Tips about ConfigMgr audit reports for tracking who modified an SCCM collection. Let's see how you can find out who deleted or updated Configuration Manager objects. There are several out-of-box audit reports available.
More details about six status message queries are listed under the Administrative Security category. I have uploaded a YouTube video to explain the process of audit reporting.
Related Post – Track Who Deleted Modified Changed SCCM Settings
Who Created SCCM Collection
Use SQL Management Studio to find out who created a ConfigMgr collection.
/* 'Who Created the Collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30015
Who Modified SCCM Collection
Use SQL Management Studio to find out who modified a ConfigMgr collection.
/* 'Who Modified the Collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30016
Who Deleted ConfigMgr Collection
Use SQL Management Studio to find out who deleted an SCCM collection.
/* 'Who Deleted the Collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30017
Who Deleted all of the resources that belong to the SCCM collection
Use SQL Management Studio to find out who deleted all of the resources that belong to a collection.
/* 'Who deleted all of the resources that belong to collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30067
Additional Audit Reports
/* 'Who requested that the membership be refreshed for collection '*/
select * from vStatusMessagesWithStrings where MessageID = 30104
/* 'Who requested that the CCRs (Client Push?) be generated for collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30110
HTMD Forum Question
Let's look at one real-world example of the use of SCCM audit reports from the HTMD forum. More details: https://forum.howtomanagedevices.com/endpointmanager/configuration-manager/sccm-audit-logs/
/* Audit messages for update assignments and authorization lists, joined to the targeted collection */
Select
rsm.Severity,
rsm.MessageTypeString as 'Type',
rsm.SiteCode,
rsm.Timestamp as 'Date/Time',
rsm.System,
rsm.Component,
rsm.MessageID,
'User "' + rsm.InsStrValue1 + '" ' +
CASE
when rsm.MessageID = 30196 Then 'created updates assignment'
when rsm.MessageID = 30197 Then 'modified updates assignment'
when rsm.MessageID = 30198 Then 'deleted updates assignment'
when rsm.MessageID = 30219 Then 'created authorization list'
when rsm.MessageID = 30220 Then 'modified authorization list'
when rsm.MessageID = 30221 Then 'deleted authorization list'
End
+ ' ' + rsm.InsStrValue2 + ' ' + rsm.InsStrValue3 + ' ' + rsm.InsStrValue4 as 'Description',
cia.CollectionID,
cia.CollectionName
from v_Report_StatusMessageDetail rsm
left join v_CIAssignment cia on rsm.InsStrValue2 = cia.AssignmentID
/* Return only the message IDs that the CASE expression above handles */
where rsm.MessageID in (30196, 30197, 30198, 30219, 30220, 30221)
/* Newest messages first */
order by rsm.Timestamp desc
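The six collection message IDs listed earlier can be pulled into one timeline the same way the forum query handles update assignments. The following is an added example, not code from the original post or the forum thread. It assumes the collection audit messages are exposed through v_Report_StatusMessageDetail, that InsStrValue1 holds the acting user as it does in the forum query, and that Timestamp is stored in UTC; the @DaysBack variable and the output column names are illustrative.

```sql
-- Added example: single audit timeline for the collection message IDs in this post.
-- Assumptions: v_Report_StatusMessageDetail carries these messages, InsStrValue1
-- is the acting user (as in the forum query), and Timestamp is stored in UTC.
DECLARE @DaysBack int = 30;  -- look-back window in days (illustrative value)

WITH CollectionAudit AS (
    SELECT
        rsm.Timestamp,
        rsm.SiteCode,
        rsm.[System],
        rsm.MessageID,
        rsm.InsStrValue1 AS UserName,
        CASE rsm.MessageID
            WHEN 30015 THEN 'created collection'
            WHEN 30016 THEN 'modified collection'
            WHEN 30017 THEN 'deleted collection'
            WHEN 30067 THEN 'deleted all resources in collection'
            WHEN 30104 THEN 'requested membership refresh'
            WHEN 30110 THEN 'requested CCR generation'
        END AS AuditAction,
        -- ISNULL stops one empty insertion string from nulling the whole value
        ISNULL(rsm.InsStrValue2, '') + ' ' + ISNULL(rsm.InsStrValue3, '') AS Detail
    FROM v_Report_StatusMessageDetail rsm
    WHERE rsm.MessageID IN (30015, 30016, 30017, 30067, 30104, 30110)
      AND rsm.Timestamp >= DATEADD(day, -@DaysBack, GETUTCDATE())
)
SELECT
    ca.Timestamp AS [Date/Time],
    ca.SiteCode,
    ca.[System],
    ca.MessageID,
    ca.UserName,
    ca.AuditAction,
    ca.Detail,
    -- Deletions (30017, 30067) by the same user inside the window; a high
    -- count on a recent row is the first thing to review
    SUM(CASE WHEN ca.MessageID IN (30017, 30067) THEN 1 ELSE 0 END)
        OVER (PARTITION BY ca.UserName) AS DeletionsByUser
FROM CollectionAudit ca
ORDER BY ca.Timestamp DESC;
```

Run `select top 10 * from v_Report_StatusMessageDetail where MessageID = 30015` first to confirm which insertion string holds the collection name and ID in your site database before relying on the Detail column.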