This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.
First published on TECHNET on Mar 18, 2019Authored by Brandon McMillan
Hello everyone! My name is Brandon McMillan and I am a System Center Configuration Manager (ConfigMgr) PFE. I have found that Status Message Queries can be one of the more underappreciated features of ConfigMgr. The information you can gather in a quick and easy query can be very powerful in helping you determine the root cause analysis of an issue. I hope this blog will provide you with additional Status Message Queries and how you can quickly export/import some examples into your environment.
First let’s break down the different Status Message Types :
ID |
Status Message Type |
Description |
256 |
Milestones |
Use this type at the end of an operation to indicate the operation's success or failure. If the operation was successful, use the Milestone type in an informational message. If the operation failed, use a milestone message type in a warning or error message. |
512 |
Details |
Use this type to illustrate the steps in a complex operation. Often, detail messages are meaningful only within the context of the sequence of status messages representing a complex operation. |
768 |
Audits |
Use this type for informational messages that provides a trail of actions taken by the Configuration Manager administrator. An audit message also depicts an operation that results in objects being added, modified, or deleted. You do not need to create audit messages; the provider automatically generates these messages for you. |
1024 |
NT Events |
Reference: SMS_StatusMessage WMI Class
Here is a quick overview of Status Message Queries :
Status Message Queries |
Use this node to query status messages for specific events and related details. You can use status message queries to find the status messages related to specific events.You can often use status message queries to identify when a specific component, operation, or Configuration Manager object was modified, and the account that was used to make the modification. For example, you can run the built-in query for Collections Created, Modified, or Deleted to identify when a specific collection was created, and the user account used to create the collection. |
Reference: Use Alerts and the Status System
Enumerating Status Message Strings
How can we obtain a full listing of Status Message ID’s? If you are unsure what Status Message ID’s to use to create a specific Status Message Query, you can export all the Status Messages ConfigMgr provides by using a PowerShell script from an article by SaudM . The script and an example of an excel output from a ConfigMgr 2012 R2 environment can be found here: Enumerate Status Messages .
Here’s an example of how you can leverage the script and export the Status Messages based on type: Client, Provider, or Server Messages
Client Messages
.\Export-StatusMessages.ps1 -stringPathToDLL "<InstallDrive>:\Program Files\Microsoft Configuration Manager\bin\X64\system32\smsmsgs\climsgs.dll" -stringOutputCSV ExportClientMsgs.csv
Provider Messages
.\Export-StatusMessages.ps1 -stringPathToDLL "<InstallDrive>:\Program Files\Microsoft Configuration Manager\bin\X64\system32\smsmsgs\provmsgs.dll" -stringOutputCSV ExportProviderMsgs.csv
Server Messages
.\Export-StatusMessages.ps1 -stringPathToDLL "<InstallDrive>:\Program Files\Microsoft Configuration Manager\bin\X64\system32\smsmsgs\srvmsgs.dll" -stringOutputCSV ExportServerMsgs.csv
Default Status Message Queries
We provide many out of box queries that are delivered with the product; however, there are many Message ID’s that you can leverage which could help you build your own specific queries for your environment. Some of the default Status Message Queries you may already be familiar with are below:
-
All Audit Status Messages for a Specific User
- Message Type: 768
- Message Attribute ID: 403
-
All Audit Status Messages from a Specific Site
- Message Type: 768
-
Boundaries Created, Modified, or Deleted
- Message IDs: 40600-40602
-
Client Component Configuration Changes
- Message IDs: 30042-30047
-
Collections Created, Modified, or Deleted
- Message IDs: 30015-30017
-
Collection Member Resources Manually Deleted
- Message IDs: 30066-30067
-
Deployments Created, Modified, or Deleted
- Message IDs: 30006-30008
-
Packages Created, Modified, or Deleted
- Includes Package Conversion Status
- Message IDs: 30000-30002
-
Programs Created, Modified, or Deleted
- Includes Package Conversion Status
- Message IDs: 30003-30005
-
Queries Created, Modified, or Deleted
- Message IDs: 30063-30065
-
Remote Control Activity at a Specific Site, User, or System (4 Total)
- Message IDs: 30069-30087
-
Security Scopes Created, Modified, Deleted, or Imported
- Message IDs: 31200-31202 / 31220-31222 / 31207
-
Server Component Configuration Changes
- Message IDs: 30033-30035 / 30039-30041
- Site Control Changes
-
Site Addresses Created, Modified, or Deleted
- Message IDs: 30018-30020
Enhanced Audit Status Message Queries
Now what if you need something more specific? The following list may help you quickly determine what specific activities are occurring within your environment. A direct link to TechNet gallery of the exported Status Message Queries is located here: Enhanced Audit Status Message Queries . This was last updated from a ConfigMgr version 1810 environment.
-
Audit - All Alert Actions
- Includes DRS Alerts
- Message IDs: 30240-30244
-
Audit - All Application Actions
- Message IDs: 30226-30228 / 49003-49005 / 52300
-
Audit - All Application Catalog Actions
- Message IDs: 30800-30805 / 50000-50004
-
Audit - All Asset Intelligence Actions
- Message IDs: 30208-30209 / 31001
-
Audit - All Azure and Co-Management Actions
- Message IDs: 53001-53005 / 53401-53403 / 53501-53503
-
Audit - All Boundary Group Actions
- Message IDs: 40500-40505
-
Audit - All Client and Collection Miscellaneous Actions
- Includes Update Membership, Device Imports, Clear PXE Deployments
- Message IDs: 30104 / 30213 / 42021
-
Audit - All Client Configuration Requests (CCRs)
- Client Push actions.
- Message IDs: 30106-30111
-
Audit - All Client Operations Actions
- Includes “Right Click” actions.
- Message IDs: 40800-40804
-
Audit - All Client Settings Actions
- Includes Antimalware Policies.
- Message IDs: 40300-40305
-
Audit - All CMPivot and Script Actions
- Message IDs: 40805-40806 / 52500-52505
-
Audit - All Conditional Access Actions
- Includes Exchange Online, SharePoint Online, and On-Prem Exchange actions.
- Message IDs: 30340-30341
-
Audit - All ConfigMgr Actions in Console
- Checks components: Microsoft.ConfigurationManagement.exe / AdminUI.PS.Provider.dll
-
Audit - All Configuration Baseline Actions
- Message IDs: 30168 / 30193-30198
-
Audit - All Configuration Items
-
Configuration Items Created, Modified, and Deleted. Includes Applications, Operating Systems, Drivers, Compliance Settings, and Endpoint Protection actions.
-
Compliance Settings
- Configuration Items, Configuration Baselines, User Data and Profiles, Remote Connection Profiles, Compliance Policies, Company and Resource Access: Certificate Profiles, Email Profiles, VPN Profiles, Wi-Fi Profiles, Windows Hello for Business Profiles, Terms and Conditions, Microsoft Edge Browser Profiles, Windows 10 Edition Upgrade
-
Endpoint Protection
- Windows Defender Firewall Policies, Windows Defender ATP Policies, Windows Defender Exploit Guard, Windows Defender Application Guard, Windows Defender Application Control
- Message IDs: 30152-30167
-
Compliance Settings
-
Configuration Items Created, Modified, and Deleted. Includes Applications, Operating Systems, Drivers, Compliance Settings, and Endpoint Protection actions.
-
Audit - All Content Library Actions
- Includes Content Library changes
- Message IDs: 30080 / 30189-30191
-
Audit - All Distribution Point Actions
- Message IDs: 30009-30011 / 30068 / 30109 / 30125 / 30500-30503 / 40409-40410
- Audit - All Distribution Point Changes
-
- Message IDs: 40400-40409 / 40506
-
Audit - All Folder Actions
- Message IDs: 30113-30117
- Audit - All Messages
- Audit - All Messages (Specified Message ID)
- Audit - All Messages (Specified Timeline)
-
Audit - All Migration Actions
- Message IDs: 30900-30907
-
Audit - All Mobile Device Management Actions
- Message IDs: 40200-40206 / 45000-45004 / 47000-47002 / 48000-48003 / 49003-49005 / 51000-51006 / 52000-52020
-
Audit - All Phased Deployment Actions
- Message IDs: 53601-53603
-
Audit - All Query Actions
- Message IDs: 30063-30065 / 30302-30303
-
Audit - All Report Actions
- Message IDs: 30091-30093 / 31000-31002
-
Audit - All Search Folder Actions
- Message IDs: 30700-30702
-
Audit - All Secondary Site Actions
- Message IDs: 30012-30014 / 30021-30023
-
Audit - All Site Server Boundary Actions
- Message IDs: 30054-30056
-
Audit - All Site Server Definition Actions
- Message IDs: 30030-30032
-
Audit - All Site Server Property Actions
- Message IDs: 30024-30029
-
Audit - All Site Server Role Actions
- Message IDs: 30036-30038
-
Audit - All Site Server Security Actions
- Message IDs: 30057-30062 / 30210-30212 / 31200-31242 / 31203-31249
-
Audit - All Site Server SQL Actions
- Includes Site Maintenance Tasks
- Message IDs: 30048-30053
-
Audit - All Software Metering Rules Actions
- Message IDs: 30094-30095 / 30105
-
Audit - All Software Update Actions
- Message IDs: 30112 / 30118-30124 / 30135-30137 / 30172 / 30183-30188 / 30196-30198 / 30219-30221 / 30229-30231 / 30506-30507 / 42031-42033 / 4900-49002
-
Audit - All User Object Actions
- Message IDs: 30600-30606
Script to Import Status Message Queries
param(
[Parameter(Mandatory=$True)]
[string]$XMLPath
)
# Imports ConfigMgr Module
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
# Get SiteCode
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-location $SiteCode":"
# Imports XML
Try {
$CMStatusMsgs = Import-Clixml $XMLPath
}
Catch {
Write-Host -ForegroundColor Red "Invalid file path or file type. Please try again."
Exit
}
foreach ($Query in $CMStatusMsgs) {
Try {
$StatusQuery = @{
Name = $Query.Name
Expression = $Query.Expression
Comments = $Query.Comments
}
New-CMStatusMessageQuery @StatusQuery
Write-Host -ForegroundColor Green $Query.Name "was created successfully."
}
Catch {
Write-Host -ForegroundColor Red $Query.Name "already exists."
}
}
Export Status Message Queries to XML
What if you wish to export your own Status Message Queries to another environment? You can leverage the ConfigMgr PowerShell cmdlets: Get-CMStatusMessageQuery and Export-Clixml .
NOTE: Requires the ConfigMgr PowerShell Module
Export all Queries
Get-CMStatusMessageQuery | Export-Clixml <path>\StatusMsgQueries.xml
Export only Queries beginning with the name “Audit”
Get-CMStatusMessageQuery -Name Audit* | Export-Clixml <path>\Audit_StatusMsgQueries.xml
References: Get-CMStatusMessageQuery, Export-Clixml
I hope this information will help you in becoming a true detective within your environment. Very special thanks for SaudM on the “ Enumerating Status Message Strings ” script along with Kevin Kasalonis on his assistance with the content of this blog.
Thank you again for reading!
Brandon McMillan, Premier Field Engineer
Disclaimer: The information on this site is provided “AS IS” with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of any included script samples are subject to the terms specified in the Terms of Use .