Enabling Logging for Commercial Vantage
As noted in our docs, logging is no longer enabled by default for Commercial Vantage. This applies to the System Update add-in. Historically, a log file was generated whenever a device checked for or installed updates.
Lenovo’s Product Security team wanted to ensure that enabling logs was a customer choice, and not something that was enabled by default without customer knowledge. This blog will provide example solutions for enabling logging for devices managed by Intune and ConfigMgr.
Intune
There are several options for Intune-managed devices. We'll leverage Remediations for this example. A simple detection script will check for the necessary registry value name and its value. If the value is False, the remediation script will flip it to True.
Below is a sample detection that can be used:
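# Registry location and value that control System Update add-in logging
$Path = "HKLM:\SOFTWARE\WOW6432Node\Lenovo\SystemUpdateAddin\Logs"
$Name = "EnableLogs"
$Value = $true

try {
    # -ErrorAction Stop sends a missing key or value to the catch block
    $Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop | Select-Object -ExpandProperty $Name
    If ($Registry -eq $Value) {
        # Compliant: exit code 0 tells Intune no remediation is needed
        Write-Output -InputObject "System Update logging enabled."
        Exit 0
    }
    # Value exists but is not True: exit code 1 triggers the remediation script
    Write-Warning -Message "System Update logging not enabled."
    Exit 1
}
catch {
    # Key or value could not be read: report non-compliant so remediation runs
    Write-Warning -Message "Could not enable System Update logging..."
    Exit 1
}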
Followed by a sample remediation:
Write-Output -InputObject "Enabling System Update Logging..."
$Path = "HKLM:\SOFTWARE\WOW6432Node\Lenovo\SystemUpdateAddin\Logs"

# Create the Logs key if it does not exist yet
If (-not (Test-Path -Path $Path)) {
    New-Item -Path $Path -Force
}

# Turn logging on
Set-ItemProperty -Path $Path -Name EnableLogs -Value $true
Log in to the Microsoft Intune admin center and click Create script package. Enter a name and select the detection and remediation script files to add. Choose to run the script in 64-bit PowerShell, then configure the assignment and schedule. For our lab, I've set this to run hourly. Since this only applies to Lenovo devices, it may be worthwhile to create a device filter that only targets Lenovo-branded systems. For example:
Once the device retrieves the policy for Remediation scripts, track the HealthScripts.log for details. In this screenshot, I can see logging was enabled and verified in the Registry.
The next time the System Update feature of Commercial Vantage runs, you can find the log in the following location:
ConfigMgr
For ConfigMgr-managed devices, you can import a sample Configuration Baseline that will accomplish the same result.
Download the Baseline here.
If you look at the properties of the Configuration Item, you'll see this is a simple Registry value setting type and a single compliance rule.
When you deploy the Baseline, be sure to check the options "Remediate noncompliant rules when supported" and "Allow remediation outside the maintenance window".
Happy logging!