MEMCM Client Health integrated product pack
Integrated Product Pack used to create the MEMCM Client Health policy.
For more information please refer to Guaranteed State - MEMCM Client Health Policy.
Overview
Many businesses rely on Microsoft Endpoint Manager Configuration Manager (MEMCM) to deploy software, patches and updates across their company networks. It is crucial that Configuration Manager is working effectively.
The MEMCM Client Health policy monitors Configuration Manager client health and performance. It checks for cache availability, inventory cycles, service availability and Configuration Manager WMI integrity - common causes of Configuration Manager client problems on devices.
The MEMCM Client Health policy replaces the previous SCCM Client Health policy and covers the following:
Ensure the correct version of the CM client is installed and running and assigned to the correct site
Ensure the CM client is not stuck in provisioning mode
Ensure that heartbeat discovery, inventory and state messages are being sent regularly
Ensure the CM client cache is set to the correct size
Ensure the CM client log settings are correct
Ensure the BITS service exists, is configured to start up automatically and is running
Ensure the Windows Time service exists with correct startup settings
Ensure the Windows Management Instrumentation (WMI) service exists, is configured to start automatically and is running
Ensure WMI is healthy, the core CIMv2 and ccm namespaces and classes exist and that the WMI repository is consistent
Ensure the Windows Update service exists with correct startup settings, is configured to use the correct source (CM, WSUS or Microsoft Update) and that the service can connect to the source.
Note
This policy is intended for deployment to Windows devices only.
Instructions
This product pack contains no instructions.
Policies
The following table shows the policies included in the Integrated Product Pack.
| Name | Description |
|---|---|
| | The MEMCM (Microsoft Endpoint Manager - Configuration Manager) Client Health policy ensures that the MEMCM client and surrounding technologies are healthy. |
Rules
Note
The following table shows the rules included in the above policy. Any parameter values shown in the Check and Fix fragments, Triggers and Precondition fragment columns are specifically set in the rules when the pack is uploaded. These may be different to the default values shown in the Fragments table. You can modify these if required.
| Name | Type | Description | Check and Fix fragments | Triggers | Precondition fragment |
|---|---|---|---|---|---|
| | Fix | Ensure the client is assigned to the right site. Assign it if it isn't. | | Periodic (24 hours) | 1E-GuaranteedState-Precondition-Multiple |
| | Fix | Ensure the MEMCM client cache is set to the right size. Set it if it isn't. | | Periodic (24 hours) | |
| | Check(1) | Ensure the default CCM class exists in WMI. | | Periodic (24 hours) | |
| | Fix | Ensure the client is not stuck in provisioning mode. Turn it off if it is. | | Periodic (24 hours) | |
| | Check | Ensure that a data discovery record (DDR) is being sent regularly. | | Periodic (24 hours) | |
| | Check | Ensure that file collection is being sent regularly. | | Periodic (24 hours) | |
| | Check | Ensure that hardware inventory is being sent regularly. | | Periodic (24 hours) | |
| | Check | Ensure that IDMIF collection is being sent regularly. | | Periodic (24 hours) | |
| | Check | Ensure the MEMCM client log settings are set to the right values. | | Periodic (24 hours) | |
| | Check(1) | Ensure the MEMCM (CCM) namespace exists in WMI. | | Periodic (24 hours) | |
| | Check | Ensure that software inventory is being sent regularly. | | Periodic (24 hours) | |
| | Check | Ensure that state messages are being sent regularly. | | Periodic (24 hours) | |
| | Check(1) | Ensure the right version of the client is installed. | | Periodic (24 hours) | |
| | Check | Check the FQDN matches DNS by looking up the primary IPv4 address in DNS. | | Periodic (24 hours) | |
| | Fix | Ensure that the BITS (Background Intelligent Transfer Service) service is set to Automatic (Delayed Start). Set it if not. | 1E-GuaranteedState-Check-Service-StartType, 1E-GuaranteedState-Fix-Service-SetStartTypeAutomaticDelayedStart | Periodic (24 hours) | |
| | Check | Ensure that the BITS (Background Intelligent Transfer Service) service exists. | | Periodic (24 hours) | |
| | Fix | Ensure that the BITS (Background Intelligent Transfer Service) service is running. Start it if it isn't. | | Service Status Change | |
| | Fix | Ensure that the ccmexec (SMS Agent Host) service is set to Automatic (Delayed Start). Set it if not. | 1E-GuaranteedState-Check-Service-StartType, 1E-GuaranteedState-Fix-Service-SetStartTypeAutomaticDelayedStart | Periodic (24 hours) | |
| | Check(1) | Ensure that the ccmexec (SMS Agent Host) service exists. | | Periodic (24 hours) | |
| | Fix | Ensure that the ccmexec (SMS Agent Host) service is running. Start it if it isn't. | | Service Status Change | |
| | Check | Ensure that the W32Time (Windows Time) service exists. | | Periodic (24 hours) | |
| | Fix | Ensure that the W32Time (Windows Time) service is set to manual. Set it to manual if it's not. | | Periodic (24 hours) | |
| | Check | Ensure that the W32Time (Windows Time) service is set to trigger start. | | Periodic (24 hours) | |
| | Fix | Ensure that the Winmgmt (Windows Management Instrumentation) service is set to automatic. Set it to automatic if it's not. | | Periodic (24 hours) | |
| | Check | Ensure that the Winmgmt (Windows Management Instrumentation) service exists. | | Periodic (24 hours) | |
| | Fix | Ensure that the Winmgmt (Windows Management Instrumentation) service is running. Start it if it isn't. | | Service Status Change | |
| | Check(2) | Ensure that the wuauserv (Windows Update) service exists. | | Periodic (24 hours) | |
| | Fix | Ensure that the wuauserv (Windows Update) service is set to manual. Set it to manual if it's not. | | Periodic (24 hours) | |
| | Check | Ensure that the wuauserv (Windows Update) service is set to trigger start. | | Periodic (24 hours) | |
| | Check | Ensure the connection to Windows Update is OK. | | Periodic (24 hours) | |
| | Check | Ensure the connection to Windows Update is using the right source (Configuration Manager, WSUS, Microsoft Update). | | Periodic (24 hours) | |
| | Check | Ensure the default (cimv2) namespace exists in WMI. | | Periodic (24 hours) | |
| | Fix | Ensure the WMI repository is consistent. Salvage the repository or (optionally) reset it if inconsistent. | | Periodic (24 hours) | |
| | Check | Ensure the default Win32_ComputerSystem class exists in WMI. | | Periodic (60 min) | |
Fragments
Note
The Parameters column in the following table shows the ranges and default values for the parameters. The default values are used when you create custom rules using these fragments, unless you select alternative values.
Fragments used in MEMCM Client Health Policy rules
The following fragments are used by the rules defined above in the MEMCM Client Health policy.
| Name | Type | Readable Payload and summary | Parameters |
|---|---|---|---|
| | Check | Check the CM client has been assigned to site %SiteCode% | SiteCode: Check to see if the MEMCM client is assigned to this site code |
| | Check | Check the CM cache size is between %MinMB% and %MaxMB% | MinMB: The cache size should be at least this big (in Megabytes). MaxMB: The cache size should be at most this big (in Megabytes). |
| | Check | Check the CM ClientProvisioningMode is set to %TrueFalse% | TrueFalse: True represents client provisioning ON, False represents client provisioning OFF |
| | Check | Check the CM client has sent a DDR (Data Discovery Record) within the last %Days% days | Days: Look for DDRs sent back in this number of days |
| | Check | Check the CM client has performed a file collection within the last %Days% days | Days: Look for file collection sent back in this number of days |
| | Check | Check the CM client logging is configured with %Loglevel%, %MaxSize%, %MaxHistoryFiles% and %DebugLogging% settings | LogLevel: The logging level. Valid Values: Verbose, Normal, None. MaxSize: The maximum size (in Bytes) that the MEMCM logs may grow before rolling over. MaxHistoryFiles: The number of incremented log files to accumulate before deleting. DebugLogging: True means debug logging should be on, False means it should be off. |
| | Check | Check the CM client has sent hardware inventory within the last %Days% days | Days: Look for hardware inventory data sent back in this number of days |
| | Check | Check the CM client has performed an IDMIF collection within the last %Days% days | Days: Look for IDMIFs sent back within this number of days |
| | Check | Check the CM client has sent software inventory within the last %Days% days | Days: Look for software inventory data sent back within this number of days |
| | Check | Check the CM client has sent state messages within the last %Days% days | Days: Look for state messages sent back within this number of days |
| | Check | Check the Device FQDN matches the value from DNS. Take the primary IP address for the default route and look it up in DNS. Make sure the FQDN from device summary matches the FQDN returned from DNS. | |
| | Check | Check that %ServiceName% service exists | ServiceName: Shortname of the service |
| | Check | Check that %ServiceName% start type is %StartType% | ServiceName: Shortname of the service. StartType: The startup setting for the service. Valid Values: |
| | Check | Check the %ServiceName% service is in %State% state. For completeness, all valid service states are included. Realistically, however, making a precondition out of transition states like isn't a very good idea as a service will only be in that state for a very short time. | ServiceName: Shortname of the service. State: The state the service should be in. Valid Values: |
| | Check | Check the %ServiceName% service is set to start on a trigger. The actual trigger is not checked or reported. | ServiceName: Shortname of the service |
| | Check | Check for the existence of %Publisher% %Product% with version %VersionDesiredResult% than %VersionToCompare%. Checks if the specified Publisher and Product is installed and that the version is lower, same or higher than the target (VersionToCompare). | Publisher: Check for this publisher name. Product: Check for this product name. VersionToCompare: The software product version to use as the comparison. DEFAULT: 0. VersionDesiredResult: The outcome that's desired when the software product version is compared to VersionToCompare. Valid values: DEFAULT: SameOrHigher |
| | Check | Check that the client can connect to the configured Windows Update source | |
| | Check | Check Windows Update agent is configured to use %Source% as source. If Source is set to % (Default) this will check each of the sources and pass with the first one that succeeds. | Source: The Windows Update source (% wildcard accepted). Valid Values: DEFAULT: % |
| | Check | Check that WMI %Class% exists in %Namespace% | Namespace: The WMI namespace to check existence (ROOT\cimv2 for example). Class: The WMI class that should exist in specified namespace. |
| | Check | Check that WMI %Namespace% exists | Namespace: The WMI namespace to check existence (ROOT\cimv2 for example) |
| | Check | Check that the WMI repository is consistent. Runs winmgmt.exe /verifyrepository and fails if 'is not consistent' appears in the returned result. | |
| | Fix | Set CM assigned site to %SiteCode%. Namespace: ROOT\CCM, Class: SMS_CLIENT, Method: SetAssignedSite, sSiteCode: %SiteCode% | SiteCode: Assign the client to this site code |
| | Fix | Set CM client cache size to %MaxMB% MB. Com Object: UIResource.UIResourceMgr.GetCacheInfo().TotalSize | MaxMB: The cache size should be at least this size (in MB). DEFAULT: 5120 |
| | Fix | Set MEMCM client provisioning mode to %TrueFalse%. Namespace: ROOT\CCM, Class: SMS_CLIENT, Method: SetClientProvisioningMode, bEnable: <true/false> | TrueFalse: True sets client provisioning mode to ON, False sets client provisioning mode to OFF. DEFAULT: False. Valid Values: True, False |
| | Fix | Set %ServiceName% service to Automatic start type and confirm change within %Timeout% seconds | ServiceName: The name of the service on which we want to operate. Timeout: The maximum number of seconds to wait for the fix to enforce the correct state before considering it "fixed" or not. DEFAULT: 15 |
| | Fix | Set %ServiceName% service to Automatic (Delayed Start) start type and confirm change within %Timeout% seconds | ServiceName: The name of the service on which we want to operate. Timeout: The maximum number of seconds to wait for the fix to enforce the correct state before considering it "fixed" or not. DEFAULT: 15 |
| | Fix | Set %ServiceName% service to Manual start type and confirm change within %Timeout% seconds | ServiceName: The name of the service on which we want to operate. Timeout: The maximum number of seconds to wait for the fix to enforce the correct state before considering it "fixed" or not. DEFAULT: 15 |
| | Fix | Start %ServiceName% service and confirm as started within %Timeout% seconds | ServiceName: The name of the service on which we want to operate. Timeout: The maximum number of seconds to wait for the fix to enforce the correct state before considering it "fixed" or not. DEFAULT: 15 |
| | Fix | Fix the consistency of the WMI Repository and ResetRepository command if %ResetRepository%=True. SALVAGE: winmgmt /salvagerepository. RESET: (optional) winmgmt /resetrepository | ResetRepository: True will reset the WMI repository (only if salvage fails), False will only try to salvage |
| | PreCondition | Multiple checks using specified parameters %1EClientVersionToCompare% %1EClientVersionDesiredResult% %DeviceChassisTypeList% %DeviceCpuTypeList% %DeviceDomainList% %DeviceFqdnList% %DeviceManufacturerList% %DeviceModelList% %DeviceRamMBMin% %DeviceRamMBMax% %DeviceTimeZoneOffsetList% %DirectoryExists% %DirectoryName% %DnsLookupFqdnList% %FileNameExists% %FileName% %OsTypeList% %OsArchitectureList% %ProcessExists% %ProcessExecutableList% %QuarantineStatus% %RegistryExists% %RegistryHive% %RegistryKey% %RegistryValue% %RegistryData% %ServiceExists% %ServiceName% %ServiceStartAccountName% %ServiceStartType% %ServiceState% %ServiceTriggerStart% %ServiceType% %SoftwareExists% %SoftwareProduct% %SoftwarePublisher% %SoftwareVersionToCompare% %SoftwareVersionDesiredResult% %WindowsUpdateSource% %WmiNamespace% %WmiClass% %WmiColumn% %WmiWhereClause% %WmiVersionToCompare% %WmiDesiredResult%. Most parameters will be ignored if % is entered so they don't take up any resources trying to look up a precondition on something that isn't relevant. The default values for the parameters will do this. In other words, if you don't want to search for a precondition on something like a directory, leave its parameters at their defaults and it will skip the search for that. | 1E Client... 1EClientVersionToCompare: The version to use as the comparison. DEFAULT: 0. 1EClientVersionDesiredResult: The outcome that's desired when the 1E Client Version is compared to the passed in version. DEFAULT: Same or Higher. Device details... DeviceChassisTypeList: A semi-colon separated list of acceptable ChassisType values (% wildcards are acceptable within each item). DEFAULT: %. DeviceCpuTypeList: A semi-colon separated list of acceptable CpuType values (% wildcards are acceptable within each item). DEFAULT: %. DeviceDomainList: A semi-colon separated list of acceptable Domain values (% wildcards are acceptable within each item). DEFAULT: %. DeviceFqdnList: A semi-colon separated list of acceptable Fqdn values (% wildcards are acceptable within each item). DEFAULT: %. DeviceManufacturerList: A semi-colon separated list of acceptable Manufacturer values (% wildcards are acceptable within each item). DEFAULT: %. DeviceModelList: A semi-colon separated list of acceptable Model values (% wildcards are acceptable within each item). DEFAULT: %. DeviceRamMBMin: The minimum amount of RAM (in MB) a device should have. DEFAULT: 0. DeviceRamMBMax: The minimum amount of RAM (in MB) a device should have. DEFAULT: 9223372036854775807. DeviceTimeZoneOffsetList: A semi-colon separated list of acceptable time zone offsets. Directory and File... DirectoryExists: Exists if the directory should exist, Doesn't Exist if the directory shouldn't exist. DEFAULT: %. DirectoryName: The name of the directory to check for existence. DEFAULT: %. FileNameExists: Exists if the file should exist, Doesn't Exist if the file shouldn't exist. DEFAULT: Exists. FileName: The name of the file to check for existence. DEFAULT: %. DNS... DnsLookupFqdnList: A semi-colon separated list of acceptable Fqdns that have been looked up in DNS by the device. DEFAULT: %. Operating System... OsArchitectureList: A semi-colon separated list of acceptable OS Architectures. DEFAULT: %. OsTypeList: A semi-colon separated list of acceptable OS Types. DEFAULT: %. Process... ProcessExists: Exists if the process should exist, Doesn't Exist if the process shouldn't exist. DEFAULT: Exists. ProcessExecutableList: A semi-colon separated list of acceptable processes. DEFAULT: %. Quarantine... QuarantineStatus: Quarantined if the device should be quarantined, NotQuarantined if the device should not be quarantined. DEFAULT: %. Registry Key... RegistryExists: Exists if the registry key should exist, Doesn't Exist if the registry key should not exist. DEFAULT: Exists. RegistryHive: The registry hive in which the registry key should exist. Valid Values: DEFAULT: %. RegistryKey: The registry key to find in the specified hive. DEFAULT: %. RegistryValue: Exists if the registry key value should exist, Doesn't Exist if the registry key value should not exist. DEFAULT: Exists. RegistryData: Exists if the registry key value data should exist, Doesn't Exist if the registry key value data should not exist. DEFAULT: Exists. Service... ServiceExists: Exists if the registry key value data should exist, Doesn't Exist if the registry key value data should not exist. DEFAULT: Exists. ServiceName: The short name of the service. DEFAULT: %. ServiceStartAccountName: The account name under which the service starts. DEFAULT: %. ServiceStartType: The start type of the service. Valid Values: DEFAULT: %. ServiceState: The state the service should be in. Valid Values: DEFAULT: %. ServiceTriggerStart: Is the service set to TriggerStart. Valid Values: DEFAULT: %. ServiceType: The type of service (use {none} to match null/empty value). Valid Values: DEFAULT: %. Software... SoftwareExists: Exists if the software should exist, Doesn't Exist if the software shouldn't exist. DEFAULT: Exists. SoftwareProduct: Check for this product name. DEFAULT: %. SoftwarePublisher: Check for this publisher name. DEFAULT: %. SoftwareVersionToCompare: The software product version to use as the comparison. DEFAULT: 0. SoftwareVersionDesiredResult: The outcome that's desired when the software product version is compared to SoftwareVersionToCompare. Valid values: DEFAULT: SameOrHigher. Windows Update... WindowsUpdateSource: The source to check for Windows Update connectivity. Valid Values: DEFAULT: %. WMI... WmiNamespace: The WMI namespace to check existence (ROOT\cimv2 for example). WmiClass: The WMI class that should exist in specified namespace (ignored if %). WmiWhereClause: The WHERE clause to use when querying this class (use {none} for no filter). WmiColumn: The column name from querying the class which holds a version string. WmiVersionToCompare: The software product version to use as the comparison. DEFAULT: 0. WmiVersionDesiredResult: The outcome that's desired when the software product version is compared to SoftwareVersionToCompare. Valid values: DEFAULT: SameOrHigher |
Spare fragments
The following fragments are included in the MEMCM Client Health Integrated Product Pack but are not used in any predefined rules. You can use these in rules that you create or modify in any policy.
Name | Type | Readable Payload and summary | Parameters | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Check | Check that the CM certificate is in the certificate store by looking in the CM client logs located in %MEMCMLogsDirectory% This checks the ClientIDManagerStartup.log for "Failed to find the certificate in the store" error messages, which indicates the CM client certificate is likely missing. | MEMCMLogsDirectory The full path to the MEMCM client logs directory (%Environment% variables accepted) | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Check | Check that the CM client has sent data back within the last %Days% days. This checks to see if hardware inventory, software inventory, DDRs or IDMIFs have been sent anytime in the past %Days% days. | Days Look for client messages sent back in this number of days | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Check | Check that the CM client has checked for machine policy within the last %Days% days | Days Look for machine policy validated within this number of days | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Check | Check that the CM client has checked for user policy within the last %Days% days | Days Look for user policy validated within this number of days | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
FIx | Install the CM client using CCMSETUP.EXE from %CcmSetupFileUrl% having size %CcmSetupFileSize% and hash %CcmSetupFileHash% with command line options %SourceList%, %MpList%, %RetryMinutes%, %ServiceNoService%, %InstallUninstall%, %Logon%, %ForceReboot%, %BITSPriority%, %DownloadTimeout%, %UsePKICert%, %NoCRLCheck%, %ConfigFile%, %SkipPrereqFileList%, %ForceInstall%, %ExcludeFeaturesList%, %CcmSetupMsiProperties%, %ClientMsiProperties% This is essentially a front-end for the ccmsetup.exe installation parameters found in Microsoft Documentation. See https://docs.microsoft.com/en-us/configmgr/core/clients/deploy/about-client-installation-properties for more information about the installation parameters. | Expand parameters... CcmSetupFileUrlEither the full HTTP or HTTPS URL path to the ccmsetup.exe file on a web server or the relative path to be appended to the Content directory under the background channel URL DEFAULT: ccmsetup.exe CcmSetupFileSizeThe size of the ccmsetup.exe file in bytes DEFAULT: 4099328 CcmSetupFileHash The SHA256 hash of the ccmsetup.exe file DEFAULT: ab85f58b0cc257d25628384b0ec8fab1f9e15ca2b110a1e425e86e56b47ebde1 SourceList A semicolon ; delimited list of download locations for setup media DEFAULT: {none} MpList A semicolon ; delimited list of management points or cloud management gateway DEFAULT: {none} RetryMinutes The retry interval in minutes to retry setup if it fails to download installation files. 
-1 to ignore this parameter DEFAULT: -1 ServiceNoServiceTells setup to install as a service or no service DEFAULT: Service Valid Values: Service NoService InstallUninstall Tell setup to install or uninstall the client DEFAULT: Install Valid Values: Install Uninstall Logon If any version of the client is already installed, install will stop DEFAULT: False Valid Values: True False ForceReboot Setup should force the client to reboot if necessary to complete installation Valid Values: True False BITSPriority Download priority when client installation files are downloaded over HTTP connection DEFAULT: Normal Valid Values: Foreground High Normal Low DownloadTimeout Length of time in minutes that setup tries to download the installation files before stopping DEFAULT: 1440 UsePKICert Uses a PKI cert that includes client authentication, if available. If can't find a valid cert, it uses HTTP with self-signed cert. DEFAULT: False Valid Values: True False NoCRLCheck Client won't check the cert revocation list when it uses HTTPS with PKI cert DEFAULT: False Valid Values: True False ConfigFile The name of a text file that lists client installation properties DEFAULT: {none} SkipPrereqFileList A semicolon ; delimited list of prerequisite files that will be skipped during install DEFAULT: {none} ForceInstall Uninstall any existing client and install a new client DEFAULT: False Valid Values: True False ExcludeFeaturesList Do not install the semicolon ; delimited list of features (ClientUI is supported) when installing the client DEFAULT: {none} Valid Values: ClientUI CcmSetupMsiProperties Properties that modify the installation behavior of ccmsetup.msi DEFAULT: {none} ClientMsiProperties Properties that modify the installation behavior of client.msi DEFAULT: {none} | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM Application manager global evaluation action Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000123} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM Application manager policy action Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000121} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM Application manager user policy action Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000122} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM branch distribution point maintenance task Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000109} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM clearing proxy settings cache action Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000037} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM client machine authentication action Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000012} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM data discovery record action Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000001} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM discovery data collection cycle Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000103} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM Endpoint Protection Antimalware policy reevaluation Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000222} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM Endpoint Protection deployment reevaluation Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000221} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM external event detection Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000223} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM file collection Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000010} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM file collection cycle Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000104 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM hardware inventory Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000001} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke MEMCM hardware inventory collection cycle Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000101} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM IDMIF collection Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000011} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM IDMIF collection cycle Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000105} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
FIx | Invoke CM client Location Services refresh locations task Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000024} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM client Location Services timeout refresh action Namespace: ROOT\CCM Class: SMS_CLIENT Method: TriggerSchedule ScheduleId: {00000000-0000-0000-0000-000000000025} | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Fix | Invoke CM machine policy agent cleanup action. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000040} | |
Fix | Invoke CM machine policy assignments request. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000021} | |
Fix | Invoke CM machine policy evaluation. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000022} | |
Fix | Invoke CM peer DP pending package check schedule. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000062} | |
Fix | Invoke CM peer DP status reporting. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000061} | |
Fix | Invoke CM User policy evaluation. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000027} | |
Fix | Invoke CM User policy request. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000026} | |
Fix | Invoke CM machine policy / assignment validation. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000042} | |
Fix | Invoke CM user policy / assignment validation. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000043} | |
Fix | Invoke CM power management start summarizer. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000131} | |
Fix | Invoke CM refresh default MP task. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000023} | |
Fix | Invoke CM retrying/refreshing certificates in AD on MP. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000051} | |
Fix | Invoke CM scan by update source. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000113} | |
Fix | Invoke CM client %Schedule% action. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: <ScheduleID> | Schedule: The MEMCM client schedule (client action) to trigger. Valid Values: Select a name from the table in the Summary column. These are presented as a dropdown in the UI. The string values are converted to the ScheduleID required by the WMI method. |
Fix | Invoke CM send unsent state message action. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000111} | |
Fix | Invoke CM software inventory action. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000002} | |
Fix | Invoke CM software inventory collection cycle. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000102} | |
Fix | Invoke CM software metering generate usage report action. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000031} | |
Fix | Invoke CM software metering usage report cycle. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000106} | |
Fix | Invoke CM software updates assignments evaluation cycle. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000108} | |
Fix | Invoke CM source update message. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000032} | |
Fix | Invoke CM state system policy bulk send high. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000115} | |
Fix | Invoke CM state system policy bulk send low. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000116} | |
Fix | Invoke CM state system policy cache cleanout. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000112} | |
Fix | Invoke CM Software Updates install schedule. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000063} | |
Fix | Invoke CM update store policy. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000114} | |
Fix | Invoke CM user policy agent cleanup. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000041} | |
Fix | Invoke CM Windows Installer source list update cycle. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: TriggerSchedule; ScheduleId: {00000000-0000-0000-0000-000000000107} | |
Fix | Refresh CM server compliance state. COM Object: Microsoft.CCM.UpdatesStore.RefreshServerComplianceState() | |
Fix | Reset CM policy. Namespace: ROOT\CCM; Class: SMS_CLIENT; Method: ResetPolicy; uFlags: <see list below>
| ResetOption: Valid values
These are presented as a dropdown in the UI and converted to the numeric value required by the WMI method. |
Fix | Completely reset Windows Update from scratch (Experimental). Process mostly inspired by https://gallery.technet.microsoft.com/Reset-WindowsUpdateps1-e0c5eb78 and tweaked a little to be more forceful. Process also inspired by https://www.definit.co.uk/2012/02/powershell-recursively-taking-ownership-of-files-and-folders-and-adding-permissions-without-removing-existing-permissions/ Warning: This is a very destructive and involved process. It should only be used as a last resort to fix a broken Windows Update system. The machine will be somewhat unusable until it is rebooted and should be rebooted right away. Many different and unrelated apps may throw odd and misleading errors until the reboot happens. General process:
| |
PreCondition | Checks for the existence of the 1E client with version lower, same or higher (%DesiredResults%) than %VersionToCompare%. | VersionToCompare: A version number to compare against the installed 1E Client version number. Examples: 5, 5.0, 5.0.0, 5.0.0.745. DEFAULT: 0. DesiredResults: The outcome that's desired when actual version is compared to passed in version. DEFAULT: SameOrHigher. Valid values:
|
PreCondition | Check the CM client is assigned to %SiteCode% | SiteCode: Check to see if the MEMCM client is assigned to this site code |
PreCondition | Check the CM cache size is between %MinMB% and %MaxMB% | MinMB: The cache size should be at least this big (in Megabytes). MaxMB: The cache size should be at most this big (in Megabytes) |
PreCondition | Check the CM certificate is in the certificate store by checking CM log files in %MEMCMLogsDirectory%. This checks the ClientIDManagerStartup.log for "Failed to find the certificate in the store" error messages, which indicates the CM client certificate is likely missing. | MEMCMLogsDirectory: The full path to the MEMCM client logs directory (%Environment% variables accepted) |
PreCondition | Check the CM client has sent data back within the last %Days% days. This checks to see if hardware inventory, software inventory, DDRs or IDMIFs have been sent anytime in the past %Days% days. | Days: Look for client messages sent back in this number of days |
PreCondition | Check if the CM ClientProvisioningMode is set to %TrueFalse% | TrueFalse: True represents client provisioning ON, False represents client provisioning OFF |
PreCondition | Check the CM client has sent a DDR (Data Discovery Record) within the last %Days% days | Days: Look for DDRs sent back in this number of days |
PreCondition | Check the CM client has performed a file collection within the last %Days% days | Days: Look for file collection sent back in this number of days |
PreCondition | Check the CM client logging is configured with %LogLevel%, %MaxSize%, %MaxHistoryFiles% and %DebugLogging% settings. Configuration: %LogLevel% %MaxSize% %MaxHistoryFiles% %DebugLogging% | LogLevel: The logging level. Valid Values: Verbose, Normal, None. MaxSize: The maximum size (in Bytes) that the MEMCM logs may grow before rolling over. MaxHistoryFiles: The number of incremented log files to accumulate before deleting. DebugLogging: True means debug logging should be on, False means it should be off |
PreCondition | Check the CM client has sent hardware inventory within the last %Days% days | Days: Look for hardware inventory data sent back in this number of days |
PreCondition | Check the CM client has performed an IDMIF collection within the last %Days% days | Days: Look for IDMIFs sent back within this number of days |
PreCondition | Check the CM client has checked for machine policy within the last %Days% days | Days: Look for machine policy validated within this number of days |
PreCondition | Check the CM client has sent software inventory within the last %Days% days. | Days: Look for software inventory data sent back within this number of days |
PreCondition | Check the CM client has sent status messages within the last %Days% days. | Days: Look for status messages sent back within this number of days |
PreCondition | Check the CM client has checked for user policy within the last %Days% days | Days: Look for user policy validated within this number of days |
PreCondition | Check the %Executable% process exists (is running) | Executable: The name of the executable that should be running |
PreCondition | Check the %ServiceName% service exists | ServiceName: Shortname of the service |
PreCondition | Check for the existence of %Publisher% %Product% with version %VersionDesiredResult% than %VersionToCompare%. Checks if the specified Publisher and Product is installed and that the version is lower, same or higher than the target (VersionToCompare) | Publisher: Check for this publisher name. Product: Check for this product name. VersionToCompare: The software product version to use as the comparison. DEFAULT: 0. VersionDesiredResult: The outcome that's desired when the software product version is compared to SoftwareVersionToCompare. Valid values:
DEFAULT: SameOrHigher |
PreCondition | Check that the Windows Update connection is OK | |
PreCondition | Check that the connection to the %Source% Windows Update source is OK | Source: The Windows Update source (% wildcard accepted). Valid Values:
DEFAULT: % |
PreCondition | Check that a Windows Update connection is OK for %SourceId% | SourceId: The identity of the source of updates. E.g. for a ' |
PreCondition | Check if the value of the WMI attribute defined by %Namespace%, %Class%, %ColumnName% (and optional %WhereClause%) is a version number (e.g. 7.2.5.612) that is lower, higher or the same (defined by %DesiredResult%) as %VersionToCompare% | Namespace: The WMI namespace to check existence (ROOT\cimv2 for example). Class: The WMI class that should exist in specified namespace (ignored if %). WhereClause: The WHERE clause to use when querying this class (use {none} for no filter). ColumnName: The column name from querying the class which holds a version string. VersionToCompare: The software product version to use as the comparison. DEFAULT: 0. DesiredResult: The outcome that's desired when the software product version is compared to SoftwareVersionToCompare. Valid values:
DEFAULT: SameOrHigher |
PreCondition | Check for the existence of WMI %Class% in %NameSpace% | Namespace: The WMI namespace to check existence (ROOT\cimv2 for example). Class: The WMI class that should exist in specified namespace (ignored if %) |
PreCondition | Check for any data returned from specified WMI %Class% and %Namespace% using (optional) %WhereClause% and %ColumnList% | Namespace: The WMI namespace to check existence (ROOT\cimv2 for example, ignored if %). Class: The WMI class that should exist in specified namespace (ignored if %). WhereClause: The WHERE clause to use when querying this class (use {none} for no filter). ColumnList: A list of columns to select from the WMI class (use {all} for all columns) |
PreCondition | Check for the existence of WMI %Namespace% | Namespace: The WMI namespace to check existence (ROOT\cimv2 for example) |
PreCondition | Check that the WMI repository is consistent. Runs winmgmt.exe /verifyrepository and fails if 'is not consistent' appears in the returned result | |
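The PreCondition and Fix rows above can be reproduced by hand when troubleshooting a single device. The following PowerShell is an added example, not code from the product pack: it runs the WMI repository and class checks first and only then calls TriggerSchedule with two ScheduleIds taken from the table. The function names and the allow-list variable are hypothetical, and an elevated session on a device with the CM client installed is assumed.

```powershell
#Requires -RunAsAdministrator
# Added illustration; function and variable names are hypothetical.

function Test-WmiRepositoryConsistent {
    # Same test as the PreCondition row: fail when 'is not consistent'
    # appears in the output of winmgmt.exe /verifyrepository.
    $exe = Join-Path $env:SystemRoot 'System32\wbem\winmgmt.exe'
    $output = (& $exe /verifyrepository 2>&1 | Out-String)
    return ($output -notmatch 'is not consistent')
}

function Test-CcmClientClass {
    # SMS_Client must exist in ROOT\CCM before its methods can be invoked.
    try {
        $null = Get-CimClass -Namespace 'ROOT\CCM' -ClassName 'SMS_Client' -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

# Allow-list of client actions, copied from the Fix rows in the table.
$AllowedSchedules = [ordered]@{
    'Machine policy assignments request' = '{00000000-0000-0000-0000-000000000021}'
    'Machine policy evaluation'          = '{00000000-0000-0000-0000-000000000022}'
}

function Invoke-CcmSchedule {
    param([Parameter(Mandatory)][string]$Name)
    # Refuse anything that is not on the allow-list instead of passing
    # arbitrary strings to the WMI method.
    if (-not $AllowedSchedules.Contains($Name)) {
        throw "Schedule '$Name' is not on the allow-list."
    }
    Invoke-CimMethod -Namespace 'ROOT\CCM' -ClassName 'SMS_Client' `
        -MethodName 'TriggerSchedule' `
        -Arguments @{ sScheduleID = $AllowedSchedules[$Name] } -ErrorAction Stop
}

if (-not (Test-WmiRepositoryConsistent)) {
    throw 'WMI repository is not consistent; repair WMI before triggering client actions.'
}
if (-not (Test-CcmClientClass)) {
    throw 'ROOT\CCM:SMS_Client not found; the CM client or its WMI registration is missing.'
}
foreach ($name in $AllowedSchedules.Keys) {
    Invoke-CcmSchedule -Name $name | Out-Null
    Write-Output "Triggered: $name"
}
```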
Trigger templates
The following table shows the trigger templates included in the Nomad Client Health Integrated Product Pack.
Note
The Parameters column in the following table shows the ranges and default values for the parameters. The default values are used when you create custom rules using these templates, unless you select alternative values.
Name | Readable Payload and summary | Parameters |
---|---|---|
On change of file "<fileName>" When a file changes (Windows only) | File Name
| |
Every <intervalHours> hours Periodic (hours) | Interval Hours
| |
Every <intervalMinutes> minutes Periodic (minutes) | Interval Minutes
| |
Every <intervalSeconds> seconds Periodic (seconds) | Interval Seconds
| |
On crash of process "<executable>" When a process crashes (Windows only). Monitors the Windows Application Event Log for event 1000. Executable is case insensitive but is required to be the whole filename without the folder path, such as unreliableapp.exe. A partial string such as unreliableapp will not trigger on a crash of unreliableapp.exe. | Executable
| |
On launch of process "<executable>" When a process starts (Windows only) Monitors the Windows Security Event Log for event 4688. | Executable
| |
On change of running state of the "<serviceName>" service When the state of the named Windows service changes. You can determine the short name of a service using the PowerShell cmdlet get-service -DisplayName "Network Location Awareness". This will return NlaSvc in the above example. It is this short name you specify in the <ServiceName> parameter. | Service Name
| |
On Windows "<channel>" event log entry matching "<query>" (debounce for <debounce> seconds) When an event log entry is created (Windows only). A channel is an event sink; example standard channel names are Application or Security. To determine the available event channels execute the following PowerShell command: Or to view the event channels on a remote computer: Similarly, to view event log entries for a given channel either use Event Viewer or from PowerShell, for example: Get-EventLog application | where {($_.EntryType -Match "Error") -or ($_.EntryType -Match "Warning")} Or: A query is used to filter the event log messages for a given channel. Examples can be found at https://docs.microsoft.com/en-us/windows/win32/wes/consuming-events. For example, to query all OneNote application crash error log messages: *[System[(Level=2) and (EventID=1000)]] and *[EventData[Data='onenote.exe']] Debounce is a settling period to ensure that in the case of multiple events, only a single event is registered within the space of a given time period. | Channel
Query
Debounce Time Seconds
| |
On change of registry values in "<hive>\<subkey>" (include subkeys=<includeSubkeys>) When the value of a Windows registry key changes. | Hive, which must be one of:
Subkey: free text string, default empty. Include Sub Keys : 1/0 default 0. |
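The event log trigger combines an XPath query with a debounce period. The following PowerShell is an added example, not part of the product pack: it runs the OneNote crash query quoted in the table against the Application channel and collapses bursts of matches. The function name `Select-DebouncedEvent` is hypothetical, the sample timestamps are constructed, and debounce is interpreted here as "register at most one event per period", which is an assumption about the trigger's behaviour.

```powershell
# Added illustration; names are hypothetical and sample data is constructed.

function Select-DebouncedEvent {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][ValidateRange(1, 86400)][int]$DebounceSeconds
    )
    # Walk the events oldest first and keep one only if the debounce period
    # has elapsed since the last event that was kept.
    $lastKept = $null
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        if ($null -eq $lastKept -or
            ($e.TimeCreated - $lastKept).TotalSeconds -ge $DebounceSeconds) {
            $e
            $lastKept = $e.TimeCreated
        }
    }
}

# Constructed sample: six crash events at offsets (seconds) from a start time.
$t0 = Get-Date '2024-01-01T10:00:00'
$sample = 0, 2, 5, 40, 41, 120 | ForEach-Object {
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds($_); Id = 1000 }
}
$kept = @(Select-DebouncedEvent -Events $sample -DebounceSeconds 30)
Write-Output "Sample: $($sample.Count) events, $($kept.Count) registered after debounce"

# Live data: the query from the table, evaluated against the Application channel.
$query = "*[System[(Level=2) and (EventID=1000)]] and *[EventData[Data='onenote.exe']]"
$live = @(Get-WinEvent -LogName 'Application' -FilterXPath $query `
        -MaxEvents 200 -ErrorAction SilentlyContinue)
if ($live.Count -gt 0) {
    Select-DebouncedEvent -Events $live -DebounceSeconds 30 |
        Select-Object TimeCreated, Id, ProviderName
} else {
    Write-Output 'No matching events in the Application channel.'
}
```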