A read-only PowerShell script that captures the highest-signal endpoint health + posture data to quickly classify common MSP tickets into likely buckets:
- Identity/Auth
- Network/DNS
- Updates/Reboot
- Disk/Performance
- Security Baseline
This is designed for helpdesk and MSP workflows, where you need fast, consistent triage output you can paste into a ticket or attach from an RMM job.
Most MSP tickets are not “cool incidents.” They are repeatable friction:
- login/MFA confusion
- DNS/connectivity failures
- patch drift / pending reboot
- low disk / slow device
- baseline security hygiene
This script compresses the first ~5 minutes of investigation into a single artifact. It captures:
- OS caption/version
- model/manufacturer
- logged-on user
- uptime hours (reboot debt)
- system drive free/total
- memory utilization %
- CPU load %
- `dsregcmd /status` key fields (Entra join, domain join, MDM URL where present)
- `w32tm /query /status` summary (time skew breaks sign-in/MFA)
- adapter snapshot (IP/gateway/DNS)
- WinHTTP proxy info
- VPN adapter detection (best-effort)
- DNS + TCP/443 tests to configurable hosts
- multiple “pending reboot” indicators
- most recent hotfix
- Defender status (if available)
- Windows Firewall profile enabled/disabled
- BitLocker status for system drive (if available)
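
One way the `dsregcmd /status` key-field capture listed above could be done, shown as an added example that is not taken from `Invoke-MspTriage.ps1`. The helper name `ConvertFrom-DsregStatus`, the choice of fields, and the sample output are assumptions made for illustration; the function only parses text and changes nothing on the endpoint.

```powershell
# Added example, not part of Invoke-MspTriage.ps1. Read-only: it only parses text.
# ConvertFrom-DsregStatus is a hypothetical helper name.
function ConvertFrom-DsregStatus {
    param(
        [string[]]$Lines,
        # Assumed field selection: Entra join, domain join, MDM URL.
        [string[]]$Keys = @('AzureAdJoined', 'DomainJoined', 'MdmUrl')
    )
    $found = @{}
    foreach ($line in $Lines) {
        # Field lines look like "   AzureAdJoined : YES". Only the first colon
        # separates key from value, so URL values keep their own colons.
        if ($line -match '^\s*(?<key>\w+)\s*:\s*(?<value>.*)$') {
            $key = $Matches['key']
            # The first occurrence of a field wins; banner lines never match.
            if ($Keys -contains $key -and -not $found.ContainsKey($key)) {
                $found[$key] = $Matches['value'].Trim()
            }
        }
    }
    $result = [ordered]@{}
    foreach ($key in $Keys) {
        $value = $found[$key]   # $null when the field is absent from the output
        # YES/NO become booleans so the JSON is easy to filter in an RMM.
        $result[$key] = if ($value -eq 'YES') { $true } elseif ($value -eq 'NO') { $false } else { $value }
    }
    [pscustomobject]$result
}

# Constructed sample in the layout dsregcmd prints (not captured from a real device).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                    MdmUrl : https://mdm.example.invalid/enroll
'@ -split "`r?`n"

ConvertFrom-DsregStatus -Lines $sample | ConvertTo-Json
# On an endpoint: ConvertFrom-DsregStatus -Lines (dsregcmd /status) | ConvertTo-Json
```

A field that is missing from the output comes back as `null`, which lets a ticket reader tell "not enrolled in MDM" apart from a parsing failure on the join state.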
The script produces:
- Structured JSON (default) for:
  - RMM job output capture
  - attaching to tickets
  - later analysis
- Optional human-readable text summary for quick ticket notes.
It also returns an exit code (best-effort) that can be used by RMM tooling to route tickets.
```powershell
.\Invoke-MspTriage.ps1
```