Windows - Data Collection & Auditing - Automox Agent & Remote Control Diagnostics

What the agent diagnostics Worklet does

This Automox Worklet™ performs in-depth diagnostics of factors that impact the Automox agent and Splashtop remote control components' ability to function normally. The Worklet is diagnostic-only by default, meaning it reports findings without modifying system state unless the ConfigureCipherSuites parameter is enabled.

The Worklet validates network reachability using TCP and HTTPS connections, measures response latency, and reports HTTP status codes. For HTTPS connections, it detects TLS handshake failures and categorizes error types such as cipher suite mismatches, certificate issues, protocol version errors, DNS failures, and connection timeouts.

The Worklet also inspects system TLS configuration by enumerating cipher suites and key exchange algorithms from both the registry and PowerShell cmdlets. It identifies which cipher suites are compatible with Automox infrastructure and flags incompatible configurations that may prevent communication.

Why diagnose agent connectivity issues

Automox agent communication failures often stem from network misconfiguration, firewall blocking, DNS resolution problems, or TLS handshake errors. Without proper diagnostics, IT operations teams must manually inspect event logs, test port connectivity, and review certificate stores–a time-consuming process that delays remediation.

This Worklet automates those troubleshooting steps, providing detailed output that identifies the exact point of failure. By running diagnostics regularly across your fleet, you gain visibility into connectivity patterns and can identify systemic issues before they affect agent functionality or remote control access.

Early detection of connectivity issues reduces agent downtime, enables faster troubleshooting of support tickets, and helps you maintain consistent security posture across endpoints.

How agent diagnostics testing works

1. Evaluation phase: The Worklet performs comprehensive system checks including PowerShell version verification, disk and memory availability, processor architecture compatibility, and Automox service status. It enumerates system TLS cipher suites and key exchange algorithms from the registry and PowerShell cmdlets. It then tests basic TCP connectivity and HTTPS connectivity to 22 network targets including Automox API endpoints, policy file servers, LaunchDarkly service, Microsoft Update infrastructure, and Splashtop relay servers. Each connection test includes DNS resolution, port reachability checks, and TLS handshake validation with categorized error reporting.

2. Remediation phase: If the ConfigureCipherSuites parameter is set to true, the Worklet configures missing cipher suites by writing to the registry at HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002. It adds required TLS 1.2 and TLS 1.3 cipher suites with appropriate priority ordering. By default, the Worklet operates in diagnostic-only mode and reports findings without making any changes.

Agent diagnostics requirements

• Windows Server 2012 R2 or later, or Windows 10 or later

• PowerShell 5.1 or later

• 100 MB free RAM and 70 MB free disk space minimum

• Network connectivity to internet for testing Automox and third-party endpoints

• Administrator privileges (elevated PowerShell) required to configure cipher suites via registry

• Optional: ConfigureCipherSuites parameter to enable cipher suite remediation (default is false for diagnostic-only mode)

Expected connectivity state after diagnostics

When running in diagnostic-only mode (default), no changes are made to the endpoint. You can verify this change by checking the specific setting this Worklet modifies. The Worklet generates output reporting the status of all system checks, network connectivity tests, and TLS configuration findings. You can review detailed pass/fail results for each check, including specific error messages for any connectivity failures.

If ConfigureCipherSuites is enabled and cipher suite configuration occurs, a system restart is required for changes to take effect. Required TLS 1.2 and TLS 1.3 cipher suites will be added to the registry with appropriate priority ordering, enabling proper TLS negotiation with Automox infrastructure and remote control services.

How to validate automox agent & remote control diagnostics changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for automox agent & remote control diagnostics.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as the evaluation and remediation scripts.

4. Validate remediation effects from script operations such as Write-DiagHeader, Write-Output, Write-DiagResult, then rerun evaluation for compliance.