Email Notification for Security Changes in ConfigMgr

Have you ever had a deployment or a security change happen with no one noticing? Maybe you're working with a team and someone accidentally deployed to the wrong collection. We all have busy schedules, and it's not easy to stay on top of changes or deployments in Configuration Manager. Therefore, we need to take advantage of the built-in status system. This post will walk you through creating a status filter rule that sends an email whenever a security setting is created, modified, or deleted in ConfigMgr.
A quick overview of the status system: Configuration Manager allows major site components to report on events by creating status messages. By default, ConfigMgr has several nodes we can use to view pre-configured queries for status messages. To view or create queries around these messages, go to "Monitoring > System Status > Status Message Queries". These are a great way to quickly see changes or events going on in the environment.

Status messages are great for finding out what events or changes have happened in the environment, but what if I want to be immediately notified of certain "priority" events? Status filter rules allow you to automate responses, alerts, tasks, and more. Let's go through an example that will notify you when security settings are changed.

To get there, go to "Administration > Site Configuration > Sites" and, from the ribbon or the right-click menu, select "Status Filter Rules". This lets us create new rules or modify existing ones. Leave the top 13 rules alone, as these are default rules that help monitor the health of your environment.

From within the status filter window, we can create, edit, disable, or delete rules in the environment. Let's go ahead and create our Status Filter Rule. We'll use PowerShell to make this dynamic and easier to change if needed. For the name of the rule, let's use "Audit Message Alerts", then check Message Type, select Audit, and click Next.

Next, we have to configure the actions that run when a status message meets our rule criteria. For email alerts we need to use the "Run a Program" option and leave the others unchecked.

The text below should be pasted into the "Actions" window under "Run a Program" as a single line.

 

This status filter rule calls a PowerShell script with the parameters listed on this TechNet page, https://technet.microsoft.com/en-us/library/bb693758.aspx, and uses that information to create an email alert. By default, the script below only sends notifications for messages whose status message ID falls in the range 31240 through 31242. These are alerts based on user security changes. If a message falls outside that range, we can extend the PowerShell with an elseif branch, or create another rule that points to a different PowerShell script.

To use the PowerShell script, you need to modify the variables in the comment block. You'll also need to know whether you have a local SMTP server or a relay set up, and you'll need to specify the sender and destination email addresses.

 
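The following is an added example of such a script, not the post's own. It assumes the rule's "Run a Program" action invokes it with the %msg* substitution variables documented on the TechNet page linked above (the invocation line shown in the header comment, the script path, and the SMTP/mail addresses are assumptions):

```powershell
# Added example, not the post's original script. Assumed "Run a Program" line for the rule
# (one line), passing ConfigMgr's substitution variables as script arguments:
#   powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Send-AuditAlert.ps1 -MessageId %msgid -System %msgsys -Site %msgsite -Time "%msgtime" -Description "%msgdesc"
param(
    [Parameter(Mandatory)][int]$MessageId,   # %msgid   - status message ID
    [string]$System,                         # %msgsys  - system that raised the message
    [string]$Site,                           # %msgsite - site code
    [string]$Time,                           # %msgtime - message time
    [string]$Description                     # %msgdesc - message description
)

# ---- Modify these for your environment (assumed values) ----
$SmtpServer = 'smtp.contoso.local'                 # local SMTP server or relay
$From       = 'configmgr-alerts@contoso.local'     # sender address
$To         = 'sccm-admins@contoso.local'          # destination address
# ------------------------------------------------------------

function Test-SecurityAuditMessage {
    param([int]$Id)
    # 31240-31242 are the user security change audit messages the rule targets
    return ($Id -ge 31240 -and $Id -le 31242)
}

if (-not (Test-SecurityAuditMessage -Id $MessageId)) {
    # The rule matches every Audit message; only security changes get an email.
    # Add an elseif here, or a second rule and script, for other message ranges.
    exit 0
}

$subject = "ConfigMgr security change: status message $MessageId at site $Site"
$body = @"
A security setting was created, modified, or deleted in Configuration Manager.

Site:        $Site
System:      $System
Time:        $Time
Message ID:  $MessageId
Description: $Description

Check statmgr.log on the primary site to confirm the rule processed this message.
"@

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject $subject -Body $body
```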

Now that we have this rule configured, you can test it by making a change to an existing user or by adding a new test user with minimal rights. The rule will then be processed (you can monitor this via statmgr.log on the primary site) and you will receive an email alert.

Thank you for reading. If you have questions, please feel free to leave feedback or reach out to me on Twitter @ManageDoug.