Customer Support Ticket Workflow

Match the caller to a current contact in ConnectWise PSA / Autotask / Halo. Confirm they are still authorized — terminated employees calling with old credentials is a common social-engineering vector. Capture which client tier they fall under, since SLA targets and after-hours rates differ.

Note the affected hostname, user UPN, and any related assets from the RMM inventory. A ticket without an asset link can't be reported on cleanly at the QBR — link the device record before moving on.

Apply impact × urgency. P1 is a site-wide outage or revenue-blocking; P2 is a single user blocked from work; P3 is degraded but workable; P4 is a request. Misclassifying P3 as P1 burns the on-call budget; misclassifying P1 as P3 breaches contract.

Before opening a new diagnostic path, check Auvik / PRTG / Datadog and Microsoft / Cisco / vendor status pages. If the symptom maps to a known incident, link the ticket as a child of the parent incident rather than chasing it solo.

Create or update the ticket in the PSA with the company, contact, asset, priority, and a concise problem statement. The first response timer starts here for SLA reporting.

Open a ScreenConnect or Splashtop session and reproduce the user's path. "Works on my machine" is not a diagnosis — see it fail on the user's profile, on the user's network, with the user's permissions.

Review Datto RMM / NinjaOne / Automate logs for the device: patches applied in the last 14 days, software installs, GPO changes, profile updates. Most "sudden" tickets line up with a Tuesday patch or a GPO push from the prior weekend.

Check CrowdStrike / SentinelOne / Defender for Endpoint for blocks, quarantines, or active detections on the host. A blocked DLL is often the real cause behind a vague "the app won't open" complaint.

Search IT Glue or Hudu for the client's documented configurations, exceptions, and prior tickets on the same symptom. Per-client quirks (custom transport rules, conditional access policies, legacy line-of-business apps) live here, not in vendor docs.

Escalate when the issue requires production change rights, AD schema knowledge, firewall config, or vendor-side coordination — Tier 1 should not be touching domain controllers or core firewall rules. Document what you've already tried so Tier 2 doesn't repeat the same diagnostic loop.

Reassign the PSA ticket to the Tier 2 queue with a structured summary: symptom, reproduction steps, diagnostics already run, and ruled-out causes. Page the on-call engineer if priority is P1 or P2 and SLA response is at risk.

Run the fix in a remote session with the user present where possible. For changes that touch shared infrastructure (GPO, firewall, mailbox transport rules), confirm change-management requirements before pushing — a P3 ticket should not become an emergency change.

Have the user perform the original failing action while you're still on the session. Verbal "yeah it seems fine" is not verification — watch the workflow complete end-to-end.

Glance at the affected device and any dependent services in PRTG / Auvik / LogicMonitor. Make sure the fix didn't trigger a new alert downstream — a service restart can light up dependent checks for a few minutes.

Write the resolution as a future technician would want to read it: root cause, exact commands or settings changed, and references to KB articles or vendor advisories. "Fixed it" is not documentation.

Send a plain-English summary of what was wrong and what was done. Keep root-cause language at the user's level; save the technical detail for the internal ticket notes.

If verification failed, reopen the ticket with notes on what didn't work and route back through diagnosis or to Tier 2 — do not close as resolved. Resolution-rate metrics get gamed when techs close-and-reopen instead of leaving the ticket open through the second attempt.

Trigger the CSAT survey from the PSA on ticket close. CSAT trend by client and by technician feeds the QBR; skipping the survey on "easy" tickets biases the dataset toward hard ones.

Confirm time entries are billable / non-billable per the MSA, and flag any SLA breaches for the service coordinator. Unbilled labor is the silent margin killer on co-managed accounts.

If this ticket exposed an undocumented configuration, exception, or recurring symptom, add or update the IT Glue runbook for the client. Documentation debt is what turns a 30-minute ticket into a two-hour ticket the next time around.

Final close requires a resolution code (used for QBR trending), the technician's sign-off, and any closure notes about follow-on work to track separately (replacement device ordered, license true-up needed, change request raised).