claudetools/clients/ucryo/onboarding-baselines/WIN-709JUVCJ2DQ-20260603T004420.md
Mike Swanson 0413df8459 sync: auto-sync from GURU-5070 at 2026-06-02 18:44:13
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-02 18:44:13
2026-06-02 18:44:21 -07:00

Onboarding Diagnostic Baseline - WIN-709JUVCJ2DQ

  • Grade: RED
  • Host: WIN-709JUVCJ2DQ
  • Client: Universal Cryogenics (ucryo)
  • Collected (UTC): 2026-06-03T00:43:19Z
  • Agent ID: b7311d8a-6c5e-4aa5-9abf-79212d344009
  • Command ID: 48bd8684-226b-448f-af5f-9d9db61dd01c
  • Findings: 2 critical / 4 warning / 13 info / 2 unknown
  • OS: Microsoft Windows Server 2012 R2 Essentials (build 9600)

CRITICAL (2)

SMBv1 is ENABLED

  • Category: security
  • ID: sec.exposure.smb1
  • SMBv1 is an obsolete, insecure protocol (WannaCry/EternalBlue vector). Disable it: Set-SmbServerConfiguration -EnableSMB1Protocol $false and remove the SMB1 feature.
Get-SmbServerConfiguration EnableSMB1Protocol=True

Disk critically low: E: at 4.1% free

  • Category: health
  • ID: health.disk_space.E
  • Less than 8 percent free. Risk of failed updates, crashes, and corruption. Free space or expand the volume urgently.
E: free 40.4 GB of 983.6 GB (4.1%)

WARNING (4)

Defender status unavailable

  • Category: security
  • ID: sec.defender.unavailable
  • Get-MpComputerStatus returned nothing. Defender may be disabled, replaced by a third-party AV, or the cmdlet may be unavailable on this SKU. Confirm an active AV exists (see the security-center check).
Get-MpComputerStatus returned null

RDP is enabled

  • Category: security
  • ID: sec.exposure.rdp_on
  • Remote Desktop is enabled (NLA required). Confirm it is restricted to VPN or specific source IPs and not exposed to the internet.
fDenyTSConnections=0; UserAuthentication=1

Uptime is 36.5 days

  • Category: health
  • ID: health.reboot_uptime.long_uptime
  • Uptime exceeds 30 days. Long uptime usually means pending updates have not been applied (reboots deferred). Schedule maintenance.
LastBootUpTime=2026-04-27 05:14:06Z

4 auto-start service(s) not running

  • Category: health
  • ID: health.failed_services.stopped
  • These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
VeeamBackupSvc (Veeam Backup Service) = Stopped
VeeamCatalogSvc (Veeam Guest Catalog Service) = Stopped
VeeamCloudSvc (Veeam Cloud Connect Service) = Stopped
VeeamMountSvc (Veeam Mount Service) = Stopped

INFO (13)

No AV products registered in Security Center

  • Category: security
  • ID: sec.av_products.none_registered
  • SecurityCenter2 returned no AntiVirusProduct entries. This is normal on Windows Server SKUs (Security Center is a client feature). On a workstation, confirm Defender or a managed AV is active.
root\SecurityCenter2 AntiVirusProduct: none

No competitor/leftover management agents detected

  • Category: security
  • ID: sec.foreign_agents.none
  • No known competitor RMM or unmanaged remote-access agents found in installed programs or services.
Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service

Expected ACG management tooling present: ScreenConnect / ConnectWise Control

  • Category: security
  • ID: sec.foreign_agents.acg.screenconnect_connectwise_control
  • This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running

Expected ACG management tooling present: Splashtop (SOS/Streamer)

  • Category: security
  • ID: sec.foreign_agents.acg.splashtop_sos_streamer_
  • This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
program: Splashtop Software Updater 1.5.6.19
program: Splashtop Streamer 3.5.0.2
service: SplashtopRemoteService (Splashtop® Remote Service) Running
service: SSUService (Splashtop Software Updater Service) Running

Expected ACG management tooling present: Syncro / Kabuto

  • Category: security
  • ID: sec.foreign_agents.acg.syncro_kabuto
  • This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running

All firewall profiles enabled

  • Category: security
  • ID: sec.firewall.ok
  • Domain, Private, and Public firewall profiles are all enabled.
Private=True; Domain=True; Public=True

Local administrators (5)

  • Category: security
  • ID: sec.local_admins.list
  • Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
Administrator
Guru
Jacobs
localadmin
paul

Last hotfix: KB5031003

  • Category: security
  • ID: sec.patch.last_hotfix
  • Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
KB5031003 installed 2023-10-12T07:00:00Z

LAPS not detected

  • Category: security
  • ID: sec.exposure.no_laps
  • No LAPS (Windows LAPS or legacy AdmPwd) detected. Without LAPS, the local admin password is likely static/shared across the fleet. Consider deploying LAPS to randomize and escrow local admin passwords.
No LAPS registry keys, CSE, or service found

No stability events in the last 14 days

  • Category: health
  • ID: health.stability.clean
  • No unexpected shutdowns, BSODs, or disk errors logged.
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0

Not domain-joined (workgroup)

  • Category: health
  • ID: health.domain.workgroup
  • This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
PartOfDomain=False; Domain=WORKGROUP

Time service source

  • Category: health
  • ID: health.time.source
  • Current Windows Time service source.
Source=The following error occurred: The service has not been started. (0x80070426)

Backup agent installed and running

  • Category: health
  • ID: health.backup.present
  • A backup agent service is present and running. Confirm the backup is actually configured and reporting successful jobs (presence != working backup).
Veeam: VeeamBackupSvc = Stopped
Veeam: VeeamCatalogSvc = Stopped
Veeam: VeeamCloudSvc = Stopped
Veeam: VeeamDeploySvc = Running
Veeam: VeeamHvIntegrationSvc = Running
Veeam: VeeamMountSvc = Stopped
Veeam: VeeamNFSSvc = Running
Veeam: VeeamTransportSvc = Running

UNKNOWN (2)

BitLocker status unavailable

  • Category: security
  • ID: sec.bitlocker.unavailable
  • Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).
MountPoint=C:, Get-BitLockerVolume returned null

OS build not in EOL map: 9600

  • Category: security
  • ID: sec.patch.os_build_unknown
  • The build number is not in the local EOL reference map. Verify support status manually. This may be a Server SKU or a build newer than the map.
Microsoft Windows Server 2012 R2 Essentials build 9600

Inventory Baseline Summary

  • Manufacturer / Model: Dell Inc. / PowerEdge 2950
  • Serial: 762F0G1
  • CPU: Intel(R) Xeon(R) CPU E5450 @ 3.00GHz (4 cores / 4 logical)
  • RAM (GB): 32
  • BIOS: 2.3.1 (2008-04-29)
  • Chassis is laptop: false
  • TPM present / Secure Boot: ? / ?
  • Domain joined: false (WORKGROUP)
  • OS activation licensed: true
  • Uptime (days): 36.5
  • Pending reboot: false
  • Installed software count: 48
  • Scheduled tasks (non-MS, enabled): 6
  • Local administrators: Administrator, Guru, Jacobs, localadmin, paul

Fixed volumes

  • (volume letter unreadable in snapshot): - 0.1 GB free of 0.3 GB (20.6%)
  • F: - 464.8 GB free of 1395.7 GB (33.3%)
  • M: - 4417.1 GB free of 4657.5 GB (94.8%)
  • C: - 837.8 GB free of 878.6 GB (95.4%)
  • E: - 40.4 GB free of 983.6 GB (4.1%)

Network adapters

  • Hyper-V Virtual Ethernet Adapter #2 - IP: 172.29.0.4, fe80::a8c1:e232:97d6:976 - DNS: 8.8.8.8, 4.4.8.8 - DHCP: false

Diff vs Prior Baseline

  • No prior baseline found for this host. This is the first baseline.

Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: WIN-709JUVCJ2DQ-20260603T004420.json (immutable).