Track changes in ConfigMgr
Monday morning, Task-Sequence for 1709 upgrade stopped working.. Two questions will pop up very quickly:
- Who has changed something ?
- What has changed since last Friday ?
To answer the first question, you can check Audit Status Messages in Configuration Manager, but to fix the issue it's more interesting to know what has changed.
In this Blog, I will show you how to use JainDB to track and report changes on ConfigMgr Objects.
Backup ConfigMgr Objects with JainDB
JainDB is a Blockchain based data warehouse for JSON objects. You can archive any types of JSON data and JainDB will track all the changes and keeps history for every object that changes.
As ConfigMgr does not store objects in a JSON format, we need a script to get all Information from ConfigMgr and convert it into a JSON object before we can upload to JainDB.
BackupCM.ps1 is an example of such a converter. The script supports most of the common Object Types in ConfigMgr like:
- Applications (incl. DeploymentTypes)
- Baselines
- Boot Images
- Boundaries (incl. BoundaryGroups)
- ClientSettings
- Collections (incl. Maintenance Windows, PowerSettings, Variables)
- Configuration Items
- Deployments
- DistributionPoints
- Devices (incl. Variables)
- Hierarchy Settings
- OperatingSystem Images and Packages
- Packages and Programs
- Site Maintenance Tasks
- Task-Sequences
- UpdateGroups (incl. deployed Updates)
- User Device Affinity
Note: exporting Devices may run for hours in large Environments-> Only Export Objects that you really need to archive!
Requirements
The only thing we need is JainDB, where we have two options for setup:
- Docker Container including REDIS Cache (Database)
- .NET Core Command
The Redis-Cache (Docker-Image) is the best choice if you need reporting performance. Check out the QuickStart Guide for installation instructions.
The .NET Core Command is the best choice if you want to learn how JainDB is working. It's not that fast as it stores objects on the File-System as json files. The Binaries can be downloaded from GitHub.
Note: .Net Core 2.0 is required to run jaindb.dll.
Extract the Files and create a Batch-File to startup:
cd "%~dp0"
::set WebPort=5000
set ReportUser=DEMO
set ReportPW=password
dotnet .\jaindb.dll
It's recommended to run JainDB on a computer with the System Center Configuration Manager Console installed. Otherwise you have to change the "jaindburi" variable in BackupCM.ps1 to point to your JainDB endpoint.
Run a Backup
- Start JainDB
- Download BackupCM.ps1
- Check if the "jaindburi" variable is pointing to jour JainDB Service
- Open PowerShell on a computer with the ConfigMgr Console installed.
- Run BackupCM.ps1
Example output in JainDB (only new or changed objects are listed):
Example PowerShell script Output (it lists hashes for all objects):
If you are wondering where and how the content is stored, check out the wwwroot subfolder in the JainDB directory. There may be hundred of directories but a few are important:
- _Full : latest Version of an object including dynamic data (tagged with '@'). If you delete these files, JainDB will recreate the file(s) when needed.
- _Key : Key-Identifiers to search an object based on these keys.
- Assets: Raw Objects without content (only hashes)
- Chain: Blockchain for each object
The other folders do (mostly) contain child objects that are referenced from the Assets data.
What has changed ?
JainDB provides a REST-API that can be used for reporting or to get the objects that have changed.
To get a list of objects that have changed in the last 10hours, we can run the following command against JaindDB (you may have to change the URL and Port):
(Invoke-WebRequest -Uri "http://localhost:5000/changes?age=10-0-0&changetype=1" -Credential DEMO).Content | ConvertFrom-Json
Changetype=1 will only show changed objects and not new ones. The Parameter age=10-0-0 defines the age (10hours).
If you would like to get the list in Excel:
The important part of the result is the "id" column as this is the Unique Identifier of the changed object:
In this example, there are 4 UpdateGroupDeployments, 4 Deployments,one Device and one OS Image/Package with some changes...
Get the changed attributes
In this use case, a Task-Sequence stopped working... so let's have a closer look on the OS Upgrade Package "osd-WP1004E5".
To get the changed attributes in a readable form, we can use the function "diffvis" from JainDB. Just open the URL http://localhost:5000/diffvis?id=osd-WP1004E5 in a browser (Note: the URL contains the id we want to check)
Diffvis will show old values in red and new values in green. As we can see from the screenshot above, the PreDownloadRule has changed from 1033 to 2055. Here we are, someone has changed the prerequisite language on the OS Upgrade Package from English (1033) to Swiss German (2055) !
If you want to get the changes in a Patch format format, call the "diff" method from JainDB API with mode=1 as option:
(Invoke-WebRequest -Uri "http://localhost:5000/diff?id=osd-WP1004E5&mode=1" -Credential DEMO).Content
Result will look like this:
{
"_hash": [
"9qZoQDaX6K5G27jPcNzUHX6dn",
"9qZY95nGTyCkFM9ZXXUE7BEYF"
],
"_index": [
1,
2
],
"OperatingSystemUpgradePackage": {
"LastRefreshTime": [
"2017-10-27T09:26:44Z",
"2018-02-19T07:47:34Z"
],
"PreDownloadRule": [
"@@ -93,8 +93,8 @@\n age=\n-1033\n+2055\n",
0,
2
],
"SedoObjectVersion": [
"9A19B015-B2C3-4638-A2A3-C02574DA727B",
"6901E7A4-3E48-4CAE-95D0-F8458E599E03"
],
"LocalizedCategoryInstanceNames": [
[]
]
},
"#id": [
"osd-WP1004E5"
],
"_date": [
"2018-02-19T07:48:35.7658472Z"
]
}
Summary
JainDB a simple and free Solution to track changes in ConfigMgr (or other data sources). It's not Realtime, but if you trigger a "Backup" every day or week, you can monitor changes in your environment.
Note: There are many other reporting options in the REST-API that can be used with Excel or Power BI...
Keep in mind that JainDB is Open-Source, without Warranty and Support, but if you see some issues please report it back on GitHub.