Roughly half of reimaged devices do not run first run scripts in autounattend.xml after imaging.
-
I’m unable to determine why about 1/2 of the devices we reimage with FOG do not process the first-run scripts set up in the autounattend.xml file. Sometimes it works fine, though, which leaves me scratching my head. Perhaps someone could shed some light on why this is occurring. When the scripts do NOT run, Windows just comes up to a logon screen “Other User”. The FOG log attached is from one of the devices that did NOT process the first-run scripts.
Basically at first run the device should autologon as Administrator - there are some firewall policies that are set for the FOG executables, then it calls FinalSetup.ps1 which will continue on with configuration and software installation. This autologon is what appears to be failing intermittently.
FOG Log, FinalSetup.txt, and autounattend.txt attached.
Mod edit to remove autounattend.xml that was unsanitized
-
@jyost Well I think we need to clarify things a bit. FOG (itself) doesn’t touch the target computer after the system is imaged. There is the fog service that does some simple things like connect to AD, set the system name and such. But it can only do that once the service is enabled in the Setupcomplete.cmd batch file. The execution of that batch file as well as the first run commands are under the control of WinSetup/OOBE.
Now it is possible that the fog service is running too soon in your WinSetup process. You might want to delay the service start until the last step in your first run section just before you reboot the target computer. Then when the system comes up after the reboot the fog service will start and any pending tasks will be completed.
But again the execution of setupcomplete.cmd and the first run commands are under the control of winsetup. FWIW: You must use VLK media and sysprep the image for these first run files to be executed. FOG has no control over this part.
-
@jyost Just looking at your autounattend.txt you might want to remove the section that talks about partitioning the disk, because FOG is doing that for you.
You might also want to redact internal private info from your unattend.xml file. Finally, here is an example of my unattend.xml file. It's not my post but the example provided is based on my file: https://forums.fogproject.org/topic/11920/windows-10-1803-sysprep-problem/7
-
@george1421
Let me see if I have this correctly…I am running some scripts in the FirstLogonCommands section of the autounattend.xml file. These include setting firewall rules, setting services, configuring wireless profile, installing MS-Teams, Disabling Lenovo auto update in the registry. Once the last of the commands in autounattend.xml has completed then Windows setup is complete and the C:\Windows\Setup\SetupComplete.cmd batch file runs (sets the FOG service startup type to Auto, and then reboots the computer). Once the computer restarts the FOG service starts, renames the computer, joins it to the domain, and reboots again. I’m just trying to get the order of operations straightened out in my head.
-
@jyost Just to add clarity to a few things (you almost have it spot on).
The setupcomplete.cmd batch file is executed before the logon screen is displayed after WinSetup completes. So as soon as you start the fog client it will check in and start doing its stuff (like rebooting). I would push as much of the firstlogon stuff into the setupcomplete.cmd file before you start the fog service.
The firstlogon commands will only run when 1) an administrator logs in 2) you have the administrator automatically log into the computer using the auto login feature of Windows. If you do this, set up the login count registry setting so the account only auto logs in the first time the computer is booted.
-
Thanks for the quick followup. Just a couple more pointed questions. I’ve moved the majority of the First Run scripts into the start of SetupComplete.cmd before starting the FOG client. I’ve set the FOG service startup type to Auto…do I need to start it immediately by adding a line after “sc config FOGService start= auto” such as net start FOGService? I guess my question here is whether FOG will attempt to rename the device and join it to the domain BEFORE restarting at the end of SetupComplete.cmd or does it rename & join the domain immediately AFTER the final restart? Since we’re setting the startup type to Auto and then calling a restart immediately thereafter I’m thinking it won’t have time to rename/join domain prior to the restart. So, how long does the FOGService typically take to start and begin the rename/join domain? Will it restart again automatically thereafter?
Here is my setupcomplete.cmd file:
:: Set AutoLogon
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v SecondaryScripts /d C:\Admin\Scripts\FinalSetup.cmd /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoAdminLogon /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v AutoLogonCount /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName /d Administrator /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword /d ********* /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v ForceAutoLogon /d 1 /f
:: Disable Scheduled Lenovo System Updates
reg add "HKLM\SOFTWARE\Wow6432Node\Lenovo\System Update\Preferences\UserSettings\Scheduler" /v SchedulerAbility /t REG_SZ /d NO /f
:: Configure Firewall Settings
netsh advfirewall firewall set rule group="Network Discovery" new enable=yes
netsh advfirewall firewall add rule name="Fog Client" dir=in action=allow program="C:\Program Files (x86)\FOG\FOGService.exe"
netsh advfirewall firewall add rule name="Fog Service" dir=in action=allow program="C:\Program Files (x86)\FOG\FOGServiceConfig.exe"
netsh advfirewall firewall add rule name="Fog Tray" dir=in action=allow program="C:\Program Files (x86)\FOG\FOGTray.exe"
:: Disable Adobe Reader Update Service
sc config "AdobeARMservice" start= disabled
sc stop "AdobeARMservice"
:: Enable Windows Store Installer Service
sc config "InstallService" start= auto
:: Set AutoRemoval of Taskbar Icons
powershell.exe -NoProfile -ExecutionPolicy ByPass -WindowStyle Hidden -file C:\Admin\Scripts\ManageTaskbar\Managetaskbar\taskband.ps1
:: Install MS-Teams (All Profiles)
msiexec /i C:\Admin\MS-Teams\Teams_windows.msi OPTIONS="noAutoStart=true" ALLUSERS=1
:: Configure Wireless Profile Settings
net start wlansvc
netsh wlan add profile filename=C:\Admin\Scripts\Vistex.xml user=all
netsh wlan connect name="Vistex"
sc config FOGService start= auto
:: Do I need the following 1 line???
net start FOGService
shutdown -t 0 -r
If the renaming/domain join occurs AFTER the final restart I will need to run a powershell script to install our AntiVirus software and also add a domain user account to the Remote Desktop Users group –
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "vistex\SetupVTX"
obviously the latter needs to be done after it’s joined to the domain so I would need to set the autologon registry keys for two logons…one for immediately after setupcomplete.cmd and one for after the domain join/restart. Hopefully that makes sense and that I’ve got the order of operations down in my mind correctly.
-
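A cleanup check for the autologon values written by the setupcomplete.cmd above, as an added example that is not part of the original posts: the DefaultPassword value set with reg add is stored in plain text in the registry, so the last provisioning step should disable autologon and confirm nothing is left behind. It assumes it runs elevated at the end of whichever script runs last; the function names are hypothetical.

```powershell
# Added example (not from the thread). Run elevated as the final provisioning step.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Values the setupcomplete.cmd in this thread writes and that must not outlive setup.
$secretValues = 'DefaultPassword', 'AutoLogonCount', 'ForceAutoLogon'

function Clear-AutoLogon {
    param([string]$Path = $winlogon)

    # Disable autologon first, so a failure part-way through still leaves it off.
    Set-ItemProperty -Path $Path -Name 'AutoAdminLogon' -Value '0' -Type String

    foreach ($name in $secretValues) {
        # Remove-ItemProperty raises an error on a missing value, so check first.
        $existing = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $existing) {
            Remove-ItemProperty -Path $Path -Name $name -Force
        }
    }
}

function Test-AutoLogonCleared {
    param([string]$Path = $winlogon)

    # Returns one finding per leftover value; an empty result means clean.
    $props = Get-ItemProperty -Path $Path
    $findings = @()
    if ($props.AutoAdminLogon -eq '1') { $findings += 'AutoAdminLogon is still 1' }
    foreach ($name in $secretValues) {
        if ($null -ne $props.$name) { $findings += "$name is still present" }
    }
    return $findings
}

Clear-AutoLogon
$left = @(Test-AutoLogonCleared)
if ($left.Count -gt 0) {
    $left | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero exit lets the calling script or a snapin flag the device
}
Write-Output 'Autologon values cleared.'
```

DefaultUserName is left in place on purpose; it only pre-fills the logon screen and carries no secret.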
@jyost said in Roughly half of reimaged devices do not run first run scripts in autounattend.xml after imaging.:
do I need to start it immediately by adding a line after “sc config FOGService start= auto” such as net start FOGService?
Using the sc command only changes the autostartup flag. You do need to issue the net start command to actually start the service. I can’t tell you how soon after starting the service it will start doing its thing. The default checkin period is 5 minutes, so it may take up to 5 minutes to see it (FOG Client) has things to do.
FWIW: I don’t use the fog client in my environment, but use the unattend.xml file to name the computer and connect it to AD. I use a FOG Post install script to update the unattend.xml file just after imaging with dynamic information such as computer name that is calculated as well as target OU.
-
@jyost said in Roughly half of reimaged devices do not run first run scripts in autounattend.xml after imaging.:
If the renaming/domain join occurs AFTER the final restart I will need to run a powershell script to install our AntiVirus software and also add a domain user account to the Remote Desktop Users group –
You might want to consider deploying this action with a snapin. Snapins will run after all of the other imaging actions are complete.