In this post we will find out who deleted an SCCM task sequence using status message queries. If your SCCM task sequence has been deleted and you want to find out who deleted it, this post is for you. Using the ConfigMgr Status Message Queries, you can find out who modified or deleted a task sequence.
Status Message Queries are one of the underappreciated features of ConfigMgr. I guess many ConfigMgr admins are already aware of status message queries. The information you can gather with a quick and easy query will help you determine the root cause of an issue.
You can use status message queries to identify when a specific component, operation, or Configuration Manager object was modified or deleted, and the account that was used to make the modification. ConfigMgr comes with Default Status Message Queries which I will cover in a separate post.
When the task sequence is deleted, you simply cannot image any machines. You are then either asked to create a new task sequence or to find out who deleted the SCCM task sequence.
Ideally you should always back up your task sequences so that you can restore them if someone accidentally deletes them. But what can you do when a ConfigMgr production task sequence deployment itself is deleted?
Delete ConfigMgr Task Sequence – Status Message Queries
If your SCCM task sequence has been accidentally deleted and you want to find out who did that, here are the steps. In this method we will run a single-line query against the database.
I have two task sequences in my lab setup and I made a backup of them before deleting them. I will first delete one TS with my account and the other TS with a different user account.
Do not attempt to delete the task sequence in your production setup. The method shown below is only meant to show you how to find out who deleted a task sequence.
To delete an SCCM task sequence, go to Software Library > Operating Systems > Task Sequence. Right click the task sequence and click Delete.
On the Delete Task Sequence window, click OK.
Next, launch SQL Server Management Studio and log in. Expand Databases, right click your ConfigMgr database and click New Query.
Run the following SQL query against the ConfigMgr database to find out who deleted the SCCM task sequence.
Select * from vStatusMessagesWithStrings where MessageID = 30002
Let’s analyze the query output. You need to look at the following values, which I think are important in determining who deleted the SCCM task sequence.
- InsStrValue1 – The user account that deleted the task sequence.
- InsStrValue2 – The package ID.
- Time – The date and time when the task sequence was deleted.
- InsStrValue3 – The name of your task sequence.
In the above example, I deleted both my task sequences with different user accounts. The query output clearly shows us which user deleted each SCCM task sequence. Let’s explore another method which doesn’t involve running any query.
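The query from the first method, narrowed to the four columns described above and followed by a per-account summary. This is an added example, not part of the original post; the `@Since` variable, the 30-day window and the column aliases are assumptions chosen for illustration.

```sql
-- Added example: uses only the view, message ID and columns named in this post.
-- @Since is a hypothetical variable; the 30-day window is an assumed value.
DECLARE @Since DATETIME = DATEADD(DAY, -30, GETDATE());

-- One row per deletion audit message, newest first
SELECT
    [Time]       AS DeletedAt,         -- when the task sequence was deleted
    InsStrValue1 AS DeletedBy,         -- account that performed the deletion
    InsStrValue2 AS PackageID,
    InsStrValue3 AS TaskSequenceName
FROM vStatusMessagesWithStrings
WHERE MessageID = 30002
  AND [Time] >= @Since
ORDER BY [Time] DESC;

-- Number of deletions per account in the same window,
-- useful for spotting an account that removed several objects
SELECT
    InsStrValue1 AS DeletedBy,
    COUNT(*)     AS Deletions,
    MIN([Time])  AS FirstDeletion,
    MAX([Time])  AS LastDeletion
FROM vStatusMessagesWithStrings
WHERE MessageID = 30002
  AND [Time] >= @Since
GROUP BY InsStrValue1
ORDER BY Deletions DESC;
```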
Who Deleted SCCM Task Sequence
In addition to method 1, you can use the ConfigMgr status message viewer tool to find out who deleted the SCCM task sequence. If you don’t want to run a query against the database, you can always use the Configuration Manager status message viewer tool.
- First of all, launch the Configuration Manager console.
- Go to Monitoring\Overview\System Status\Status Message Queries.
- Right click All Status Messages and click Show Messages.
- Use the filter option and enter the message ID as 30002 and click OK.
- The Audit message description with Message ID 30002 should tell you who deleted the SCCM task sequence.