
    Audit messages for software update deployments in Configuration Manager

    By Eswar Koneti, March 05, 11:10 am

    In Microsoft Endpoint Configuration Manager, we use the Monitoring workspace in the Configuration Manager console to monitor infrastructure and operations.

    A common question in many forums is how to find out who created, modified, or deployed a certain task to users or devices that caused an issue.

    When someone deploys something, they may not know that it would cause an outage or impact the end-user experience.

    When such things happen, you are always trying to identify who did it.

    In this blog post, we will see how to find out who deployed or created an assignment for a software update group.

    For all these types of auditing, there are status message IDs that I have blogged about, and the Excel spreadsheet is available on GitHub for your reference.

    If you want to find out who created the assignment for the software update group, there is no built-in way to monitor it in the software update section.

    The following is the view of the software update deployment assignment.

    [Screenshot: software update deployment view in the console]

    As you can see, there is no user ID tagged for the specific update deployment group.

    How do we trace it? There are a few options for this:

    1. Use smsprov.log

    2. Use Status Message Queries

    3. Use the SQL database

    SMSPROV.log is very limited in size, so its records get overwritten in no time, and finding the right data in it is a tedious process.

    The next available options are audit status messages and the SQL database.

    We can use status message queries to identify when a specific component, operation, or Configuration Manager object was modified, and the account that was used to modify. For example, you can run the built-in query for Collections Created, Modified, or Deleted to identify when a specific collection was created, and the user account used to create the collection.

    Based on the Excel sheet I shared earlier for status message queries, the following are the status message IDs related to software update deployments.

    30196 User "%1" created updates assignment %2 (%3).
    30197 User "%1" modified updates assignment %2 (%3).
    30198 User "%1" deleted updates assignment %2 (%3).

    Now we will find out who created the deployment group for the target collection ‘all Mobile devices’ on 3/4/21 using the audit status message queries:

    Go to the Monitoring workspace, click System Status, then Status Message Queries.

    Open All Audit Status Messages from a Specific Site.

    Choose the site and the time when the deployment was created (3/4/21), then click OK.

    If your deployment was created days or weeks ago, you can choose up to 1 year.

    There were so many audit status messages for the specific duration.

    We can use the filter with message ID 30196 to find the new assignments.

    Here you will find all the software update deployments that were created.

    In the properties section, you will see the following information.

    User "INTRANET\eswar.koneti" created updates assignment 16779253 ({65FCC1AD-126D-4D27-991A-F563F8A0CDFE}).

    Likewise, if users have created multiple deployments, how do you find the right deployment that you are looking for?

    Let's go back to the update deployment in the console and find the deployment ID that we are looking for.

    In my case, the deployment ID for the reporting is: 16779253

    From the audit status messages, I will filter with message ID 30196 and the description *16779253* to get the exact information.

    We now see who created the specific deployment type for the software update group.

    How do we find the data using SQL Server Management Studio or the database?

    Using a SQL query, we need 2 values to search for: 1) the message ID, which we already know (30196), and 2) the deployment name.

    The following is the SQL query to run against the SCCM database.

    select * from vStatusMessagesWithStrings
    where MessageID = 30196
    and InsStrValue4 like 'Microsoft Software Updates - 2021-03-04 12:54:40 AM'

    The SQL query is a much simpler way to find the relevant information.
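
    To see the full audit trail of one assignment (created, modified, deleted) rather than only its creation, the query above can be extended to all three message IDs and keyed on the deployment ID. This is an added example, not part of the original post; it assumes InsStrValue1 to InsStrValue3 hold the %1 to %3 values of the message text (the post only confirms InsStrValue4 as the deployment name) and that the view exposes Time, SiteCode and MachineName columns.

```sql
-- Added example: audit history for a single software update assignment.
-- Assumptions (not confirmed by the post):
--   InsStrValue1 = %1 (user), InsStrValue2 = %2 (assignment ID),
--   InsStrValue3 = %3 (assignment GUID);
--   Time, SiteCode and MachineName are columns of the view.
DECLARE @AssignmentID nvarchar(20) = N'16779253';  -- deployment ID from the console

SELECT
    sm.Time          AS MessageTime,
    sm.SiteCode,
    sm.MachineName   AS ReportingSystem,
    sm.MessageID,
    CASE sm.MessageID
        WHEN 30196 THEN 'created'
        WHEN 30197 THEN 'modified'
        WHEN 30198 THEN 'deleted'
    END              AS AuditAction,
    sm.InsStrValue1  AS UserName,
    sm.InsStrValue2  AS AssignmentID,
    sm.InsStrValue3  AS AssignmentGuid,
    sm.InsStrValue4  AS DeploymentName
FROM vStatusMessagesWithStrings AS sm
WHERE sm.MessageID IN (30196, 30197, 30198)   -- create / modify / delete
  AND sm.InsStrValue2 = @AssignmentID         -- exact match, no wildcard scan
ORDER BY sm.Time;                             -- oldest first, to read as a timeline
```

    The result reaches back only as far as audit status messages are still retained in the site database.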

    Hope you find this blog post useful!
