SCCM Audit Reports Who Initiated CMPivot Query | ConfigMgr

Let’s check who initiated CMPivot query. CMPivot is a real-time reporting tool available for SCCM admins. Microsoft introduced CMPivot with ConfigMgr version 1806.

The CMPivot is a new in-console (stand-alone tool also available) utility that now provides access to real-time state of Windows 10 devices using the fast channel mechanism.

The CMPivot helps to run a query (Kusto Query) on all currently connected devices in the target collection and returns the results.

Patch My PC

More details about six status message queries are listed under the Administrative Security category. I have uploaded a YouTube video here to explain the process of audit reporting.

Who Initiated CMPivot Query?

Manage Engine

It’s important to track who initiated CMPivot Query.

  • Open the SQL Management Studio.
  • Click on the New Query button.
  • Select the CM_MEM database from the drop-down menu.
    • MEM is the ConfigMgr site code.
  • Copy the following SQL query to find the Legacy version of Edge.
  • Click on the Execute button.
select * from vStatusMessagesWithStrings where MessageID = '40805'
  • Let’s find the results of the query.
Who Initiated CMPivot Query SCCM ConfigMgr
Who Initiated CMPivot Query – SCCM ConfigMgr

Status Message Query

  • Launch ConfigMgr Console
  • Navigate to Monitoring > System Status > Status Message Queries.
  • You can run All Audit status Messages for a Specific UserAll Audit status Messages for a Specific Site, or create your own status message query.
MessageId 40805: User <UserName> ran script <Script-Guid> with hash <Script-Hash> on collection <Collection-ID>.


NULLCMMEMCM.memcm.comSMS Provider043:40.3MEMMicrosoft.ConfigurationManagement.exe4900130361.07E+09408050000768MEMCM\anoopMEMCM\anoopA66E52B0-4289-49CD-BBF8-DC20AF6BC120B140D2798BB2EF5CC70F7FBC389FA4D51490645F43DAABEBB6C19EEC9BF4A474MEM000140NULLNULLNULLNULL


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.