Workflow Templates for Systems Administration: Help Desk Ticket Handling Checklist

Initial User Contact

Verify the caller's identity

Confirm the caller against the directory in Entra ID / AD before discussing any account detail or resetting credentials. For phone/chat contact, use a callback to the number on file or a second-channel confirmation (Teams DM, manager verification) — vishing impersonation of executives is a common pretext for password resets.

Capture the issue in the user's words

Let the user describe the symptom before you interpret it. Note the exact error text, what they were doing when it occurred, whether it is reproducible, and how many users are affected. Verbatim quotes are more useful in the ticket than your paraphrase.

Set the ticket priority and SLA

Apply the contracted SLA matrix — P1 (system down / multi-user), P2 (single user blocked), P3 (degraded), P4 (request). MSPs: confirm the client's contract tier in the PSA before committing a response time.

Open the ticket in the PSA or ITSM

Create the ticket in ConnectWise PSA, Autotask, ServiceNow, Freshservice, or whichever PSA/ITSM is the system of record. Tag the affected user, asset (from RMM/CMDB), category, and source channel so reporting and time tracking line up.

Problem Diagnosis

Record error messages and event IDs

Pull exact error text, Windows Event Viewer IDs, macOS unified log entries, or app-side stack traces. Screenshots beat retyped errors — a digit transposed in a hex code wastes 30 minutes of search.

Check recent changes against the CMDB

Recent patch ring, GPO push, Intune policy change, or Conditional Access rule? Cross-reference the change calendar and RMM patch history for the affected machine. New issue immediately after Patch Tuesday is the most common false-mystery in this queue.

Connect via remote support and reproduce

Use ScreenConnect, Splashtop, or the RMM's built-in remote session. Reproducing in the user's session rules out profile-specific issues; reproducing in a fresh local account isolates whether the cause is profile, machine, or environment.

Search the knowledge base for prior fixes

Search IT Glue, Hudu, Confluence, or your KB for the error code and symptom. MSPs: also search across other clients with the same vendor stack — same VPN client, same EDR agent, same M365 tenant model often hit the same regressions.

Confirm whether Tier 1 can resolve

Decision point: is this within Tier 1 scope (password reset, MFA re-enrollment, printer mapping, Outlook profile rebuild) or does it require Tier 2/3 (server-side, network, security incident)? Escalating early on out-of-scope tickets is cheaper than burning two hours before handoff.

Resolution

Apply the documented fix

Follow the KB runbook step for step. If you deviate, document why in the ticket so the next technician hitting the same symptom benefits. Avoid registry edits or GPO changes without a peer review — undocumented fixes become tomorrow's incidents.

Escalate to Tier 2 with diagnostic notes

When escalating, include: reproduction steps, error text, what you've already tried, RMM asset link, and user impact. A bare "please assist" handoff bounces back. Set the queue/owner per the escalation matrix (network → networking queue, M365 → messaging queue).

Page the on-call engineer for P1 incidents

P1 means system-down or multi-user impact. Page via PagerDuty / Opsgenie / built-in PSA paging — do not rely on email or chat for P1 wake-ups. Open the incident bridge and post the ticket number in the #incident channel.

Test the fix in the user's session

Have the user reproduce the original workflow with you watching, not just "try it now and let me know." A fix that works for the technician but not the user (cached credential, profile path, group membership) is the most common reopen.

Closure and Follow-Up

Document root cause and resolution

Write the resolution note for the next technician, not the user — name the system, the setting, the command, the KB ID. "Rebooted and it worked" is not a resolution; "Cleared Outlook autodiscover cache via Ctrl+right-click → Test E-mail AutoConfiguration; KB 4567" is.

Update the knowledge base article

If this issue lacked a KB or the existing one was wrong, file or edit the article in IT Glue / Hudu / Confluence. New patterns spotted in the queue are the highest-leverage KB additions — the third repeat of an issue should not require fresh diagnosis.

Log time and close the ticket

Enter accurate time entries in the PSA before closing — billing and SLA reporting depend on this. Mark resolution category (incident vs. request vs. problem) so trend reporting is usable at the QBR.

Send the satisfaction survey

Most PSAs auto-send a CSAT survey on closure (Smileback, BrightGauge, native). Confirm the trigger fired. For VIP users or P1 incidents, follow up with a personal note in addition to the automated survey.