If your SCCM task sequence has been deleted and you want to find out who deleted that, this post is for you. Using the ConfigMgr Status Message Queries, you can find out who modified or deleted task sequence.
Status Message Queries are one of the underappreciated features of ConfigMgr. The information you can gather in a quick and easy query will help you to determine the root cause analysis of an issue.
You can use status message queries to identify when a specific component, operation, or Configuration Manager object was modified or deleted, and the account that was used to make the modification.
When you delete the task sequence you simply cannot image any machines. And then you are either asked to create a new task sequence or find who deleted the SCCM task sequence.
Ideally you should always backup your task sequences so that you can restore them if someone accidentally deletes it. But what can you do when a ConfigMgr production task sequence deployment itself is deleted.
Find Who Deleted SCCM Task Sequence
If your SCCM task sequence has been accidentally deleted and you want to find out who did that, here are the steps. In this method we will run a single line query against the database.
I have got two task sequences in my lab setup and I have made a backup of those before deleting it. I will first delete one TS with my account and the other TS with a different user account.
To delete a task sequence, go to Software Library > Operating Systems > Task Sequence. Right click the task sequence and click Delete.
On the Delete Task Sequence window, click OK.
Next, launch the SQL Server Management studio and login. Expand Databases and right click your ConfigMgr database and click New Query.
Run the below SQL query against the ConfigMgr database to find out who deleted the SCCM task sequence.
Select * from vStatusMessagesWithStrings where MessageID = 30002
Let’s analyze the query output. You need to look into the following values which I think are important in determining who deleted the task sequence.
- InsStrValue1 – The user account who deleted the task sequence.
- InsStrValue2 – The package ID.
- Time – The date and time when the task sequence was deleted.
- InsStrValue3 – The name of your task sequence.
In the above example, I deleted both my task sequences with different user accounts. The query output clearly tells us which user deleted the the task sequence.
Who Deleted ConfigMgr Task Sequence
In addition to method 1, you can use the ConfigMgr status message viewer tool to find who deleted the ConfigMgr task sequence. If you don’t want to run query against the database you can always use the Configuration Manager status message viewer tool.
- First of all, launch the Configuration Manager console.
- Go to Monitoring\Overview\System Status\Status Message Queries.
- Right click All Status Messages and click Show Messages.
- Use the filter option and enter the message ID as 30002 and click OK.
- The Audit message description with Message ID 30002 should tell you who deleted the task sequence.