claudetools/clients/rednour/onboarding-baselines/LEGALASST-20260529T200647.md

# Onboarding Diagnostic Baseline - LEGALASST

- **Grade:** RED
- **Host:** LEGALASST
- **Client:** Rednour Law Offices (`rednour`)
- **Collected (UTC):** 2026-05-29T20:05:50Z
- **Agent ID:** 18825ea7-df58-47bb-b492-822cb16fb5ec
- **Command ID:** beb27c88-4161-4183-a2b9-c43ec1ea0c0b
- **Findings:** 4 critical / 5 warning / 9 info / 3 unknown

- **OS:** Microsoft Windows 10 Pro (build 19045)

---

## CRITICAL (4)

### Foreign management/remote-access agent: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.screenconnect_connectwise_control`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.

```
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```

### Foreign management/remote-access agent: Splashtop (SOS/Streamer)
- **Category:** security
- **ID:** `sec.foreign_agents.splashtop_sos_streamer_`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.

```
program: Splashtop Streamer 3.8.2.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running
```

### Foreign management/remote-access agent: Syncro / Kabuto
- **Category:** security
- **ID:** `sec.foreign_agents.syncro_kabuto`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.

```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```

### OS build is end-of-life: Win10 22H2
- **Category:** security
- **ID:** `sec.patch.os_eol`
- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.

```
Microsoft Windows 10 Pro build 19045; EOL 2025-10-14
```


## WARNING (5)

### 1 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.

```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1
```

### Stability events present in the last 14 days
- **Category:** health
- **ID:** `health.stability.some`
- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.

```
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=1
```

### Reboot pending
- **Category:** health
- **ID:** `health.reboot_uptime.pending`
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.

```
PendingFileRenameOperations
```

### Uptime is 43.1 days
- **Category:** health
- **ID:** `health.reboot_uptime.long_uptime`
- Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.

```
LastBootUpTime=2026-04-16 10:07:07Z
```

### 3 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.

```
WMPNetworkSvc (Windows Media Player Network Sharing Service) = Stopped
GoogleUpdaterInternalService149.0.7814.0 (Google Updater Internal Service (GoogleUpdaterInternalService149.0.7814.0)) = Stopped
GoogleUpdaterService149.0.7814.0 (Google Updater Service (GoogleUpdaterService149.0.7814.0)) = Stopped
```


## INFO (9)

### Defender active and current
- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.

```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
```

### Defender is the only registered AV
- **Category:** security
- **ID:** `sec.av_products.defender_only`
- Only Microsoft/Windows Defender is registered in Security Center.

```
Windows Defender
```

### Local administrators (4)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).

```
LEGALASST\Administrator
LEGALASST\Ale
LEGALASST\Emma
LEGALASST\localadmin
```

### Last hotfix: KB5075039
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).

```
KB5075039 installed 2026-03-04T07:00:00Z
```

### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.

```
EnableSMB1Protocol=False
```

### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.

```
Windows LAPS reg key
```

### Not domain-joined (workgroup)
- **Category:** health
- **ID:** `health.domain.workgroup`
- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.

```
PartOfDomain=False; Domain=WORKGROUP
```

### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.

```
Source=time.windows.com,0x9
```

### No backup agent detected
- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.

```
No matching backup service in Win32_Service
```


## UNKNOWN (3)

### Check failed: Windows Firewall profiles
- **Category:** security
- **ID:** `sec.firewall.error`
- The probe could not complete this check. Manual review recommended.

```
Invalid class 
```

### BitLocker status unavailable
- **Category:** security
- **ID:** `sec.bitlocker.unavailable`
- Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).

```
MountPoint=C:, Get-BitLockerVolume returned null
```

### Physical disk health unavailable
- **Category:** health
- **ID:** `health.disk_smart.unavailable`
- Get-PhysicalDisk is unavailable (older OS / RAID controller hiding disks). Verify drive health via vendor tools.

```
Get-PhysicalDisk returned null
```


---

## Inventory Baseline Summary

- **Manufacturer / Model:** To Be Filled By O.E.M. / To Be Filled By O.E.M.
- **Serial:** To Be Filled By O.E.M.
- **CPU:** AMD Ryzen 3 3200G with Radeon Vega Graphics     (4 cores / 4 logical)
- **RAM (GB):** 5.9
- **BIOS:** P3.50 (2019-05-15)
- **Chassis is laptop:** false
- **TPM present / Secure Boot:** ? / ?
- **Domain joined:** false (WORKGROUP)
- **OS activation licensed:** ?
- **Uptime (days):** 43.1
- **Pending reboot:** true
- **Installed software count:** 68
- **Scheduled tasks (non-MS, enabled):** 13
- **Local administrators:** LEGALASST\Administrator, LEGALASST\Ale, LEGALASST\Emma, LEGALASST\localadmin

### Fixed volumes


### Network adapters

- Realtek PCIe GbE Family Controller - IP: 192.168.10.213 - DNS: 192.168.10.1 - DHCP: true

---

## Diff vs Prior Baseline

- No prior baseline found for this host. This is the first baseline.

---

_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `LEGALASST-20260529T200647.json` (immutable)._