How To Audit SCCM Device Collection Changes
This post covers how to audit SCCM device collection changes. With the help of a built-in report you can find who created, modified or deleted an SCCM collection. Whenever you want to audit device collection changes, the status message queries and the message IDs are what you need.
You can use status message queries to identify when a specific component or SCCM object was modified or deleted, and the account that was used to make the modification.
If you have a bigger SCCM environment, you probably have to monitor a lot of things, especially the changes being made to SCCM and its components. I am picking one small area here: auditing SCCM device collection changes.
Your first-line support or helpdesk may have permissions to create device collections in SCCM. You would still want to monitor the changes made to those device collections.
What if a device collection is deleted by a user, either by mistake or intentionally, and now you want to find who deleted it? Or you may want to find who modified a collection, or who created or deleted one.
This post answers all of these questions. In my previous posts I have covered the importance of SCCM status message queries. You could do the following things with status message queries:
- Monitor SCCM task sequence progress
- Find who modified SCCM task sequence
- Find who deleted SCCM task sequence
Prerequisites to Audit Device Collection
Before you start to audit SCCM device collection changes, the most important prerequisite is access to reporting. You must be able to run reports, either from the Configuration Manager console or through a web browser.
The second thing to keep in mind is retention. The messages used here are SMS Provider audit messages, and they are only kept for as long as the status filter rule "Write audit messages to the site database" allows (180 days by default) before the Delete Aged Status Messages site maintenance task removes them. Changes older than that window cannot be recovered from the report.
If you have any issues with your SCCM reporting services point, you can easily re-install SQL Reporting Services for SCCM.
SCCM Device Collection Message ID’s
Knowing the message IDs is essential when trying to find out who created, modified or deleted an SCCM device collection. We will be using the message IDs below to audit device collection changes. All three are raised by the SMS Provider and record the account that performed the action.
| Message ID | Meaning |
| --- | --- |
| 30015 | A user created a collection |
| 30016 | A user modified a collection (properties, membership rules or assignment) |
| 30017 | A user deleted a collection |
Find Who Created SCCM Device Collection
Here are the steps to find who created SCCM device collection.
- Launch the Configuration Manager console.
- Navigate to Monitoring\Overview\Reporting\Reports.
- Look for the report All messages for a specific message ID.
- Right click All messages for a specific message ID and click Run.
On the All Messages for a specific message ID report, click Values and enter the message ID 30015. Message ID 30015 gives you the information about who created a collection. Click View Report.
The following details are shown in the output.
- Status Message
- Record ID
- Severity
- Message ID
- Component
- Device Name
- Time(UTC)
- Site Code
If you look closely, the Status Message column itself names the user who created the device collection. For example, in this case: User cmadmin created a collection named Windows 10 Test Computers (TP100014). The user shown is the account that connected to the SMS Provider (the console or script user), so if several people share one administrative account this audit trail will not tell them apart.
Find Who Modified SCCM Device Collection
We will use the same report to find who modified an SCCM device collection, but with message ID 30016. Run the report named All messages for a specific message ID and click Values. In the value box enter the message ID 30016. Click View Report.
In the output, the Status Message column shows you the user who modified the device collection. For example, in this case: User James modified the collection properties for a collection named Windows 10 Test Computers (TP100014). This collection is currently assigned to the following ConfigMgr Administrators.
You may find more than one entry in the output because a device collection may be modified many times and by many users. What's important here is the Time(UTC) column, which orders the changes and tells you who last modified the device collection.
Find Who Deleted SCCM Device Collection
This is the important section, where we find who deleted an SCCM device collection. A modified collection is usually fine, but it becomes a critical issue when you learn that a device collection has been deleted, since every deployment and maintenance window targeted at it goes with it.
Again we will run the report All messages for a specific message ID, this time with message ID 30017, to find the user who deleted the device collection.
Run the report, enter the message ID 30017 and click View Report. The output reveals the user who deleted the SCCM device collection. For example, in this case: User James deleted a collection named Windows 10 Test Computers (TP100014).
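The report is fine for a one-off lookup, but when you need the full history of one collection, or want to keep the audit trail beyond the status message retention window, it is easier to query the site database directly. The following PowerShell script is an added example and not part of the original post or of Configuration Manager itself. It assumes the SqlServer module (Invoke-Sqlcmd) is available, that the account running it has read access to the site database, and uses placeholder names for the SQL server (CMSQL01) and database (CM_TP1, matching the TP1 site code in the example collection ID). It reads the standard views v_StatusMessage and v_StatMsgInsStrings; the order of the insertion strings (0 = user, 1 = collection name, 2 = collection ID) is inferred from the message text "User X created a collection named Y (Z)" and should be checked against your own output.

```powershell
<#
 Added example: pull the collection audit messages (30015 created, 30016 modified,
 30017 deleted) straight from the site database, so you can filter on a single
 collection ID and export the history. Not code from the original post.

 Assumptions (not stated in the post):
 - SqlServer PowerShell module installed (Invoke-Sqlcmd) and read access to the DB.
 - 'CMSQL01' / 'CM_TP1' are placeholder server and database names.
 - Insertion-string order 0 = user, 1 = collection name, 2 = collection ID is
   inferred from the message text; verify it on your site.
 - v_StatusMessage.Time is stored in UTC, as the report's Time(UTC) column suggests.
#>
param(
    [string]$SqlServer    = 'CMSQL01',   # assumed placeholder
    [string]$Database     = 'CM_TP1',    # assumed placeholder
    [int]   $Days         = 30,          # how far back to look; limited by status message retention
    [string]$CollectionId = ''           # e.g. 'TP100014'; empty string = all collections
)

# Map the audit message IDs used in the post to a readable action.
$messageAction = @{ 30015 = 'Created'; 30016 = 'Modified'; 30017 = 'Deleted' }

# One row per status message: pivot the numbered insertion strings into named columns.
# $Days is a typed [int] parameter, so interpolating it into the query is safe.
$query = @"
SELECT sm.RecordID, sm.MessageID, sm.Time, sm.MachineName, sm.SiteCode,
       MAX(CASE WHEN ins.InsStrIndex = 0 THEN ins.InsStrValue END) AS UserName,
       MAX(CASE WHEN ins.InsStrIndex = 1 THEN ins.InsStrValue END) AS CollectionName,
       MAX(CASE WHEN ins.InsStrIndex = 2 THEN ins.InsStrValue END) AS CollectionID
FROM   v_StatusMessage sm
JOIN   v_StatMsgInsStrings ins ON ins.RecordID = sm.RecordID
WHERE  sm.MessageID IN (30015, 30016, 30017)
  AND  sm.Time >= DATEADD(day, -$Days, GETUTCDATE())
GROUP BY sm.RecordID, sm.MessageID, sm.Time, sm.MachineName, sm.SiteCode
ORDER BY sm.Time DESC
"@

$rows = Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $query

# Filter on the collection ID in PowerShell rather than in SQL, so user input
# never reaches the query text.
$history = foreach ($r in $rows) {
    if ($CollectionId -and $r.CollectionID -ne $CollectionId) { continue }
    [pscustomobject]@{
        TimeUtc        = $r.Time
        Action         = $messageAction[[int]$r.MessageID]
        User           = $r.UserName        # account that connected to the SMS Provider
        CollectionName = $r.CollectionName
        CollectionID   = $r.CollectionID
        ProviderHost   = $r.MachineName     # server hosting the SMS Provider that logged it
        SiteCode       = $r.SiteCode
    }
}

$history | Format-Table -AutoSize
```

Run it as `.\Get-CollectionAudit.ps1 -CollectionId TP100014 -Days 180` to see the full create/modify/delete timeline of one collection. Newer versions of the SqlServer module encrypt the connection by default, so you may need `-TrustServerCertificate` on Invoke-Sqlcmd in a lab. Because the script reads the same tables the report does, it sees the same retention window: once the Delete Aged Status Messages task has removed the rows, nothing brings them back, so schedule this and pipe `$history` to `Export-Csv` if you need an audit trail longer than the status filter rule keeps.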
I hope this post helps to audit SCCM device collection changes in your setup. If you have any questions leave them in comments section below.
I have a collection that is not coming up in the report. Is it right to presume that SCCM only keeps records for a certain period? I can see the report only goes as far back as August 2022.
I have a feeling, this collection was created by someone who has left some time ago. I can’t see the collection in the results. The name isn’t important, I need to know when it was created.
Is there a way I can get when the collection was created?
It's a very good report, but if the change is too old you are not able to find it in the reports.
As far as I know it saves the changes for half a year. Is that correct?