ConfigMgr Audit Reports Who Deleted Updated Modified SCCM Collection

Tips about ConfigMgr Audit Reports tracking who Modified SCCM Collection. Let’s see how you can find the deleted and updated configuration manager objects. There are several out-of-box audit reports available.

The Audit Status messages will help you get answers for most of the unforeseen issues in the SCCM environment. This post will show who deleted, modified, or updated SCCM collections.

More details about six status message queries are listed under the Administrative Security category. I have uploaded a YouTube video here to explain the audit reporting process.

Related PostTrack Who Deleted Modified Changed SCCM Settings

Patch My PC
Index
ConfigMgr Audit Reports
Who Created the SCCM Collection
Who Modified SCCM Collection
Who Deleted ConfigMgr Collection
Who Deleted all of the Resources that Belong to the SCCM Collection
Additional Audit Reports
HTMD Forum Question
Resources
ConfigMgr Audit Reports Who Deleted Updated Modified SCCM Collection – Table 1

ConfigMgr Audit Reports

The reporting functionality in Configuration Manager is supported by the SQL Server Reporting Services (SSRS), which facilitates the storage and generation of reports. Consequently, details of pre-built and user-generated reports are maintained in the SQL Server Reporting Services database instead of the Configuration Manager database.

Who Created the SCCM Collection

Use SQL Management Studio to understand who created the ConfigMgr Collection.

Adaptiva
/* 'Who Create COllection'*/
select * from vStatusMessagesWithStrings where MessageID = 30015
ConfigMgr Audit Reports Who Deleted Updated Modified SCCM Collection - Fig.1
ConfigMgr Audit Reports Who Deleted Updated Modified SCCM Collection – Fig.1

Who Modified SCCM Collection

Use SQL Management Studio to understand who modified the ConfigMgr Collection.

/* 'Who Modified the Collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30016
ConfigMgr Audit Reports Who Deleted Updated Modified SCCM Collection - Fig.2
ConfigMgr Audit Reports Who Deleted Updated Modified SCCM Collection – Fig.2

Who Deleted ConfigMgr Collection

Use SQL Management Studio to understand who deleted the SCCM Collection.

/* 'Who Deleted the Collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30017
ConfigMgr Audit Reports Who Deleted Updated Modified SCCM Collection - Fig.3
ConfigMgr Audit Reports Who Deleted Updated Modified SCCM Collection – Fig.3

Who Deleted all of the Resources that Belong to the SCCM Collection

Use SQL Management Studio to understand who deleted all of the resources that belong to a collection.

/* 'Who deleted all of the resources that belong to collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30067
ConfigMgr Audit Reports Who Deleted Updated Modified SCCM Collection - Fig.4
ConfigMgr Audit Reports Who Deleted Updated Modified SCCM Collection – Fig.4

Additional Audit Reports

/* 'Who requested that the membership be refreshed for collection '*/
select * from vStatusMessagesWithStrings where MessageID = 30104
/* 'Who requested that the CCRs (Client Push?) be generated for collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30110

HTMD Forum Question

Let’s be a real-world example of using SCCM audit reports from the HTMD forum. More details https://forum.howtomanagedevices.com/endpointmanager/configuration-manager/sccm-audit-logs/

ConfigMgr Audit Reports Who Deleted Updated Modified SCCM Collection - Fig.5
ConfigMgr Audit Reports Who Deleted Updated Modified SCCM Collection – Fig.5
Select
rsm.Severity,
rsm.MessageTypeString as 'Type',
rsm.SiteCode,
rsm.Timestamp as 'Date/Time',
rsm.System,
rsm.Component,
rsm.MessageID,
'User "' + rsm.InsStrValue1 + '"' +
CASE
when rsm.MessageID = 30196 Then 'created updates assignment'
when rsm.MessageID = 30197 Then 'modified updates assignment'
when rsm.MessageID = 30198 Then 'deleted updates assignment'
when rsm.MessageID = 30219 Then 'created authorization list'
when rsm.MessageID = 30220 Then 'modified authorization list'
when rsm.MessageID = 30221 Then 'deleted authorization list'
End
+ rsm.InsStrValue2 + '' + rsm.InsStrValue3 + '' + rsm.InsStrValue4 as 'Description',
cia.CollectionID,
cia.CollectionName
from v_Report_StatusMessageDetail rsm
left join v_CIAssignment cia on rsm.InsStrValue2 = cia.AssignmentID
where rsm.MessageID >= 30196 and rsm.MessageID = 30218 and rsm.MessageID <= 30221
order by 4 desc

Resources

We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.