claudetools/clients/ucryo/onboarding-baselines/DESKTOP-PMML1JC-20260603T004601.md
Mike Swanson 0413df8459 sync: auto-sync from GURU-5070 at 2026-06-02 18:44:13
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-02 18:44:13
2026-06-02 18:44:21 -07:00
# Onboarding Diagnostic Baseline - DESKTOP-PMML1JC
- **Grade:** RED
- **Host:** DESKTOP-PMML1JC
- **Client:** Universal Cryogenics (`ucryo`)
- **Collected (UTC):** 2026-06-03T00:39:57Z
- **Agent ID:** 286cf717-86ac-4985-b0a6-0254fba0dfdb
- **Command ID:** a8871fc1-4667-4d2f-8a12-784747b820cc
- **Findings:** 3 critical / 3 warning / 15 info / 0 unknown
- **OS:** Microsoft Windows 11 Pro (build 26200)
---
## CRITICAL (3)
### OS volume is NOT encrypted with BitLocker
- **Category:** security
- **ID:** `sec.bitlocker.unencrypted`
- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. This is a laptop (portable chassis), so the data-at-rest risk if lost or stolen is high. Enable BitLocker and escrow the recovery key.
```
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
```
### Recurring stability events in the last 14 days
- **Category:** health
- **ID:** `health.stability.recurring`
- Three or more events of one class (unexpected shutdown, BSOD, or disk error) in 14 days indicates a hardware or driver problem. Investigate memory, disk, PSU, and drivers.
```
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=3
```
### Domain secure channel is BROKEN
- **Category:** health
- **ID:** `health.domain.secure_channel_broken`
- Test-ComputerSecureChannel returned false. The machine trust relationship with the domain is broken (Group Policy, Kerberos, and domain logon will fail). Repair with Test-ComputerSecureChannel -Repair or rejoin.
```
PartOfDomain=True; Test-ComputerSecureChannel=False; Domain=ucryo.local
```
## WARNING (3)
### 2 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 2
```
### Reboot pending
- **Category:** health
- **ID:** `health.reboot_uptime.pending`
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
```
PendingFileRenameOperations
```
### 2 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped
IntelAudioService (Intel(R) Audio Service) = Stopped
```
## INFO (15)
### Defender active and current
- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.
```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
```
### Defender is the only registered AV
- **Category:** security
- **ID:** `sec.av_products.defender_only`
- Only Microsoft/Windows Defender is registered in Security Center.
```
Windows Defender
```
### No competitor/leftover management agents detected
- **Category:** security
- **ID:** `sec.foreign_agents.none`
- No known competitor RMM or unmanaged remote-access agents found in installed programs or services.
```
Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service
```
### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### Expected ACG management tooling present: Splashtop (SOS/Streamer)
- **Category:** security
- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Splashtop Streamer 3.8.2.0
service: SplashtopRemoteService (Splashtop® Remote Service) Running
```
### Expected ACG management tooling present: Syncro / Kabuto
- **Category:** security
- **ID:** `sec.foreign_agents.acg.syncro_kabuto`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```
### All firewall profiles enabled
- **Category:** security
- **ID:** `sec.firewall.ok`
- Domain, Private, and Public firewall profiles are all enabled.
```
Private=True; Domain=True; Public=True
```
### Local administrators (3)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
Administrator
localadmin
Richard
```
### OS build supported: Win11 25H2
- **Category:** security
- **ID:** `sec.patch.os_supported`
- Build 26200 (Win11 25H2) is in support until 2027-10-12.
```
Microsoft Windows 11 Pro build 26200
```
### Last hotfix: KB5089573
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5089573 installed 2026-05-27T07:00:00Z
```
### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.
```
EnableSMB1Protocol=False
```
### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.
```
Windows LAPS reg key
```
### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.
```
Source=Free-running System Clock
```
### Battery present
- **Category:** health
- **ID:** `health.battery.present`
- Battery detected. (Wear-level / design-vs-full-capacity requires a powercfg battery report, not collected here.)
```
EstimatedChargeRemaining=100%; BatteryStatus=2
```
### No backup agent detected
- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
```
No matching backup service in Win32_Service
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** LENOVO / 81Y8
- **Serial:** PF2G2VPV
- **CPU:** Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz (6 cores / 12 logical)
- **RAM (GB):** 31.9
- **BIOS:** EFCN58WW (2022-11-15)
- **Chassis is laptop:** true
- **TPM present / Secure Boot:** true / true
- **Domain joined:** true (ucryo.local)
- **OS activation licensed:** true
- **Uptime (days):** 6.6
- **Pending reboot:** true
- **Installed software count:** 73
- **Scheduled tasks (non-MS, enabled):** 23
- **Local administrators:** Administrator, localadmin, Richard
### Fixed volumes
- [unlabeled] - 0.1 GB free of 0.1 GB (64%)
- D: - 931.3 GB free of 931.5 GB (100%)
- C: - 634.3 GB free of 930.3 GB (68.2%)
- [unlabeled] - 0.1 GB free of 1.1 GB (10%)
### Network adapters
- OpenVPN Data Channel Offload - IP: 10.100.0.2, fe80::564:408d:e02a:124a - DNS: 103.86.96.100, 103.86.99.100 - DHCP: false
- Intel(R) Wi-Fi 6 AX201 160MHz - IP: 192.168.0.5, fe80::7eb3:304d:8df9:2e0f - DNS: 192.168.0.1, 205.171.2.25 - DHCP: true
- NordLynx Tunnel - IP: 10.5.0.2, fe80::564:408d:e02a:124a - DNS: - DHCP: false
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `DESKTOP-PMML1JC-20260603T004601.json` (immutable)._