Windows - Maintenance Tasks - Tag Automox Devices with Lansweeper Data

What the Lansweeper to Automox tag sync does

This Automox Worklet™ pulls asset attributes from a Lansweeper Cloud site and writes them onto matching Automox endpoints as tags. The Worklet calls the Lansweeper GraphQL API at https://api.lansweeper.com/api/v2/graphql with a Personal Application token, paginates through every asset on the specified site ID, and captures the assetBasicInfo, assetCustom, and bitLockerRecoveryKeys fields the script knows how to map. It then calls the Automox console API at https://console.automox.com/api/servers to enumerate every endpoint in the target organization and joins the two data sets on serial number.

For each match, the Worklet reads the Lansweeper fields you named in the lsFields array, deduplicates them against the endpoint's existing tag list, and issues a PUT to /api/servers/{deviceId} with the merged tag set. Existing Automox tags stay intact; the script only adds values, never strips them. The lsFields parameter accepts any combination of model, manufacturer, location, department, branchOffice, building, fqdn, domain, ipAddress, userName, userDomain, type, typeGroup, subType, bitLockerRecoveryKeys, lastPatched, mac, name, description, assetUnique, serialNumber, or url.

All four credentials (axApiKey, axOrgID, lsToken, lsSiteID) load through Automox console policy variables marked as Shared Secrets, so no plaintext keys appear in the script body. The evaluation phase exits 2 to trigger remediation as soon as a single serial number match is detected. The remediation phase uses Invoke-RestMethod with a Bearer token header against the Automox API and a Token header against the Lansweeper API.

Why mirror Lansweeper CMDB data into Automox tags

Lansweeper is the source of truth for asset metadata on most fleets that run both products: department, physical location, branch office, building, manufacturer, model, last-known user, BitLocker recovery key custody. Automox is the source of truth for what runs on the endpoint right now. Without a sync, the two views drift, and admins end up exporting CSVs, eyeballing serial numbers, and rebuilding the same groups by hand every quarter. Mirroring the Lansweeper fields onto Automox tags makes "all endpoints in the Denver office," "all Dell OptiPlex 7090s," or "all finance-department laptops" a one-line endpoint filter in Automox instead of an out-of-band lookup.

Aligning Automox endpoint metadata with the CMDB of record (Lansweeper, in this case) means a patch policy can target by site, business unit, or asset role rather than guessing from hostname conventions. This Worklet runs on a single host endpoint, sweeps the Lansweeper site through paginated GraphQL queries, and pushes the resulting tag set to every matched Automox endpoint on the same schedule the rest of your maintenance policies use, so the CMDB enrichment stays current without a one-off sync script.

How the Lansweeper tag sync works

1. Evaluation phase: The script verifies that the axApiKey, axOrgID, lsToken, and lsSiteID variables resolved from policy-level Shared Secrets, then runs Invoke-RestMethod against https://api.lansweeper.com/api/v2/graphql with the Authorization Token header to fetch a 100-asset page through site(id).assetResources. In parallel, it pages through https://console.automox.com/api/servers?o={axOrgID} to collect every endpoint in the organization. The script joins the two sets on Lansweeper assetCustom.serialNumber and Automox serial_number. If any match is found, evaluation writes "Matching Automox device(s) found. Flagging for remediation." to the activity log and exits with code 2 to signal non-compliance and trigger remediation.

2. Remediation phase: Remediation paginates the full Lansweeper site through cursor-based GraphQL calls in 500-asset batches and rebuilds the endpoint join. For each matched endpoint, it reads the lsFields array from the script body, extracts the corresponding Lansweeper attribute value, skips null or whitespace values with a Write-Warning, and joins array values (such as BitLocker recovery keys) with a comma separator. The script then splits the endpoint's existing comma-delimited tags string, concatenates the new values, runs Select-Object -Unique to drop duplicates, and issues a PUT to https://console.automox.com/api/servers/{deviceId}?o={axOrgID} with a JSON body that sets server_group_id, tags, custom_name, and exception. Existing tags are preserved in full.

Lansweeper tag sync requirements

• Lansweeper Cloud subscription (Starter, Pro, or Enterprise) with a configured Personal Application and a generated API token

• Lansweeper Site ID for the single site whose assets you want to project onto Automox tags

• Automox console API key with read access to /api/servers and write access to PUT /api/servers/{id}, plus the Automox Organization ID

• All four credentials registered as Automox Shared Secrets with these exact variable names: axApiKey, axOrgID, lsToken, lsSiteID

• Worklet scoped to a single host endpoint through device targeting; the script is API-driven and should not fan out across the fleet

• Endpoints must report matching serial numbers in both Lansweeper assetCustom.serialNumber and Automox serial_number for the join to fire

• Set lsFields in remediation.ps1 to the Lansweeper attributes you want as tags: any subset of assetUnique, bitLockerRecoveryKeys, branchOffice, building, department, description, domain, fqdn, ipAddress, lastPatched, location, mac, manufacturer, model, name, serialNumber, subType, type, typeGroup, url, userDomain, userName

• Optional: uncomment $VerbosePreference = 'Continue' in remediation.ps1 to surface per-asset progress in the Automox activity log during initial rollout

Expected Automox tag state after the sync

After a successful run, every Automox endpoint with a matching Lansweeper serial number carries the configured Lansweeper attribute values as tags. If lsFields is set to @( 'model', 'manufacturer', 'department' ), a Dell OptiPlex 7090 assigned to the Finance department in Lansweeper shows up in Automox with three new tags: Dell, OptiPlex 7090, Finance, alongside any tags it already had. Endpoints with no Lansweeper match are untouched, and any Lansweeper field that is null or whitespace is skipped with a Write-Warning so you can spot incomplete CMDB records.

Validate by opening the Automox console, filtering the device list by one of the new tag values, and confirming the membership matches what Lansweeper reports for the same attribute. For the API path, call GET https://console.automox.com/api/servers/{deviceId}?o={axOrgID} and inspect the tags array on the response body. Automox activity logs from this Worklet include lines such as "Existing Tags: …", "New Tags: …", and "Tagging Device ID: …" for every endpoint touched, which gives you a per-device audit trail of the merge. Schedule the policy on whatever cadence matches your CMDB refresh; because the evaluation phase always triggers remediation when matches exist, a daily or weekly cadence is the typical choice.