Security & Continuity

MSP Toolkit
Practical troubleshooting paths for MSP technicians dealing with real-world support failures.

What This Category Covers

Security and continuity issues need evidence before containment or recovery work. Separate detection, policy, identity, endpoint state, backup/recovery status, and business impact.

First Layer to Isolate

Security signal first, then scope, containment, recovery path, and business priority.

Useful Tools, Logs, and Portals

  • Security portal
  • RMM/EDR logs
  • Backup console
  • Identity logs
  • Change history
  • Incident notes

Before You Escalate

  • Impact and scope captured
  • Security owner notified where needed
  • Recovery point verified
  • Changes documented

Articles in This Path

Pick the closest symptom and work from there.

ACME challenge path accessible publicly but renewal validation still failsACME renewal works on standby node not active nodeApplication aware backup disabled itself after patchingBackup copy job finishes but offsite repository missing newest restore pointsBackup job completes with warnings because application log truncation skippedBackup notifications arrive, but failure subject lines always show successBackup repository free space looks healthy while synthetic full job still failsBackups & Recovery alerts indicate success while end-user experience never changesBackups & Recovery configuration survives testing but resets after restart or syncBackups & Recovery credential or certificate rotation breaks an existing integrationBackups & Recovery feature works in web app but fails in desktop clientBackups & Recovery healthy dashboard status masks a failing production workflowBackups & Recovery new deployment works for pilot group but not for production rolloutBackups & Recovery policy change applies in admin console but target users never receive itBackups & Recovery quarantine or protection action triggers but recovery workflow failsBackups & Recovery workflow succeeds for one account but fails for shared or delegated accessBackups completing with warnings but not restorableBare metal restore media boots but cannot see RAID volumeBare-metal recovery media boots on BIOS hardware but not UEFI replacementBitLocker key rotates but inventory system shows old key IDBitLocker network unlock not working after certificate renewalBitLocker policy escrowed keys but startup PIN requirement never appliedBitLocker recovery key prompt after firmware updateBitLocker recovery repeats after docking station changesBitLocker recovery screen appears after firmware patch on multiple laptopsBitLocker suspended for maintenance and never resumedBitLocker to Go media prompts for recovery key after device policy refreshBrowser shows certificate warning on internal applianceBrowser trust warning appears only on mobile devicesCertificate auto-renewal failed silently on applianceCertificate chain valid on Windows not on macOSCertificate private key present on server but export option unavailableCertificate revocation check slows VPN login from remote regionsCertificates alerts indicate success while end-user experience never changesCertificates configuration survives testing but resets after restart or syncCertificates credential or certificate rotation breaks an existing integrationCertificates feature works in web app but fails in desktop clientCertificates healthy dashboard status masks a failing production workflowCertificates logging shows delivery yet the target workflow never completesCertificates new deployment works for pilot group but not for production rolloutCertificates policy change applies in admin console but target users never receive itCertificates quarantine or protection action triggers but recovery workflow failsCertificates workflow succeeds for one account but fails for shared or delegated accessCloud backup seed completes but daily incrementals resend full data setCloud backup throttled by ISP fair use policyCode signing certificate installed but build agent cannot use itCode signing certificate installed but signing pipeline cannot locate thumbprintConditional Access alerts indicate success while end-user experience never changesConditional Access blocks service account unexpectedlyConditional Access configuration survives testing but resets after restart or syncConditional Access connector health looks normal but data stops syncingConditional Access credential or certificate rotation breaks an existing integrationConditional Access feature works in web app but fails in desktop clientConditional Access healthy dashboard status masks a failing production workflowConditional Access logging shows delivery yet the target workflow never completesConditional Access new deployment works for pilot group but not for production rolloutConditional Access policy change applies in admin console but target users never receive itConditional Access policy exception fixes one case but similar workflows still failConditional Access quarantine or protection action triggers but recovery workflow failsConditional Access report-only logs differ from real enforcement outcome

Restored file permissions differ from source after cross-platform recovery

Submitted by Anonymous (not verified) on

Field Summary

Restored file permissions differ from source after cross-platform recovery is a Backups & Recovery ticket where the visible symptom can be misleading. Server and directory tickets need service state, event logs, DNS, authentication, replication, permissions, storage, and backup context before disruptive work. Reboots can hide evidence and create wider impact. Verify last good backup, repository health, and a safe restore target before declaring recovery available.

Backup notifications arrive, but failure subject lines always show success

Submitted by Anonymous (not verified) on

Field Summary

Backup notifications arrive, but failure subject lines always show success is a Backups & Recovery ticket where the visible symptom can be misleading. Server and directory tickets need service state, event logs, DNS, authentication, replication, permissions, storage, and backup context before disruptive work. Reboots can hide evidence and create wider impact. Verify last good backup, repository health, and a safe restore target before declaring recovery available.

Database backup chain intact until one copy job resets retention unexpectedly

Submitted by Anonymous (not verified) on

Field Summary

Database backup chain intact until one copy job resets retention unexpectedly is a Backups & Recovery ticket where the visible symptom can be misleading. Server and directory tickets need service state, event logs, DNS, authentication, replication, permissions, storage, and backup context before disruptive work. Reboots can hide evidence and create wider impact. Verify last good backup, repository health, and a safe restore target before declaring recovery available.

Recovery test VM isolated correctly but restored DNS records leak into production

Submitted by Anonymous (not verified) on

Field Summary

Recovery test VM isolated correctly but restored DNS records leak into production is a Backups & Recovery ticket where the visible symptom can be misleading. Server and directory tickets need service state, event logs, DNS, authentication, replication, permissions, storage, and backup context before disruptive work. Reboots can hide evidence and create wider impact. Test by IP and by name so DNS is not confused with raw connectivity.

Granular mailbox restore starts but item-level search returns no results

Submitted by Anonymous (not verified) on

Field Summary

Granular mailbox restore starts but item-level search returns no results is a Backups & Recovery ticket where the visible symptom can be misleading. Server and directory tickets need service state, event logs, DNS, authentication, replication, permissions, storage, and backup context before disruptive work. Reboots can hide evidence and create wider impact. Verify last good backup, repository health, and a safe restore target before declaring recovery available.

Backup repository free space looks healthy while synthetic full job still fails

Submitted by Anonymous (not verified) on

Field Summary

Backup repository free space looks healthy while synthetic full job still fails is a Backups & Recovery ticket where the visible symptom can be misleading. Server and directory tickets need service state, event logs, DNS, authentication, replication, permissions, storage, and backup context before disruptive work. Reboots can hide evidence and create wider impact. Verify last good backup, repository health, and a safe restore target before declaring recovery available.

Cloud backup seed completes but daily incrementals resend full data set

Submitted by Anonymous (not verified) on

Field Summary

Cloud backup seed completes but daily incrementals resend full data set is a Backups & Recovery ticket where the visible symptom can be misleading. Server and directory tickets need service state, event logs, DNS, authentication, replication, permissions, storage, and backup context before disruptive work. Reboots can hide evidence and create wider impact. Verify last good backup, repository health, and a safe restore target before declaring recovery available.

Bare-metal recovery media boots on BIOS hardware but not UEFI replacement

Submitted by Anonymous (not verified) on

Field Summary

Bare-metal recovery media boots on BIOS hardware but not UEFI replacement is a Backups & Recovery ticket where the visible symptom can be misleading. Server and directory tickets need service state, event logs, DNS, authentication, replication, permissions, storage, and backup context before disruptive work. Reboots can hide evidence and create wider impact. The fastest path is to identify which layer changed and prove it with logs or a repeatable test.

Immutable backup copy created but restore portal cannot browse file versions

Submitted by Anonymous (not verified) on

Field Summary

Immutable backup copy created but restore portal cannot browse file versions is a Backups & Recovery ticket where the visible symptom can be misleading. Server and directory tickets need service state, event logs, DNS, authentication, replication, permissions, storage, and backup context before disruptive work. Reboots can hide evidence and create wider impact. Verify last good backup, repository health, and a safe restore target before declaring recovery available.

Backup job completes with warnings because application log truncation skipped

Submitted by Anonymous (not verified) on

Field Summary

Backup job completes with warnings because application log truncation skipped is a Backups & Recovery ticket where the visible symptom can be misleading. Server and directory tickets need service state, event logs, DNS, authentication, replication, permissions, storage, and backup context before disruptive work. Reboots can hide evidence and create wider impact. Verify last good backup, repository health, and a safe restore target before declaring recovery available.

Subscribe to Security & Continuity