Track Who Deleted Modified Changed SCCM Settings


SCCM audit status messages are useful for tracking who did what in your SCCM environment. They help answer most of the unforeseen "who changed this?" questions that come up in an SCCM environment. In this post, we will see how to track who deleted, modified or changed SCCM settings.

Also, it's important to note that SCCM Current Branch (CB) audit status messages are purged from the database after 180 days. All SCCM audit status messages have MessageType = 768. I have uploaded a YouTube video here to explain the process of audit reporting.

This post will give you answers to the following questions:

Who created/deleted Azure Services?
Who approved the script?
Who started the download of updates and servicing packages?
Who deleted the collection?
Who removed the member of a collection?
Who modified the collection query?
Who deployed/deleted an application, package or task sequence?
Who removed/modified the boundary or boundary group?
Who installed/deleted site system server roles?
Who changed/deleted the client settings?
Who took remote control of the machine?

I have explained the best ways to look at the audit status messages. I think this will help you to track down the culprit. There are mainly three (3) ways to track down and analyse SCCM CB audit status messages. In this post, I will try to explain how to review SCCM audit status messages using different methods.

  1. Status Message Queries
  2. SCCM SSRS Audit Reports
  3. SQL Management Studio

Review Audit Status Messages with Status Message Queries

The SCCM CB console has 17 out-of-the-box audit status message queries. These queries are built into SCCM; you don't need to create them manually. Launch the SCCM console and navigate to \Monitoring\Overview\System Status\Status Message Queries. Make sure you filter the status message queries with AUDIT.

You have the following options for each query available under SCCM audit status messages. It's important to follow proper RBAC policies in your environment to protect the audit status messages, since two of these options destroy the audit trail itself.

Show Messages - Review/Read the Audit Messages
Delete Messages - Delete the Audit status messages (Important)
Refresh - Refresh the query
Delete - Delete the Query from SCCM (Important)
Set Security Scope - To set up a security scope for a specific audit status message query (Important)

SCCM Audit Status Messages

Review Audit Status Messages with SCCM SSRS Reports

There are two ways to access SSRS reports: one from the SCCM console and the other from a web browser. It doesn't matter which way you prefer to read the SCCM audit status message reports. Is your SCCM SSRS reporting not working? I have a post that explains the setup of the SCCM SSRS reporting services point.

There are three (3) main audit status message reports in SCCM CB. All of these are default out-of-the-box reports; you don't need to create any of them manually.

56943 - All audit messages for a specific user
42036 - Remote Control - All computers remote controlled by a specific user
40238 - Remote Control - All remote control information

Examples of these reports are available at the bottom of the post, or else you can refer to the YouTube video tutorial here. Also, I have noted down the specific Audit Status message IDs for each category in the following section of this post.

Review Audit Status Messages with SQL Management Studio

I would prefer this method for advanced troubleshooting scenarios of SCCM audit status messages. In typical situations, this method is not very useful.

The following two (2) SQL queries will help you track down accidental deployment or deletion issues in your SCCM environment.

The first query will return all the SCCM status messages related to AUDIT. The second query will return the status messages of a specific scenario. For example, MessageID 30015 is related to Collections Created, Modified, or Deleted.

-- All audit status messages: audit messages are the rows with MessageType 768 (an integer column, so no quotes needed)
SELECT * FROM vStatusMessagesWithStrings WHERE MessageType = 768

-- Audit messages for one specific scenario, raised by the admin console component.
-- 30015 belongs to the "Collections Created, Modified, or Deleted" category (see the ID list below).
SELECT * FROM vStatusMessagesWithStrings
WHERE Component = 'Microsoft.ConfigurationManagement.exe' AND MessageID = 30015

Meaning of Audit Status MessageIDs

The following list gives the details of each SCCM audit status message ID category. This is the list as per the latest SCCM CB 1802 (preview version).

Boundaries Created, Modified, or Deleted - Audit status messages that track the creation, modification, and deletion of boundaries.
MessageID >= 40600 and MessageID <= 40602

Client Component Configuration Changes - Audit status messages that track changes to the client components' configuration kept in the site control file.
MessageID >= 30042 and MessageID <= 30047

Collection Member Resources Manually Deleted - Audit status messages that track the manual deletion of collection member resources by an administrator.
MessageID >= 30066 and MessageID <= 30067

Collections Created, Modified, or Deleted - Audit status messages that track the creation, modification, and deletion of collections.
MessageType = 768 and MessageID >= 30015

Deployments Created, Modified, or Deleted - Audit status messages that track the creation, modification, and deletion of deployments.
MessageID >= 30006 and MessageID <= 30008

Packages Created, Modified, or Deleted - Audit status messages that track the creation, modification, and deletion of packages.
MessageID >= 30000 and MessageID <= 30002

Programs Created, Modified, or Deleted - Audit status messages that track the creation, modification, and deletion of package programs.
MessageID >= 30003 and MessageID <= 30005

Queries Created, Modified, or Deleted - Audit status messages that track the creation, modification, and deletion of queries, including status message queries.
MessageID >= 30063 and MessageID <= 30065

Remote Control Activity Initiated at a Specific Site - Audit status messages that track the use of the Remote Control.
MessageID >= 30069 and MessageID <= 30087

Security Roles / Scopes created, modified, or deleted - Audit status messages that track the creation, modification, and deletion of security rights.
(stat.MessageID >= 31200 and stat.MessageID <= 31202 OR stat.MessageID >= 31220 and stat.MessageID <= 31222 OR stat.MessageID = 31207)

Server Component Configuration Changes - Audit status messages that track changes to the server components' configuration kept in the site control file.
(MessageID >= 30033 and MessageID <= 30035) or (MessageID >= 30039 and MessageID <= 30041)

Site Addresses Created, Modified, or Deleted - Audit status messages that track the creation, modification, and deletion of site addresses.
MessageID >= 30018 and MessageID <= 30020
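The ID ranges above (and the MessageID filter in the SQL section) only tell you which category a row belongs to; to answer "who did what" you still have to read the acting user and the action out of the message text. The following is an added example, not code from this post or from Microsoft: a small Python classifier that uses exactly the ranges listed on this page and the message formats shown in the examples below. The sample rows are constructed (INTUNE\helpdesk is an invented account), and because the page's Collections query has no upper bound, any ID >= 30015 that falls outside a closed range is reported under that open-ended category, just as the SQL would return it.

```python
import re

# Closed MessageID ranges exactly as listed under "Meaning of Audit Status MessageIDs".
AUDIT_RANGES = [
    (40600, 40602, "Boundaries Created, Modified, or Deleted"),
    (30042, 30047, "Client Component Configuration Changes"),
    (30066, 30067, "Collection Member Resources Manually Deleted"),
    (30006, 30008, "Deployments Created, Modified, or Deleted"),
    (30000, 30002, "Packages Created, Modified, or Deleted"),
    (30003, 30005, "Programs Created, Modified, or Deleted"),
    (30063, 30065, "Queries Created, Modified, or Deleted"),
    (30069, 30087, "Remote Control Activity Initiated at a Specific Site"),
    (31200, 31202, "Security Roles / Scopes"), (31220, 31222, "Security Roles / Scopes"),
    (31207, 31207, "Security Roles / Scopes"),
    (30033, 30035, "Server Component Configuration Changes"),
    (30039, 30041, "Server Component Configuration Changes"),
    (30018, 30020, "Site Addresses Created, Modified, or Deleted"),
]
# The page's Collections query has only a lower bound (MessageID >= 30015), so it is
# checked last: any ID >= 30015 outside a closed range lands here, just as it would in SQL.
COLLECTIONS_OPEN = "Collections Created, Modified, or Deleted (open-ended on page)"

# 'User "INTUNE\anoop" deleted ...' or 'User INTUNE\anoop approved ...': the word after the user is the action.
_MSG = re.compile(r'^User\s+(?:"([^"]+)"|(\S+))\s+(\w+)')

def categorize(message_id):
    for low, high, name in AUDIT_RANGES:
        if low <= message_id <= high:
            return name
    return COLLECTIONS_OPEN if message_id >= 30015 else "not listed on this page"

def parse_audit(message_id, text):
    """Return (user, action, category) for one MessageType 768 row."""
    m = _MSG.match(text)
    if not m:
        raise ValueError(f"unrecognised audit message: {text!r}")
    return (m.group(1) or m.group(2)), m.group(3).lower(), categorize(message_id)

def who_did(rows, action):
    """Answer 'who deleted / modified / approved ...?' over (MessageID, text) rows."""
    parsed = [parse_audit(mid, txt) + (mid,) for mid, txt in rows]
    return [(user, mid, cat) for user, act, cat, mid in parsed if act == action]

# Constructed sample rows (MessageID, text) following the message formats shown on the page.
SAMPLE_ROWS = [
    (30008, 'User "INTUNE\\anoop" deleted a deployment named "Win10Upgrade" (TP120003) deploying program "*".'),
    (30068, 'User "NT AUTHORITY\\SYSTEM" updated a package named " Boot image (x64) " (TP100005) to the site distribution points.'),
    (40602, 'User "INTUNE\\helpdesk" deleted Boundary "IPS".'),
    (52501, 'User INTUNE\\anoop approved script with Guid D7A08315-7731-49B5-9601-BF7268BA98C7.'),
]
```

Feed it the MessageID and message text columns of the rows the SQL queries return; `who_did(rows, "deleted")` then lists every deletion with the account that performed it.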

The following are examples of audit status messages:

Message ID Description
30000 User "INTUNE\anoop" created a package named " 1802 Upgrade TS " (TP100020).
30001 User "INTUNE\anoop" modified the Package Properties of a package named " Windows 10 CYOD " (TP10001B).
30003 User "INTUNE\anoop" created a program named "Create Folder" that belongs to a package with package ID TP100012.
30006 User "INTUNE\anoop" created a deployment named "Windows10CYOD_TP10001B_Win10Upgrade" (TP120005) deploying program "*".
30008 User "INTUNE\anoop" deleted a deployment named "Windows10EnterpriseUpgrade_TP10001C_Win10Upgrade" (TP120003) deploying program "*".
30011 User "INTUNE\anoop" removed a package with package ID TP100019 from a distribution point on \\SCCMTP1.Intune.com at site "TP1 - New TP Server 1".
30015 User "INTUNE\anoop" created a collection named "Win10 Upgrade" (TP100017).
30016 User "INTUNE\anoop" modified the Collection Properties for a collection named "Win10 Upgrade" (TP100017). This collection is currently assigned to the following ConfigMgr Administrators: . 
30031 User "INTUNE\anoop" modified site definition information in the site control file for site "TP1 - New TP Server 1" (Parent Site Code="").
30034 User "INTUNE\anoop" modified component "SMS_DMP_DOWNLOADER" on SMS Dmp Connector in the site control file at site TP1.
30036 User "INTUNE\anoop" added the role of Reporting services point to the Windows NT Server "\\SCCMTP1.Intune.com" in the site control file at site TP1.
30037 User "INTUNE\anoop" modified the role of the Windows NT Server "\\SCCMTP1.Intune.com" as a Software update point in the site control file at site TP1.
30038 User "INTUNE\anoop" deleted the role of the Windows NT Server "\\SCCMTP1.Intune.com" as a Reporting services point in the site control file at site TP1.
30043 User "INTUNE\anoop" modified client component "Client Component" in the site control file at site TP1.
30068 User "NT AUTHORITY\SYSTEM" updated a package named " Boot image (x64) 10.0.15063.0 " (TP100005) to the site distribution points.
30104 User "INTUNE\anoop" requested that the membership be refreshed for collection "All Systems" (SMS00001).
30108 User "INTUNE\anoop" requested that the CCR be generated for Machine "WIN10-1709-TRY" (2097152003).
30125 User "INTUNE\anoop" added new distribution points to a package named " Win10 en-US" (TP100019).
30152 User "INTUNE\anoop" created configuration item "16785030" (CI_UniqueID=ScopeId_0F705575-4F94-46DA-A1C4-8869FB8C68AD/ConfigurationPolicy_a98d1e90-5949-41e9-abb9-08c8728e1e09, CIVersion=1). .
30160 User "INTUNE\anoop" modified a CategoryInstance "16777553" (LocalizedCategoryInstanceName=Office 365 Client (Product:30eb551c-6288-4716-9a78-f300ec36d72b), CategoryTypeName=Product). .
30186 User "INTUNE\anoop" created the SUM deployment template with TemplateUniqueID "{BEA96FA5-8A7E-455C-AFC5-D9B6839BC35A}" (Name = "New 1802 TS Deployment Template"). .
30196 User "INTUNE\anoop" created updates assignment 16778230 ({96BD5FC5-E4CE-4F89-A2DD-63BBF4134ED6}). .
30197 User "INTUNE\anoop" modified updates assignment 16777225 ({b91576af-7116-4fa5-b1a4-36a1bc9e4ded}). .
30198 User "INTUNE\anoop" deleted updates assignment 16777225 ({b91576af-7116-4fa5-b1a4-36a1bc9e4ded}). .
30209 User "INTUNE\anoop" requested to execute summary task (Calculate EP Antimalware Policy Summary). .
30210 User "INTUNE\anoop" created user account INTUNE\anoop. .
30214 User "INTUNE\anoop" submitted a registration record at site "SCCMTP1.Intune.com - TP1" (SMSID=1c2c6362-ccc4-4c1c-a8ee-d39168e0ada4).
30215 User "INTUNE\anoop" received policies for Task Sequence using Deployment "{55D8F97F-0D35-4FF0-8720-0CDC5AD1F158}".
30216 User "INTUNE\anoop" received client configuration policies.
30219 User "INTUNE\anoop" created authorization list "16783798" (CI_UniqueID=ScopeId_0F705575-4F94-46DA-A1C4-8869FB8C68AD/AuthList_DC06C5C2-4227-4FE9-80E5-12240CBD6B4A, CIVersion=1). .
30220 User "INTUNE\anoop" modified authorization list "16784011" (CI_UniqueID=ScopeId_0F705575-4F94-46DA-A1C4-8869FB8C68AD/AuthList_4fcf3f8f-9679-4aaf-b952-095c60d3896f, CIVersion=2). .
30226 User "INTUNE\anoop" created a deployment of application "Office 365 Client Install" to collection "All Desktop and Server Clients".
30228 User "INTUNE\anoop" deleted the deployment of application "64 Bit PS" to collection "All Desktop and Server Clients".
40300 User "INTUNE\anoop" created client settings object (ID=16777218).
40301 User "INTUNE\anoop" modified client settings object (ID=16777217).
40303 User "INTUNE\anoop" created client settings assignment (SettingsID=16777217, CollectionID=TP100017).
40501 User "INTUNE\anoop" modified Boundary Group "Test1".
40503 User "INTUNE\anoop" created Boundary Group Relationships "16777218" "16777217" .
40600 User "INTUNE\anoop" created Boundary "IPS".
40700 User "INTUNE\anoop" created configuration policy assignment 16778232 ({CF5E4157-A7AC-4E3A-BAEF-12D64109D7B3}). .
40701 User "INTUNE\anoop" modified configuration policy assignment 16778228 ({0D7BEB54-0873-4A8E-8A86-6654976633FB}). .
40800 User INTUNE\anoop initiated client operation 135 to collection INTUNE\anoop.
40801 User INTUNE\anoop initiated client operation 8 to 1 members of collection SMSDM003.
42031 User "INTUNE\anoop" created Auto Deployment Rule "Office 365 Updates New" (AutoDeploymentID = 3).
52200 User INTUNE\anoop updated the state of package A69042F2-64AA-4592-B77A-24FDE17058DF to state 2 with flag 2.
52203 User INTUNE\anoop requested download for package 51D629D3-C355-4B80-AD6F-BA44B27F84ED.
52500 User INTUNE\anoop created Script with Guid 9d85fb2f-2d2e-4cc1-a114-31e882958dae.
52501 User INTUNE\anoop approved script with Guid D7A08315-7731-49B5-9601-BF7268BA98C7.
53401 User INTUNE\anoop created Azure Cloud Service
