Endpoint Insights
Determine Who Installed the ConfigMgr Client from Event Viewer
Recently I published a post, “Who Pushed the ConfigMgr Client,” where I talked about how to determine who pushed the Configuration Manager (ConfigMgr) client from ConfigMgr itself.
This was fairly easy to demonstrate by using the reports within ConfigMgr and reviewing the status messages. The information was quick to find!
After this post appeared, a friend of mine, Eswar Koneti @eskonr, sent me a question via Twitter asking if I knew of a method to determine who manually installed the ConfigMgr client.
To be honest, I never tried to determine this information before, but someone else asked me to look into it. All I ever want is for the ConfigMgr client to be installed on a computer or virtual machine and to have it report properly to ConfigMgr. I don’t really care how or who installed the ConfigMgr client.
Back to Eswar’s question, I was sure the installation would be recorded within the Event Viewer. I first logged on to my new virtual machine (VM) with both my personal account (Garth) and my test user account (Morgan). I confirmed within the Event Viewer that I could see both logon EventIDs. Additionally, I could see both account logins within the Task Manager. Next, using the Morgan account, I executed the install on the VM. I waited for the installation to complete.
At first, I scrolled through the Event Viewer looking at the MSI EventID, but I didn’t see anything that was useful. Next, as this was a brand new server, I reviewed all of the Event Viewer records. I didn’t think that it would take as long as it did! It was surprising to me to see how many Event Viewer records there were for a brand new server with virtually nothing installed on it. Again, I still found nothing useful. I really found it hard to believe that a Microsoft install wouldn’t be recorded within the Event Viewer.
I took a break by taking my dog, Nabby, for a walk. She loves it when I get stuck on a problem because it means that she gets a walk! After the walk and thinking about this a bit more, I decided to review only the MSI events within Event Viewer. I filtered the EventIDs for the MSI EventID.
Suddenly it hit me like a lead balloon! The answer was staring me straight in the face. I found the ConfigMgr client EventID which confirmed that the client was successfully installed. Problem solved!
How did I know that? As you can see from the screenshot below, I used my test account gartek\morgan (green arrow) to install the ConfigMgr client on my new VM. Additionally, you can see that the ConfigMgr client install returned an error code of 0 (red arrow), which we all know is a success!
Coming back to Eswar’s question, yes, you can determine who installed the ConfigMgr client from the Event Viewer! Eswar, Nabby thanks you for the extra walk!
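The same lookup can be scripted instead of filtered by hand in Event Viewer. The PowerShell below is an added example, not part of the original post: it reads the MsiInstaller records from the Application log and resolves each record's User field to an account name. It assumes event ID 1033 is the "installed the product" record, that the product name contains "Configuration Manager Client", and that messages are in English.

```powershell
# Added example (not from the original post): report which account ran the
# ConfigMgr client MSI install, based on MsiInstaller events.
# Assumptions: event ID 1033 is the install-result record, the product name
# contains "Configuration Manager Client", and event messages are in English.
param(
    [string]$ComputerName   = $env:COMPUTERNAME,
    [string]$ProductPattern = 'Configuration Manager Client'
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 1033
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ProductPattern) } |
    ForEach-Object {
        $evt = $_   # keep the event; inside catch, $_ becomes the error record

        # UserId is the SID behind the "User" field shown in Event Viewer
        $account = '(none recorded)'
        if ($evt.UserId) {
            try   { $account = $evt.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = $evt.UserId.Value }   # SID no longer resolves; show it raw
        }

        # Message ends with "Installation success or error status: <code>."
        $status = $null
        if ($evt.Message -match 'error status:\s*(\d+)') { $status = [int]$Matches[1] }

        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            Computer    = $evt.MachineName
            InstalledBy = $account
            StatusCode  = $status        # 0 means the install succeeded
            Message     = $evt.Message
        }
    } |
    Sort-Object TimeCreated
```

An install run by a service or deployment tool will typically show the SYSTEM account in InstalledBy, so the interactive user only appears when the client was installed manually under that user's session.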
If you have questions or comments about this or any of my blog posts, please contact me at @GarthMJ.