question

MTran-2950 avatar image
0 Votes"
MTran-2950 asked MTran-2950 answered

SCCM - can you find out who did what in SCCM Console?

Hi,
Something strange happened last night and I am trying to get to the bottom of it.
I have a Windows 10 In Place Upgrade collection - membership rule type is Direct
I have a remote site named HOP, which has a collection named "All HOP Computers". This collection has all workstation and servers, every device belonging to this site is in the collection.
IT personnel have been manually adding computers to the Windows 10 IPU collection for the win10 upgrade.
Last night, I had to redistribute the Win10 Upgrade package to HOP DP.
All of a sudden late in the night, ALL computers in HOP were getting the windows 10 upgrade.
While investigating what happened that triggered the mass upgrade, I found that somehow the All HOP Computers collection was added to the Windows 10 IPU membership as shown below.

Are there any ways I can find out how this collection made its way into the Win10 IPU collection?

Thank you so much!

140951-image.png


configuration-manager-general
image.png (161.4 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

ErshovIS avatar image
0 Votes"
ErshovIS answered

You can investigate status messages. They contain related information about collections: who created, modified and deleted.
Reffer the following article


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

GarthJones-9654 avatar image
0 Votes"
GarthJones-9654 answered

The audit events should tell you.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

MTran-2950 avatar image
1 Vote"
MTran-2950 answered GarthJones-9654 commented

@ErshovIS and @GarthJones-9654

Thank you for your responses. Yes, I did try to look at those status messages but all they showed was "User so and so modified the Collection Properties for a collection named "Windows 10 In-Place Upgrade" . This collection is currently assigned to the following ConfigMgr Administrators: "

That was all.

· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

You can ask related users about their actions. Probably they modified collection membership for any reason

0 Votes 0 ·

Thank you. I have asked. I am the only sccm admin with full permissions. I have 2 other users with limited person. The rest of the IT Helpdesk team only has the Read Only permissions with the ability to modify collections so that they can add devices to the IPU collection.

This is one incident that has been puzzling me. Is it even possible that something in SCCM triggered it by itself? For a collection to be included in this IPU collection, one would have to physically open the IPU collection properties, click the Add Rule and select another collection, right?

0 Votes 0 ·

CM itself will NOT add or remove devices from a collection. It will follow exactly what you have for query rules.

0 Votes 0 ·
MTran-2950 avatar image
0 Votes"
MTran-2950 answered

@GarthJones-9654 and @ErshovIS

We just had another incident and I am cracking my head trying to understand what is causing this.

I just created a new collection named "Exclaimer Cloud Agent" to push out the Exclaimer app. This collection includes the Windows 10 collection and excludes several other collections. A few hours later I was made aware that serveral windows 10 got the Windows 10 IPU upgrade. I went into the properties of the IPU collection and guess what? The Exclaimer collection was added to the IPU collection!!!!!!!!!

I really don't know what is going on!! If you say CM itself cannot add/remove devices, why this happened a 2nd time? Could it be that the inclusion/exclusion of the collections screwed this up? Because those windows 7 computers were upgraded to windows 10, they are now part of the Windows 10 collection. Could it be that because I included the Windows 10 collection in the Exclaimer collection that it automatically added itself into the IPU collection?

For any computers that were successfully upgraded to Windows 10, should I remove them from the IPU collection to hopefully avoid this in the future?





5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.