First published on TECHNET on Mar 18, 2019
Authored by Brandon McMillan
Hello everyone! My name is Brandon McMillan and I am a Microsoft Endpoint Configuration Manager (ConfigMgr) CE. I have found that Status Message Queries can be one of the more underappreciated features of ConfigMgr. The information you can gather in a quick and easy query can be very powerful in helping you determine the root cause of an issue. I hope this blog will provide you with additional Status Message Queries and show how you can quickly export/import some examples into your environment.
If you would like to go directly to the GitHub resource to import custom status message queries, please go here: GitHub - EnhancedAuditStatusMsgQueries. For more information on status messages and how they can help you with discovering activities in your environment, please continue below.
Last Updated: April 14th, 2021 - A fellow CE, Daniel Lovely, provided feedback that the EnumerateStatusMessages link from TechNet Gallery is no longer active since TechNet Gallery has been retired. I uploaded a copy of the original script to extract status messages from SaudM should you be interested in using it.
First let’s break down the different Status Message Types:
ID | Status Message Type | Description |
256 | Milestones | Use this type at the end of an operation to indicate the operation's success or failure. If the operation was successful, use the Milestone type in an informational message. If the operation failed, use a milestone message type in a warning or error message. |
512 | Details | Use this type to illustrate the steps in a complex operation. Often, detail messages are meaningful only within the context of the sequence of status messages representing a complex operation. |
768 | Audits | Use this type for informational messages that provide a trail of actions taken by the Configuration Manager administrator. An audit message also depicts an operation that results in objects being added, modified, or deleted. You do not need to create audit messages; the provider automatically generates these messages for you. |
1024 | NT Events | |
Reference: SMS_StatusMessage WMI Class
Here is a quick overview of Status Message Queries:
Status Message Queries | Use this node to query status messages for specific events and related details. You can use status message queries to find the status messages related to specific events. You can often use status message queries to identify when a specific component, operation, or Configuration Manager object was modified, and the account that was used to make the modification. For example, you can run the built-in query for Collections Created, Modified, or Deleted to identify when a specific collection was created, and the user account used to create the collection. |
Reference: Use Alerts and the Status System
Enumerating Status Message Strings
How can we obtain a full listing of Status Message IDs? If you are unsure which Status Message IDs to use to create a specific Status Message Query, you can export all the Status Messages ConfigMgr provides by using a PowerShell script from an article by SaudM. The script originally was hosted on TechNet Gallery and currently I'm unsure if/where it may have been migrated to, if at all. I have a previous copy of the script which can be found here: EnumerateStatusMessages.
Here’s an example of how you can leverage the script and export the Status Messages based on type: Client, Provider, or Server Messages.
Client Messages
.\Export-StatusMessages.ps1 -stringPathToDLL "<InstallDrive>:\Program Files\Microsoft Configuration Manager\bin\X64\system32\smsmsgs\climsgs.dll" -stringOutputCSV ExportClientMsgs.csv
Provider Messages
.\Export-StatusMessages.ps1 -stringPathToDLL "<InstallDrive>:\Program Files\Microsoft Configuration Manager\bin\X64\system32\smsmsgs\provmsgs.dll" -stringOutputCSV ExportProviderMsgs.csv
Server Messages
.\Export-StatusMessages.ps1 -stringPathToDLL "<InstallDrive>:\Program Files\Microsoft Configuration Manager\bin\X64\system32\smsmsgs\srvmsgs.dll" -stringOutputCSV ExportServerMsgs.csv
Default Status Message Queries
We provide many out-of-box queries with the product; however, there are many Message IDs that you can leverage to build your own specific queries for your environment. Some of the default Status Message Queries you may already be familiar with are below:
Query Title | Query Details |
All Audit Status Messages for a Specific User | Message Type: 768 Message Attribute ID: 403 |
All Audit Status Messages from a Specific Site | Message Type: 768 |
Boundaries Created, Modified, or Deleted | Message IDs: 40600-40602 |
Client Component Configuration Changes | Message IDs: 30042-30047 |
Collections Created, Modified, or Deleted | Message IDs: 30015-30017 |
Collection Member Resources Manually Deleted | Message IDs: 30066-30067 |
Deployments Created, Modified, or Deleted | Message IDs: 30006-30008 |
Packages Created, Modified, or Deleted | Includes Package Conversion Status Message IDs: 30000-30002 |
Programs Created, Modified, or Deleted | Includes Package Conversion Status Message IDs: 30003-30005 |
Queries Created, Modified, or Deleted | Message IDs: 30063-30065 |
Remote Control Activity at a Specific Site, User, or System (4 Total) | Message IDs: 30069-30087 |
Security Scopes Created, Modified, Deleted, or Imported | Message IDs: 31200-31202 / 31220-31222 / 31207 |
Server Component Configuration Changes | Message IDs: 30033-30035 / 30039-30041 Site Control Changes |
Site Addresses Created, Modified, or Deleted | Message IDs: 30018-30020 |
Enhanced Audit Status Message Queries
Now what if you need something more specific? The following list may help you quickly determine what specific activities are occurring within your environment. You can download the XML file and script resources here on GitHub: Enhanced Audit Status Message Queries.
Query Title | Query Details |
Audit - All Alert Actions | Includes DRS Alerts. Message IDs: 30240-30244 |
Audit - All Application Actions | Message IDs: 30226-30228 / 49003-49005 / 52300 |
Audit - All Application Catalog Actions | Message IDs: 30800-30805 / 50000-50004 |
Audit - All Asset Intelligence Actions | Message IDs: 30208-30209 / 31001 |
Audit - All Azure and Co-Management Actions | Message IDs: 53001-53005 / 53401-53403 / 53501-53503 |
Audit - All Boundary Group Actions | Message IDs: 40500-40505 |
Audit - All Client and Collection Miscellaneous Actions | Includes Update Membership, Device Imports, Clear PXE Deployments. Message IDs: 30104 / 30213 / 42021 |
Audit - All Client Configuration Requests (CCRs) | Client Push actions. Message IDs: 30106-30111 |
Audit - All Client Operations Actions | Includes “Right Click” actions. Message IDs: 40800-40804 |
Audit - All Client Settings Actions | Includes Antimalware Policies. Message IDs: 40300-40305 |
Audit - All CMPivot and Script Actions | Message IDs: 40805-40806 / 52500-52505 |
Audit - All Conditional Access Actions | Includes Exchange Online, SharePoint Online, and On-Prem Exchange actions. Message IDs: 30340-30341 |
Audit - All ConfigMgr Actions in Console | Checks components: Microsoft.ConfigurationManagement.exe / AdminUI.PS.Provider.dll |
Audit - All Configuration Baseline Actions | Message IDs: 30168 / 30193-30198 |
Audit - All Configuration Items | Includes Compliance Settings and Endpoint Protection policy actions. Message IDs: 30152-30167 |
Audit - All Content Library Actions | Includes Content Library changes. Message IDs: 30080 / 30189-30191 |
Audit - All Distribution Point Actions | Message IDs: 30009-30011 / 30068 / 30109 / 30125 / 30500-30503 / 40409-40410 |
Audit - All Distribution Point Changes | Message IDs: 40400-40409 / 40506 |
Audit - All Folder Actions | Message IDs: 30113-30117 |
Audit - All Messages | |
Audit - All Messages (Specified Message ID) | |
Audit - All Messages (Specified Timeline) | |
Audit - All Migration Actions | Message IDs: 30900-30907 |
Audit - All Mobile Device Management Actions | Message IDs: 40200-40206 / 45000-45004 / 47000-47002 / 48000-48003 / 49003-49005 / 51000-51006 / 52000-52020 |
Audit - All Phased Deployment Actions | Message IDs: 53601-53603 |
Audit - All Query Actions | Message IDs: 30063-30065 / 30302-30303 |
Audit - All Report Actions | Message IDs: 30091-30093 / 31000-31002 |
Audit - All Search Folder Actions | Message IDs: 30700-30702 |
Audit - All Secondary Site Actions | Message IDs: 30012-30014 / 30021-30023 |
Audit - All Site Server Boundary Actions | Message IDs: 30054-30056 |
Audit - All Site Server Definition Actions | Message IDs: 30030-30032 |
Audit - All Site Server Property Actions | Message IDs: 30024-30029 |
Audit - All Site Server Role Actions | Message IDs: 30036-30038 |
Audit - All Site Server Security Actions | Message IDs: 30057-30062 / 30210-30212 / 31200-31242 / 31203-31249 |
Audit - All Site Server SQL Actions | Includes Site Maintenance Tasks. Message IDs: 30048-30053 |
Audit - All Software Metering Rules Actions | Message IDs: 30094-30095 / 30105 |
Audit - All Software Update Actions | Message IDs: 30112 / 30118-30124 / 30135-30137 / 30172 / 30183-30188 / 30196-30198 / 30219-30221 / 30229-30231 / 30506-30507 / 42031-42033 / 4900-49002 |
Audit - All User Object Actions | Message IDs: 30600-30606 |
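The tables above list message IDs, but a status message query stores a WQL expression. The following is an added example, not part of the original post or the GitHub resource, that turns the table notation (single IDs and ranges separated by "/") into such an expression. The function name is hypothetical, and the select/join layout is an assumption based on the commonly used SMS_StatusMessage, SMS_StatMsgInsStrings and SMS_StatMsgAttributes join.

```powershell
# Added example (hypothetical helper): build a status message query expression
# from the "Message IDs" notation used in the tables above.
function ConvertTo-StatusMessageWql {
    param(
        [Parameter(Mandatory = $true)]
        [string]$MessageIds,       # table notation, e.g. '30104 / 30213 / 42021'
        [int]$MessageType = 768    # 768 = Audits (see the message type table)
    )

    $clauses = foreach ($token in ($MessageIds -split '/')) {
        $token = $token.Trim()
        if ($token -match '^(\d+)-(\d+)$') {
            # Range such as 30063-30065
            $low  = [int]$Matches[1]
            $high = [int]$Matches[2]
            if ($low -gt $high) { throw "Range '$token' is reversed." }
            "(stat.MessageID >= $low and stat.MessageID <= $high)"
        }
        elseif ($token -match '^\d+$') {
            # Single ID such as 52300
            "stat.MessageID = $token"
        }
        else {
            throw "Unrecognised message ID token: '$token'"
        }
    }

    # Assumed layout: status message joined to its insertion strings and attributes.
    "select stat.*, ins.*, att1.*, att1.AttributeTime " +
    "from SMS_StatusMessage as stat " +
    "left join SMS_StatMsgInsStrings as ins on stat.RecordID = ins.RecordID " +
    "left join SMS_StatMsgAttributes as att1 on stat.RecordID = att1.RecordID " +
    "where stat.MessageType = $MessageType and (" + ($clauses -join ' or ') + ") " +
    "order by stat.Time desc"
}

# IDs taken from the "Audit - All Query Actions" row above.
$Expression = ConvertTo-StatusMessageWql -MessageIds '30063-30065 / 30302-30303'
$Expression

# With the ConfigMgr module loaded and the site drive selected
# (the query name below is a made-up example):
# New-CMStatusMessageQuery -Name 'Audit - Query Actions (rebuilt)' -Expression $Expression
```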
Script to Import Enhanced Status Message Queries
Here is an example of executing the script to import the status message queries.
.\Import-CMStatusMessageQueries.ps1 -XMLPath C:\Queries\Enhanced_StatMsgQueries.xml
Script Details
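param(
    [Parameter(Mandatory=$True)]
    [string]$XMLPath
)

# Imports ConfigMgr Module
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"

# Get SiteCode (the CMSITE PSDrive is named after the site code) and switch to the site drive
$SiteCode = Get-PSDrive -PSProvider CMSITE | Select-Object -First 1
Set-Location "$($SiteCode.Name):"

# Imports XML
try
{
    # -ErrorAction Stop makes a missing or unreadable file reach the catch block
    $CMStatusMsgs = Import-Clixml $XMLPath -ErrorAction Stop
}
catch
{
    Write-Host -ForegroundColor Red "Invalid file path or file type. Please try again."
    Exit
}

# Creates one status message query per exported record
foreach ($Query in $CMStatusMsgs)
{
    try
    {
        $StatusQuery = @{
            Name = $Query.Name
            Expression = $Query.Expression
            Comments = $Query.Comments
        }
        # -ErrorAction Stop turns a failed creation into a terminating error so the catch block runs
        New-CMStatusMessageQuery @StatusQuery -ErrorAction Stop | Out-Null
        Write-Host -ForegroundColor Green $Query.Name "was created successfully."
    }
    catch
    {
        Write-Host -ForegroundColor Red $Query.Name "already exists."
    }
}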
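The import script reports every failed creation as "already exists", so it is worth reviewing an export before it is loaded into a site. The following dry-run check is an added example, not part of the author's script. The function name and the expression rules are assumptions: an expression is expected to be a select that references SMS_StatusMessage.

```powershell
# Added example (hypothetical helper): review a query export without creating anything.
function Test-StatusMessageQueryExport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$XMLPath,
        # Query names already present in the site, e.g. (Get-CMStatusMessageQuery).Name
        [string[]]$ExistingName = @()
    )

    foreach ($Query in (Import-Clixml -Path $XMLPath -ErrorAction Stop)) {
        $problems = @()

        if ([string]::IsNullOrWhiteSpace($Query.Name)) {
            $problems += 'missing Name'
        }

        if ([string]::IsNullOrWhiteSpace($Query.Expression)) {
            $problems += 'missing Expression'
        }
        elseif ($Query.Expression -notmatch '^\s*select\s' -or
                $Query.Expression -notmatch '\bSMS_StatusMessage\b') {
            # Assumed rule: status message queries select from SMS_StatusMessage.
            $problems += 'Expression is not a select over SMS_StatusMessage'
        }

        if ($ExistingName -contains $Query.Name) {
            $problems += 'name already exists in site'
        }

        # One row per record so the export can be read before it is imported.
        [pscustomobject]@{
            Name       = $Query.Name
            Ready      = ($problems.Count -eq 0)
            Problems   = $problems -join '; '
            Expression = $Query.Expression
        }
    }
}

# Run from the site drive with the ConfigMgr module loaded:
# Test-StatusMessageQueryExport -XMLPath C:\Queries\Enhanced_StatMsgQueries.xml `
#     -ExistingName (Get-CMStatusMessageQuery).Name | Where-Object { -not $_.Ready }
```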
Export Status Message Queries to XML
What if you wish to export your own Status Message Queries to another environment? You can leverage the ConfigMgr PowerShell cmdlets: Get-CMStatusMessageQuery and Export-Clixml.
NOTE: Requires the ConfigMgr PowerShell Module
Export all Queries
Get-CMStatusMessageQuery | Export-Clixml <path>\StatusMsgQueries.xml
Export only Queries beginning with the name “Audit”
Get-CMStatusMessageQuery -Name Audit* | Export-Clixml <path>\Audit_StatusMsgQueries.xml
References: Get-CMStatusMessageQuery, Export-Clixml
I hope this information will help you in becoming a true detective within your environment. Very special thanks to SaudM for the “Enumerating Status Message Strings” script, along with Kevin Kasalonis and Daniel Lovely for their feedback on the content of this blog.
Thank you again for reading!
Brandon McMillan, Customer Engineer
Disclaimer: The information on this site is provided “AS IS” with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of any included script samples are subject to the terms specified in the Terms of Use.