Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Screenshot 2021-01-15 at 16.29.08.png

Screenshot 2021-01-15 at 16.27.22.png

Screenshot 2021-01-15 at 16.27.07.png

Screenshot 2021-01-15 at 16.26.58.png

When running the query `select user_account_control as value from windows_security_center;`  via osqueryi it returns `Good`, but when run from a tls config it consistently returns `Poor`

I've checked these within a few minutes of the query running, anyone seen this?

Possibly osquery running as a different user causes different results?

^^ this. Unfortunately Microsoft's documentation on this API isn't very detailed on why you might be getting "poor". That said, I would check every user account on the system's UAC settings. It's possible one of them is disabled.

what I can say confidently is we run this query at Kolide on tons of devices via TLS and seeing a "poor" is very rare

Thank you, looks like the service setup had changed was running as a different user