FOG Post install script for Win Driver injection
-
@jamaal You have to remember the script was designed to work directly with the Dell CAB file format. I understand you are working with lenovo, but as long as you have inf file format you can adapt it easily.
osid vs osname. In the case of FOG it knows internal osid == a certain operating system. So instead of requiring the FOG IT admin to create directories based on an integer number to represent windows 7 or windows 10, I created a map so when osid == 5 that mapped to a directory path of win7 and osid == 9 would be win10 and so on. That way when you looked at the directory path you would know the win7 drivers go into the win7 directory and not the “5” directory. That is the logic of the osid to osn name matching.
-
Ok, thanks for the explaination George, appreciate your help.
-
@george1421 Why do you have lines 7-12 REMed out? I know very very very little bash so this is like looking at french for me.
-
@agray said in FOG Post install script for Win Driver injection:
@george1421 Why do you have lines 7-12 REMed out? I know very very very little bash so this is like looking at french for me.
In which script?
-
@george1421 fog.ad-the 3rd post
I’m not getting anything of this either. Looking at the thread here, and here (https://forums.fogproject.org/topic/11126/using-fog-postinstall-scripts-for-windows-driver-injection-2017-ed) the scripts are different. What is right? What do you name everything/make the file type? -
@agray Ok you can ignore that section. It is in there to remove the unattend.xml file if its found in the setup directory. There should be only one unattend.xml file and it should be in c:\windows\panther directory.
What the fog.ad script does, it dynamically update the unattend.xml file with fog run time parameters. If you are not using an unattend.xml file or using the FOG client to connect the computer to AD and give it its name then you don’t need the fog.ad script at all.
If you look at the fog.postdownload script in this section
debugPause # . ${postdownpath}fog.log . ${postdownpath}fog.drivers # . ${postdownpath}fog.ad umount /ntfsYou will see that the call to those scripts are commented out. The only script that is required is fog.drivers the others provide functionality beyond driver injection.
As for the 2017 ed why are they different? Because we’ve learned things since this thread was published. I would look at the 2017 version if you are doing a new install. This thread gives the background behind why the 2017 is the way it is.
-
@george1421 From what I’m getting from all the threads, the unattend.xml file is required with win10 now. Is that no longer the case?
If it is, is that required to be edited in the master image before cloned?
Later in your 2017 ed thread you gave an update on the 1703+ Win, saying “add the following lines to your setupcomplete.cmd batch file.” That batch file already created, if not, where can i find code for it, or it that it in the code box? -
@agray The unattend.xml file is required if you want an unattended windows setup. You can use an online unattend.xml generator to create this file: http://www.windowsafg.com/ or craft one by hand with your site specific configuration.
The setupcomplete.cmd file is run by windows setup at the end of the OOBE process and just before the first windows logon is displayed. You place batch commands in there to be executed before the user’s first login. Google “setupcomplete.cmd” to find out its location and structure.
-
@george1421 Thank you! all is appreciated! I’m sorry for the bombardment of questions.
-
Hello,
Thanks a lot for all this stuff ! We used it since year start (HP/Dell, a dozen of differents models, 300 computers). We made some minor update on this script, if it can be reused :
# lowercase machine name and remove all spaces machine=$(echo $machine | tr A-Z a-z | tr -d ' ')So, our drivers directory looks like :
/images/drivers ├── forAll ├── hpelitedesk800g3twr ├── hpz230towerworkstation ├── optiplex7040 ├── optiplex7050 ├── optiplex7060 ├── optiplex9010 ├── optiplex9020 ├── optiplex9030aioAnother one concern the drivers download (unicast/NFS) by each client. By default, all unicast rsync start after the last multicast session. To make «subgroups» of rsync based on last IP number:
dots "Calculate IP (wait4sync)" MY_IP=$(ip route get 9.9.9.9 | awk '{print $7}') IP_LAST=$(echo ${MY_IP} | cut -f 4 -d '.') # IP OK ? if ! [[ ${IP_LAST} =~ ^[0-9]{1,3}$ ]] then IP_LAST=4 echo -n " bad IP..., use ${IP_LAST}," fi # Want each to wait ((IP_LAST % 5) ) * 3mn ## w.x.y.zz0|5|10|... => no wait ## w.x.y.zz1|6|11|... => wait 3mn ## w.x.y.zz2|7|12|... => wait 6mn WAIT=$((${IP_LAST} % 5 * 3))m echo " IP: ${MY_IP} => wait ${WAIT}" sleep ${WAIT} dots "Preparing Drivers" ...the last one concern the «forAll» directory, used for all common drivers like «pci simplified communication»:
remotecommondriverpath="/images/drivers/forAll" [[ ! -d "${clientdriverpath}" ]] && mkdir -p "${clientdriverpath}" >/dev/null 2>&1 dots "Common drivers In Progress" rsync -aq "$remotecommondriverpath" "$clientdriverpath" >/dev/null 2>&1 [[ ! $? -eq 0 ]] && handleWarning "Failed to download common drivers" echo "Finish" -
I hate to admit it took me a full day to realize there should be no space in the directory structure for the driver folders when I (poorly) read George’s instructions in the 2017 thread (lmao)
I also have a question that is related to the driver injection concept, but it is after the post download scripts.
For one of the machine types, the .cab comes with an unknown amount unsigned driver for some stupid reason. This complicates things because a prompt to “install the unverified driver(s)” during the setupcomplete.cmd. I can’t find a method to force/silently say yes to this with pnputil.
Most fixes involve an extra reboot to turn off driver integrity checks. I am trying a really roundabout method:
Setupcomplete.cmd
BCDEDIT /set nointegritychecks ON shutdown -t 0 -rThen, a script that lives in the startup folder found at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup does the following, then deletes itself after it runs once.
pnputil.exe /add-driver "C:\Drivers\*.inf" /subdirs /install pnputil.exe /add-driver "C:\Drivers\*.inf" /subdirs /install pnputil.exe /add-driver "C:\Drivers\*.inf" /subdirs /install rmdir /Q /S C:\drivers BCDEDIT /set nointegritychecks OFF (goto) 2>nul & del "%~f0"Finally, I have a scheduled task built into the image that takes care of the commands usually in the typical setupcomplete.cmd, then deletes itself as well. The reboot should theoretically take care of the client service config and turning the integrity check back on.
sc config FOGService start= delayed-auto shutdown -t 0 -rI got to the point of being ready to test this yesterday, but the workday ended. I will test in a few hours when I am in. I am open to suggestions of how to make this less clunky (if it even works).
-
@fry_p said in FOG Post install script for Win Driver injection:
sc config FOGService start= auto
Why do you set it to auto instead of delayed?
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
@Sebastian-Roth Whoops, I did not know that was the norm now. It is in the wiki article as auto. My bad, I can certainly change that before I try again.
EDIT: fixed my first post with the delay and a missing space just in case it works and someone uses it later
-
@fry_p said in FOG Post install script for Win Driver injection:
It is in the wiki article as auto.
Which wiki article is this?
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
https://wiki.fogproject.org/wiki/index.php/FOG_Client#FOG_Client_with_Sysprep
"Place these lines within the file, and then save.
sc config FOGService start= auto
shutdown -t 0 -rAs the filename indicates, the script is called by windows after an image is deployed and post-sysprep operations are complete. It will re-enable the FOGService and then reboot the computer gracefully. After the computer reboots, the FOGService will start automatically and rename the computer if necessary, reboot if necessary, join the domain and reboot if necessary, and then perform any associated snapins. "
Like open source community computing? Why not do it for a good cause?
Use your computer/server for humanitarian projects when it is idle!
https://join.worldcommunitygrid.org?recruiterId=1026912 -
@fry_p Thanks, fixed.
-
@fry_p said in FOG Post install script for Win Driver injection:
BCDEDIT /set nointegritychecks ON
Right this needs to be put into your golden image. Its a bad hack. But its VERY strange that Dell would release unsigned drivers, that’s so 2015. Are they not signed, or are they signed but have an unidentified certificate?
-
@george1421 said in FOG Post install script for Win Driver injection:
@fry_p said in FOG Post install script for Win Driver injection:
BCDEDIT /set nointegritychecks ON
Right this needs to be put into your golden image. Its a bad hack. But its VERY strange that Dell would release unsigned drivers, that’s so 2015. Are they not signed, or are they signed but have an unidentified certificate?
I legitimately want to ask, is it really dangerous to have that off for that short period of time? I turn it back on after the next automated reboot. I suppose if something failed, it would be stuck in that state… I need to not be lazy and find which one(s) is(are) unverified. Sadly, the message does not specify in sysprep.
This may be a fluke because I am testing and found this issue on an OptiPlex 7020 .cab. It is not the newest gen by any means.
Like open source community computing? Why not do it for a good cause?
Use your computer/server for humanitarian projects when it is idle!
https://join.worldcommunitygrid.org?recruiterId=1026912 -
@fry_p said in FOG Post install script for Win Driver injection:
I am testing and found this issue on an OptiPlex 7020 .cab.
Someone else on the forum was building a 7070 and had the same results where setupcomplete.cmd never finished. What we found is it was hanging injecting the drivers because of an unsigned driver and the continue message was on a hidden desktop.
I wonder if this will be an issue with those using SCCM or MDT to build their images? MS may just turn it off to avoid failure then turn it back on when done, I don’t know. But its very bad when a hardware manufacturer releases unsigned drivers. I had an issue with Intel NUCs a few years ago where the driver was signed, but it was signed with a MFG certificate. I had to import the certificate into the cert store on the reference image to get the drivers to load correctly on a post deploy driver injection.If you have a service account with Dell I sure would give them a call and ask is this normal. If you rerun the pnputil command interactively with a desktop you may be able to trap which driver(s) are causing the problem and eject them from the driver pack and have solid info when calling Dell support.
-
Hi everyone,
I’ve just copied scripts and getting following error while deploying image to a windows client. I cant find how to resolve it. Did anybody experience same issue before?
An error has been detected!
Failed to download driver information for [VC60/win10/x64]
