ConfigMgr Audit Reports Who Deleted Updated Modified SCCM Collection

by

Tips about ConfigMgr Audit Reports tracking who Modified SCCM Collection. Let’s see how you can find the who deleted updated the configuration manager objects. There are several out of box audit reports available.

More details about six status message queries are listed under the Administrative Security category. I have uploaded a YouTube video here to explain the process of audit reporting.

Related PostTrack Who Deleted Modified Changed SCCM Settings

Who Created SCCM Collection

Use SQL Management studio to understand who created ConfigMgr Collection.

Patch My PC
/* 'Who Create COllection'*/
select * from vStatusMessagesWithStrings where MessageID = 30015
Created SCCM Collection - Who Modified SCCM Collection - ConfigMgr
Created SCCM Collection – Who Modified SCCM Collection – ConfigMgr
Altaro Office 365 Backup
Advertisement Altaro Office 365 Backup

Who Modified SCCM Collection

Use SQL Management studio to understand who modified ConfigMgr Collection.

/* 'Who Modified the Collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30016
Who modified ConfigMgr Collection - Who Modified SCCM Collection - ConfigMgr
Who modified ConfigMgr CollectionWho Modified SCCM Collection – ConfigMgr

Who Deleted ConfigMgr Collection

Use SQL Management studio to understand who deleted SCCM Collection.

/* 'Who Deleted the Collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30017
who deleted SCCM Collection
who deleted SCCM Collection

Who Deleted all of the resources that belong to the SCCM collection

Use SQL Management studio to understand who deleted all of the resources that belong to collection.

1E Nomad
/* 'Who deleted all of the resources that belong to collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30067
Who deleted all of the resources that belong to collection
Who deleted all of the resources that belong to collection

Additional Audit Reports

/* 'Who requested that the membership be refreshed for collection '*/
select * from vStatusMessagesWithStrings where MessageID = 30104
/* 'Who requested that the CCRs (Client Push?) be generated for collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30110

HTMD Forum Question

Let’s one of the real-world examples of the use of SCCM audit reports from the HTMD forum. More details https://forum.howtomanagedevices.com/endpointmanager/configuration-manager/sccm-audit-logs/

ConfigMgr Audit Reports - Who Modified SCCM Collection - ConfigMgr
ConfigMgr Audit Reports – Who Modified SCCM Collection – ConfigMgr
Select
rsm.Severity,
rsm.MessageTypeString as 'Type',
rsm.SiteCode,
rsm.Timestamp as 'Date/Time',
rsm.System,
rsm.Component,
rsm.MessageID,
'User "' + rsm.InsStrValue1 + '"' +
CASE
when rsm.MessageID = 30196 Then 'created updates assignment'
when rsm.MessageID = 30197 Then 'modified updates assignment'
when rsm.MessageID = 30198 Then 'deleted updates assignment'
when rsm.MessageID = 30219 Then 'created authorization list'
when rsm.MessageID = 30220 Then 'modified authorization list'
when rsm.MessageID = 30221 Then 'deleted authorization list'
End
+ rsm.InsStrValue2 + '' + rsm.InsStrValue3 + '' + rsm.InsStrValue4 as 'Description',
cia.CollectionID,
cia.CollectionName
from v_Report_StatusMessageDetail rsm
left join v_CIAssignment cia on rsm.InsStrValue2 = cia.AssignmentID
where rsm.MessageID >= 30196 and rsm.MessageID = 30218 and rsm.MessageID <= 30221
order by 4 desc

Resources

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.