MDT Basics of Logging
Welcome back to another article on MDT. Today we're going to cover the MDT logging setup, with an additional nifty config to grab msiexec and script output automatically at the end of the Task Sequence.
This article assumes that your MDT installation is up and running. If it's not, read the blow-by-blow installation guides for MDT (here), and in particular how to set up the MDT Shares, as that is touched upon in this article (here).
Unlike Monitoring, enabling logging within MDT is not a single check box.
A share with the correct permissions, updates to the Rules (CustomSettings.ini) and a service account are required.
Once enabled, the logs created by the Task Sequence are automatically uploaded to the share on successful completion.
#MDT Service Account
Let's get started by creating a service account, either locally or in the domain; neither requires any additional privileges.
This article covers the use of local accounts only.
At the Run command type 'compmgmt.msc' and create a new user account named 'svc_mdtuser'.
Remove the 'Users' group membership to prevent interactive logon by svc_mdtuser.
#MDT Log Share and Permissions
Create a new folder under the MDT Root named 'Logs', eg: D:\DeploymentShare\Logs.
Share as 'Logs$' and set the Share permissions for 'svc_mdtuser' as either 'Change' or 'Full Control'.
Set the NTFS Security permissions as 'Modify' for the 'svc_mdtuser' service account.
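The service account, folder, share and NTFS steps above as one script. This is an added example, not code from the original article; it assumes the account name, share name and D:\ path the article uses, an elevated PowerShell session on the MDT server, and the built-in LocalAccounts and SmbShare modules.

```powershell
# Added example: provisions the MDT log share as described above.
$account   = 'svc_mdtuser'
$logFolder = 'D:\DeploymentShare\Logs'
$shareName = 'Logs$'

# 1. Local service account. It needs no rights beyond the Logs share, and its
#    password ends up in clear text in CustomSettings.ini, so use a password
#    that is unique to this account.
$password = Read-Host -Prompt "Password for $account" -AsSecureString
if (-not (Get-LocalUser -Name $account -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $account -Password $password `
        -PasswordNeverExpires -UserMayNotChangePassword `
        -Description 'MDT log upload account' | Out-Null
}
# Dropping the Users membership removes interactive logon on this host.
if (Get-LocalGroupMember -Group 'Users' -Member $account -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Users' -Member $account
}

# 2. Folder and share. -ChangeAccess is the 'Change' share permission.
New-Item -ItemType Directory -Path $logFolder -Force | Out-Null
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $logFolder -ChangeAccess $account | Out-Null
}

# 3. NTFS 'Modify' for the service account, inherited by files and subfolders.
$acl  = Get-Acl -Path $logFolder
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $logFolder -AclObject $acl

# 4. Show what was granted so it can be checked against the steps above.
Get-SmbShareAccess -Name $shareName | Format-Table AccountName, AccessRight
(Get-Acl -Path $logFolder).Access |
    Where-Object IdentityReference -like "*\$account" |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```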
#CustomSettings aka Rules
Open the Deployment Workbench from the Start Menu.
Right click on the MDT Deployment Share and select Properties.
Click on the 'Rules' tab.
Alternatively, the Rules can be edited directly: navigate to the 'Control' folder under the root of the MDT Share, D:\DeploymentShare\Control, and open CustomSettings.ini in Notepad.
Add the following settings:
UserPassword=Password1234 (clearly this is not the real password)
Nice and simple; that's the configuration completed, and the rest looks after itself.
At the completion of a task sequence, the MDT script output is uploaded to the logs share.
Any file with the .log extension in the same folder is uploaded too, so this behaviour can be used for other output.
Redirect other logging output to 'C:\MININT\SMSOSD\OSDLOGS\' and make sure the file extension is .log.
I tend to prefix these files with an underscore ('_') to separate the Task Sequence's own output from the installer output of msiexec.exe or PowerShell when installing an Application.
Here are a few examples:
Enable msiexec logging with the /l switch:
msiexec.exe /i "Google Chrome.msi" /l C:\MININT\SMSOSD\OSDLogs\_chrome.log
For PowerShell output, the following example works:
# The path must be quoted. Out-File writes the objects to the log; the .log
# extension is what gets the file copied to the Logs$ share.
$logging = 'C:\MININT\SMSOSD\OSDLogs\_GetWMI.log'
Get-CimInstance -ClassName Win32_ComputerSystem  | Out-File $logging
Get-CimInstance -ClassName Win32_OperatingSystem | Out-File $logging -Append
Get-CimInstance -ClassName Win32_BIOS            | Out-File $logging -Append
Get-CimInstance -ClassName Win32_Processor       | Out-File $logging -Append
This simple example can be expanded to run the vulnerability script as part of the build process, so that new programs are automatically audited for known issues.
GPResult works as well; rename the file to .htm once it has been uploaded.
gpresult /h C:\MININT\SMSOSD\OSDLogs\_GPresult.log
Thanks for reading and your time, it is very much appreciated.