SCCM Audit Reports Who Initiated CMPivot Query | ConfigMgr

0
SCCM Audit Reports Who Initiated CMPivot Query ConfigMgr

Let’s check who initiated CMPivot query. CMPivot is a real-time reporting tool available for SCCM admins. Microsoft introduced CMPivot with ConfigMgr version 1806.

The CMPivot is a new in-console (stand-alone tool also available) utility that now provides access to real-time state of Windows 10 devices using the fast channel mechanism.

The CMPivot helps to run a query (Kusto Query) on all currently connected devices in the target collection and returns the results.

More details about six status message queries are listed under the Administrative Security category. I have uploaded a YouTube video here to explain the process of audit reporting.

Who Initiated CMPivot Query?

It’s important to track who initiated CMPivot Query.

  • Open the SQL Management Studio.
  • Click on the New Query button.
  • Select the CM_MEM database from the drop-down menu.
    • MEM is the ConfigMgr site code.
  • Copy the following SQL query to find the Legacy version of Edge.
  • Click on the Execute button.
select * from vStatusMessagesWithStrings where MessageID = '40805'
  • Let’s find the results of the query.
Who Initiated CMPivot Query SCCM ConfigMgr
Who Initiated CMPivot Query – SCCM ConfigMgr

Status Message Query

  • Launch ConfigMgr Console
  • Navigate to Monitoring > System Status > Status Message Queries.
  • You can run All Audit status Messages for a Specific UserAll Audit status Messages for a Specific Site, or create your own status message query.
MessageId 40805: User <UserName> ran script <Script-Guid> with hash <Script-Hash> on collection <Collection-ID>.

Results

MachineIDMachineNameModuleNameWin32ErrorTimeSiteCodeTopLevelSiteCodeComponentProcessIDThreadIDSeverityMessageIDReportFunctionSuccessfulTransactionPartOfTransactionPerClientMessageTypeInsStrValue1InsStrValue2InsStrValue3InsStrValue4InsStrValue5InsStrValue6InsStrValue7InsStrValue8InsStrValue9InsStrValue10
NULLCMMEMCM.memcm.comSMS Provider043:40.3MEMMicrosoft.ConfigurationManagement.exe4900130361.07E+09408050000768MEMCM\anoopMEMCM\anoopA66E52B0-4289-49CD-BBF8-DC20AF6BC120B140D2798BB2EF5CC70F7FBC389FA4D51490645F43DAABEBB6C19EEC9BF4A474MEM000140NULLNULLNULLNULL

Resources

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.