How to fix missing system console user information from SCCM reports

(Post courtesy Anil Malekani)

In recent months, I have worked on two different cases where the TopConsoleUser field was missing from SCCM Reports for some of the computers. For example, here are some predefined reports where the information was missing:

-- Hardware 3A - Primary computer users
-- Hardware 3B - Computers for a Specific Primary Console User
-- Hardware 4A - Shared (multi-user) Computers
-- Hardware 5A - Console Users on a Specific Computer

I started my troubleshooting with one of the workstations. When I checked log files on this computer, InventoryAgent.log and AssetAdvisor.log files, I found no errors. Both of log files reported SMS_SystemConsoleUser and SMS_SystemConsoleUsage fields being inventoried.

Also the mof file, aainst.mof had definition included for classes SMS_SystemConsoleUsage and SMS_SystemConsoleUser. This means that sms_def.mof were configured correctly as well.

The next thing I checked was the WMI class SMS_SystemConsoleUsage, under "\\<Machine Name>\root\cimv2\sms\  , using WMI CIM Studio. I found that the TopConsoleUser Property was missing from SMS_SystemConsoleUsage class. I confirmed on my lab machine that the property was there and was being inventoried by SCCM (see the screenshot below).

clip_image002

I Also ran a query "select TopConsoleUser from SMS_SystemConsoleUsage" which didn't return the TopConsoleUser value. Again on my lab machine it returns all class properties along with TopConsoleUser value.

clip_image003

After doing some more research, I found the following article from MSDN which explains the method used to collect console usage information by the class and also says that only interactive logons are acknowledged by this class.

SMS_SystemConsoleUsage Client WMI Class

https://msdn.microsoft.com/en-us/library/cc146052.aspx

This class gathers information about all users from the system security event log by using logon and logoff events. When a logon event is found, the associated logon ID is used to search for a matching logoff event. If more than one logoff event is found for a specific logon event, then the last logoff event is used to calculate the amount of time that the user was logged on. This is because it is possible to issue more than one logoff request before the system actually performs the logoff action. If a matching logoff event cannot be found, the next shutdown event or logon event is used in place of a logoff event. If none of these can be found, the latest entry in the security log is used. The resulting information is aggregated by user and ordered by total console usage.

Note Only interactive logons are acknowledged by this class.

This means that users need to practice proper logon/logoff instead of simply locking their screens and unlocking on next use. This will ensure that the user logon information is captured by WMI.

Apart from the above, logon auditing should also be enabled to make sure that logon/logoff events are captured on every computer in the domain. Here is the location within group policy:

Group Policy\Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events

After enabling the appropriate setting within group policy, and informing the partner that only interactive logins are captured, the TopConsoleUser information was captured from the workstation and displayed in reports as expected.