FOG Post install script for Win Driver injection

  • Moderator

    Introduction

    First I have to say this article contains the results of many brilliant people and is not my content. I’m only assembling this information into a consistent document instead of spread around buried in posts and responses. My intent is to not dig into the details behind the scripts or how to tweak them for your needs. You can read the links below to figure out why things are being done the way they are. I wanted to create a tutorial that was as close to a cut and paste to get driver injection going in your environment. Now I will primarily focus on Dell hardware for the main reason that Dell does supply driver archive files (known as .CABs) that can be downloaded and extracted quickly to create the driver structure. I’m sure that HP, Lenovo, and others have similar driver packs.

    You can download the Dell driver cabs for your hardware from here: http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment

    Reference links:
    https://forums.fogproject.org/topic/4278/utilizing-postscripts-rename-joindomain-drivers-snapins
    https://forums.fogproject.org/topic/7740/the-magical-mystical-fog-post-download-script-under-construction
    https://forums.fogproject.org/topic/7740/the-magical-mystical-fog-post-download-script
    https://forums.fogproject.org/topic/8878/fog-drivers-script-will-not-run-correctly-in-postdownloadscripts/46

  • Testers

    @george1421 I was intending on sharing my changes in that 2017 post on drivers and on the unattend updates by the end of this month (still making sure everything is stable and will have to universalize a bit)
    Granted, the only changes I made for the drivers related to how I structure my driver packs. Like I don’t have anything other than 64 bit windows 10, so I didn’t need all the os code stuff or a structure matching that. I also have driver packs that fit multiple models, in windows/powershell I found ways to match models based on the folder name but wasn’t able to recreate that syntax in bash (I’m sure it can be done, I just didn’t want to put in the time). So instead I added a ModelList.txt file in each driver pack and have it use grep to search all of those files for the model of the machine. This also helps in handling spaces in the folder structure and model name, as I didn’t want to recreate my entire driver folder structure without spaces. So I didn’t need the bit that removes spaces from the make\model (I also change manu to make and machine to model). I also had to add bits as mentioned below for the makes that have a ‘.’ as it was seeing that as a command in some cases.

    I also had some notes on how and when the drivers are added in windows, as you can use the unattend.xml to deploy them during the specialize phase before it gets to oobe. You also can do pnputil without the /install flag first so that all the drivers are added to the pnp store so once they are visible they will auto add in windows.

    Also the unattend update example mentions putting the password in plaintext, but the fos console has access to the $adpass variable from the host information. So it can pass that to the unattend without displaying it. I would also add a note about being sure the unattend.xml files should be deleted.

    I don’t know why I waited so long to play with the driver injection and other postdownload scripts, once I did I added so many improvements in speed and stability to my provisioning system.

    I also added a log file for what is copied down that is visible inside of windows, basically had it pipe to said log file instead of to null.

    This is what my snippet looks like for getting the model

    ceol=`tput el`;
    make=`dmidecode -s system-manufacturer`;
    make="${make%.*}";
    
    dots "Identifying hardware"
    
    if [[ "${make}" == "Hewlett-Packard" ]]; then make="hp"; fi
    if [[ "${make}" == "HP" ]]; then make="hp"; fi
    if [[ "${make}" == "Hp" ]]; then make="hp"; fi
    if [[ "${make}" == "VMware, Inc" ]]; then make="VMware"; fi
    
    
    case $make in
        [Ll][Ee][Nn][Oo][Vv][Oo])
            model=$(dmidecode -s system-version)
            ;;
        *[Ii][Nn][Tt][Ee][Ll]* | *[Aa][Ss][Uu][Ss]*)
            # For the Intel NUC and intel mobo pick up the system type from the
            # baseboard product name
            model=$(dmidecode -s baseboard-product-name)
            ;;
        *)
            # Technically, we can remove the Dell entry above as it is the same as this [default]
            model=$(dmidecode -s system-product-name) 
            ;;
    esac
    
    # if the model isn't identified then no need to continue with this script, just return to caller
    if [[ -z $model ]]; then 
        echo "Unable to identify the hardware for manufacturer ${make}";
        debugPause;
        return;
    elif [["${model}" == "Surface Go"]]; then
        echo -en "\n\nSurface Go will also match other generations of Surface Go, adding a 1\n\n"
        model="Surface Go 1";
    fi 
    
    echo "${model} Identified";
    
    

    Then I find the driver pack to copy like this

    dots "Preparing Drivers"
    #folder to copy into, I create this when I setup my image and also embed a small selection of storage drivers that aren't included in the default windows install (.i.e any that require loading a driver when installing windows manually such as intel vmd/raid types or vmware paravirtual scsii) These are added during audit system phase of sysprep
    clientdriverpath="/ntfs/Out-Of-Box Drivers"
    #the driverstore is organized as make/model but that Model folder can apply to multiple models (i.e. hp shares a driver pack for all the form factors of hp elitedesk/prodesk 400/600/800 g#)
    #define the base make path, and cd to it, helps with handling spaces in the path
    makePth="/images/drivers/${make}"
    cd $makePth;
    #find the model in a modellist.txt using grep. I used the API to get all my hosts and then sorted the inventory to show me all the unique makes/models and used that to built the modellist.txt files so that they would match what is found here.
    listFile=`grep -il "$model" ./*/*-ModelList.txt`
    #set the remote driver path to the parent folder of the modellist.txt where it was found
    remotedriverpath="$makePth/${listFile%/*}"
    #define the log file that will be visible
    injectLog="/ntfs/logs/driverInjection.log"
    

    Then I get ready to copy

    #I set up a generic/universal driver pack of network/storage/chipset drivers that I've found aren't included in the default windows install that I've found through trial and error. It probably has a bunch of duplicates (so I call it a hodgepodge) but it helps to get the machine on the network so it can find the drivers it needs when a driver pack wasn't found. 
    if [[ ! -d "${remotedriverpath}" ]]; then
        echo "failed";
    #output to console and output to log
        echo " ! Driver package not found for ${model} copying hodgepodge! ";
        echo " ! Driver package not found for ${make} ${model} copying hodgepodge universtal oobe drivers ! " > $injectLog;
        remotedriverpath="/images/drivers/generic/universal"
        debugPause;
    else 
    # output to console and output to log
        echo " Driver package for ${make} ${model} found! ${removedriverpath} will be copied to ${clientdriverpath}";
        echo " Driver package for ${make} ${model} found via ${listFile}! ${removedriverpath} will be copied to ${clientdriverpath}" > $injectLog;
    fi 
    
    cd /;
    echo "Ready";
    
    echo -en "Driver Injection In Progress\n\n\n"
    
    echo -en "Driver Injection In Progress\n\n"
    #I removed the -q and tried to add a progress bar to no avail, but also found that rsync displayed a message saying to use -zz instead of -z for sending with compression, since the output is piped to a log, I kept -q out of it to get more verbose logging
    rsync -azz "$remotedriverpath" "$clientdriverpath" >> $injectLog;
    
    echo -en "Drivers.cmd Injection In Progress\n\n"
    #this is the drivers.cmd file used during specialize to add drivers
    rsync -azz "/images/drivers/drivers.cmd" "/ntfs/drivers.cmd" >> $injectLog;
    # I also copy additional files here following this same syntax
    
    [[ ! $? -eq 0 ]] && handleError "Failed to download driver information for [$model] or other files failed to copy"
    
    debugPause
    

    This is the contents of drivers.cmd

    echo "Adding drivers to driver store...."
    start pnputil.exe /add-driver "C:\Out-Of-Box Drivers\*.inf" /subdirs
    echo "Installing drivers for present devices...."
    start pnputil.exe /add-driver "C:\Out-Of-Box Drivers\*.inf" /install /subdirs
    

    This is the part of the sysprep unattend under the specialize phase I use to call it

     <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <!-- I have other settings inside this component, this is just to show the synchronous command in the component-->
                <!-- commands to run in order during specialize -->
                <RunSynchronous>
                <!-- add and or install the injected drivers and then reboot -->
                    <RunSynchronousCommand wcm:action="add">
                        <Path>C:\drivers.cmd</Path>
                        <Order>1</Order>
                        <Description>Add Injected Drivers</Description>
                        <WillReboot>Always</WillReboot>
                    </RunSynchronousCommand>
                    <!-- Additional commands to run before getting to oobe, I use this for configuring built in windows features using dism powershell commands and I have a powershell function that detects nvidia drivers and attempts to install the graphics driver. This .cmd file just opens a .ps1 file -->
                    <RunSynchronousCommand wcm:action="add">
                        <Order>2</Order>
                        <Description>Pre-req steps</Description>
                        <Path>C:\step0.cmd</Path>
                        <WillReboot>Always</WillReboot>
                    </RunSynchronousCommand>
                </RunSynchronous>
                <!-- I have a case statement in my unattend updater to set the correct device form. This affects some UI settings in windows, I use 3 as a default as it is a normal desktop pc, there are also ones for detachable or convertible tablets, all in one machines, and many others. You can also just omit this-->
                <DeviceForm>3</DeviceForm>
            </component>
    

    This above component needs to be in the specialize settings block, i.e.

       <settings pass="specialize">
            <!-- other specialize components-->
           <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
               <!-- stuff from above -->
           </component>
       </settings>
    

    I recommend using windows system image manager (https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference) for creating your initial unattend file.

  • Testers

    @dvbnl Looking at it again, that makes sense, the old code had it setting all Dell manufactured systems to nothing.

  • Moderator

    @jj-fullmer So how would you propose to tweak this code:

    #!/bin/bash
    ceol=`tput el`;
    manu=`dmidecode -s system-manufacturer`;
    dots "Identifying hardware"
    case $manu in
        [Ll][Ee][Nn][Oo][Vv][Oo])
            machine=$(dmidecode -s system-version)
            ;;
        *[Dd][Ee][Ll][Ll]*)
            machine=$(dmidecode -s system-product-name)
            ;;
        *I[Nn][Tt][Ee][Ll]*)
            # For the Intel NUC and intel mobo pick up the system type from the
            # baseboard product name
            machine=$(dmidecode -s baseboard-product-name)
            ;;
        *)
    

    ref: https://forums.fogproject.org/topic/11126/using-fog-postinstall-scripts-for-windows-driver-injection-2017-ed

    I need to look because someone else just recently found a bug in this section of code too. Maybe I need to update/create a 2022 version of this post. The 2017 version is still accurate even in 2022 (maybe)

  • Testers

    @dvbnl It’s the “.” in “Dell Inc.”
    I was just implementing this and found an issue with “Vmware Inc.” specifically the “.” not being seen as part of the string.

    I chose to remove any trailing dots in the manufacturer name.

    add this second manu definition, and it should help move you forward.

    manu=`dmidecode -s system-manufacturer`;
    manu="${manu%.*}";
    

    I would also add below it something like

    if [[ "${manu}" == "Dell Inc" ]]; then manu="Dell"; fi
    

    If you are structuring your folders with the name “Dell” rather then Dell Inc


  • @dvbnl

    Fixed it with the following code:

    #!/bin/bash
    ceol=`tput el`;
    manu=`dmidecode -s system-manufacturer`;
    dots "Identifying hardware"
    case $manu in
        [Ll][Ee][Nn][Oo][Vv][Oo])
            machine=$(dmidecode -s system-version)
            ;;
        *I[Nn][Tt][Ee][Ll]*)
            # baseboard-product-name
            machine=$(dmidecode -s baseboard-product-name)
            ;;
        *)
            # system-product-name
            machine=$(dmidecode -s system-product-name)
            ;;
    esac
    

  • I’m experiencing an issue with a Dell OptiPlex 3090. In the postscript:

    “/images/postdownloadscripts/fog.copydrivers: command substitution: line 14: syntax error near unexpected token ‘;;’”

    manu=dmidecode -s system-manufacturer; >> is working fine since it’s returning the next line of code:

    “echo “Unable to identify the hardware for manufacturer ${manu}”;”
    result:
    “Unable to identify the hardware for manufacturer Dell Inc.”

    case $manu in
        [Ll][Ee][Nn][Oo][Vv][Oo])
            machine=$(dmidecode -s system-version)
            ;;
        *[Dd][Ee][Ll][Ll]*)
            machine=$(#)
            ;;
        *I[Nn][Tt][Ee][Ll]*)
            # For the Intel NUC and intel mobo pick up the system type from the
            # baseboard product name
            machine=$(dmidecode -s baseboard-product-name)
            ;;
        *)
            # Technically, we can remove the Dell entry above as it is the same as this [default]
            machine=$(dmidecode -s system-product-name) 
            ;;
    esac
    

    Somewhere in the above code the script is unable to retrieve the product name. I’m still debugging this but maybe someone already resolved this issue?

  • Moderator

    @acatalepsy First I would follow the instructions in this post: https://forums.fogproject.org/topic/11126/using-fog-postinstall-scripts-for-windows-driver-injection-2017-ed

    I realize its 4 year old information but its still accurate and works for Win10. The thing you have to remember is that linux is case sensitive so you need to make sure your data path to the drivers is in the case format that is known and expected. You can surely debug your setup and make it work.


  • Hi everyone,

    I’ve just copied scripts and getting following error while deploying image to a windows client. I cant find how to resolve it. Did anybody experience same issue before?

    An error has been detected!

    Failed to download driver information for [VC60/win10/x64]

  • Moderator

    @fry_p said in FOG Post install script for Win Driver injection:

    I am testing and found this issue on an OptiPlex 7020 .cab.

    Someone else on the forum was building a 7070 and had the same results where setupcomplete.cmd never finished. What we found is it was hanging injecting the drivers because of an unsigned driver and the continue message was on a hidden desktop.
    I wonder if this will be an issue with those using SCCM or MDT to build their images? MS may just turn it off to avoid failure then turn it back on when done, I don’t know. But its very bad when a hardware manufacturer releases unsigned drivers. I had an issue with Intel NUCs a few years ago where the driver was signed, but it was signed with a MFG certificate. I had to import the certificate into the cert store on the reference image to get the drivers to load correctly on a post deploy driver injection.

    If you have a service account with Dell I sure would give them a call and ask is this normal. If you rerun the pnputil command interactively with a desktop you may be able to trap which driver(s) are causing the problem and eject them from the driver pack and have solid info when calling Dell support.

  • Moderator

    @george1421 said in FOG Post install script for Win Driver injection:

    @fry_p said in FOG Post install script for Win Driver injection:

    BCDEDIT /set nointegritychecks ON

    Right this needs to be put into your golden image. Its a bad hack. But its VERY strange that Dell would release unsigned drivers, that’s so 2015. Are they not signed, or are they signed but have an unidentified certificate?

    I legitimately want to ask, is it really dangerous to have that off for that short period of time? I turn it back on after the next automated reboot. I suppose if something failed, it would be stuck in that state… I need to not be lazy and find which one(s) is(are) unverified. Sadly, the message does not specify in sysprep.

    This may be a fluke because I am testing and found this issue on an OptiPlex 7020 .cab. It is not the newest gen by any means.

  • Moderator

    @fry_p said in FOG Post install script for Win Driver injection:

    BCDEDIT /set nointegritychecks ON

    Right this needs to be put into your golden image. Its a bad hack. But its VERY strange that Dell would release unsigned drivers, that’s so 2015. Are they not signed, or are they signed but have an unidentified certificate?

  • Moderator

    @fry_p Thanks, fixed.

  • Moderator

    @Sebastian-Roth

    https://wiki.fogproject.org/wiki/index.php/FOG_Client#FOG_Client_with_Sysprep

    "Place these lines within the file, and then save.

    sc config FOGService start= auto
    shutdown -t 0 -r

    As the filename indicates, the script is called by windows after an image is deployed and post-sysprep operations are complete. It will re-enable the FOGService and then reboot the computer gracefully. After the computer reboots, the FOGService will start automatically and rename the computer if necessary, reboot if necessary, join the domain and reboot if necessary, and then perform any associated snapins. "

  • Moderator

    @fry_p said in FOG Post install script for Win Driver injection:

    It is in the wiki article as auto.

    Which wiki article is this?

  • Moderator

    @Sebastian-Roth Whoops, I did not know that was the norm now. It is in the wiki article as auto. My bad, I can certainly change that before I try again.

    EDIT: fixed my first post with the delay and a missing space just in case it works and someone uses it later

  • Moderator

    @fry_p said in FOG Post install script for Win Driver injection:

    sc config FOGService start= auto

    Why do you set it to auto instead of delayed?

  • Moderator

    I hate to admit it took me a full day to realize there should be no space in the directory structure for the driver folders when I (poorly) read George’s instructions in the 2017 thread (lmao)

    I also have a question that is related to the driver injection concept, but it is after the post download scripts.

    For one of the machine types, the .cab comes with an unknown amount unsigned driver for some stupid reason. This complicates things because a prompt to “install the unverified driver(s)” during the setupcomplete.cmd. I can’t find a method to force/silently say yes to this with pnputil.

    Most fixes involve an extra reboot to turn off driver integrity checks. I am trying a really roundabout method:

    Setupcomplete.cmd

    BCDEDIT /set nointegritychecks ON
    shutdown -t 0 -r
    

    Then, a script that lives in the startup folder found at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup does the following, then deletes itself after it runs once.

    pnputil.exe /add-driver "C:\Drivers\*.inf" /subdirs /install
    pnputil.exe /add-driver "C:\Drivers\*.inf" /subdirs /install
    pnputil.exe /add-driver "C:\Drivers\*.inf" /subdirs /install
    rmdir /Q /S C:\drivers
    BCDEDIT /set nointegritychecks OFF
    (goto) 2>nul & del "%~f0"
    

    Finally, I have a scheduled task built into the image that takes care of the commands usually in the typical setupcomplete.cmd, then deletes itself as well. The reboot should theoretically take care of the client service config and turning the integrity check back on.

    sc config FOGService start= delayed-auto 
    shutdown -t 0 -r
    

    I got to the point of being ready to test this yesterday, but the workday ended. I will test in a few hours when I am in. I am open to suggestions of how to make this less clunky (if it even works).


  • Hello,

    Thanks a lot for all this stuff ! We used it since year start (HP/Dell, a dozen of differents models, 300 computers). We made some minor update on this script, if it can be reused :

    # lowercase machine name and remove all spaces
    machine=$(echo $machine | tr A-Z a-z | tr -d ' ')
    

    So, our drivers directory looks like :

    /images/drivers
    ├── forAll
    ├── hpelitedesk800g3twr
    ├── hpz230towerworkstation
    ├── optiplex7040
    ├── optiplex7050
    ├── optiplex7060
    ├── optiplex9010
    ├── optiplex9020
    ├── optiplex9030aio
    
    

    Another one concern the drivers download (unicast/NFS) by each client. By default, all unicast rsync start after the last multicast session. To make «subgroups» of rsync based on last IP number:

    dots "Calculate IP (wait4sync)"
    MY_IP=$(ip route get 9.9.9.9 | awk '{print $7}')
    IP_LAST=$(echo ${MY_IP} | cut -f 4 -d '.')
    
    # IP OK ?
    if ! [[ ${IP_LAST} =~ ^[0-9]{1,3}$ ]]
    then
      IP_LAST=4
      echo -n " bad IP..., use ${IP_LAST},"
    fi
    # Want each to wait ((IP_LAST % 5) ) * 3mn
    ## w.x.y.zz0|5|10|... => no wait
    ## w.x.y.zz1|6|11|... => wait 3mn
    ## w.x.y.zz2|7|12|... => wait 6mn
    WAIT=$((${IP_LAST} % 5 * 3))m
    echo " IP: ${MY_IP} => wait ${WAIT}"
    sleep ${WAIT}
    
    dots "Preparing Drivers"
    ...
    

    the last one concern the «forAll» directory, used for all common drivers like «pci simplified communication»:

    remotecommondriverpath="/images/drivers/forAll"
    [[ ! -d "${clientdriverpath}" ]] && mkdir -p "${clientdriverpath}" >/dev/null 2>&1
    dots "Common drivers In Progress"
    rsync -aq "$remotecommondriverpath" "$clientdriverpath" >/dev/null 2>&1
    [[ ! $? -eq 0 ]] && handleWarning "Failed to download common drivers"
    echo "Finish"
    

  • @george1421 Thank you! all is appreciated! I’m sorry for the bombardment of questions.

324
Online

9.8k
Users

16.1k
Topics

148.5k
Posts