SCCM CMPivot Architecture and Sample Queries

Let’s check SCCM CMPivot Architecture and Sample Queries in this post. CMPivot allows you to quickly assess the state of devices in your environment and take action.

Fast channel architecture changed the entire behavior of SCCM. It is no longer a slow-moving server (SMS); you can make it run as fast as you need. SCCM CMPivot queries are built on the entities supported by each version of SCCM.

Entities – this is what Microsoft calls the querying objects of each SCCM client.

More details about the SCCM 1810 improvements and what is new with CMPivot are available below. Interested in the first version of CMPivot? See my post on the SCCM CB Preview version 1805.


What is CMPivot

CMPivot is a new in-console utility in ConfigMgr that provides access to the real-time state of devices in your environment. You can also run CMPivot as a standalone tool.

Prerequisite of SCCM CMPivot

Ensure you are running the latest version of the SCCM client and CMPivot (SCCM console). SCCM security permissions are required to run CMPivot, as Microsoft documented here.

Also, SCCM client devices require PowerShell version 5.0. The Start CMPivot action doesn’t appear in the console when it is connected to an SCCM CAS site.

How Does SCCM CMPivot Work in the Background?

The architecture of CMPivot is based on the fast channel architecture. The steps below give a very high-level view of the CMPivot architecture flow.

1. CMPivot sends queries to SCCM clients using SCCM Fast Channel
2. SCCM Clients return results via the similarly quick state message system
3. The CMPivot results are temporarily stored in the database (until the CMPivot window is open?)
4. A CMPivot Query will try to connect to machines that are not online for an hour. This retry happens only when the CMPivot window is open.

The following picture is the fast channel’s architecture flow, which I explained in the fast channel notification post.

[Figure: fast channel architecture flow. Credits to Microsoft Docs for the original picture.]


How to Run Query in SCCM CMPivot?

  1. Go to the Assets and Compliance workspace in the SCCM CB 1806 or later console and select Device Collections. Select a target collection, and click Start CMPivot in the ribbon to launch the tool.
  2. CMPivot opens in a separate window. The CMPivot pane on the left lists the entities available to clients. Some entities rely upon WMI, while others use PowerShell to get data from clients.
    • Right-click an entity for the following actions:
      • Insert: Add the entity to the query at the current cursor position. The query doesn’t automatically run. This action is the default when you double-click an entity. Use this action when building a query.
      • Query all: Run a query for this entity, including all properties. Use this action to query for a single entity quickly.
      • Query by device: Run a query for this entity and group the results. For example, Disk | summarize dcount( Device ) by Name


What are the Actions you can launch from SCCM CMPivot?

Apart from querying the online devices in almost real-time, what other actions can you take directly from CMPivot? Well, you can see some handy options available for you.

The SCCM CMPivot results pane displays the data returned by active clients for the query, and you have some right-click options, as I mentioned below.

  • The available columns vary based on the entity and the query.
  • Click a column name to sort the results by that property.
  • Right-click on any column name to group the results by the same information in that column or sort the results.
  • Right-click on a device name to take the following additional actions on the device.

1. Create a direct membership device collection
2. Export the CMPivot query report results to CSV
3. Export the CMPivot query report results to Clipboard
4. Run Remediation scripts to selected devices (SCCM client)
5. Take Remote Control of a device from CMPivot
6. Take Resource Explorer of an SCCM client device from CMPivot
7. Select a device and do Pivot to another entity to drill down the issues


SCCM CMPivot Troubleshooting & Log files

OK. So the communication channel of CMPivot is the same as SCCM fast channel. I recommend reading my previous post to perform deep-dive troubleshooting of CMPivot issues.

Apart from that, log files are good friends of SCCM admins all the time, and for CMPivot also, it’s the same.

Make sure your basics are correct. Check the request ID at the bottom right of the CMPivot window. This ID will help you troubleshoot via the log files.

Check out the collection from which you initiated the CMPivot at the bottom right side of the CMPivot windows.

Following are some of the log files you want to look at when you have trouble with CMPivot.

Server-side CMPivot Log

SmsProv.log
bgbServer.log
StateSys.log

Client-side CMPivot Log :

CcmNotificationAgent.log
Scripts.log
StateMessage.log

  • On the client, by default in C:\Windows\CCM\logs:
    • Scripts.log
    • CcmMessaging.log
  • On the MP, by default in C:\SMS_CCM\Logs: MP_RelayMsgMgr.log
  • On the site server, by default, in C:\Program Files\Configuration Manager\Logs: SMS_Message_Processing_Engine.log

Any clients that returned Total, Failed, Offline – Query completed on 3 of 5 clients (2 clients offline and 0 failure)
Client Operation ID – id(16780221)
Collection Name – All Desktop and Server Clients
The total number of rows in the results pane – 1 objects
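
The log check described above, as an added example (not from the original post or from Microsoft): a PowerShell function that searches the client-side logs listed on this page for the Client Operation ID and merges the hits into one timeline. Get-CMPivotTrace is a hypothetical name, the CMTrace line layout and the default log folder are assumptions about a standard client install, and 16780221 is the ID shown in the status bar above.

```powershell
# Added example, not part of the original post.
function Get-CMPivotTrace {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$OperationId,
        [string]$LogRoot = 'C:\Windows\CCM\Logs',
        [string[]]$LogNames = @('CcmNotificationAgent.log', 'Scripts.log',
                                'StateMessage.log', 'CcmMessaging.log')
    )
    # Assumed CMTrace layout:
    # <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" component="..." ...>
    $cmTrace = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>\d{1,2}:\d{2}:\d{2})[^"]*" ' +
               'date="(?<date>\d{1,2}-\d{1,2}-\d{4})" component="(?<comp>[^"]*)"'
    # Word boundaries stop the ID from matching inside a longer number.
    $idPattern = '\b' + [regex]::Escape($OperationId) + '\b'

    foreach ($name in $LogNames) {
        $path = Join-Path $LogRoot $name
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Log not found: $path"
            continue
        }
        Select-String -LiteralPath $path -Pattern $idPattern | ForEach-Object {
            # Fall back to the raw line when the hit is on a line without the trailer.
            $time = $null; $component = $null; $message = $_.Line.Trim()
            if ($_.Line -match $cmTrace) {
                $time = [datetime]::ParseExact("$($Matches['date']) $($Matches['time'])",
                    'M-d-yyyy H:mm:ss', [cultureinfo]::InvariantCulture)
                $component = $Matches['comp']
                $message = $Matches['msg']
            }
            [pscustomobject]@{
                Time = $time; Log = $name; Line = $_.LineNumber
                Component = $component; Message = $message
            }
        }
    }
}

Get-CMPivotTrace -OperationId '16780221' |
    Sort-Object Time, Log, Line |
    Format-Table Time, Log, Component, Message -AutoSize -Wrap
```

On the management point or the site server, pass -LogRoot and -LogNames for the folders and log files listed above.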

List of Entities Supported by SCCM CMPivot

CMPivot Entities – these entities are what Microsoft calls the querying objects of each SCCM client. I hope this list will grow with newer releases of SCCM CB.

Administrators – Members of the local administrator’s group
AppCrash – Recent application crash reports
AutoStartSoftware – Software that starts automatically with, or immediately after, the operating system
Bios – System BIOS information
CcmLog() – Up to the last 50 lines from a Ccm Log file
Connection – An active TCP connection in or out of the device
Device – Basic information about the device
Disk – Local storage device information on a computer system running Windows
EventLog() – Up to the last 50 events from a Windows event log
File() – Information about a specific file
FileShare – Active file share information
InstalledSoftware – An application installed on the device
IPConfig – Gets network configuration, including usable interfaces, IP addresses, and DNS servers
OS – Basic information about the operating system
Process – A process on an operating system
Registry() – All values for a specific registry key
Service – A service on a computer system running Windows
SMBConfig – SMB Configuration of a device
SoftwareUpdate – A software update applicable but not installed on the device
User – A user account with an active connection to the device

SCCM CMPivot Entity

The following are the entities that can be queried from SCCM 1810 CMPivot. Most of the WMI classes are included in the SCCM 1810 production version. Also, there are some other improvements:

  1. CMPivot gives an option to save favorite queries.
  2. On the Query Summary tab, select the count of Failed or Offline devices, and then choose the option to Create Collection.

Sample SCCM CMPivot Query

Sample queries you can try with SCCM CMPivot.

Disk | summarize dcount( Device ) by Name
OS | summarize countif( (Version == '10.0.17134') ) by Device | where (countif_ > 0)
OS | summarize countif( (Version == '10.0.17134') ) by Device | where (countif_ == 0) | project Device
Service | summarize dcount( Device ) by Name
Service | where (Name == 'Browser') | summarize count() by Device
Bios | summarize countif( (Version == 'LENOVO - 1140') ) by Device | where (countif_ > 0)
Disk | where (Description == 'Local Fixed Disk') | where isnotnull( FreeSpace ) | order by FreeSpace asc

Let’s find out the recently used apps from online devices using SCCM CMPivot.

CCMRecentlyUsedApplications
| where (LastUsedTime > ago(5h))
| project CompanyName, ProductName, ProductVersion, LastUsedTime

Now, let’s look at Windows 11 Device start time using the SCCM CMPivot query.

SystemBootData
| project Device, SystemStartTime, BootDuration, OSStart=EventLogStart, GPDuration, UpdateDuration
| order by SystemStartTime desc

Get the status of antimalware software installed on Windows 10 or Windows 11 devices using the following query.

EPStatus
| project Device, QuickScanAge=datetime_diff('day',now(),QuickScanEndTime)
| summarize DeviceCount=count() by QuickScanAge

ProcessModule details can also be queried using SCCM CMPivot.

ProcessModule('powershell')
| summarize count() by ModuleName
| order by count_ desc

CMPivot query to get the results with the chart.

OperatingSystem | summarize count() by BuildNumber | render piechart

Windows 10 and Windows 11 Devices CMPivot query

OperatingSystem | where Caption == 'Microsoft Windows 10 Enterprise'
OperatingSystem | where Caption == 'Microsoft Windows 10 Education'
OperatingSystem | where Caption == 'Microsoft Windows 11 Enterprise'
OperatingSystem | where Caption == 'Microsoft Windows 11 Education'

You can get application crash details from a CMPivot query.

AppCrash | summarize dcount( Device ) by FileName,Version

You can get the BIOS details of Windows 10 and Windows 11 devices from the SCCM CMPivot query.

Bios | summarize dcount( Device ) by Manufacturer

You can also find the event log details and File Details of the Windows 10 devices using SCCM CMPivot.

File('%windir%\\notepad.exe')
EventLog('Security',1d)

List of Installed Software using CMPivot

This gives the count of applications installed on the device.

InstalledSoftware | summarize count( Device ) by ProductName

Total Number of Processes Running on Windows 11 System

Process | summarize dcount( Device ) by Name

Total Number of Services Running on Windows 11 PC

Service | summarize dcount( Device ) by Name

Software Updates SCCM CMPivot Query

Count of devices with a specific software update applicable but not installed on the device (by KB Number). Thanks to Merlin from Belgium for this query.

SoftwareUpdate | summarize countif( (KBArticleIDs == 'KB0000000') ) by Device | where (countif_ > 0)

Table of CMPivot Entity

A list of CMPivot entities is given in the below table.

Entity – Description

ActiveSyncService – ActiveSync Service
Administrators – Members of the local administrator’s group
AMTAgent – AMT Agent
AppCrash – Recent application crash reports
AppVClientApplication – AppV Client Application
AppVClientPackage – AppV Client Package
AutoStartSoftware – Software that starts automatically with, or immediately after, the operating system
BaseBoard – BaseBoard
Battery – Battery
Bios – System BIOS information
BitLocker – BitLocker
boot configuration – Boot Configuration
BrowserHelperObject – Browser Helper Object
CcmLog() – Up to the last 50 lines from a Ccm Log file
CCMRAX – CCM_RAX
CCMRecentlyUsedApplications – Recently Used Applications
CCMWebAppInstallInfo – Web Applications
CDROM – CDROM Drive
ClientEvents – Client Events
computer system – Computer System
ComputerSystemProduct – Computer System Product
ConnectedDrive – Connected Device
Connection – An active TCP connection in or out of the device
Desktop – Desktop
DesktopMonitor – Desktop Monitor
Device – Basic information about the device
Disk – Local storage device information on a computer system running Windows
DMA – DMA
DMAChannel – DMA Channel
DriverVxD – Driver - VxD
EmbeddedDeviceInformation – Embedded Device Information
Environment – Environment
EventLog() – Up to the last 50 events from a Windows event log
File() – Information about a specific file
FileShare – Active file share information
Firmware – Firmware
IDEController – IDE Controller
InstalledExecutable – Installed Executable
InstalledSoftware – An application installed on the device
IPConfig – Gets network configuration, including usable interfaces, IP addresses, and DNS servers
IRQTable – IRQ Table
Keyboard – Keyboard
LoadOrderGroup – Load Order Group
LogicalDisk – Logical Disk
MDMDevDetail – Device Information
Memory – Memory
Modem – Modem
Motherboard – Motherboard
NAPClient – NAP Client
NAPSystemHealthAgent – NAP System Health Agent
network adapter – Network Adapter
NetworkAdapterConfiguration – Network Adapter Configuration
NetworkClient – Network Client
NetworkLoginProfile – Network Login Profile
NTEventlogFile – NT Eventlog File
Office365ProPlusConfigurations – Office 365 ProPlus Configurations
OperatingSystem – Operating System
OperatingSystemRecoveryConfiguration – Operating System Recovery Configuration
OptionalFeature – Optional Feature
OS – Basic information about the operating system
PageFileSetting – Page File Setting
parallel port – Parallel Port
Partition – Disk Partitions
PCMCIA controller – PCMCIA Controller
physical memory – Physical Memory
PNPDEVICEDRIVER – PNP Device Driver
pointing device – Pointing Device
portable battery – Portable Battery
Ports – Ports
PowerCapabilities – Power Capabilities
PowerClientOptOutSettings – Power Management Exclusion Settings
PowerConfigurations – Power Configuration
PowerManagementDaily – Power Management Daily Data
PowerManagementInsomniaReasons – Power Insomnia Reasons
PowerManagementMonthly – Power Management Monthly Data
power setting – Power Settings
PrinterConfiguration – Printer Configuration
PrinterDevice – Printer Device
print jobs – Print Jobs
Process – A process on an operating system
Processor – Processor
ProtectedVolumeInformation – Protected Volume Information
Protocol – Protocol
QuickFixEngineering – Quick Fix Engineering
Registry() – All values for a specific registry key
SCSI controller – SCSI Controller
SerialPortConfiguration – Serial Port Configuration
serial port – Serial Ports
ServerFeature – Server Feature
Service – Service on a computer system running Windows
Services – Services
Shares – Shares
SMBConfig – SMB Configuration of a device
SMSAdvancedClientPorts – Configuration Manager Client Ports
SMSAdvancedClientSSLConfigurations – Configuration Manager Client SSL Configurations
SMSAdvancedClientState – Configuration Manager Client State
SMSDefaultBrowser – Default Browser
SMSSoftwareTag – Software Tag
SMSWindows8Application – Windows app
SMSWindows8ApplicationUserInfo – Windows app User Info
SoftwareShortcut – Software Shortcut
SoftwareUpdate – A software update is applicable but not installed on the device
SoundDevices – Sound Devices
SWLicensingProduct – Software Licensing Product
SWLicensingService – Software Licensing Service
SystemAccount – System Account
SystemConsoleUsage – System Console Usage
SystemConsoleUser – System Console User
SystemDevices – System Devices
SystemDrivers – System Drivers
SystemEnclosure – System Enclosure
TapeDrive – Tape Drive
TimeZone – Time Zone
TPM – TPM
TPMStatus – TPM Status
TSIssuedLicense – TS Issued License
TSLicenseKeyPack – TS License Key Pack
UninterruptiblePowerSupply – Uninterruptible Power Supply
USB controller – USB Controller
USB device – USB Device
User – A user account with an active connection to the device
USMFolderRedirectionHealth – Folder Redirection Health
USMUserProfile – User Profile Health
video controller – Video Controller
VirtualMachine – Virtual Machine
VirtualMachine64 – Virtual Machine (64)
Volume – Volume
WindowsUpdate – Windows Update
WindowsUpdateAgentVersion – Windows Update Agent Version
WriteFilterState – Write Filter State

Author

Anoop C Nair is a Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
