FEATURE_UPDATE_REQUIRED, QUALITY_UPDATE_REQUIRED, or preview remediation when configured.
2
UNKNOWN_LOCAL_RELEASE, CHECK_INCOMPLETE, or policy/source problem.
3
ABOVE_BROAD_TARGET_OR_SPECIAL_RELEASE.
10
CLI argument error.
RMM Defaults
Setting
Recommendation
Source mode
Use default public signed policy URL.
WUA
Keep off for fast compliance checks; enable for diagnostics.
Output
Use JSON or JSON-pretty.
Production gate
Use --strict-production.
Cache
Accept as degraded evidence, not production green in strict mode.
JSON Fields To Watch
Field
Meaning
status
Primary verdict.
candidate_status
Local candidate verdict when strict source gating masks it.
local_scope_status
Out-of-scope candidate for Windows 10/Server in strict degraded paths.
source_status
Remote/cache/bundled/unavailable source state.
is_source_check_complete
Whether source requirements were fully satisfied.
policy_signature_status
Signature trust state.
feed_age_days
Age of live policy feed where available.
Default JSON compacts bulky local Panther/setup log tails and emits omission markers such as content_omitted, content_chars, and content_bytes_utf8. Use --include-raw-local-diagnostics only when troubleshooting needs the raw bounded local log tails. Panther/setup logs are administrator troubleshooting evidence only; they never decide compliance or override the signed public policy verdict. Panther reads use fixed known paths, per-file tail reads, and a deliberately generous global collection guard to keep IO predictable without constraining normal trusted troubleshooting.