Monitoring your fleets event logs - Part 2


Install Splunk - It's free!

Modify Program Files\Splunk\etc\system\local\inputs.conf

Add the lines

evt_resolve_ad_obj = 1


Then we need to reboot splunk, in Splunk click Settings, then Server controls and click Restart Splunk

Next we need to add our data source, click Add Data from the launch screen, then monitor


Choose Local Events then ForwardedEvents and click Next


Click Create a new index, call it ForwardedEvents, click Save, change the Index to ForwardedEvents and then click Review, Submit

Give it some time to collect a few logins, then go to Search & Reporting

index="forwardedevents" LogName="Microsoft-Windows-User Profile Service/Operational" (EventCode=1 OR EventCode=2 OR EventCode=6 OR EventCode=7)  | transaction ComputerName startswith=eval(EventCode=1) endswith=eval(EventCode=2) | table ComputerName, duration

So I'm using the selected data, filtering for 4 event codes, then getting the time between event code 1 and 2, and putting it into a table..

Edit: This search can be a bit funny, the delay ended up being between synching the roaming profile so I've also ran

index="forwardedevents" LogName="Microsoft-Windows-User Profile Service/Operational" (EventCode=1 OR EventCode=2 OR EventCode=6 OR EventCode=7)  | transaction ComputerName startswith=eval(EventCode=6) endswith=eval(EventCode=7) | table ComputerName, duration

Then click on the Visualization tab

This also lets you dive into each login by clicking one and get the event logs!

You can save this as a report, dashboard and share with people.


There is so much more you can do with this software, and it takes some time to learn it. Will post more as I do..



Optimize the 'build and capture' time and size (SCCM Build)



Inspired by Johan's post

I am probably one of the few that uses SCCM to capture base images. I use it because I create a thick image and it keeps the history of packages that it has installed meaning that newly imaged machines will know that they have already installed software x when they recieve it's required deployment.

Patch the install.wim

Patching the default Windows 7 install.wim so it doesn't need to install as many updates during OSD.

1. Download WSUS Offline Update from

2. Extract to C:wsusoffline and run UpdateGenerator.exe

3.  Choose Windows 7 x64 Global and click start.

WSUS Offline Update

4. Important: Delete KB2506143, KB2533552 and KB2819745 from C:wsusofflineclientw61-x64glb if they exist. They break the wim. If your company hasn't deployed IE11 also delete patches for it.

5. Extract a Win7 SP1 Enterprise ISO to 'C:OS Windows 7 SP1 x64'

6. Create the dir C:mount

7. Mount the wim -

dism /mount-wim /wimfile:"C:OS Windows 7 SP1 x64sourcesinstall.wim" /mountdir:C:mount /index:1


8. Patch the wim -

dism /image:C:mount /Add-Package /PackagePath:C:wsusofflineclientw61-x64glb

9. Commit/Close the wim -

dism /unmount-wim /mountdir:C:mount /commit

10. Copy the 'OS Windows 7 SP1 x64' folder to an unc share and import into SCCM under Operating System Installers.


Use Mikael Nystrom's Cleanup Script

1. Download via

2. Place in a UNC Share.

3. Copy ZTIUtility.vbs from MDT 2013 to the UNC Share.

4. Modify Action-CleanupBeforeSysprep.wsf second line to reference the ZTIUtility.vbs in the same folder

<script language="VBScript" src="ZTIUtility.vbs"/>

5. Create a package in SCCM.

6. Before the capture steps create a run command step surrounded by 2 reboots:

cscript.exe Action-CleanupBeforeSysprep.wsf using the package created and disable 64-bit file system redirection

TS Clean

The updated wim will have the patches required for this step.

Access the wim directly from the distribution point

For this to work you need to tick the checkbox on the OS Installer properties to copy to a share, then also the Access content directly in the task sequence Apply OS step.





Monitor KB2894518 for mutiple reboot updates

Create a separate deployment for these updates to a collection that excludes your capture VMs


Tweak your Virtual Machine

  • Don't use the Legacy Network adapter (Have had issues at capture stage)

Visit for VM tweaks

  • Use 2 vCPUs
  • Use a RAM Disk