Tips on using ConfigMgr audit reports to track who modified an SCCM collection. Let’s see how you can find deleted and updated Configuration Manager objects. There are several out-of-box audit reports available.
More details about six status message queries are listed under the Administrative Security category. I have uploaded a YouTube video here to explain the process of audit reporting.
Who Created SCCM Collection
Use SQL Management Studio to find out who created a ConfigMgr collection.
/* 'Who created the collection' */
select * from vStatusMessagesWithStrings where MessageID = 30015
Who Modified SCCM Collection
Use SQL Management Studio to find out who modified a ConfigMgr collection.
/* 'Who modified the collection' */
select * from vStatusMessagesWithStrings where MessageID = 30016
Who Deleted ConfigMgr Collection
Use SQL Management Studio to find out who deleted an SCCM collection.
/* 'Who deleted the collection' */
select * from vStatusMessagesWithStrings where MessageID = 30017
Who Deleted all of the resources that belong to the SCCM collection
Use SQL Management Studio to find out who deleted all of the resources that belong to a collection.
/* 'Who deleted all of the resources that belong to the collection' */
select * from vStatusMessagesWithStrings where MessageID = 30067
Additional Audit Reports
/* 'Who requested that the membership be refreshed for collection '*/
select * from vStatusMessagesWithStrings where MessageID = 30104
/* 'Who requested that the CCRs (Client Push?) be generated for collection'*/
select * from vStatusMessagesWithStrings where MessageID = 30110
HTMD Forum Question
Let’s look at a real-world example of using SCCM audit reports, taken from the HTMD forum. More details: https://forum.howtomanagedevices.com/endpointmanager/configuration-manager/sccm-audit-logs/
/* Who created, modified or deleted update assignments and authorization lists */
Select
    rsm.Severity,
    rsm.MessageTypeString as 'Type',
    rsm.SiteCode,
    rsm.Timestamp as 'Date/Time',
    rsm.System,
    rsm.Component,
    rsm.MessageID,
    -- InsStrValue1 is the user; the CASE turns the message ID into the action
    'User "' + rsm.InsStrValue1 + '" ' +
    CASE
        when rsm.MessageID = 30196 Then 'created updates assignment'
        when rsm.MessageID = 30197 Then 'modified updates assignment'
        when rsm.MessageID = 30198 Then 'deleted updates assignment'
        when rsm.MessageID = 30219 Then 'created authorization list'
        when rsm.MessageID = 30220 Then 'modified authorization list'
        when rsm.MessageID = 30221 Then 'deleted authorization list'
    End
    + ' ' + rsm.InsStrValue2 + ' ' + rsm.InsStrValue3 + ' ' + rsm.InsStrValue4 as 'Description',
    cia.CollectionID,
    cia.CollectionName
from v_Report_StatusMessageDetail rsm
left join v_CIAssignment cia on rsm.InsStrValue2 = cia.AssignmentID
-- only the six message IDs that the CASE above describes
where rsm.MessageID in (30196, 30197, 30198, 30219, 30220, 30221)
-- column 4 is Date/Time: newest first
order by 4 desc
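
The six collection message IDs listed earlier can be pulled into one audit trail instead of six separate queries. This is an added example, not part of the original post or the forum thread; it assumes v_Report_StatusMessageDetail returns the collection messages with the same columns the forum query uses, and the 30-day window, temp table name and output aliases are made up for illustration.

```sql
-- Added example, not from the original post.
-- Assumption: v_Report_StatusMessageDetail returns the collection audit
-- messages with the same columns the forum query uses, and InsStrValue1
-- is the acting user, as it is for the update messages above.
DECLARE @Days int = 30;   -- constructed look-back window, adjust as needed

IF OBJECT_ID('tempdb..#CollectionAudit') IS NOT NULL
    DROP TABLE #CollectionAudit;

SELECT
    rsm.[Timestamp]                          AS AuditTime,
    rsm.SiteCode,
    rsm.[System]                             AS ReportingSystem,
    rsm.MessageID,
    ISNULL(rsm.InsStrValue1, '(unknown)')    AS UserName,
    CASE rsm.MessageID
        WHEN 30015 THEN 'created collection'
        WHEN 30016 THEN 'modified collection'
        WHEN 30017 THEN 'deleted collection'
        WHEN 30067 THEN 'deleted all resources in collection'
        WHEN 30104 THEN 'requested membership refresh'
        WHEN 30110 THEN 'requested CCR generation'
    END                                      AS AuditAction,
    -- Raw insertion strings; what each holds depends on the message ID.
    rsm.InsStrValue2,
    rsm.InsStrValue3
INTO #CollectionAudit
FROM v_Report_StatusMessageDetail rsm
WHERE rsm.MessageID IN (30015, 30016, 30017, 30067, 30104, 30110)
  AND rsm.[Timestamp] >= DATEADD(day, -@Days, GETDATE());

-- 1) Full trail, newest first.
SELECT * FROM #CollectionAudit ORDER BY AuditTime DESC;

-- 2) Destructive actions per user, to spot bulk deletions.
SELECT
    UserName,
    SUM(CASE WHEN MessageID = 30017 THEN 1 ELSE 0 END) AS CollectionsDeleted,
    SUM(CASE WHEN MessageID = 30067 THEN 1 ELSE 0 END) AS MembershipsWiped,
    MIN(AuditTime) AS FirstSeen,
    MAX(AuditTime) AS LastSeen
FROM #CollectionAudit
WHERE MessageID IN (30017, 30067)
GROUP BY UserName
ORDER BY COUNT(*) DESC;

DROP TABLE #CollectionAudit;
```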