Enhanced Audit Status Message Queries

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

First published on TECHNET on Mar 18, 2019

Authored by Brandon McMillan


Hello everyone!  My name is Brandon McMillan and I am a System Center Configuration Manager (ConfigMgr) PFE.  I have found that Status Message Queries are one of the more underappreciated features of ConfigMgr.  The information you can gather with a quick and easy query can be very powerful when performing root cause analysis of an issue.  I hope this blog will provide you with additional Status Message Queries and show how you can quickly export and import some examples into your environment.

First let’s break down the different Status Message Types:

  ID   | Status Message Type | Description
  -----|---------------------|------------
  256  | Milestones          | Use this type at the end of an operation to indicate the operation's success or failure. If the operation was successful, use the Milestone type in an informational message. If the operation failed, use a milestone message type in a warning or error message.
  512  | Details             | Use this type to illustrate the steps in a complex operation. Often, detail messages are meaningful only within the context of the sequence of status messages representing a complex operation.
  768  | Audits              | Use this type for informational messages that provide a trail of actions taken by the Configuration Manager administrator. An audit message also depicts an operation that results in objects being added, modified, or deleted. You do not need to create audit messages; the provider automatically generates these messages for you.
  1024 | NT Events           |

Reference: SMS_StatusMessage WMI Class

Here is a quick overview of Status Message Queries:

  Status Message Queries

  Use this node to query status messages for specific events and related details. You can use status message queries to find the status messages related to specific events.

  You can often use status message queries to identify when a specific component, operation, or Configuration Manager object was modified, and the account that was used to make the modification. For example, you can run the built-in query for Collections Created, Modified, or Deleted to identify when a specific collection was created, and the user account used to create the collection.

Reference: Use Alerts and the Status System

Enumerating Status Message Strings


How can we obtain a full listing of Status Message IDs?  If you are unsure which Status Message IDs to use to create a specific Status Message Query, you can export all the Status Messages ConfigMgr provides by using a PowerShell script from an article by SaudM.  The script and an example of an Excel output from a ConfigMgr 2012 R2 environment can be found here: Enumerate Status Messages.

Here’s an example of how you can leverage the script and export the Status Messages based on type (Client, Provider, or Server Messages). Replace <InstallDrive> with the drive ConfigMgr is installed on:

Client Messages

.\Export-StatusMessages.ps1 -stringPathToDLL "<InstallDrive>:\Program Files\Microsoft Configuration Manager\bin\X64\system32\smsmsgs\climsgs.dll" -stringOutputCSV ExportClientMsgs.csv

Provider Messages

.\Export-StatusMessages.ps1 -stringPathToDLL "<InstallDrive>:\Program Files\Microsoft Configuration Manager\bin\X64\system32\smsmsgs\provmsgs.dll" -stringOutputCSV ExportProviderMsgs.csv

Server Messages

.\Export-StatusMessages.ps1 -stringPathToDLL "<InstallDrive>:\Program Files\Microsoft Configuration Manager\bin\X64\system32\smsmsgs\srvmsgs.dll" -stringOutputCSV ExportServerMsgs.csv

Default Status Message Queries


We provide many out-of-the-box queries that are delivered with the product; however, there are many Message IDs that you can leverage to build your own specific queries for your environment. Some of the default Status Message Queries you may already be familiar with are below:

  1. All Audit Status Messages for a Specific User
    • Message Type: 768
    • Message Attribute ID: 403

  2. All Audit Status Messages from a Specific Site
    • Message Type: 768

  3. Boundaries Created, Modified, or Deleted
    • Message IDs: 40600-40602

  4. Client Component Configuration Changes
    • Message IDs: 30042-30047

  5. Collections Created, Modified, or Deleted
    • Message IDs: 30015-30017

  6. Collection Member Resources Manually Deleted
    • Message IDs: 30066-30067

  7. Deployments Created, Modified, or Deleted
    • Message IDs: 30006-30008

  8. Packages Created, Modified, or Deleted
    • Includes Package Conversion Status
    • Message IDs: 30000-30002

  9. Programs Created, Modified, or Deleted
    • Includes Package Conversion Status
    • Message IDs: 30003-30005

  10. Queries Created, Modified, or Deleted
    • Message IDs: 30063-30065

  11. Remote Control Activity at a Specific Site, User, or System (4 Total)
    • Message IDs: 30069-30087

  12. Security Scopes Created, Modified, Deleted, or Imported
    • Message IDs: 31200-31202 / 31220-31222 / 31207

  13. Server Component Configuration Changes
    • Message IDs: 30033-30035 / 30039-30041
    • Site Control Changes

  14. Site Addresses Created, Modified, or Deleted
    • Message IDs: 30018-30020




Enhanced Audit Status Message Queries


Now what if you need something more specific?  The following list may help you quickly determine what specific activities are occurring within your environment.  A direct link to the TechNet Gallery copy of the exported Status Message Queries is located here: Enhanced Audit Status Message Queries.  This was last updated from a ConfigMgr version 1810 environment.

  1. Audit - All Alert Actions
    • Includes DRS Alerts
    • Message IDs: 30240-30244

  2. Audit - All Application Actions
    • Message IDs: 30226-30228 / 49003-49005 / 52300

  3. Audit - All Application Catalog Actions
    • Message IDs: 30800-30805 / 50000-50004

  4. Audit - All Asset Intelligence Actions
    • Message IDs: 30208-30209 / 31001

  5. Audit - All Azure and Co-Management Actions
    • Message IDs: 53001-53005 / 53401-53403 / 53501-53503

  6. Audit - All Boundary Group Actions
    • Message IDs: 40500-40505

  7. Audit - All Client and Collection Miscellaneous Actions
    • Includes Update Membership, Device Imports, Clear PXE Deployments
    • Message IDs: 30104 / 30213 / 42021

  8. Audit - All Client Configuration Requests (CCRs)
    • Client Push actions.
    • Message IDs: 30106-30111

  9. Audit - All Client Operations Actions
    • Includes “Right Click” actions.
    • Message IDs: 40800-40804

  10. Audit - All Client Settings Actions
    • Includes Antimalware Policies.
    • Message IDs: 40300-40305

  11. Audit - All CMPivot and Script Actions
    • Message IDs: 40805-40806 / 52500-52505

  12. Audit - All Conditional Access Actions
    • Includes Exchange Online, SharePoint Online, and On-Prem Exchange actions.
    • Message IDs: 30340-30341

  13. Audit - All ConfigMgr Actions in Console
    • Checks components: Microsoft.ConfigurationManagement.exe / AdminUI.PS.Provider.dll

  14. Audit - All Configuration Baseline Actions
    • Message IDs: 30168 / 30193-30198

  15. Audit - All Configuration Items
    • Configuration Items Created, Modified, and Deleted. Includes Applications, Operating Systems, Drivers, Compliance Settings, and Endpoint Protection actions.
      • Compliance Settings
        • Configuration Items, Configuration Baselines, User Data and Profiles, Remote Connection Profiles, Compliance Policies, Company and Resource Access: Certificate Profiles, Email Profiles, VPN Profiles, Wi-Fi Profiles, Windows Hello for Business Profiles, Terms and Conditions, Microsoft Edge Browser Profiles, Windows 10 Edition Upgrade
      • Endpoint Protection
        • Windows Defender Firewall Policies, Windows Defender ATP Policies, Windows Defender Exploit Guard, Windows Defender Application Guard, Windows Defender Application Control
      • Message IDs: 30152-30167

  16. Audit - All Content Library Actions
    • Includes Content Library changes
    • Message IDs: 30080 / 30189-30191

  17. Audit - All Distribution Point Actions
    • Message IDs: 30009-30011 / 30068 / 30109 / 30125 / 30500-30503 / 40409-40410

  18. Audit - All Distribution Point Changes
    • Message IDs: 40400-40409 / 40506

  19. Audit - All Folder Actions
    • Message IDs: 30113-30117

  20. Audit - All Messages

  21. Audit - All Messages (Specified Message ID)

  22. Audit - All Messages (Specified Timeline)

  23. Audit - All Migration Actions
    • Message IDs: 30900-30907

  24. Audit - All Mobile Device Management Actions
    • Message IDs: 40200-40206 / 45000-45004 / 47000-47002 / 48000-48003 / 49003-49005 / 51000-51006 / 52000-52020

  25. Audit - All Phased Deployment Actions
    • Message IDs: 53601-53603

  26. Audit - All Query Actions
    • Message IDs: 30063-30065 / 30302-30303

  27. Audit - All Report Actions
    • Message IDs: 30091-30093 / 31000-31002

  28. Audit - All Search Folder Actions
    • Message IDs: 30700-30702

  29. Audit - All Secondary Site Actions
    • Message IDs: 30012-30014 / 30021-30023

  30. Audit - All Site Server Boundary Actions
    • Message IDs: 30054-30056

  31. Audit - All Site Server Definition Actions
    • Message IDs: 30030-30032

  32. Audit - All Site Server Property Actions
    • Message IDs: 30024-30029

  33. Audit - All Site Server Role Actions
    • Message IDs: 30036-30038

  34. Audit - All Site Server Security Actions
    • Message IDs: 30057-30062 / 30210-30212 / 31200-31242 / 31203-31249

  35. Audit - All Site Server SQL Actions
    • Includes Site Maintenance Tasks
    • Message IDs: 30048-30053

  36. Audit - All Software Metering Rules Actions
    • Message IDs: 30094-30095 / 30105

  37. Audit - All Software Update Actions
    • Message IDs: 30112 / 30118-30124 / 30135-30137 / 30172 / 30183-30188 / 30196-30198 / 30219-30221 / 30229-30231 / 30506-30507 / 42031-42033 / 4900-49002

  38. Audit - All User Object Actions
    • Message IDs: 30600-30606




Script to Import Status Message Queries


param(
    [Parameter(Mandatory=$True)]
    [string]$XMLPath
)

# Imports ConfigMgr Module
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"

# Get SiteCode and switch to the site drive (the CM cmdlets require it)
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-Location "$($SiteCode.Name):"

# Imports XML (-ErrorAction Stop so a bad path becomes a terminating error the Catch block sees)
Try {
    $CMStatusMsgs = Import-Clixml $XMLPath -ErrorAction Stop
}
Catch {
    Write-Host -ForegroundColor Red "Invalid file path or file type.  Please try again."
    Exit
}

# Create each exported query; a query whose name already exists fails and is reported
foreach ($Query in $CMStatusMsgs) {
    Try {
        $StatusQuery = @{
            Name = $Query.Name
            Expression = $Query.Expression
            Comments = $Query.Comments
        }
        New-CMStatusMessageQuery @StatusQuery -ErrorAction Stop
        Write-Host -ForegroundColor Green $Query.Name "was created successfully."
    }
    Catch {
        Write-Host -ForegroundColor Red $Query.Name "was not created (it may already exist):" $_.Exception.Message
    }
}
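If you would rather build one of the "Audit - ..." queries listed above yourself than import it, the helper below (an added example, not the author's script or Microsoft's code) turns the "Message IDs: 30063-30065 / 30302-30303" notation used in this post into a WQL expression and creates the query with New-CMStatusMessageQuery. The expression follows the join shape of the built-in audit queries (SMS_StatusMessage joined to SMS_StatMsgInsStrings and SMS_StatMsgAttributes, filtered on MessageType 768); the function name and the -Preview switch are my own, and it assumes the ConfigMgr module is loaded and the current location is the site drive, as in the import script.

```powershell
# Added example: create an audit Status Message Query from this post's
# "Message IDs" notation. Assumes the ConfigurationManager module is loaded
# and the current location is the CMSITE drive. Function name is hypothetical.
function New-AuditStatusMessageQuery {
    param(
        [Parameter(Mandatory=$true)] [string]$Name,
        [Parameter(Mandatory=$true)] [string]$MessageIds,  # e.g. "30063-30065 / 30302-30303"
        [switch]$Preview                                     # return the WQL instead of creating the query
    )

    # Turn each "a-b" range or single "n" token into a MessageID predicate
    $predicates = foreach ($token in ($MessageIds -split '\s*/\s*')) {
        if ($token -match '^(\d+)-(\d+)$') {
            "(SMS_StatusMessage.MessageID >= $($Matches[1]) and SMS_StatusMessage.MessageID <= $($Matches[2]))"
        } elseif ($token -match '^\d+$') {
            "(SMS_StatusMessage.MessageID = $token)"
        } else {
            throw "Unrecognised Message ID token: '$token'"
        }
    }

    # Same join shape as the built-in audit queries; MessageType 768 = Audits.
    # Attribute ID 403 (the acting user) is returned through SMS_StatMsgAttributes.
    $expression = @"
select SMS_StatusMessage.*, SMS_StatMsgInsStrings.*, SMS_StatMsgAttributes.*, SMS_StatMsgAttributes.AttributeTime
from SMS_StatusMessage
left join SMS_StatMsgInsStrings on SMS_StatMsgInsStrings.RecordID = SMS_StatusMessage.RecordID
left join SMS_StatMsgAttributes on SMS_StatMsgAttributes.RecordID = SMS_StatusMessage.RecordID
where SMS_StatusMessage.MessageType = 768
  and ($($predicates -join ' or '))
order by SMS_StatMsgAttributes.AttributeTime desc
"@
    # Collapse to a single line, the form the console stores queries in
    $expression = ($expression -replace '\s+', ' ').Trim()

    if ($Preview) { return $expression }
    New-CMStatusMessageQuery -Name $Name -Expression $expression
}

# Usage: entry 26 from the Enhanced Audit list above, previewed rather than created
New-AuditStatusMessageQuery -Name 'Audit - All Query Actions' -MessageIds '30063-30065 / 30302-30303' -Preview
```

Drop -Preview to create the query; it then appears under Monitoring > System Status > Status Message Queries like the imported ones.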

Export Status Message Queries to XML


What if you wish to export your own Status Message Queries to another environment?  You can leverage the ConfigMgr PowerShell cmdlets Get-CMStatusMessageQuery and Export-Clixml.

NOTE: Requires the ConfigMgr PowerShell Module. Replace <path> with the folder you want to export to.

Export all Queries

  Get-CMStatusMessageQuery | Export-Clixml <path>\StatusMsgQueries.xml

Export only Queries beginning with the name “Audit”

  Get-CMStatusMessageQuery -Name Audit* | Export-Clixml <path>\Audit_StatusMsgQueries.xml

References: Get-CMStatusMessageQuery, Export-Clixml

I hope this information will help you in becoming a true detective within your environment.  Very special thanks to SaudM for the “Enumerating Status Message Strings” script and to Kevin Kasalonis for his assistance with the content of this blog.

Thank you again for reading!

Brandon McMillan, Premier Field Engineer

Disclaimer: The information on this site is provided “AS IS” with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of any included script samples is subject to the terms specified in the Terms of Use.
