https://github.com/osquery/osquery logo
Title
a

asparamancer

01/15/2021, 4:29 PM
When running the query
select user_account_control as value from windows_security_center;
via osqueryi it returns
Good
, but when run from a tls config it consistently returns
Poor
I've checked these within a few minutes of the query running, anyone seen this?
z

zwass

01/15/2021, 4:31 PM
Possibly osquery running as a different user causes different results?
t

terracatta

01/15/2021, 4:37 PM
^^ this. Unfortunately Microsoft's documentation on this API isn't very detailed on why you might be getting "poor". That said, I would check every user account on the system's UAC settings. It's possible one of them is disabled.
what I can say confidently is we run this query at Kolide on tons of devices via TLS and seeing a "poor" is very rare
a

asparamancer

01/15/2021, 5:26 PM
Thank you, looks like the service setup had changed was running as a different user