Tips on using ConfigMgr audit reports to track who modified an SCCM collection. Let’s see how you can find deleted and updated Configuration Manager objects. There are several out-of-box audit reports available.
The Audit Status messages will help you get answers for most of the unforeseen issues in the SCCM environment. This post will show who deleted, modified, or updated SCCM collections.
More details about six status message queries are listed under the Administrative Security category. I have uploaded a YouTube video here to explain the audit reporting process.
ConfigMgr Audit Reports
The reporting functionality in Configuration Manager is supported by the SQL Server Reporting Services (SSRS), which facilitates the storage and generation of reports. Consequently, details of pre-built and user-generated reports are maintained in the SQL Server Reporting Services database instead of the Configuration Manager database.
Who Created the SCCM Collection
Use SQL Management Studio to understand who created the ConfigMgr Collection.
/* 'Who Created the Collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30015
Who Modified SCCM Collection
Use SQL Management Studio to understand who modified the ConfigMgr Collection.
/* 'Who Modified the Collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30016
Who Deleted ConfigMgr Collection
Use SQL Management Studio to understand who deleted the SCCM Collection.
/* 'Who Deleted the Collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30017
Who Deleted all of the Resources that Belong to the SCCM Collection
Use SQL Management Studio to understand who deleted all of the resources that belong to a collection.
/* 'Who deleted all of the resources that belong to collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30067
Additional Audit Reports
/* 'Who requested that the membership be refreshed for collection '*/
select * from vStatusMessagesWithStrings where MessageID = 30104
/* 'Who requested that the CCRs (Client Push?) be generated for collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30110
HTMD Forum Question
Let’s look at a real-world example of using SCCM audit reports from the HTMD forum. More details: https://forum.howtomanagedevices.com/endpointmanager/configuration-manager/sccm-audit-logs/
/* Who created, modified, or deleted updates assignments and authorization lists */
Select
    rsm.Severity,
    rsm.MessageTypeString as 'Type',
    rsm.SiteCode,
    rsm.Timestamp as 'Date/Time',
    rsm.System,
    rsm.Component,
    rsm.MessageID,
    -- InsStrValue1 is the user; isnull() keeps one empty string from nulling the whole description
    'User "' + isnull(rsm.InsStrValue1, '') + '" ' +
    CASE
        when rsm.MessageID = 30196 Then 'created updates assignment '
        when rsm.MessageID = 30197 Then 'modified updates assignment '
        when rsm.MessageID = 30198 Then 'deleted updates assignment '
        when rsm.MessageID = 30219 Then 'created authorization list '
        when rsm.MessageID = 30220 Then 'modified authorization list '
        when rsm.MessageID = 30221 Then 'deleted authorization list '
    End
    + isnull(rsm.InsStrValue2, '') + ' ' + isnull(rsm.InsStrValue3, '') + ' ' + isnull(rsm.InsStrValue4, '') as 'Description',
    cia.CollectionID,
    cia.CollectionName
from v_Report_StatusMessageDetail rsm
left join v_CIAssignment cia on rsm.InsStrValue2 = cia.AssignmentID
-- only the six message IDs handled by the CASE above
where rsm.MessageID in (30196, 30197, 30198, 30219, 30220, 30221)
order by rsm.Timestamp desc
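The six collection audit queries earlier on this page can be combined into a single timeline. This is an added example, not code from the original post or the forum thread. It reuses the v_Report_StatusMessageDetail columns from the forum query above and assumes that, for these message IDs, InsStrValue2 and InsStrValue3 hold the collection name and collection ID, that Timestamp is stored in UTC, and that @DaysBack is a hypothetical look-back window.

```sql
-- Added example: one audit timeline for the six collection message IDs on this page.
-- Assumptions (verify against a few rows in your own site database):
--   InsStrValue1 = user, InsStrValue2 = collection name, InsStrValue3 = collection ID
--   Timestamp is stored in UTC
DECLARE @DaysBack int = 30;   -- hypothetical look-back window, in days

WITH AuditMap (MessageID, ActionText) AS (
    SELECT v.MessageID, v.ActionText
    FROM (VALUES
        (30015, 'created collection'),
        (30016, 'modified collection'),
        (30017, 'deleted collection'),
        (30067, 'deleted all resources in collection'),
        (30104, 'requested membership refresh for collection'),
        (30110, 'requested CCR generation for collection')
    ) AS v (MessageID, ActionText)
)
SELECT
    rsm.Timestamp                          AS [Date/Time],
    rsm.SiteCode,
    rsm.System                             AS [Reported By],
    rsm.MessageID,
    ISNULL(rsm.InsStrValue1, '(unknown)')  AS [User],
    m.ActionText                           AS [Action],
    rsm.InsStrValue2                       AS [Collection Name],
    rsm.InsStrValue3                       AS [Collection ID],
    -- How often this user performed this same action inside the window;
    -- a high count next to 30017 or 30067 is worth a closer look.
    COUNT(*) OVER (PARTITION BY rsm.InsStrValue1, rsm.MessageID)
                                           AS [Same Action By User In Window]
FROM v_Report_StatusMessageDetail AS rsm
JOIN AuditMap AS m
    ON m.MessageID = rsm.MessageID
WHERE rsm.Timestamp >= DATEADD(DAY, -@DaysBack, GETUTCDATE())
ORDER BY rsm.Timestamp DESC;
```

Status messages age out according to the site's maintenance settings, so the window can only reach back as far as the retained data.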
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.