Blog Post

Core Infrastructure and Security Blog
7 MIN READ

Enhanced Audit Status Message Queries

brmcmill's avatar
brmcmill
Icon for Microsoft rankMicrosoft
Feb 11, 2021

First published on TECHNET on Mar 18, 2019

Authored by Brandon McMillan


Hello everyone!  My name is Brandon McMillan and I am a Microsoft Endpoint Configuration Manager (ConfigMgr) CE.  I have found that Status Message Queries can be one of the more underappreciated features of ConfigMgr.  The information you can gather in a quick and easy query can be very powerful in helping you determine the root cause analysis of an issue.  I hope this blog will provide you with additional Status Message Queries and how you can quickly export/import some examples into your environment.

If you would like to go direct to the GitHub resource to import custom status messages queries, please go here: GitHub - EnhancedAuditStatusMsgQueries.  For more information on status messages and how it can help you with discovering activities in your environment, please continue below.

Last Updated: April 14th, 2021 - A fellow CE, Daniel Lovely provided feedback that the EnumerateStatusMessages link from TechNet Gallery is no longer active since TechNet Gallery has been retired.  I uploaded a copy of the original script to extract status messages from SaudM should you be interested in using it.

First let’s break down the different Status Message Types:

 


ID

Status Message Type

Description

256

Milestones
Use this type at the end of an operation to indicate the operation's success or failure. If the operation was successful, use the Milestone type in an informational message. If the operation failed, use a milestone message type in a warning or error message.

512

Details
Use this type to illustrate the steps in a complex operation. Often, detail messages are meaningful only within the context of the sequence of status messages representing a complex operation.

768

Audits
Use this type for informational messages that provides a trail of actions taken by the Configuration Manager administrator. An audit message also depicts an operation that results in objects being added, modified, or deleted. You do not need to create audit messages; the provider automatically generates these messages for you.

1024

NT Events
 


Reference: SMS_StatusMessage WMI Class

Here is a quick overview of Status Message Queries:

 


Status Message Queries
Use this node to query status messages for specific events and related details. You can use status message queries to find the status messages related to specific events.
You can often use status message queries to identify when a specific component, operation, or Configuration Manager object was modified, and the account that was used to make the modification. For example, you can run the built-in query for Collections Created, Modified, or Deleted to identify when a specific collection was created, and the user account used to create the collection.


Reference: Use Alerts and the Status System

 

Enumerating Status Message Strings

How can we obtain a full listing of Status Message ID’s?  If you are unsure what Status Message ID’s to use to create a specific Status Message Query, you can export all the Status Messages ConfigMgr provides by using a PowerShell script from an article by SaudM.  The script originally was hosted on TechNet Gallery and currently I'm unsure if/where it may had been migrated to, if at all.  I have a previous copy of the script which can be found here: EnumerateStatusMessages.


Here’s an example of how you can leverage the script and export the Status Messages based on type: Client, Provider, or Server Messages.

 

Client Messages

 

.\Export-StatusMessages.ps1 -stringPathToDLL "<InstallDrive>:\Program Files\Microsoft Configuration Manager\bin\X64\system32\smsmsgs\climsgs.dll" -stringOutputCSV ExportClientMsgs.csv

 

Provider Messages

 

.\Export-StatusMessages.ps1 -stringPathToDLL "<InstallDrive>:\Program Files\Microsoft Configuration Manager\bin\X64\system32\smsmsgs\provmsgs.dll" -stringOutputCSV ExportProviderMsgs.csv

 

Server Messages

 

.\Export-StatusMessages.ps1 -stringPathToDLL "<InstallDrive>:\Program Files\Microsoft Configuration Manager\bin\X64\system32\smsmsgs\srvmsgs.dll" -stringOutputCSV ExportServerMsgs.csv

 

 

Default Status Message Queries

We provide many out of box queries that are delivered with the product; however, there are many Message ID’s that you can leverage which could help you build your own specific queries for your environment. Some of the default Status Message Queries you may already be familiar with are below:

 

Query Title Query Details
All Audit Status Messages for a Specific User Message Type: 768
Message Attribute ID: 403
All Audit Status Messages from a Specific Site Message Type: 768
Boundaries Created, Modified, or Deleted Message IDs: 40600-40602
Client Component Configuration Changes Message IDs: 30042-30047
Collections Created, Modified, or Deleted Message IDs: 30015-30017
Collection Member Resources Manually Deleted Message IDs: 30066-30067
Deployments Created, Modified, or Deleted Message IDs: 30006-30008
Packages Created, Modified, or Deleted Includes Package Conversion Status
Message IDs: 30000-30002
Programs Created, Modified, or Deleted Includes Package Conversion Status
Message IDs: 30003-30005
Queries Created, Modified, or Deleted Message IDs: 30063-30065
Remote Control Activity at a Specific Site, User, or System (4 Total) Message IDs: 30069-30087
Security Scopes Created, Modified, Deleted, or Imported Message IDs: 31200-31202 / 31220-31222 / 31207
Server Component Configuration Changes Message IDs: 30033-30035 / 30039-30041
Site Control Changes
Site Addresses Created, Modified, or Deleted Message IDs: 30018-30020

 

Enhanced Audit Status Message Queries

Now what if you need something more specific?  The following list may help you quickly determine what specific activities are occurring within your environment.  You can download the XML file and script resources here on GitHub: Enhanced Audit Status Message Queries.

 

Query Title Query Details
Audit - All Alert Actions Includes DRS Alerts
Message IDs: 30240-30244
Audit - All Application Actions Message IDs: 30226-30228 / 49003-49005 / 52300
Audit - All Application Catalog Actions Message IDs: 30800-30805 / 50000-50004
Audit - All Asset Intelligence Actions Message IDs: 30208-30209 / 31001
Audit - All Azure and Co-Management Actions Message IDs: 53001-53005 / 53401-53403 / 53501-53503
Audit - All Boundary Group Actions Message IDs: 40500-40505
Audit - All Client and Collection Miscellaneous Actions Includes Update Membership, Device Imports, Clear PXE Deployments
Message IDs: 30104 / 30213 / 42021
Audit - All Client Configuration Requests (CCRs) Client Push actions.
Message IDs: 30106-30111
Audit - All Client Operations Actions Includes “Right Click” actions.
Message IDs: 40800-40804
Audit - All Client Settings Actions Includes Antimalware Policies.
Message IDs: 40300-40305
Audit - All CMPivot and Script Actions Message IDs: 40805-40806 / 52500-52505
Audit - All Conditional Access Actions Includes Exchange Online, SharePoint Online, and On-Prem Exchange actions.
Message IDs: 30340-30341
Audit - All ConfigMgr Actions in Console Checks components: Microsoft.ConfigurationManagement.exe / AdminUI.PS.Provider.dll
Audit - All Configuration Baseline Actions Message IDs: 30168 / 30193-30198
Audit - All Configuration Items Includes Compliance Settings and Endpoint Protection policy actions.
Message IDs: 30152-30167
Audit - All Content Library Actions Includes Content Library changes
Message IDs: 30080 / 30189-30191
Audit - All Distribution Point Actions Message IDs: 30009-30011 / 30068 / 30109 / 30125 / 30500-30503 / 40409-40410
Audit - All Distribution Point Changes Message IDs: 40400-40409 / 40506
Audit - All Folder Actions Message IDs: 30113-30117
Audit - All Messages  
Audit - All Messages (Specified Message ID)  
Audit - All Messages (Specified Timeline)  
Audit - All Migration Actions Message IDs: 30900-30907
Audit - All Mobile Device Management Actions Message IDs: 40200-40206 / 45000-45004 / 47000-47002 / 48000-48003 / 49003-49005 / 51000-51006 / 52000-52020
Audit - All Phased Deployment Actions Message IDs: 53601-53603
Audit - All Query Actions Message IDs: 30063-30065 / 30302-30303
Audit - All Report Actions Message IDs: 30091-30093 / 31000-31002
Audit - All Search Folder Actions Message IDs: 30700-30702
Audit - All Secondary Site Actions Message IDs: 30012-30014 / 30021-30023
Audit - All Site Server Boundary Actions Message IDs: 30054-30056
Audit - All Site Server Definition Actions Message IDs: 30030-30032
Audit - All Site Server Property Actions Message IDs: 30024-30029
Audit - All Site Server Role Actions Message IDs: 30036-30038
Audit - All Site Server Security Actions Message IDs: 30057-30062 / 30210-30212 / 31200-31242 / 31203-31249
Audit - All Site Server SQL Actions Includes Site Maintenance Tasks
Message IDs: 30048-30053
Audit - All Software Metering Rules Actions Message IDs: 30094-30095 / 30105
Audit - All Software Update Actions Message IDs: 30112 / 30118-30124 / 30135-30137 / 30172 / 30183-30188 / 30196-30198 / 30219-30221 / 30229-30231 / 30506-30507 / 42031-42033 / 4900-49002
Audit - All User Object Actions Message IDs: 30600-30606

 

Script to Import Enhanced Status Message Queries

Here is an example of executing the script to import the status message queries.

 

Import-CMStatusMessageQueries.ps1 -XMLPath C:\Queries\Enhanced_StatMsgQueries.xml

 

 

Script Details

 

param(
    [Parameter(Mandatory=$True)]
    [string]$XMLPath
)

# Imports ConfigMgr Module
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"

# Get SiteCode
$SiteCode = Get-PSDrive -PSProvider CMSITE
Set-location $SiteCode":"

# Imports XML
try
{
    $CMStatusMsgs = Import-Clixml $XMLPath
}
catch
{
    Write-Host -ForegroundColor Red "Invalid file path or file type.  Please try again."
    Exit
}

foreach ($Query in $CMStatusMsgs)
{
    try
    {
        $StatusQuery = @{
            Name = $Query.Name
            Expression = $Query.Expression
            Comments = $Query.Comments
        }
        New-CMStatusMessageQuery @StatusQuery | Out-Null
        Write-Host -ForegroundColor Green $Query.Name "was created successfully."
    }
    catch
    {
        Write-Host -ForegroundColor Red $Query.Name "already exists."
    }
}

 

 

 

Export Status Message Queries to XML

What if you wish to export your own Status Message Queries to another environment?  You can leverage the ConfigMgr PowerShell cmdlets: Get-CMStatusMessageQuery and Export-Clixml.

 

NOTE: Requires the ConfigMgr PowerShell Module

 

Export all Queries

 

Get-CMStatusMessageQuery | Export-Clixml <path>\StatusMsgQueries.xml

 

 

Export only Queries beginning with the name “Audit”

 

Get-CMStatusMessageQuery -Name Audit* | Export-Clixml <path>\Audit_StatusMsgQueries.xml

 

 

References: Get-CMStatusMessageQuery, Export-Clixml

I hope this information will help you in becoming a true detective within your environment.  Very special thanks for SaudM on the “Enumerating Status Message Strings” script along with Kevin Kasalonis and Daniel Lovely on their feedback with the content of this blog.

Thank you again for reading!

Brandon McMillan, Customer Engineer 

Disclaimer: The information on this site is provided “AS IS” with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of any included script samples are subject to the terms specified in the Terms of Use.

Updated Apr 17, 2021
Version 29.0
  • Very useful information for troubleshooting, the status message query is so powerful. Thanks for your post.