lockdown, etc.
- Limits Bitdefender / Defender hardening
Recommend upgrade path: in-place upgrade to Win 11 Pro via license key (
changepk.exe). Cost: ~$99/license retail, less via volume.
High — fix this month
-
Defender Tamper Protection OFF — registry value 4 = explicitly disabled. Even though Defender is in passive mode, Tamper Protection prevents an attacker from twiddling Defender settings if they ever take over. Enable in Windows Security → Virus & threat protection → Manage settings.
-
Defender ASR rules: only 1 rule configured, all disabled — apply Microsoft's Standard preset rules even in passive mode (sets a fallback baseline if Defender ever becomes primary).
-
localadmin+guru— two MSP backdoor accounts on the same machine. Pick one as standard, retire the other. Confirm chosen account's password is current and in the SOPS vault. -
Memory at 85% used (2.3 GB free of 15.3 GB) with only 263 processes — investigate top procs (in JSON) for the offender. Likely candidate: Bitdefender + Malwarebytes overlap (item 2 above) or a leaking app. Reboot + monitor.
-
NETLOGON 3095 errors on a WORKGROUP machine — multiple NETLOGON failures on 2026-04-14. NETLOGON should not be doing anything on a non-domain-joined PC. Verify:
Get-Service Netlogon | Format-List Name, Status, StartType nltest /sc_query:WORKGROUPIf Netlogon is running or set to Auto, change to Manual + Stopped.
Medium — schedule
- No screen lock / inactivity timeout configured — set
MachineInactivityLimit = 900(15 min) via local policy. - USB storage unrestricted — depending on what AT Trebesch handles, lock down via local policy.
- AutoPlay not disabled — disable to reduce USB-borne malware risk.
- HOSTS file has 17 active entries — unusual on a clean workgroup workstation. Pull from JSON and review what's there. Could be legit dev mappings, ad-blocker entries, or worth investigating further.
- Cached logons count = 10 — lower to 4 for security on a single-user workstation.
- NTLM LmCompatibilityLevel blank — set explicitly to 5.
- TLS protocols all "OS Default" — Win 11 25H2 defaults are reasonable; explicit policy is better but low priority.
Cleanup
- Classic Shell 4.3.1 — abandoned (last release 2017). Replace with maintained fork "Open-Shell-Menu", or remove if Win 11 default Start menu is acceptable to user.
- ExplorerPatcher — third-party shell mod, sometimes breaks after Windows feature updates and occasionally flagged by AV. Confirm intentional with user. Likely paired with Classic Shell for Win 10 look.
- Windows 11 Installation Assistant — leftover from Win 10 → Win 11 upgrade. Safe to uninstall.
- Bluetooth Network Connection adapter — usually unused. Disable adapter if not actively used.
Time source / Last syncblank — verify withw32tm /query /statusfrom elevated prompt. Either parsing failure in the audit script or W32time service isn't healthy.
Working well — call out the wins
- Bitdefender EDR running, all 4 services up
- Carbonite cloud backup installed (Dec 2025 build)
- Firewall enabled on all 3 profiles
- LSA Protection (RunAsPPL) enabled
- WDigest cleartext disabled
- 0 suspicious scheduled tasks, 0 IFEO debugger hijacks, 0 suspicious recently-modified files
- 0 Defender detections in last 30 days
- Updates current (KB5088467 + KB5083769 from 4/15)
- Disk healthy with 598 GB / 953 GB free
Audit script false positives noted (to fix in v2.0.3, NOT findings on this machine)
- Section 38 flagged
SyncroOvermind(legitimate Syncro RMM agent atC:\ProgramData\Syncro\bin\). Need to add Syncro to the path allowlist alongside the Defender Platform exception. - Section 35 displayed
Full scan age: d(cosmetic — empty value rendering when full scan never ran; JSON value is correctly null).