Files
claudetools/clients/at-trebesch/reports/2026-04-17-initial-audit-DESKTOP-QNP3ON5.md
Howard Enos 0a7f3368a6 sync: auto-sync from ACG-TECH03L at 2026-04-17 19:47:15
Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-17 19:47:15
2026-04-17 19:47:20 -07:00

5.5 KiB

DESKTOP-QNP3ON5 — initial audit findings (AT Trebesch)

Date: 2026-04-17 Technician: Howard Enos Machine: DESKTOP-QNP3ON5 (Lenovo desktop, Owner) Audit script: workstation_audit.ps1 v2.0.2 (schema 2.0) JSON artifact: clients/at-trebesch/diagnostics/DESKTOP-QNP3ON5_workstation_audit_2026-04-17.json (when uploaded)

Critical — fix this week

  1. Owner local account requires no password — anyone with physical access gets a full admin shell. Fix:

    Set-LocalUser -Name Owner -PasswordRequired $true
    $p = Read-Host -AsSecureString "New password for Owner"
    Set-LocalUser -Name Owner -Password $p
    

    Hand the new password to the user directly. Store nothing in the script.

  2. Two real-time AV engines installed and active — Bitdefender Endpoint Security Tools 8.26.4.628 (primary) and Malwarebytes 5.5.4.252 are both registered with Security Center and running real-time. Two engines fight over file scans, cause file-lock errors, slow boot, and occasionally bluescreen. Confirm Bitdefender is the intended primary (it is, per our MSP standard) and either uninstall Malwarebytes or set it to scheduled/manual scan only.

  3. Secure Boot DISABLED — UEFI machine with TPM 2.0 ready. No reason to be off; turn on in BIOS. Also unblocks BitLocker enrollment if/when this machine moves to Win 11 Pro.

  4. Windows 11 Home (not Pro) — for a business workstation, Pro is the right SKU. Without Pro:

    • No real BitLocker (only "Device Encryption" auto-mode tied to Microsoft account)
    • No GPO, no Group Policy Editor
    • No remote management of inactivity timeout, USB lockdown, etc.
    • Limits Bitdefender / Defender hardening

    Recommend upgrade path: in-place upgrade to Win 11 Pro via license key (changepk.exe). Cost: ~$99/license retail, less via volume.

High — fix this month

  1. Defender Tamper Protection OFF — registry value 4 = explicitly disabled. Even though Defender is in passive mode, Tamper Protection prevents an attacker from twiddling Defender settings if they ever take over. Enable in Windows Security → Virus & threat protection → Manage settings.

  2. Defender ASR rules: only 1 rule configured, all disabled — apply Microsoft's Standard preset rules even in passive mode (sets a fallback baseline if Defender ever becomes primary).

  3. localadmin + guru — two MSP backdoor accounts on the same machine. Pick one as standard, retire the other. Confirm chosen account's password is current and in the SOPS vault.

  4. Memory at 85% used (2.3 GB free of 15.3 GB) with only 263 processes — investigate top procs (in JSON) for the offender. Likely candidate: Bitdefender + Malwarebytes overlap (item 2 above) or a leaking app. Reboot + monitor.

  5. NETLOGON 3095 errors on a WORKGROUP machine — multiple NETLOGON failures on 2026-04-14. NETLOGON should not be doing anything on a non-domain-joined PC. Verify:

    Get-Service Netlogon | Format-List Name, Status, StartType
    nltest /sc_query:WORKGROUP
    

    If Netlogon is running or set to Auto, change to Manual + Stopped.

Medium — schedule

  1. No screen lock / inactivity timeout configured — set MachineInactivityLimit = 900 (15 min) via local policy.
  2. USB storage unrestricted — depending on what AT Trebesch handles, lock down via local policy.
  3. AutoPlay not disabled — disable to reduce USB-borne malware risk.
  4. HOSTS file has 17 active entries — unusual on a clean workgroup workstation. Pull from JSON and review what's there. Could be legit dev mappings, ad-blocker entries, or worth investigating further.
  5. Cached logons count = 10 — lower to 4 for security on a single-user workstation.
  6. NTLM LmCompatibilityLevel blank — set explicitly to 5.
  7. TLS protocols all "OS Default" — Win 11 25H2 defaults are reasonable; explicit policy is better but low priority.

Cleanup

  1. Classic Shell 4.3.1 — abandoned (last release 2017). Replace with maintained fork "Open-Shell-Menu", or remove if Win 11 default Start menu is acceptable to user.
  2. ExplorerPatcher — third-party shell mod, sometimes breaks after Windows feature updates and occasionally flagged by AV. Confirm intentional with user. Likely paired with Classic Shell for Win 10 look.
  3. Windows 11 Installation Assistant — leftover from Win 10 → Win 11 upgrade. Safe to uninstall.
  4. Bluetooth Network Connection adapter — usually unused. Disable adapter if not actively used.
  5. Time source / Last sync blank — verify with w32tm /query /status from elevated prompt. Either parsing failure in the audit script or W32time service isn't healthy.

Working well — call out the wins

  • Bitdefender EDR running, all 4 services up
  • Carbonite cloud backup installed (Dec 2025 build)
  • Firewall enabled on all 3 profiles
  • LSA Protection (RunAsPPL) enabled
  • WDigest cleartext disabled
  • 0 suspicious scheduled tasks, 0 IFEO debugger hijacks, 0 suspicious recently-modified files
  • 0 Defender detections in last 30 days
  • Updates current (KB5088467 + KB5083769 from 4/15)
  • Disk healthy with 598 GB / 953 GB free

Audit script false positives noted (to fix in v2.0.3, NOT findings on this machine)

  • Section 38 flagged SyncroOvermind (legitimate Syncro RMM agent at C:\ProgramData\Syncro\bin\). Need to add Syncro to the path allowlist alongside the Defender Platform exception.
  • Section 35 displayed Full scan age: d (cosmetic — empty value rendering when full scan never ran; JSON value is correctly null).