Issues with KACE Inventory/Install using MDT Deployment

Greetings all,

We use MDT to perform scripted installs of Windows 10 on our machines. The MDT sequence is pretty bare bones. It essentially just installs Windows, renames it per our database, imports our WiFi profile, joins our domain, and installs the KACE agent, not counting the other intermediary tasks that MDT requires. All of this works flawlessly. The KACE agent installs properly, then shortly after, the machine reboots as it's the last step of the Windows install. When I check in KACE, the machine will show as not having checked in (note, these are generally computers that have already been inventoried, then reimaged, and are re-inventorying (is that a word?) into KACE).

Now, if I log in afterwards and manually run a runkbot 4 0/6 0 to inventory and install software, it does just that. Additionally, in most cases, if I leave the device on long enough, it eventually figures it out and gets its act together.

This is not ideal, however, since KACE is handling our software installs. We have LDAP labels set up for our machines so that each one gets what it needs after MDT is done with it, which in a manual case, all works fine. But, if we're imaging a batch of devices, it's pretty counterproductive if we either have to launch and confirm everything manually or leave them on for hours afterwards instead of getting them back to their users.

I've tried adding manual runkbot 4 0/6 0 scripts at the end of MDT to force this, but since I can't figure out a way to get MDT to run a command as "Administrator", the commands don't do anything and it just skips right across them and reboots. I've also tried installing the agent with a batch file and adding a timeout 300 afterwards to give it 5 minutes to get its stuff together. Adding the timeout seems to have helped the communication side of things, but the device still reboots, then software installs while it sits at the login screen.

Ultimately, what I'd like (if possible) is to get MDT to install the agent, wait for communication if necessary (using a timeout command), then run an inventory and install before it reboots. That way we know, once it reboots, it's done. But I can't figure out how to get MDT to do that. Nothing seems to want to listen to me on that front.

Unfortunately, we don't have quite enough devices yet to warrant me pressuring people into getting the K2000 (or whatever it's called these days) since MDT works fine and is free so I need to make this work more seamlessly somehow.


Any advice would be greatly appreciated.


Answers (7)

Posted by: kayroccs 1 year ago
Yellow Belt
0

In your MDT customsettings.ini add this value

FinishAction=Logout

This will stop MDT from rebooting your machine but logout when complete. Remove any Restart task you may have at the end of the TS.


As for forcing an inventory to KACE, create a cmd task with the entries below;


This is how I force clients to check in and run KACE Inventory after an image.



Comments:
  • I just tried another machine with the changes you suggested. I had tried adding the runkbot 4 0 cmd in the task sequence before which always fails, my guess is because it isn't "running as administrator" even though it is logged in as administrator.... I hate windows sometimes...

    I did try re-adding that cmd and changing the finish action to logoff instead of reboot, but it appears to be stuck in the same boat. The task sequence finished, glosses right over the runkbot cmd and logs off. I left it sit for a bit but no activity in KACE. When I logged back in manually, I confirmed that the agent is indeed installed, and I can manually run a runkbot 4 0 as administrator and that works immediately with the machine getting its assigned software shortly after as intended. - clarlee 1 year ago

Posted by: kayroccs 1 year ago
Yellow Belt
0

MDT always runs as the System/Administrator user unless you specify to run as a different user.


Question, in my first picture, you do not have the option Disable this Step unchecked? If it is checked, this would cause MDT to skip that step when it reaches that sequence. 

Also, there could be something wrong with your command line execution. Can you attach photos of your steps in MDT?

Posted by: clarlee 1 year ago
Yellow Belt
0

The step is enabled. 

Here's an overview of the TS post Windows install.

As a side note, I've tried the runkbot 4 0 using this method that you shared, I've also had it set up similarly just without the IF statement variable, as well as having it actually call a batch file in the scripts MDT share that has the command.

Everything I've read says that MDT runs as system so it should work, it just acts like it's not actually elevated. I added a 5 minute timeout after the agent install, and was able to manually run a runkbot 4 0 using an elevated cmd prompt and it did trigger (it failed because the laptop logged off before it finished which I knew would happen, but still) so I know it will work, just a matter of getting around why MDT isn't doing it on its own.

Posted by: kayroccs 1 year ago
Yellow Belt
0

So looking at your command path, C:\Progra~2 is the Program Files directory. C:\Progra~1 is the Program Files (x86) directory which is where Kace agent lives. Your path is the issue. Also, can you just do C:\Program Files (x86)\Quest\Kace in the path. I'm not sure if MDT knows how to resolve the C:\Progra~1 variable.


Also, you need to call the file full name and extension. You have runkbot instead of runkbot.exe


Comments:
  • Yeah, I missed the .exe. But considering I've tried this so many times I don't think it will help. I'll give it a shot though. Same as using the full path as opposed to the short name. It should parse it though since MDT is passing the command to CMD and not trying to locate the path itself (if there are actually issues with MDT and short names)
    Also, Progra~2 is correct. You have the ~1 vs ~2 backwards. - clarlee 1 year ago
    • My apologies, yes, the shortname is correct. I just double-checked in cmd.

      Another question, do you have logging enabled? This would greatly help with your issues. - kayroccs 1 year ago

Posted by: kayroccs 1 year ago
Yellow Belt
0

So I tested with the shortname and it worked for me. I think you need to enable logging so we can get more details.

Posted by: clarlee 1 year ago
Yellow Belt
0

I'm trying something. Not sure if it will work, but we'll see.

I scanned through the runkbot 4 0 output side by side as both an elevated and non-elevated user just on my daily driver. The error it throws as non-elevated is a permissions error of not being able to write a file to C:\ProgramData\Quest\KACE\kbots_cache. 

When I went to that folder, the Administrators group already has access, but I explicitly added my user account to the folder permissions and ran the runkbot again from the non-elevated cmd and the inventory kicked off and worked as if it was elevated. KACE was happy and showed the updated inventory data shortly after.

So... I tried on a test machine, just using an icacls cmd and a service account, to add perms to that folder and it also worked. 

I added the icacls cmd to my MDT TS right before the runkbot cmd to add a service account to the perms on the folder, then set the runkbot script to run as that user. 

Like I said, no idea if it will work, but worth a shot. 

If not, I have logging enabled for this attempt, so I'll have that after the fact.


Comments:
  • I'm stoopid and goofed it... fixed my mistake and trying this idea again... - clarlee 1 year ago

Posted by: clarlee 1 year ago
Yellow Belt
0

My attempts have failed. My commands to add local admin, system, and a test service account to the folder permissions are working just fine. I can confirm after logging in that the permissions are there, so in theory, it should be working.

The runkbot is still not triggering properly.

Log output:

Expand a string: C:\Program Files (x86)\Quest\KACE\runkbot.exe

TSManager 4/12/2023 2:54:16 PM 8220 (0x201C)

Expand a string: TSManager 4/12/2023 2:54:16 PM 8220 (0x201C)

Expand a string: TSManager 4/12/2023 2:54:16 PM 8220 (0x201C)

Expand a string: TSManager 4/12/2023 2:54:16 PM 8220 (0x201C)

Expand a string: TSManager 4/12/2023 2:54:16 PM 8220 (0x201C)

The condition for the action (KInventory) is evaluated to be true TSManager 4/12/2023 2:54:16 PM 8220 (0x201C)

Expand a string: cmd.exe /c "C:\Program Files (x86)\Quest\kace\runkbot.exe" 4 0 TSManager 4/12/2023 2:54:16 PM 8220 (0x201C)

Expand a string: TSManager 4/12/2023 2:54:16 PM 8220 (0x201C)

Start executing the command line: cmd.exe /c "C:\Program Files (x86)\Quest\kace\runkbot.exe" 4 0 TSManager 4/12/2023 2:54:16 PM 8220 (0x201C)

!--------------------------------------------------------------------------------------------!

TSManager 4/12/2023 2:54:16 PM 8220 (0x201C)

Expand a string: WinPEandFullOS TSManager 4/12/2023 2:54:16 PM 8220 (0x201C)

Executing command line: cmd.exe /c "C:\Program Files (x86)\Quest\kace\runkbot.exe" 4 0 TSManager 4/12/2023 2:54:16 PM 8220 (0x201C)

Process completed with exit code 0  TSManager 4/12/2023 2:54:17 PM 8220 (0x201C)

!--------------------------------------------------------------------------------------------!

TSManager 4/12/2023 2:54:17 PM 8220 (0x201C)

Successfully completed the action (KInventory) with the exit win32 code 0 TSManager 4/12/2023 2:54:17 PM 8220 (0x201C)

Executing in non SMS standalone mode. Ignoring send a task execution status message request TSManager 4/12/2023 2:54:17 PM 8220 (0x201C)

Set a global environment variable _SMSTSLastActionRetCode=0 TSManager 4/12/2023 2:54:17 PM 8220 (0x201C)

Set a global environment variable _SMSTSLastActionName=KInventory TSManager 4/12/2023 2:54:17 PM 8220 (0x201C)

Set a global environment variable _SMSTSLastActionSucceeded=true TSManager 4/12/2023 2:54:17 PM 8220 (0x201C)

Clear local default environment TSManager 4/12/2023 2:54:17 PM 8220 (0x201C)


Time from launch to completion is one second, so it's still just not wanting to trigger the inventory. 
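
The timing check done by eye in the post above, written as an added example that is not part of the original thread: it pairs each "Start executing the command line" entry with its "Successfully completed the action" entry and reports steps that returned exit code 0 almost immediately. The function names and the 30-second threshold are assumptions; the sample lines are copied from the log excerpt in the post.

```python
import re
from datetime import datetime

# Lines copied from the TSManager log excerpt in the post above.
SAMPLE_LOG = """\
The condition for the action (KInventory) is evaluated to be true TSManager 4/12/2023 2:54:16 PM 8220 (0x201C)
Start executing the command line: cmd.exe /c "C:\\Program Files (x86)\\Quest\\kace\\runkbot.exe" 4 0 TSManager 4/12/2023 2:54:16 PM 8220 (0x201C)
Process completed with exit code 0  TSManager 4/12/2023 2:54:17 PM 8220 (0x201C)
Successfully completed the action (KInventory) with the exit win32 code 0 TSManager 4/12/2023 2:54:17 PM 8220 (0x201C)
"""

# Flattened layout seen in the post: message, component, timestamp, thread id.
LINE_RE = re.compile(
    r"^(?P<msg>.*?)\s*TSManager "
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \d+ \(0x[0-9A-Fa-f]+\)\s*$"
)
START_RE = re.compile(r"^Start executing the command line: (?P<cmd>.+)$")
DONE_RE = re.compile(
    r"^Successfully completed the action \((?P<name>[^)]*)\) with the exit win32 code (?P<code>-?\d+)$"
)


def action_timings(log_text):
    """Pair each command start with its completion entry; one dict per action."""
    results, pending = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # separators, blank lines, entries from other components
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        if (s := START_RE.match(m["msg"])):
            pending = (s["cmd"], ts)
        elif (d := DONE_RE.match(m["msg"])) and pending:
            cmd, started = pending
            results.append({
                "action": d["name"], "command": cmd, "exit_code": int(d["code"]),
                "seconds": (ts - started).total_seconds(),
            })
            pending = None
    return results


def suspiciously_fast(timings, min_seconds=30):
    """Exit code 0 with a very short runtime: the step returned, nothing more is proven."""
    return [t for t in timings if t["exit_code"] == 0 and t["seconds"] < min_seconds]

if __name__ == "__main__":
    for t in suspiciously_fast(action_timings(SAMPLE_LOG)):
        print(f'{t["action"]}: exit {t["exit_code"]} after {t["seconds"]:.0f}s -> {t["command"]}')
```

The exit code in this log belongs to the cmd.exe wrapper the task sequence launched, so a zero only shows that the wrapper returned; the elapsed time is the extra signal.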