March 2022: There is a new version of this script that fixes a bug with false positives.
This guide will go through creating a remote monitor (exe monitor) in ConnectWise Automate that lets you monitor whether an Agent has been orphaned. It is a single-line PowerShell command that looks for the status code 401 associated with orphaned agents (more on that in our Orphaned Agents KB).
Automate remote monitors require a single command line to run, which means we had to encode the PowerShell script to fit. We're big on open source, so feel free to peek at the source code here!
This guide was created in a controlled environment. There may be instances where the monitor may not function as expected. The best places for help on these issues are ConnectWise University Automate Documentation, MSPGeek, and r/labtech. If you have any enhancements you'd like for us to share with other Partners, feel free to email email@example.com.
Creating Advanced Search Group
If you have already created a search group either by following Automate to Manage Billing, or creating one on your own, you can skip to section 2.
- Go to Automation > Advanced Searches and create a new search
- Customize the search to your liking; below is what we recommend. Save the search as "Software\Software - Huntress" (or something similar).
- Go to Browse > Groups. Right-click on "Groups" and hit "create group"
- Set the "Computers" under "AutoJoin Searches" and add the "Huntress" product we created earlier under the "Managed Services" tab.
Creating the Monitor
- Open the group created in Section 1. Go to Computer > Remote Monitors. Click Add at the bottom. Select Monitor the results of an Executable.
- Copy the code block below into Executable / Arguments
This PowerShell command might look shady, but fear not, it's just a Base64 encoded PowerShell script (click here to see the base code).
- Change Comparison Function to Does Not Contain and enter in "
- Choose your desired check interval (Daily should be more than enough).
- Choose your desired Alert Template settings (Create Manage ticket, send email, raise alert, do nothing, etc.)
- Create your desired alert message. We suggest something like:
%NAME% %STATUS% on %CLIENTNAME%\%COMPUTERNAME% at %LOCATIONNAME% for %FIELDNAME% result %RESULT%.
- Give it a name. We just went with "Huntress Agent Orphan Detector"
- If you double-click the line item, it will show all the Agents it has been installed on and their status (it may take a few minutes before it starts reaching computers)
How to decode / encode Base64 in PowerShell
There are many great websites that can help you convert, but you can also use the tools built right into Windows, so fire up a PowerShell window! From the text you paste into ConnectWise we can see the basic parts: telling CW to run PowerShell (yellow), the encoded command (green), and the final output (red). We'll be using [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("")) to do our decoding.
Now we see the Base64 encoded commands are actually double encoded, so let's decode again to see the final exposed code (yellow identifying the type of encoded command, green being the encoded commands, and red being the decoded commands):
You can even do the reverse (output highlight yellow for readability):
Finally, you can run the script either encoded or decoded to test it (there will be no output if the local agent isn't orphaned):
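To review what an encoded monitor command actually runs before deploying it, the decode steps above can be scripted. The following is an added example, not the Huntress monitor command or Huntress code: the function names are hypothetical, the sample is constructed, and it assumes each nested layer is itself a PowerShell command line carrying an -EncodedCommand argument.

```powershell
# Added example. Function names are hypothetical; the sample data is constructed.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    # -EncodedCommand expects Base64 over UTF-16LE bytes ([Text.Encoding]::Unicode)
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

function Expand-EncodedCommandLine {
    # Peels nested -EncodedCommand layers and returns each decoded layer for review.
    param([Parameter(Mandatory)][string]$CommandLine, [int]$MaxDepth = 5)
    # Loose match for -e / -enc / -EncodedCommand style switches; the 16+ character
    # Base64 token requirement keeps short values such as "-ExecutionPolicy Bypass" out.
    $pattern = '(?i)(?:^|\s)-e[a-z]*\s+["'']?([A-Za-z0-9+/]{16,}={0,2})'
    $layers  = @()
    $current = $CommandLine
    for ($i = 0; $i -lt $MaxDepth; $i++) {
        $m = [regex]::Match($current, $pattern)
        if (-not $m.Success) { break }          # no further encoded layer
        try {
            $current = ConvertFrom-EncodedCommand $m.Groups[1].Value
        } catch [System.FormatException] {
            break                               # token was not valid Base64
        }
        $layers += $current
    }
    $layers
}

# Constructed sample: a harmless script encoded twice, mirroring the double
# encoding described above.
$inner  = ConvertTo-EncodedCommand "Write-Output 'constructed sample'"
$outer  = ConvertTo-EncodedCommand "powershell.exe -NoProfile -EncodedCommand $inner"
$sample = "powershell.exe -NoProfile -EncodedCommand $outer"

# Print every decoded layer; the last one is the script that finally runs.
$n = 0
Expand-EncodedCommandLine $sample | ForEach-Object { $n++; "--- layer $n ---"; $_ }
```

Nothing is executed during decoding, so the same function can be pointed at any command line pasted from a monitor definition to read its contents first.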