Tenant attach: CMPivot usage overview

Applies to: Configuration Manager (current branch)

CMPivot allows you to quickly assess the state of a device in your environment and take action. When you enter a query, CMPivot will run a query in real time on the currently connected device. The data returned can then be filtered, grouped, and refined to answer business questions, troubleshoot issues in your environment, or respond to security threats. For more information about using CMPivot, see Use CMPivot.

Refine CMPivot queries

When using CMPivot from the Microsoft Intune admin center, ensure your queries are tuned for performance. If you request a query with a data set that is too large, you may receive Error: The query result is too large, retry with additional filters. Refine your query to be more specific if you see this error. The following operators are commonly used to refine queries:

  • Use count if you only need the number of items returned.
  • Use project if you only need specific columns.
  • Use take to return up to the specified number of rows.
  • Use top to return the first N records sorted by specified columns.

Important

When using CMPivot to query a device, if there isn't a response within 10 minutes, the query will time out.

Queries

Queries can be used to search terms, identify trends, analyze patterns, and provide many other insights based on your data. CMPivot uses a subset of the Azure Log Analytics data flow model for the tabular expression statement. The typical structure of a tabular expression statement is a composition of client entities and tabular data operators (such as filters and projections). The composition is represented by the pipe character (|), giving the statement a regular form that visually represents the flow of tabular data from left to right. Each operator accepts a tabular data set "from the pipe", and additional inputs (including other tabular data sets) from the body of the operator, then emits a tabular data set to the next operator that follows:

entity | operator1 | operator2 | ...

In the following example, the entity is CCMRecentlyUsedApplications (a reference to the recently used applications), and the operator is where (which filters out records from its input according to some per-record predicate):

CCMRecentlyUsedApplications | where CompanyName like '%Microsoft%' | project CompanyName, ExplorerFileName, LastUsedTime, LaunchCount, FolderPath
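
The refining operators listed under Refine CMPivot queries, applied to the same entity as the query above. This is an added example, not one of Microsoft's samples: it uses only the columns shown in that query, assumes LastUsedTime compares as a datetime, and the 'AppData' filter and row limits are illustrative values. Run each query on its own.

```kusto
// 1. count: return only the number of records, not the records themselves.
CCMRecentlyUsedApplications
| count

// 2. where + project: filter rows first, then keep only the columns needed.
//    Here: applications outside the Microsoft publisher name that were
//    launched from a path containing 'AppData' (illustrative filter).
CCMRecentlyUsedApplications
| where CompanyName !like '%Microsoft%' and FolderPath like '%AppData%'
| project ExplorerFileName, FolderPath, LastUsedTime

// 3. take: cap the result at a fixed number of rows when any sample will do.
CCMRecentlyUsedApplications
| where LastUsedTime > ago(7d)
| project CompanyName, ExplorerFileName, LastUsedTime
| take 50

// 4. top: return the first N records after sorting, here the 20 most
//    frequently launched applications used in the last 7 days.
CCMRecentlyUsedApplications
| where LastUsedTime > ago(7d)
| project ExplorerFileName, FolderPath, LaunchCount
| top 20 by LaunchCount desc

// 5. summarize: one row per publisher instead of one row per application.
CCMRecentlyUsedApplications
| summarize count() by CompanyName
```

Placing where before project, take, or top keeps the intermediate data set small, which is what avoids the "query result is too large" error.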

Entities

Entities are objects that can be queried from the client. We currently support the following entities:

Entity Description
AadStatus Status of Microsoft Entra ID
Administrators Members of the local administrators group
AppCrash Recent application crash reports
AppVClientApplication AppV Client Application
AppVClientPackage AppV Client Package
AutoStartSoftware Software that starts automatically with, or immediately after, the operating system
BaseBoard BaseBoard
Battery Battery
Bios System BIOS information
BitLocker BitLocker
BitLockerEncryptionDetails BitLocker Encryption Details
BitLockerPolicy BitLocker Policy
BootConfiguration Boot Configuration
BrowserHelperObject Browser Helper Object
BrowserUsage Browser Usage
CcmLog() Lines within 24 hours (by default) from a Ccm Log file
CCMRAX CCM_RAX
CCMRecentlyUsedApplications Recently Used Applications
CCMWebAppInstallInfo Web Applications
CDROM CDROM Drive
ClientEvents Client Events
ComputerSystem Computer System
ComputerSystemEx Computer System Ex
ComputerSystemProduct Computer System Product
ConnectedDevice Connected Device
Connection An active TCP connection in or out of the device
Desktop Desktop
DesktopMonitor Desktop Monitor
Device Basic information about the device
Disk Local storage device information on a computer system running Windows
DMA DMA
DMAChannel DMA Channel
DriverVxD Driver - VxD
EmbeddedDeviceInformation Embedded Device Information
Environment Environment
EPStatus Status of antimalware software on the computer gathered by the Get-MpComputerStatus cmdlet. Supported on Windows 10 and Server 2016, or later with Defender running.
EventLog() Events within 24 hours (by default) from an event log
File() Information about a specific file
FileShare Active file share information
Firmware Firmware
IDEController IDE Controller
InstalledExecutable Installed Executable
InstalledSoftware An application installed on the device
IPConfig Gets network configuration, including usable interfaces, IP addresses, and DNS servers
IRQTable IRQ Table
Keyboard Keyboard
LoadOrderGroup Load Order Group
LogicalDisk Logical Disk
MDMDevDetail Device Information
Memory Memory
Modem Modem
Motherboard Motherboard
NetworkAdapter Network Adapter
NetworkAdapterConfiguration Network Adapter Configuration
NetworkClient Network Client
NetworkLoginProfile Network Login Profile
NTEventlogFile NT Eventlog File
Office365ProPlusConfigurations Office 365 Apps Configurations
OfficeAddin Office add-ins
OfficeClientMetric Office Client Metric
OfficeDeviceSummary Office Device Summary
OfficeDocumentMetric Office document metrics
OfficeDocumentSolution Office Document Solution
OfficeMacroError Office Macro Error
OfficeProductInfo Office Product Info
OfficeVbaRuleViolation Office Vba Rule Violation
OfficeVbaSummary Office VBA scan summary
OperatingSystem Operating System
OperatingSystemEx Operating System Ex
OperatingSystemRecoveryConfiguration Operating System Recovery Configuration
OptionalFeature Optional Feature
OS Basic information about the operating system
PageFileSetting Page File Setting
ParallelPort Parallel Port
Partition Disk Partitions
PCMCIAController PCMCIA Controller
PhysicalDisk PhysicalDisk
PhysicalMemory Physical Memory
PNPDEVICEDRIVER PNP Device Driver
PointingDevice Pointing Device
PortableBattery Portable Battery
Ports Ports
PowerCapabilities Power Capabilities
PowerClientOptOutSettings Power Management Exclusion Settings
PowerConfigurations Power Configuration
PowerManagementDaily Power Management Daily Data
PowerManagementInsomniaReasons Power Insomnia Reasons
PowerManagementMonthly Power Management Monthly Data
PowerSettings Power Settings
PrinterConfiguration Printer Configuration
PrinterDevice Printer Device
PrintJobs Print Jobs
Process A process on an operating system
ProcessModule() Modules loaded by specified processes
Processor Processor
ProtectedVolumeInformation Protected Volume Information
Protocol Protocol
QuickFixEngineering Quick Fix Engineering
Registry All values for a specific registry key. Starting in version 2107, Key value was added to the Registry() entity
SCSIController SCSI Controller
SerialPortConfiguration Serial Port Configuration
SerialPorts Serial Ports
ServerFeature Server Feature
Service A service on a computer system running Windows
Services Services
Shares Shares
SMBConfig SMB Configuration of a device
SMSAdvancedClientPorts Configuration Manager Client Ports
SMSAdvancedClientSSLConfigurations Configuration Manager Client SSL Configurations
SMSAdvancedClientState Configuration Manager Client State
SMSDefaultBrowser Default Browser
SMSSoftwareTag Software Tag
SMSWindows8Application Windows app
SMSWindows8ApplicationUserInfo Windows app User Info
SoftwareShortcut Software Shortcut
SoftwareUpdate A software update applicable but not installed on the device
SoundDevices Sound Devices
SWLicensingProduct Software Licensing Product
SWLicensingService Software Licensing Service
SystemAccount System Account
SystemBootData System Boot Data
SystemBootSummary System Boot Summary
SystemConsoleUsage System Console Usage
SystemConsoleUser System Console User
SystemDevices System Devices
SystemDrivers System Drivers
SystemEnclosure System Enclosure
TapeDrive Tape Drive
TimeZone Time Zone
TPM TPM
TPMStatus TPM Status
TSIssuedLicense TS Issued License
TSLicenseKeyPack TS License Key Pack
UninterruptiblePowerSupply Uninterruptible Power Supply
USBController USB Controller
USBDevice USB Device
User A user account with an active connection to the device
USMFolderRedirectionHealth Folder Redirection Health
USMUserProfile User Profile Health
VideoController Video Controller
VirtualMachine Virtual Machine
VirtualMachine64 Virtual Machine (64)
Volume Volume
WindowsUpdate Windows Update
WindowsUpdateAgentVersion Windows Update Agent Version
WinEvent() Events within 24 hours (by default) from a Windows event log
WriteFilterState Write Filter State

Table operators

Table operators can be used to filter, summarize, and transform data streams. Currently the following operators are supported:

Table operators Description
count Returns a table with a single record containing the number of records
distinct Produces a table with the distinct combination of the provided columns of the input table
join Merge the rows of two tables to form a new table by matching rows for the same device
order by Sort the rows of the input table into order by one or more columns
project Select the columns to include, rename or drop, and insert new computed columns
take Return up to the specified number of rows
top Returns the first N records sorted by the specified columns
where Filters a table to the subset of rows that satisfy a predicate

Scalar Operators

The following table summarizes operators:

Operators Description Example
== Equal 1 == 1, 'aBc' == 'AbC'
!= Not Equal 1 != 2, 'abc' != 'abcd'
< Less 1 < 2, 'abc' < 'DEF'
> Greater 2 > 1, 'xyz' > 'XYZ'
<= Less or Equal 1 <= 2, 'abc' <= 'abc'
>= Greater or Equal 2 >= 1, 'abc' >= 'ABC'
+ Add 2 + 1, now() + 1d
- Subtract 2 - 1, now() - 1h
* Multiply 2 * 2
/ Divide 2 / 1
% Modulo 2 % 1
like Left Hand Side (LHS) contains a match for Right Hand Side (RHS) 'abc' like '%B%'
!like LHS doesn't contain a match for RHS 'abc' !like '_d_'
contains RHS occurs as a subsequence of LHS 'abc' contains 'b'
!contains RHS doesn't occur in LHS 'team' !contains 'i'
startswith RHS is an initial subsequence of LHS 'team' startswith 'tea'
!startswith RHS isn't an initial subsequence of LHS 'abc' !startswith 'bc'
endswith RHS is a closing subsequence of LHS 'abc' endswith 'bc'
!endswith RHS isn't a closing subsequence of LHS 'abc' !endswith 'a'
and True if and only if RHS and LHS are true (1 == 1) and (2 == 2)
or True if and only if RHS or LHS is true (1 == 1) or (1 == 2)

Aggregation functions

Aggregation functions can be used with the summarize table operator to calculate summarized values. Currently the following aggregation functions are supported:

Function Description
avg() Returns the average of the values across the group
count() Returns a count of the records per summarization group
countif() Returns a count of rows for which Predicate evaluates to true
dcount() Returns the number of distinct values in the group
max() Returns the maximum value across the group
maxif() Starting in version 2107, you can use maxif with the summarize table operator. Returns the maximum value across the group for which Predicate evaluates to true.
min() Returns the minimum value across the group
minif() Starting in version 2107, you can use minif with the summarize table operator. Returns the minimum value across the group for which Predicate evaluates to true.
percentile() Returns an estimate for the specified nearest-rank percentile of the population defined by Expr
sum() Returns the sum of the values across the group
sumif() Returns a sum of Expr for which Predicate evaluates to true

Scalar functions

Scalar functions can be used in expressions. Currently the following scalar functions are supported:

Function Description
ago() Subtracts the given timespan from the current UTC clock time
bin() Rounds values down to a number of datetime multiple of a given bin size
case() Evaluates a list of predicates and returns the first result expression whose predicate is satisfied
datetime_add() Calculates a new datetime from a specified datepart multiplied by a specified amount, added to a specified datetime
datetime_diff() Calculates the difference between two date time values
iif() Evaluates the first argument and returns the value of either the second or third arguments depending on whether the predicate evaluated to true (second) or false (third)
indexof() Function reports the zero-based index of the first occurrence of a specified string within input string
isnotnull() Evaluates its sole argument and returns a Boolean value indicating if the argument evaluates to a non-null value
isnull() Evaluates its sole argument and returns a Boolean value indicating if the argument evaluates to a null value
now() Returns the current UTC clock time
strcat() Concatenates between 1 and 64 arguments
strlen() Returns the length, in characters, of the input string
substring() Extracts a substring from a source string starting from some index to the end of the string
tostring() Converts input to a string representation

Additional entities, operators, and functions for CMPivot from Configuration Manager

Important

These items aren't supported when you run CMPivot from Microsoft Intune admin center.

Type Item Description
Entity AccountSID Account SID
Entity FileContent() Content of a specific file
Entity NAPClient NAP Client
Entity NAPSystemHealthAgent NAP System Health Agent
Entity RegistryKey() Returns all registry keys matching the given expression (starting in version 2107)
Table operator render Renders results as graphical output

Next steps

For more information, see Launch CMPivot from the admin center. For more sample scripts, see Microsoft Intune tenant attach: CMPivot script samples.