Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: ConnectWise Automate
Environment: Huntress integration
Summary: Setup guide for the ConnectWise Automate Remote Monitor integration with Huntress to monitor orphaned agents.
February 2023: Due to a recent change in how we handle orphaned agents and the complexity that comes with integrating scripts into RMMs, we're unable to offer any support for this script. The preferred method to handle unresponsive agents now is to follow this KB on Unresponsive Agents.
This guide will go through creating a remote monitor (exe monitor) in ConnectWise Automate to allow you to monitor whether an Agent has been orphaned. It is a single-line PowerShell command that looks for the status code 401 associated with orphaned agents (more on that in our Orphaned Agents KB).
Automate remote monitors require a single command line to run, which means we had to encode the PowerShell script to fit. We're big on open source, so feel free to peek at the source code here!
This guide was created in a controlled environment. There may be instances where the monitor may not function as expected. The best places for help on these issues are ConnectWise University Automate Documentation, MSPGeek, and r/labtech. If you have any enhancements you'd like for us to share with other Partners, feel free to email support@huntress.io.
If you're having problems with your existing monitor, please update its script with the code in Step 2 of Creating the Monitor.
Creating Advanced Search Group
If you have already created a search group either by following Automate to Manage Billing, or creating one on your own, you can skip to section 2.
- Go to Automation > Advanced Searches and create a new search
- Customize the search to your liking; below is what we recommend. Save the search as "Software\Software - Huntress" (or something similar).
- Go to BrowseGroups. Right-click on "Groups" and hit "create group"
- Set the "Computers" under "AutoJoin Searches." And add the "Huntress" product we created earlier under the "Managed Services" Tab.
Creating the Monitor
- Open the group created in Section 1. Go to Computer > Remote Monitors. Click Add at the bottom. Select Monitor the results of an Executable.
- Copy the code block below into Executable / Arguments
%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded 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
This PowerShell command might look shady, but fear not, it's just a Base64 encoded PowerShell script (click here to see the base code).
- Change Comparison Function to Does Not Contain and enter in "ORPHANED"
- Choose your desired check interval (Daily should be more than enough).
- Choose your desired Alert Template settings (Create Manage ticket, send email, raise alert, do nothing, etc.)
- Create your desired alert message. We suggest something like:
%NAME% %STATUS% on %CLIENTNAME%\%COMPUTERNAME% at %LOCATIONNAME% for %FIELDNAME% result %RESULT%.
- Give it a name. We just went with "Huntress Agent Orphan Detector"
- If you double-click the line item, it will show all the Agents it has been installed on and their status (it may take a few minutes before it starts reaching computers)
How to decode / encode Base64 in PowerShell
There are many great websites that can help you convert, but you can use the tools built right into Windows, so fire up a PowerShell window! From the text you paste into ConnectWise we can see the basic parts: telling CW to run PowerShell (yellow), the encoded command (green), and the final output (red). We'll be using [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("")) to do our decoding.
Now we see the Base64 encoded commands are actually double encoded, so let's decode again to see the final exposed code (yellow identifying the type of encoded command, green being the encoded commands, and red being the decoded commands):
You can even do the reverse (output highlight yellow for readability):
Finally you can run the script either encoded or decoded to test it (there will be no output if the local agent isn't orphaned):
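The decode and re-encode steps above as one script, added here as an example (not Huntress's code): it pulls the -Encoded argument out of a command line, decodes it as UTF-16LE, and repeats for nested layers without executing anything. The function names and the sample command are constructed for illustration.

```powershell
# Added example. The inner command below is a constructed, harmless sample,
# not the monitor script from this guide.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    # powershell.exe expects Base64 over UTF-16LE ("Unicode") bytes
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

function Get-EncodedArgument {
    param([string]$Text)
    # Candidate "-e... <value>" pairs; keep only abbreviations of -EncodedCommand
    # (-e, -ec, -enc, -Encoded, ...) so -ExecutionPolicy is not mistaken for it.
    $pattern = '(?i)(?:^|\s)-(e[a-z]*)\s+["'']?([A-Za-z0-9+/=]+)'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $name = $m.Groups[1].Value.ToLower()
        if ($name -eq 'ec' -or 'encodedcommand'.StartsWith($name)) {
            return $m.Groups[2].Value
        }
    }
}

function Expand-EncodedCommandLine {
    # Emits one object per decoded layer; stops when no encoded argument remains.
    param([Parameter(Mandatory)][string]$CommandLine, [int]$MaxDepth = 5)
    $text = $CommandLine
    for ($layer = 1; $layer -le $MaxDepth; $layer++) {
        $b64 = Get-EncodedArgument -Text $text
        if (-not $b64) { break }
        try { $text = ConvertFrom-EncodedCommand -Base64 $b64 }
        catch { Write-Warning "Layer ${layer}: value is not valid Base64"; break }
        [pscustomobject]@{ Layer = $layer; Decoded = $text }
    }
}

# Constructed double-encoded sample, built the same way the guide describes.
$inner   = "Write-Output 'constructed sample: inner script'"
$outer   = "powershell.exe -NoProfile -EncodedCommand $(ConvertTo-EncodedCommand $inner)"
$cmdLine = "powershell.exe -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass " +
           "-Encoded $(ConvertTo-EncodedCommand $outer)"

Expand-EncodedCommandLine -CommandLine $cmdLine | Format-List
```

Reading every decoded layer before saving the monitor lets you confirm what the one-liner will actually execute on each endpoint.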