On-site IT CheckUp in 10 minutes — the field-tested checklist
The audit you can do standing in front of a server cabinet without a laptop. Thirty questions, four categories, photo-able findings — what we ask, in what order, and why.
The on-site CheckUp is the most under-appreciated 10 minutes of any MSP-to-customer engagement. It’s where a quote stops being guesswork and starts being a document the customer can sign without flinching. We run one before every fixed-price proposal, and we built MSPercury’s CheckUp wizard around the version that works on a phone in front of a server cabinet.
This post is the checklist. Thirty questions, four categories, ordered the way we actually walk through a building.
Before you start
You need three numbers from the customer up front. Everything else falls out of them:
- Workstations — how many people sit at a screen. Includes laptops.
- Servers — physical and virtual, on-prem and colo. Excludes hosted M365.
- Users — distinct human accounts that need authenticating. Often differs from workstations (shared roles, frontline staff).
Walk through with the customer’s lead IT contact and write the counts down before you go further. The quote engine multiplies these out later (per-workstation × RMM, per-server × backup, per-user × helpdesk), and any per-OS subdivisions (Windows / macOS / Linux / ChromeOS) you collect now save you a renegotiation in six months.
Category 1 — Identity & access (≈ 2 min)
The five questions that almost always surface a finding:
- Is MFA enforced for every admin account? “We have it available” doesn’t count.
- Is there a shared admin@ mailbox or a shared Windows admin account? Either is a finding.
- When did the last password rotation happen on shared service accounts? If the answer involves “I’d have to check,” log it.
- Is there a documented offboarding process? Ask for a recent example.
- Are there local admin rights on workstations? If yes — for everyone, or named exceptions?
Photograph the local admin policy in Group Policy / Intune if accessible. The screenshot is more persuasive in a quote than a sentence.
Category 2 — Endpoint & patching (≈ 2 min)
- What RMM is in use? None / unknown both count as no.
- Is patching automatic or manual? Automatic without rollback testing is also a finding.
- Are there workstations still on Windows 10 past the end-of-support date?
- Is there an EDR product or just plain AV? “Defender, but unmanaged” is its own bucket.
- Are admin tools (PsExec, PowerShell remoting) restricted?
Category 3 — Backup & continuity (≈ 2 min)
This is the section where most quotes find their justification.
- What’s backed up — files, databases, M365, full system images?
- What’s the restore frequency you’ve actually tested? Untested backups are findings, full stop.
- Where are backups stored — on-prem, off-site, immutable, all three?
- Is there a disaster-recovery runbook?
- What’s the documented RTO / RPO?
The 3-2-1 rule (3 copies, 2 media, 1 off-site) is the bar. Anything less is a finding.
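As an added example (not part of the original post and not MSPercury code), the Category 3 answers can be turned into findings mechanically: the sketch below checks a backup inventory against the 3-2-1 bar and flags copies with no tested restore. The `BackupCopy` fields, the function name, counting the production data as copy 1 of 3, and the 365-day staleness window are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    medium: str                               # e.g. "disk", "tape", "object-storage"
    offsite: bool
    last_restore_test: Optional[date] = None  # None: a restore was never tested


def backup_findings(production_medium: str, backups: List[BackupCopy],
                    today: date, max_test_age_days: int = 365) -> List[str]:
    """Return Category 3 findings; an empty list means the bar is met.

    Assumptions of this example: the production data counts as copy 1 of 3,
    and a restore test older than max_test_age_days counts as untested.
    """
    findings = []
    copies = 1 + len(backups)
    if copies < 3:
        findings.append(f"3-2-1: {copies} of 3 copies")
    media = {production_medium} | {b.medium for b in backups}
    if len(media) < 2:
        findings.append(f"3-2-1: {len(media)} of 2 media")
    if not any(b.offsite for b in backups):
        findings.append("3-2-1: no off-site copy")
    cutoff = today - timedelta(days=max_test_age_days)
    for b in backups:
        if b.last_restore_test is None or b.last_restore_test < cutoff:
            findings.append(f"untested restore: {b.name}")
    return findings


# Constructed sample inventories, not data from a real site.
TODAY = date(2025, 6, 1)
OFFICE_A = [
    BackupCopy("nas-nightly", "disk", offsite=False),
    BackupCopy("cloud-weekly", "object-storage", offsite=True,
               last_restore_test=date(2025, 3, 14)),
]
OFFICE_B = [BackupCopy("usb-drive", "disk", offsite=False)]

if __name__ == "__main__":
    for label, inv in (("A", OFFICE_A), ("B", OFFICE_B)):
        print(label, backup_findings("disk", inv, TODAY) or "no findings")
```

Office A meets 3-2-1 on paper and still produces a finding, because its on-site NAS copy has never been restored.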
Category 4 — Network, compliance, infrastructure (≈ 2 min)
- Is the firewall a managed appliance with a service contract?
- Is Wi-Fi segmented (guest / staff / IoT)?
- Are switches managed and monitored?
- Is there a documented network diagram? Photograph the rack if one isn’t already drawn — it’s the diagram.
- Any IoT / OT devices on the corporate VLAN?
Then the compliance pivot:
- DSGVO / GDPR — is there an Art. 30 record of processing?
- Is there a signed AVV / DPA with each subprocessor?
- Has a data breach occurred in the last 24 months? If yes — was it reported within 72 h?
- Where’s the German Telematikinfrastruktur attached, if applicable? (KIM, ePA-Anbindung — relevant for medical practices.)
- Is the fax line still in use for sensitive data?
Wrap-up (≈ 1-2 min)
- Any infrastructure the customer is unhappy with? This question alone often surfaces 2-3 findings.
- Anything they tried before and gave up on?
- Who pays the IT bill? Ops, founders, finance — the answer determines who you cc on the quote.
- Decision timeline?
- Photos of: server cabinet, network rack, primary user workstation, exterior of the IT closet door.
That last question is the one most MSPs skip. Don’t. Photos in the CheckUp report are what turn a 4-page proposal from “looks reasonable” into “we have to do this.” Every finding in MSPercury’s wizard takes a photo attachment for exactly that reason.
What you do with the answers
Each finding in MSPercury links to a service in your catalog. Once you’ve recorded the 30 answers, the quote builds itself: backup-untested → backup service line item, MFA-not-enforced → identity-management line item, end-of-life Windows → workstation-refresh service. The engine multiplies per-workstation / per-server / per-user automatically; you tweak quantities, apply a package template, send the PDF.
The whole loop — sit-down, audit, quote, sign — fits in one afternoon. That’s the bar we hold the wizard to. Anything that doesn’t is a feature gap and we want to hear about it.
Start a free workspace — the wizard is on every plan because the only plan is free.