MDT Basics of Logging

Welcome back to another article on MDT. Today we're going to cover MDT logging setup, with some additional nifty config to grab msiexec and script outputs automatically at the end of the Task Sequence.

 

This article assumes that your MDT installation is up and running. If it's not, read the blow-by-blow installation guides for MDT (here), particularly how to set up the MDT shares (here), as it's touched upon in this article.

Enabling logging within MDT is not a simple check box, as it is when enabling Monitoring.

 

A share with the correct permissions, updates to the Rules (CustomSettings.ini) and a service account are required.

 

Once enabled, the logs created by the Task Sequence are automatically uploaded to the share on successful completion.

#MDT Service Account

Let's get started by creating a service account, either locally or in the domain; neither requires any additional privileges.

 

This article covers the use of local accounts only.

At the Run command, type 'compmgmt.msc' and create a new user account named 'svc_mdtuser'.

Remove the account from the 'Users' group to prevent interactive logon by svc_mdtuser.

#MDT Log Share and Permissions

Create a new folder under the MDT root named 'Logs', e.g. D:\DeploymentShare\Logs.

 

Share it as 'Logs$' and set the Share permissions for 'svc_mdtuser' as either 'Change' or 'Full Control'.

Set the NTFS Security permissions as 'Modify' for the ‘svc_mdtuser’ service account.
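
The account, folder, share and permission steps above can also be scripted. The PowerShell below is an added example, not part of the original article; it assumes an elevated session on the MDT server and reuses the article's names (svc_mdtuser, D:\DeploymentShare\Logs, Logs$). The account description is made up for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the account, share and permission steps.
# Names and paths are the article's; adjust them for your server.
$Account = 'svc_mdtuser'
$LogPath = 'D:\DeploymentShare\Logs'
$Share   = 'Logs$'

# Create the local service account if it does not already exist.
if (-not (Get-LocalUser -Name $Account -ErrorAction SilentlyContinue)) {
    # Prompt for the password so it is not stored in the script or shell history.
    $Password = Read-Host -Prompt "Password for $Account" -AsSecureString
    New-LocalUser -Name $Account -Password $Password `
        -Description 'MDT log upload account' | Out-Null   # description is an assumption
}

# Make sure the account is not a member of 'Users', matching the GUI step.
if (Get-LocalGroupMember -Group 'Users' -Member $Account -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Users' -Member $Account
}

# Create the folder and share it with 'Change' for the service account.
New-Item -Path $LogPath -ItemType Directory -Force | Out-Null
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $LogPath -ChangeAccess $Account | Out-Null
}

# Grant NTFS 'Modify' on the folder, inherited by subfolders and files.
$acl  = Get-Acl -Path $LogPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$env:COMPUTERNAME\$Account", 'Modify',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $LogPath -AclObject $acl

# Review the result: who can reach the share and what they can do on disk.
Get-SmbShareAccess -Name $Share
(Get-Acl -Path $LogPath).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

The last two commands list every identity with access, so any entry broader than expected on the share or folder is visible before the first deployment writes to it.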

 

#CustomSettings aka Rules

Open the Deployment Workbench from the Start Menu.

Right click on the MDT Deployment Share and select properties.

Click on the ‘Rules’ tab.

The 'Rules' can also be accessed by navigating to the ‘Control’ folder under the root of the MDT share, D:\DeploymentShare\Control, and opening CustomSettings.ini with Notepad.

 

Add the following settings:

SLShare=\\IPAddress\Logs$

UserID=svc_mdtuser

UserPassword=Password1234 (clearly this is not the real password)

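Nice and simple, and that's the configuration completed; the rest kind of looks after itself. The password sits in CustomSettings.ini in clear text, so keep svc_mdtuser limited to the Logs$ share as set up above.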

At the completion of a task sequence the MDT script output is uploaded to the logs share.

#Extra Logging

It's possible to take advantage of this behaviour: files with the extension .log are uploaded to the logs share.

Redirect all logging output to 'C:\MININT\SMSOSD\OSDLOGS\' and make sure the extension is .log.

 

I tend to use an '_' as a prefix to separate the Task Sequence output created when installing an Application from the installation output of, for example, msiexec.exe and PowerShell.

 

Here are a few examples:

#MSIEXEC

Enable msiexec logging with the /l switch:

msiexec.exe /i "Google Chrome.msi" /l C:\MININT\SMSOSD\OSDLogs\_chrome.log

#PowerShell

For PowerShell output, the following example works:

# Log file in the folder MDT uploads from; the path must be quoted
$logging = 'C:\MININT\SMSOSD\OSDLogs\_GetWMI.log'

# Out-File returns nothing, so the results are piped straight to the log
Get-CimInstance -ClassName Win32_ComputerSystem | Out-File $logging
Get-CimInstance -ClassName Win32_OperatingSystem | Out-File $logging -Append
Get-CimInstance -ClassName Win32_BIOS | Out-File $logging -Append
Get-CimInstance -ClassName Win32_Processor | Out-File $logging -Append

This simple example can be expanded to run the vulnerability script as part of the build process. New programs are automatically audited for known issues.

#GPResult

GPResult works as well; rename the file to .htm once it's been uploaded.

gpresult /h C:\MININT\SMSOSD\OSDLogs\_GPresult.log

Thanks for reading and your time, it is very much appreciated.