[GH-ISSUE #1337] Task scheduled can be manually removed from endpoint, trmm skips the task silently without warning. #2777

New issue

Open

opened 2026-03-14 05:26:57 +03:00 by kerem · 0 comments

kerem commented

2026-03-14 05:26:57 +03:00

Owner

Originally created by @Madeiner on GitHub (Oct 28, 2022).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/1337

Server Info (please complete the following information):

OS: Debian 11.5
Browser: Chrome
RMM Version (as shown in top left of web UI): 0.15.1

Installation Method:

Standard
Docker

Agent Info (please complete the following information):

Agent version (as shown in the 'Summary' tab of the agent from web UI): 2.4.0
Agent OS: [e.g. Win 10 v2004, Server 2012 R2] Win 10

Describe the bug
A TRMM task that is manually edited, removed or paused from the endpoint itself becomes unsynced on trmm, but TRMM does not report anything and thinks all is fine.

To Reproduce
Steps to reproduce the behavior:

Create a scheduled task on TRMM.
Disable/edit/delete the task in windows scheduler.
Check TRMM. The task stops being executed, but no error is shown. TRMM says task is "synced with agent" in "Tasks" UI, but this is not true. TRMM reports last success state, with a date that is fixed (correctly) at last execution time. Note you can still manually execute the task, which will work even if the task is disabled in windows scheduler.

Expected behavior
TRMM should, in order of importance:

recognize that the task has been missed while the agent was online and warn the user of that, to allow for manual fix. I believe this is of critical importance.
verify that the existing scheduled task has not been edited manually on the endpoint.
have a mechanism to automatically recreate the missed or manually edited task.

Additional context
This can be also considered a security issue. If a malicious actor (or an administrator on the client machine) changes, removes or edits the task, TRMM will not report on it. A malware could delete tasks in windows scheduler (especially since they have a tacticalrmm identifier), and TRMM will not report anything wrong on any checks, including antivirus checks. They will silently stop working.

Originally created by @Madeiner on GitHub (Oct 28, 2022). Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/1337 **Server Info (please complete the following information):** - OS: Debian 11.5 - Browser: Chrome - RMM Version (as shown in top left of web UI): 0.15.1 **Installation Method:** - [X] Standard - [ ] Docker **Agent Info (please complete the following information):** - Agent version (as shown in the 'Summary' tab of the agent from web UI): 2.4.0 - Agent OS: [e.g. Win 10 v2004, Server 2012 R2] Win 10 **Describe the bug** A TRMM task that is manually edited, removed or paused from the endpoint itself becomes unsynced on trmm, but TRMM does not report anything and thinks all is fine. **To Reproduce** Steps to reproduce the behavior: 1. Create a scheduled task on TRMM. 2. Disable/edit/delete the task in windows scheduler. 3. Check TRMM. The task stops being executed, but no error is shown. TRMM says task is "synced with agent" in "Tasks" UI, but this is not true. TRMM reports last success state, with a date that is fixed (correctly) at last execution time. Note you can still manually execute the task, which will work even if the task is disabled in windows scheduler. **Expected behavior** TRMM should, in order of importance: - recognize that the task has been missed while the agent was online and warn the user of that, to allow for manual fix. **I believe this is of critical importance.** - verify that the existing scheduled task has not been edited manually on the endpoint. - have a mechanism to automatically recreate the missed or manually edited task. **Additional context** This can be also considered a security issue. If a malicious actor (or an administrator on the client machine) changes, removes or edits the task, TRMM will not report on it. A malware could delete tasks in windows scheduler (especially since they have a tacticalrmm identifier), and TRMM will not report anything wrong on any checks, including antivirus checks. They will silently stop working.