Mike Swanson
df9be01065
/rmm diagnose: dispatches a Windows security/health probe to a newly onboarded agent, grades RED/AMBER/GREEN, writes an immutable per-client baseline (clients/<slug>/onboarding-baselines/), diffs vs prior, and alerts CRITICALs to #dev-alerts. Probe is PS5.1/ASCII/SYSTEM-safe, never-abort, base64 chunked upload around the agent command-size cap. Code-reviewed (no blockers); folded in immutability guard, severity-independent finding ids, Defender-unknown sentinel, expanded competitor/backup detection. First baselines captured: Rednour FRONTDESKRECEPT + LEGALASST (both RED - prior MSP ScreenConnect/Splashtop/Syncro still live; LEGALASST OS EOL). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
7.9 KiB
7.9 KiB
Onboarding Diagnostic Baseline - LEGALASST
-
Grade: RED
-
Host: LEGALASST
-
Client: Rednour Law Offices (
rednour) -
Collected (UTC): 2026-05-29T20:05:50Z
-
Agent ID: 18825ea7-df58-47bb-b492-822cb16fb5ec
-
Command ID: beb27c88-4161-4183-a2b9-c43ec1ea0c0b
-
Findings: 4 critical / 5 warning / 9 info / 3 unknown
-
OS: Microsoft Windows 10 Pro (build 19045)
CRITICAL (4)
Foreign management/remote-access agent: ScreenConnect / ConnectWise Control
- Category: security
- ID:
sec.foreign_agents.screenconnect_connectwise_control - A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
Foreign management/remote-access agent: Splashtop (SOS/Streamer)
- Category: security
- ID:
sec.foreign_agents.splashtop_sos_streamer_ - A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
program: Splashtop Streamer 3.8.2.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running
Foreign management/remote-access agent: Syncro / Kabuto
- Category: security
- ID:
sec.foreign_agents.syncro_kabuto - A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
OS build is end-of-life: Win10 22H2
- Category: security
- ID:
sec.patch.os_eol - This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.
Microsoft Windows 10 Pro build 19045; EOL 2025-10-14
WARNING (5)
1 pending Windows updates
- Category: security
- ID:
sec.patch.pending - Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1
Stability events present in the last 14 days
- Category: health
- ID:
health.stability.some - One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=1
Reboot pending
- Category: health
- ID:
health.reboot_uptime.pending - A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
PendingFileRenameOperations
Uptime is 43.1 days
- Category: health
- ID:
health.reboot_uptime.long_uptime - Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.
LastBootUpTime=2026-04-16 10:07:07Z
3 auto-start service(s) not running
- Category: health
- ID:
health.failed_services.stopped - These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
WMPNetworkSvc (Windows Media Player Network Sharing Service) = Stopped
GoogleUpdaterInternalService149.0.7814.0 (Google Updater Internal Service (GoogleUpdaterInternalService149.0.7814.0)) = Stopped
GoogleUpdaterService149.0.7814.0 (Google Updater Service (GoogleUpdaterService149.0.7814.0)) = Stopped
INFO (9)
Defender active and current
- Category: security
- ID:
sec.defender.ok - Real-time protection on, service running, signatures current.
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
Defender is the only registered AV
- Category: security
- ID:
sec.av_products.defender_only - Only Microsoft/Windows Defender is registered in Security Center.
Windows Defender
Local administrators (4)
- Category: security
- ID:
sec.local_admins.list - Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
LEGALASST\Administrator
LEGALASST\Ale
LEGALASST\Emma
LEGALASST\localadmin
Last hotfix: KB5075039
- Category: security
- ID:
sec.patch.last_hotfix - Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
KB5075039 installed 2026-03-04T07:00:00Z
SMBv1 disabled
- Category: security
- ID:
sec.exposure.smb1_off - SMBv1 server protocol is disabled.
EnableSMB1Protocol=False
LAPS detected
- Category: security
- ID:
sec.exposure.laps_present - A LAPS mechanism is present.
Windows LAPS reg key
Not domain-joined (workgroup)
- Category: health
- ID:
health.domain.workgroup - This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
PartOfDomain=False; Domain=WORKGROUP
Time service source
- Category: health
- ID:
health.time.source - Current Windows Time service source.
Source=time.windows.com,0x9
No backup agent detected
- Category: health
- ID:
health.backup.none - No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
No matching backup service in Win32_Service
UNKNOWN (3)
Check failed: Windows Firewall profiles
- Category: security
- ID:
sec.firewall.error - The probe could not complete this check. Manual review recommended.
Invalid class
BitLocker status unavailable
- Category: security
- ID:
sec.bitlocker.unavailable - Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).
MountPoint=C:, Get-BitLockerVolume returned null
Physical disk health unavailable
- Category: health
- ID:
health.disk_smart.unavailable - Get-PhysicalDisk is unavailable (older OS / RAID controller hiding disks). Verify drive health via vendor tools.
Get-PhysicalDisk returned null
Inventory Baseline Summary
- Manufacturer / Model: To Be Filled By O.E.M. / To Be Filled By O.E.M.
- Serial: To Be Filled By O.E.M.
- CPU: AMD Ryzen 3 3200G with Radeon Vega Graphics (4 cores / 4 logical)
- RAM (GB): 5.9
- BIOS: P3.50 (2019-05-15)
- Chassis is laptop: false
- TPM present / Secure Boot: ? / ?
- Domain joined: false (WORKGROUP)
- OS activation licensed: ?
- Uptime (days): 43.1
- Pending reboot: true
- Installed software count: 68
- Scheduled tasks (non-MS, enabled): 13
- Local administrators: LEGALASST\Administrator, LEGALASST\Ale, LEGALASST\Emma, LEGALASST\localadmin
Fixed volumes
Network adapters
- Realtek PCIe GbE Family Controller - IP: 192.168.10.213 - DNS: 192.168.10.1 - DHCP: true
Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: LEGALASST-20260529T200647.json (immutable).