This document outlines how to create a Ticket Automation you can use to automatically bill for Windows updates. 

Step 1: Create an Event Log Policy

1. Navigate to the Policies tab.
2. From the Policy Modules button menu in the upper right, select “Event Log Monitoring.” 
3. Click +New Event Log Policy.
4. Click +New Event Log Query:
   
5. In the pop-up window that appears, configure ONLY the following fields:
   1. Name: Windows Update Install
   2. Event ID: 19
   3. Source: Microsoft-Windows-WindowsUpdateClient (click “Additional Fields” first)
      IMPORTANT: Leave all other fields blank.
6. Click Create Event Log Query.
7. Name the Event Log Policy something meaningful, like “Update Installed.”
8. In the Custom Queries section, check the box next to Event ID 19, which you just created:
   
9. Scroll to the bottom and click Save Event Policy.
10. Navigate back to the Policies tab:
    1. Click +New Policy and give your policy a meaningful name.
    2. From the left navigation of the Policy Builder, select Monitors, then add an Event Logs monitor.
    3. From the Add Event Log dropdown menu, select “Update Installed” (or whatever you named the Event Log Policy you created above).
    4. Click Save Policy.
11. Assign this Policy to any Assets you want to bill for the Windows Updates.

See also: Work with Event Log Policies and Assign a Policy.

Step 2: Create a Script

Tip: You can also import this script from the Community Script Library. Type “Installed Windows Updates” into the search bar and click Import to My Scripts.

1. Navigate to the Scripts tab.
2. Click +Create New Script and give it a meaningful name, like “Installed Windows Updates - Auto Create Ticket/Time Options.”
3. Click Add Script Variables and add the following four variables:
   
   
   • ticketTime: Dropdown variable; click Edit Dropdown Values to provide options (e.g., 15, 30, etc.) and set a default; you can always add more.
   • techEmail: Runtime variable; this will be a Syncro User's email (e.g., a Technician) who will log the ticket time.
   • ticketNumber: Runtime variable; this will be {{ticket_number}} in the Automated Remediation.
   • billForTime: Dropdown variable; click Edit Dropdown Values to provide options for True and False so you can choose whether to charge for the time.
4. Copy the Example PowerShell Code into the Script field.
5. Click Create Script.

Example PowerShell Code

Import-Module $env:SyncroModule

<#
Create-Syncro-Ticket-TimerEntry cmdlet uses the default Labor Rate, this is not changeable. You might have to REABLE this product 
if you disabled it in the past. If you want to be fancy you can rename it to Automation Labor
#>

write-output "Variables passed into Script are ticketNumber:$ticketNumber ticketTime:$ticketTime techEmail:$techEmail billForTime:$billForTime "
$body = "Installed Updates"

# Create Starting time and Add time to ticket
$startAt = (Get-Date).AddMinutes(-15).toString("o")
write-output " this is the startAt variable $startAt"

if($ticketTime -ne "No Time"){
     Create-Syncro-Ticket-TimerEntry -TicketIdOrNumber $ticketNumber -StartTime $startAt -DurationMinutes $ticketTime -Notes "Updates Installed" -UserIdOrEmail "$techEmail" -ChargeTime "$billForTime"
}
else{ Write-output "Skipping Time Entry"}

# Add ticket notes
Create-Syncro-Ticket-Comment -TicketIdOrNumber $ticketNumber -Subject "Windows Update Installed" -Body "$body" -Hidden $False -DoNotEmail $True

See also: Manage Scripts and Use Scripts.

Step 3: Create the Automated Remediation

1. Navigate to the Assets & RMM tab.
2. From the View dropdown menu, select “Automated Remediation.”
3. Click +New Automated Remediation and Name it something meaningful, like “Billing for Windows Update Installs.”
4. In the Condition section, click the + icon and create the following Condition(s):
   1. (Required): Trigger Category, is, Update Installed (i.e., the name of your Event Log Policy from step 1).
   2. (Optional): Rate Limit, 1 Times, Per 7 Days. 
      Tips: 
      • The Rate Limit is so that if multiple Windows Update Event IDs fire, only one billable ticket is created a week. This is an optional way to build out this automation and a good example of how to use the Rate Limit Condition.
      • Another option would be to have the remediation run once a weak, matching with whatever update schedule you've created. This could reduce the number of individual tickets with small increments of time charged, and you can guesstimate with a single ticket.
5. In the Run the Following Actions for the Matching RMM Alerts section, click the + icon and create the following three Actions:
   1. Action: Clear Alert (Needed if you want to run this automated remediation continuously; automated remediations do not re-run on already-opened alerts.
   2. Action: Run Script
      • Script: Installed Windows Updates - Auto Create Ticket/Time Options (i.e., the name of the script you created in step 2).
      • Delay Minutes: 0 
      • Enter/select values for the script's four variables. For example: 
        • ${{ticketTime}}= 15
        • ${{techEmail}}= your Tech's email
        • ${{ticketNumber}} = {{ticket_number}} 
        • ${{billforTime}}= true
   3. Action: Convert to Ticket
      • Subject: Windows Update Installed - {{rmm_alert_computer_name}}
      • Priority: 3 Low
      • Assignee: the name of your Tech (whose email you provided above)
      • Status: Resolved
      • Ticket Issue Type: Other
      • (Optional) Ticket Tags: “automation,” “updates” (This is so these tickets can flow into a Ticket View focused on automated tickets, should you want that.)
      • (Optional) Private/Public Comment: If you want, you can see which update install triggered the alert by adding the template tag {{rmm_alert_formatted_output}}into either of these fields.

See also: Create Automations for Alerts, Automated Remediations Reference, and Template Tags Reference.