FOG Post install script for Win Driver injection
-
@agray The unattend.xml file is required if you want an unattended windows setup. You can use an online unattend.xml generator to create this file: http://www.windowsafg.com/ or craft one by hand with your site specific configuration.
The setupcomplete.cmd file is run by windows setup at the end of the OOBE process and just before the first windows logon is displayed. You place batch commands in there to be executed before the user’s first login. Google “setupcomplete.cmd” to find out its location and structure.
-
@george1421 Thank you! all is appreciated! I’m sorry for the bombardment of questions.
-
Hello,
Thanks a lot for all this stuff ! We used it since year start (HP/Dell, a dozen of differents models, 300 computers). We made some minor update on this script, if it can be reused :
# lowercase machine name and remove all spaces machine=$(echo $machine | tr A-Z a-z | tr -d ' ')
So, our drivers directory looks like :
/images/drivers ├── forAll ├── hpelitedesk800g3twr ├── hpz230towerworkstation ├── optiplex7040 ├── optiplex7050 ├── optiplex7060 ├── optiplex9010 ├── optiplex9020 ├── optiplex9030aio
Another one concern the drivers download (unicast/NFS) by each client. By default, all unicast rsync start after the last multicast session. To make «subgroups» of rsync based on last IP number:
dots "Calculate IP (wait4sync)" MY_IP=$(ip route get 9.9.9.9 | awk '{print $7}') IP_LAST=$(echo ${MY_IP} | cut -f 4 -d '.') # IP OK ? if ! [[ ${IP_LAST} =~ ^[0-9]{1,3}$ ]] then IP_LAST=4 echo -n " bad IP..., use ${IP_LAST}," fi # Want each to wait ((IP_LAST % 5) ) * 3mn ## w.x.y.zz0|5|10|... => no wait ## w.x.y.zz1|6|11|... => wait 3mn ## w.x.y.zz2|7|12|... => wait 6mn WAIT=$((${IP_LAST} % 5 * 3))m echo " IP: ${MY_IP} => wait ${WAIT}" sleep ${WAIT} dots "Preparing Drivers" ...
the last one concern the «forAll» directory, used for all common drivers like «pci simplified communication»:
remotecommondriverpath="/images/drivers/forAll" [[ ! -d "${clientdriverpath}" ]] && mkdir -p "${clientdriverpath}" >/dev/null 2>&1 dots "Common drivers In Progress" rsync -aq "$remotecommondriverpath" "$clientdriverpath" >/dev/null 2>&1 [[ ! $? -eq 0 ]] && handleWarning "Failed to download common drivers" echo "Finish"
-
I hate to admit it took me a full day to realize there should be no space in the directory structure for the driver folders when I (poorly) read George’s instructions in the 2017 thread (lmao)
I also have a question that is related to the driver injection concept, but it is after the post download scripts.
For one of the machine types, the .cab comes with an unknown amount unsigned driver for some stupid reason. This complicates things because a prompt to “install the unverified driver(s)” during the setupcomplete.cmd. I can’t find a method to force/silently say yes to this with pnputil.
Most fixes involve an extra reboot to turn off driver integrity checks. I am trying a really roundabout method:
Setupcomplete.cmd
BCDEDIT /set nointegritychecks ON shutdown -t 0 -r
Then, a script that lives in the startup folder found at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup does the following, then deletes itself after it runs once.
pnputil.exe /add-driver "C:\Drivers\*.inf" /subdirs /install pnputil.exe /add-driver "C:\Drivers\*.inf" /subdirs /install pnputil.exe /add-driver "C:\Drivers\*.inf" /subdirs /install rmdir /Q /S C:\drivers BCDEDIT /set nointegritychecks OFF (goto) 2>nul & del "%~f0"
Finally, I have a scheduled task built into the image that takes care of the commands usually in the typical setupcomplete.cmd, then deletes itself as well. The reboot should theoretically take care of the client service config and turning the integrity check back on.
sc config FOGService start= delayed-auto shutdown -t 0 -r
I got to the point of being ready to test this yesterday, but the workday ended. I will test in a few hours when I am in. I am open to suggestions of how to make this less clunky (if it even works).
-
@fry_p said in FOG Post install script for Win Driver injection:
sc config FOGService start= auto
Why do you set it to auto instead of delayed?
-
@Sebastian-Roth Whoops, I did not know that was the norm now. It is in the wiki article as auto. My bad, I can certainly change that before I try again.
EDIT: fixed my first post with the delay and a missing space just in case it works and someone uses it later
-
@fry_p said in FOG Post install script for Win Driver injection:
It is in the wiki article as auto.
Which wiki article is this?
-
https://wiki.fogproject.org/wiki/index.php/FOG_Client#FOG_Client_with_Sysprep
"Place these lines within the file, and then save.
sc config FOGService start= auto
shutdown -t 0 -rAs the filename indicates, the script is called by windows after an image is deployed and post-sysprep operations are complete. It will re-enable the FOGService and then reboot the computer gracefully. After the computer reboots, the FOGService will start automatically and rename the computer if necessary, reboot if necessary, join the domain and reboot if necessary, and then perform any associated snapins. "
-
@fry_p Thanks, fixed.
-
@fry_p said in FOG Post install script for Win Driver injection:
BCDEDIT /set nointegritychecks ON
Right this needs to be put into your golden image. Its a bad hack. But its VERY strange that Dell would release unsigned drivers, that’s so 2015. Are they not signed, or are they signed but have an unidentified certificate?
-
@george1421 said in FOG Post install script for Win Driver injection:
@fry_p said in FOG Post install script for Win Driver injection:
BCDEDIT /set nointegritychecks ON
Right this needs to be put into your golden image. Its a bad hack. But its VERY strange that Dell would release unsigned drivers, that’s so 2015. Are they not signed, or are they signed but have an unidentified certificate?
I legitimately want to ask, is it really dangerous to have that off for that short period of time? I turn it back on after the next automated reboot. I suppose if something failed, it would be stuck in that state… I need to not be lazy and find which one(s) is(are) unverified. Sadly, the message does not specify in sysprep.
This may be a fluke because I am testing and found this issue on an OptiPlex 7020 .cab. It is not the newest gen by any means.
-
@fry_p said in FOG Post install script for Win Driver injection:
I am testing and found this issue on an OptiPlex 7020 .cab.
Someone else on the forum was building a 7070 and had the same results where setupcomplete.cmd never finished. What we found is it was hanging injecting the drivers because of an unsigned driver and the continue message was on a hidden desktop.
I wonder if this will be an issue with those using SCCM or MDT to build their images? MS may just turn it off to avoid failure then turn it back on when done, I don’t know. But its very bad when a hardware manufacturer releases unsigned drivers. I had an issue with Intel NUCs a few years ago where the driver was signed, but it was signed with a MFG certificate. I had to import the certificate into the cert store on the reference image to get the drivers to load correctly on a post deploy driver injection.If you have a service account with Dell I sure would give them a call and ask is this normal. If you rerun the pnputil command interactively with a desktop you may be able to trap which driver(s) are causing the problem and eject them from the driver pack and have solid info when calling Dell support.
-
Hi everyone,
I’ve just copied scripts and getting following error while deploying image to a windows client. I cant find how to resolve it. Did anybody experience same issue before?
An error has been detected!
Failed to download driver information for [VC60/win10/x64]
-
@acatalepsy First I would follow the instructions in this post: https://forums.fogproject.org/topic/11126/using-fog-postinstall-scripts-for-windows-driver-injection-2017-ed
I realize its 4 year old information but its still accurate and works for Win10. The thing you have to remember is that linux is case sensitive so you need to make sure your data path to the drivers is in the case format that is known and expected. You can surely debug your setup and make it work.
-
I’m experiencing an issue with a Dell OptiPlex 3090. In the postscript:
“/images/postdownloadscripts/fog.copydrivers: command substitution: line 14: syntax error near unexpected token ‘;;’”
manu=
dmidecode -s system-manufacturer
; >> is working fine since it’s returning the next line of code:“echo “Unable to identify the hardware for manufacturer ${manu}”;”
result:
“Unable to identify the hardware for manufacturer Dell Inc.”case $manu in [Ll][Ee][Nn][Oo][Vv][Oo]) machine=$(dmidecode -s system-version) ;; *[Dd][Ee][Ll][Ll]*) machine=$(#) ;; *I[Nn][Tt][Ee][Ll]*) # For the Intel NUC and intel mobo pick up the system type from the # baseboard product name machine=$(dmidecode -s baseboard-product-name) ;; *) # Technically, we can remove the Dell entry above as it is the same as this [default] machine=$(dmidecode -s system-product-name) ;; esac
Somewhere in the above code the script is unable to retrieve the product name. I’m still debugging this but maybe someone already resolved this issue?
-
Fixed it with the following code:
#!/bin/bash ceol=`tput el`; manu=`dmidecode -s system-manufacturer`; dots "Identifying hardware" case $manu in [Ll][Ee][Nn][Oo][Vv][Oo]) machine=$(dmidecode -s system-version) ;; *I[Nn][Tt][Ee][Ll]*) # baseboard-product-name machine=$(dmidecode -s baseboard-product-name) ;; *) # system-product-name machine=$(dmidecode -s system-product-name) ;; esac
-
@dvbnl It’s the “.” in “Dell Inc.”
I was just implementing this and found an issue with “Vmware Inc.” specifically the “.” not being seen as part of the string.I chose to remove any trailing dots in the manufacturer name.
add this second manu definition, and it should help move you forward.
manu=`dmidecode -s system-manufacturer`; manu="${manu%.*}";
I would also add below it something like
if [[ "${manu}" == "Dell Inc" ]]; then manu="Dell"; fi
If you are structuring your folders with the name “Dell” rather then Dell Inc
-
@jj-fullmer So how would you propose to tweak this code:
#!/bin/bash ceol=`tput el`; manu=`dmidecode -s system-manufacturer`; dots "Identifying hardware" case $manu in [Ll][Ee][Nn][Oo][Vv][Oo]) machine=$(dmidecode -s system-version) ;; *[Dd][Ee][Ll][Ll]*) machine=$(dmidecode -s system-product-name) ;; *I[Nn][Tt][Ee][Ll]*) # For the Intel NUC and intel mobo pick up the system type from the # baseboard product name machine=$(dmidecode -s baseboard-product-name) ;; *)
I need to look because someone else just recently found a bug in this section of code too. Maybe I need to update/create a 2022 version of this post. The 2017 version is still accurate even in 2022 (maybe)
-
@dvbnl Looking at it again, that makes sense, the old code had it setting all Dell manufactured systems to nothing.
-
@george1421 I was intending on sharing my changes in that 2017 post on drivers and on the unattend updates by the end of this month (still making sure everything is stable and will have to universalize a bit)
Granted, the only changes I made for the drivers related to how I structure my driver packs. Like I don’t have anything other than 64 bit windows 10, so I didn’t need all the os code stuff or a structure matching that. I also have driver packs that fit multiple models, in windows/powershell I found ways to match models based on the folder name but wasn’t able to recreate that syntax in bash (I’m sure it can be done, I just didn’t want to put in the time). So instead I added a ModelList.txt file in each driver pack and have it use grep to search all of those files for the model of the machine. This also helps in handling spaces in the folder structure and model name, as I didn’t want to recreate my entire driver folder structure without spaces. So I didn’t need the bit that removes spaces from the make\model (I also change manu to make and machine to model). I also had to add bits as mentioned below for the makes that have a ‘.’ as it was seeing that as a command in some cases.I also had some notes on how and when the drivers are added in windows, as you can use the unattend.xml to deploy them during the specialize phase before it gets to oobe. You also can do
pnputil
without the/install
flag first so that all the drivers are added to the pnp store so once they are visible they will auto add in windows.Also the unattend update example mentions putting the password in plaintext, but the fos console has access to the $adpass variable from the host information. So it can pass that to the unattend without displaying it. I would also add a note about being sure the unattend.xml files should be deleted.
I don’t know why I waited so long to play with the driver injection and other postdownload scripts, once I did I added so many improvements in speed and stability to my provisioning system.
I also added a log file for what is copied down that is visible inside of windows, basically had it pipe to said log file instead of to null.
This is what my snippet looks like for getting the model
ceol=`tput el`; make=`dmidecode -s system-manufacturer`; make="${make%.*}"; dots "Identifying hardware" if [[ "${make}" == "Hewlett-Packard" ]]; then make="hp"; fi if [[ "${make}" == "HP" ]]; then make="hp"; fi if [[ "${make}" == "Hp" ]]; then make="hp"; fi if [[ "${make}" == "VMware, Inc" ]]; then make="VMware"; fi case $make in [Ll][Ee][Nn][Oo][Vv][Oo]) model=$(dmidecode -s system-version) ;; *[Ii][Nn][Tt][Ee][Ll]* | *[Aa][Ss][Uu][Ss]*) # For the Intel NUC and intel mobo pick up the system type from the # baseboard product name model=$(dmidecode -s baseboard-product-name) ;; *) # Technically, we can remove the Dell entry above as it is the same as this [default] model=$(dmidecode -s system-product-name) ;; esac # if the model isn't identified then no need to continue with this script, just return to caller if [[ -z $model ]]; then echo "Unable to identify the hardware for manufacturer ${make}"; debugPause; return; elif [["${model}" == "Surface Go"]]; then echo -en "\n\nSurface Go will also match other generations of Surface Go, adding a 1\n\n" model="Surface Go 1"; fi echo "${model} Identified";
Then I find the driver pack to copy like this
dots "Preparing Drivers" #folder to copy into, I create this when I setup my image and also embed a small selection of storage drivers that aren't included in the default windows install (.i.e any that require loading a driver when installing windows manually such as intel vmd/raid types or vmware paravirtual scsii) These are added during audit system phase of sysprep clientdriverpath="/ntfs/Out-Of-Box Drivers" #the driverstore is organized as make/model but that Model folder can apply to multiple models (i.e. hp shares a driver pack for all the form factors of hp elitedesk/prodesk 400/600/800 g#) #define the base make path, and cd to it, helps with handling spaces in the path makePth="/images/drivers/${make}" cd $makePth; #find the model in a modellist.txt using grep. I used the API to get all my hosts and then sorted the inventory to show me all the unique makes/models and used that to built the modellist.txt files so that they would match what is found here. listFile=`grep -il "$model" ./*/*-ModelList.txt` #set the remote driver path to the parent folder of the modellist.txt where it was found remotedriverpath="$makePth/${listFile%/*}" #define the log file that will be visible injectLog="/ntfs/logs/driverInjection.log"
Then I get ready to copy
#I set up a generic/universal driver pack of network/storage/chipset drivers that I've found aren't included in the default windows install that I've found through trial and error. It probably has a bunch of duplicates (so I call it a hodgepodge) but it helps to get the machine on the network so it can find the drivers it needs when a driver pack wasn't found. if [[ ! -d "${remotedriverpath}" ]]; then echo "failed"; #output to console and output to log echo " ! Driver package not found for ${model} copying hodgepodge! "; echo " ! Driver package not found for ${make} ${model} copying hodgepodge universtal oobe drivers ! " > $injectLog; remotedriverpath="/images/drivers/generic/universal" debugPause; else # output to console and output to log echo " Driver package for ${make} ${model} found! ${removedriverpath} will be copied to ${clientdriverpath}"; echo " Driver package for ${make} ${model} found via ${listFile}! ${removedriverpath} will be copied to ${clientdriverpath}" > $injectLog; fi cd /; echo "Ready";
echo -en "Driver Injection In Progress\n\n\n" echo -en "Driver Injection In Progress\n\n" #I removed the -q and tried to add a progress bar to no avail, but also found that rsync displayed a message saying to use -zz instead of -z for sending with compression, since the output is piped to a log, I kept -q out of it to get more verbose logging rsync -azz "$remotedriverpath" "$clientdriverpath" >> $injectLog; echo -en "Drivers.cmd Injection In Progress\n\n" #this is the drivers.cmd file used during specialize to add drivers rsync -azz "/images/drivers/drivers.cmd" "/ntfs/drivers.cmd" >> $injectLog; # I also copy additional files here following this same syntax [[ ! $? -eq 0 ]] && handleError "Failed to download driver information for [$model] or other files failed to copy" debugPause
This is the contents of drivers.cmd
echo "Adding drivers to driver store...." start pnputil.exe /add-driver "C:\Out-Of-Box Drivers\*.inf" /subdirs echo "Installing drivers for present devices...." start pnputil.exe /add-driver "C:\Out-Of-Box Drivers\*.inf" /install /subdirs
This is the part of the sysprep unattend under the specialize phase I use to call it
<component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <!-- I have other settings inside this component, this is just to show the synchronous command in the component--> <!-- commands to run in order during specialize --> <RunSynchronous> <!-- add and or install the injected drivers and then reboot --> <RunSynchronousCommand wcm:action="add"> <Path>C:\drivers.cmd</Path> <Order>1</Order> <Description>Add Injected Drivers</Description> <WillReboot>Always</WillReboot> </RunSynchronousCommand> <!-- Additional commands to run before getting to oobe, I use this for configuring built in windows features using dism powershell commands and I have a powershell function that detects nvidia drivers and attempts to install the graphics driver. This .cmd file just opens a .ps1 file --> <RunSynchronousCommand wcm:action="add"> <Order>2</Order> <Description>Pre-req steps</Description> <Path>C:\step0.cmd</Path> <WillReboot>Always</WillReboot> </RunSynchronousCommand> </RunSynchronous> <!-- I have a case statement in my unattend updater to set the correct device form. This affects some UI settings in windows, I use 3 as a default as it is a normal desktop pc, there are also ones for detachable or convertible tablets, all in one machines, and many others. You can also just omit this--> <DeviceForm>3</DeviceForm> </component>
This above component needs to be in the specialize settings block, i.e.
<settings pass="specialize"> <!-- other specialize components--> <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <!-- stuff from above --> </component> </settings>
I recommend using windows system image manager (https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference) for creating your initial unattend file.