FOG Post install script for Win Driver injection


  • Moderator

    Introduction

    First I have to say this article contains the results of many brilliant people and is not my content. I’m only assembling this information into a consistent document instead of spread around buried in posts and responses. My intent is to not dig into the details behind the scripts or how to tweak them for your needs. You can read the links below to figure out why things are being done the way they are. I wanted to create a tutorial that was as close to a cut and paste to get driver injection going in your environment. Now I will primarily focus on Dell hardware for the main reason that Dell does supply driver archive files (known as .CABs) that can be downloaded and extracted quickly to create the driver structure. I’m sure that HP, Lenovo, and others have similar driver packs.

    You can download the Dell driver cabs for your hardware from here: http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment

    Reference links:
    https://forums.fogproject.org/topic/4278/utilizing-postscripts-rename-joindomain-drivers-snapins
    https://forums.fogproject.org/topic/7740/the-magical-mystical-fog-post-download-script-under-construction
    https://forums.fogproject.org/topic/7740/the-magical-mystical-fog-post-download-script
    https://forums.fogproject.org/topic/8878/fog-drivers-script-will-not-run-correctly-in-postdownloadscripts/46


  • Moderator

    @fry_p said in FOG Post install script for Win Driver injection:

    I am testing and found this issue on an OptiPlex 7020 .cab.

    Someone else on the forum was building a 7070 and had the same results where setupcomplete.cmd never finished. What we found is it was hanging injecting the drivers because of an unsigned driver and the continue message was on a hidden desktop.
    I wonder if this will be an issue with those using SCCM or MDT to build their images? MS may just turn it off to avoid failure then turn it back on when done, I don’t know. But its very bad when a hardware manufacturer releases unsigned drivers. I had an issue with Intel NUCs a few years ago where the driver was signed, but it was signed with a MFG certificate. I had to import the certificate into the cert store on the reference image to get the drivers to load correctly on a post deploy driver injection.

    If you have a service account with Dell I sure would give them a call and ask is this normal. If you rerun the pnputil command interactively with a desktop you may be able to trap which driver(s) are causing the problem and eject them from the driver pack and have solid info when calling Dell support.


  • Moderator

    @george1421 said in FOG Post install script for Win Driver injection:

    @fry_p said in FOG Post install script for Win Driver injection:

    BCDEDIT /set nointegritychecks ON

    Right this needs to be put into your golden image. Its a bad hack. But its VERY strange that Dell would release unsigned drivers, that’s so 2015. Are they not signed, or are they signed but have an unidentified certificate?

    I legitimately want to ask, is it really dangerous to have that off for that short period of time? I turn it back on after the next automated reboot. I suppose if something failed, it would be stuck in that state… I need to not be lazy and find which one(s) is(are) unverified. Sadly, the message does not specify in sysprep.

    This may be a fluke because I am testing and found this issue on an OptiPlex 7020 .cab. It is not the newest gen by any means.


  • Moderator

    @fry_p said in FOG Post install script for Win Driver injection:

    BCDEDIT /set nointegritychecks ON

    Right this needs to be put into your golden image. Its a bad hack. But its VERY strange that Dell would release unsigned drivers, that’s so 2015. Are they not signed, or are they signed but have an unidentified certificate?


  • Developer

    @fry_p Thanks, fixed.


  • Moderator

    @Sebastian-Roth

    https://wiki.fogproject.org/wiki/index.php/FOG_Client#FOG_Client_with_Sysprep

    "Place these lines within the file, and then save.

    sc config FOGService start= auto
    shutdown -t 0 -r

    As the filename indicates, the script is called by windows after an image is deployed and post-sysprep operations are complete. It will re-enable the FOGService and then reboot the computer gracefully. After the computer reboots, the FOGService will start automatically and rename the computer if necessary, reboot if necessary, join the domain and reboot if necessary, and then perform any associated snapins. "


  • Developer

    @fry_p said in FOG Post install script for Win Driver injection:

    It is in the wiki article as auto.

    Which wiki article is this?


  • Moderator

    @Sebastian-Roth Whoops, I did not know that was the norm now. It is in the wiki article as auto. My bad, I can certainly change that before I try again.

    EDIT: fixed my first post with the delay and a missing space just in case it works and someone uses it later


  • Developer

    @fry_p said in FOG Post install script for Win Driver injection:

    sc config FOGService start= auto

    Why do you set it to auto instead of delayed?


  • Moderator

    I hate to admit it took me a full day to realize there should be no space in the directory structure for the driver folders when I (poorly) read George’s instructions in the 2017 thread (lmao)

    I also have a question that is related to the driver injection concept, but it is after the post download scripts.

    For one of the machine types, the .cab comes with an unknown amount unsigned driver for some stupid reason. This complicates things because a prompt to “install the unverified driver(s)” during the setupcomplete.cmd. I can’t find a method to force/silently say yes to this with pnputil.

    Most fixes involve an extra reboot to turn off driver integrity checks. I am trying a really roundabout method:

    Setupcomplete.cmd

    BCDEDIT /set nointegritychecks ON
    shutdown -t 0 -r
    

    Then, a script that lives in the startup folder found at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup does the following, then deletes itself after it runs once.

    pnputil.exe /add-driver "C:\Drivers\*.inf" /subdirs /install
    pnputil.exe /add-driver "C:\Drivers\*.inf" /subdirs /install
    pnputil.exe /add-driver "C:\Drivers\*.inf" /subdirs /install
    rmdir /Q /S C:\drivers
    BCDEDIT /set nointegritychecks OFF
    (goto) 2>nul & del "%~f0"
    

    Finally, I have a scheduled task built into the image that takes care of the commands usually in the typical setupcomplete.cmd, then deletes itself as well. The reboot should theoretically take care of the client service config and turning the integrity check back on.

    sc config FOGService start= delayed-auto 
    shutdown -t 0 -r
    

    I got to the point of being ready to test this yesterday, but the workday ended. I will test in a few hours when I am in. I am open to suggestions of how to make this less clunky (if it even works).



  • Hello,

    Thanks a lot for all this stuff ! We used it since year start (HP/Dell, a dozen of differents models, 300 computers). We made some minor update on this script, if it can be reused :

    # lowercase machine name and remove all spaces
    machine=$(echo $machine | tr A-Z a-z | tr -d ' ')
    

    So, our drivers directory looks like :

    /images/drivers
    ├── forAll
    ├── hpelitedesk800g3twr
    ├── hpz230towerworkstation
    ├── optiplex7040
    ├── optiplex7050
    ├── optiplex7060
    ├── optiplex9010
    ├── optiplex9020
    ├── optiplex9030aio
    
    

    Another one concern the drivers download (unicast/NFS) by each client. By default, all unicast rsync start after the last multicast session. To make «subgroups» of rsync based on last IP number:

    dots "Calculate IP (wait4sync)"
    MY_IP=$(ip route get 9.9.9.9 | awk '{print $7}')
    IP_LAST=$(echo ${MY_IP} | cut -f 4 -d '.')
    
    # IP OK ?
    if ! [[ ${IP_LAST} =~ ^[0-9]{1,3}$ ]]
    then
      IP_LAST=4
      echo -n " bad IP..., use ${IP_LAST},"
    fi
    # Want each to wait ((IP_LAST % 5) ) * 3mn
    ## w.x.y.zz0|5|10|... => no wait
    ## w.x.y.zz1|6|11|... => wait 3mn
    ## w.x.y.zz2|7|12|... => wait 6mn
    WAIT=$((${IP_LAST} % 5 * 3))m
    echo " IP: ${MY_IP} => wait ${WAIT}"
    sleep ${WAIT}
    
    dots "Preparing Drivers"
    ...
    

    the last one concern the «forAll» directory, used for all common drivers like «pci simplified communication»:

    remotecommondriverpath="/images/drivers/forAll"
    [[ ! -d "${clientdriverpath}" ]] && mkdir -p "${clientdriverpath}" >/dev/null 2>&1
    dots "Common drivers In Progress"
    rsync -aq "$remotecommondriverpath" "$clientdriverpath" >/dev/null 2>&1
    [[ ! $? -eq 0 ]] && handleWarning "Failed to download common drivers"
    echo "Finish"
    


  • @george1421 Thank you! all is appreciated! I’m sorry for the bombardment of questions.


  • Moderator

    @agray The unattend.xml file is required if you want an unattended windows setup. You can use an online unattend.xml generator to create this file: http://www.windowsafg.com/ or craft one by hand with your site specific configuration.

    The setupcomplete.cmd file is run by windows setup at the end of the OOBE process and just before the first windows logon is displayed. You place batch commands in there to be executed before the user’s first login. Google “setupcomplete.cmd” to find out its location and structure.



  • @george1421 From what I’m getting from all the threads, the unattend.xml file is required with win10 now. Is that no longer the case?
    If it is, is that required to be edited in the master image before cloned?
    Later in your 2017 ed thread you gave an update on the 1703+ Win, saying “add the following lines to your setupcomplete.cmd batch file.” That batch file already created, if not, where can i find code for it, or it that it in the code box?


  • Moderator

    @agray Ok you can ignore that section. It is in there to remove the unattend.xml file if its found in the setup directory. There should be only one unattend.xml file and it should be in c:\windows\panther directory.

    What the fog.ad script does, it dynamically update the unattend.xml file with fog run time parameters. If you are not using an unattend.xml file or using the FOG client to connect the computer to AD and give it its name then you don’t need the fog.ad script at all.

    If you look at the fog.postdownload script in this section

            debugPause
            # . ${postdownpath}fog.log
            . ${postdownpath}fog.drivers
            # . ${postdownpath}fog.ad
            umount /ntfs
    

    You will see that the call to those scripts are commented out. The only script that is required is fog.drivers the others provide functionality beyond driver injection.

    As for the 2017 ed why are they different? Because we’ve learned things since this thread was published. I would look at the 2017 version if you are doing a new install. This thread gives the background behind why the 2017 is the way it is.



  • @george1421 fog.ad-the 3rd post
    I’m not getting anything of this either. Looking at the thread here, and here (https://forums.fogproject.org/topic/11126/using-fog-postinstall-scripts-for-windows-driver-injection-2017-ed) the scripts are different. What is right? What do you name everything/make the file type?


  • Moderator

    @agray said in FOG Post install script for Win Driver injection:

    @george1421 Why do you have lines 7-12 REMed out? I know very very very little bash so this is like looking at french for me.

    In which script?



  • @george1421 Why do you have lines 7-12 REMed out? I know very very very little bash so this is like looking at french for me.



  • @george1421

    Ok, thanks for the explaination George, appreciate your help.


  • Moderator

    @jamaal You have to remember the script was designed to work directly with the Dell CAB file format. I understand you are working with lenovo, but as long as you have inf file format you can adapt it easily.

    osid vs osname. In the case of FOG it knows internal osid == a certain operating system. So instead of requiring the FOG IT admin to create directories based on an integer number to represent windows 7 or windows 10, I created a map so when osid == 5 that mapped to a directory path of win7 and osid == 9 would be win10 and so on. That way when you looked at the directory path you would know the win7 drivers go into the win7 directory and not the “5” directory. That is the logic of the osid to osn name matching.


Log in to reply
 

367
Online

6.6k
Users

14.0k
Topics

132.3k
Posts