Windows 10 driver injection doesn't install during sysprep

  • I know this isn’t directly an issue with Fog, but I wanted to see if anyone else has experienced this problem. In short, manually injecting drivers does not appear to work correctly with Windows 10. Windows 7 worked properly when modifying the devicepath in the registry but not anymore, the drivers do not get installed during Sysprep, resulting in the computer not joining the domain during the Sysprep phase. After the computer reboots to Windows then the drivers are found. I know some have recommend setting the driver path in the offline servicing section of the sysprep answer file, but that answer is not valid. That phase is never processed unless the image is applied using WinPE. You can see the workflow in the attached pic as well as more explanation here.

    I know it’s a long shot, but I was hoping someone had a workaround.

  • Perhaps I should expand.

    This is what I did up to v1607.

    My sysprep answer file sets autologon of Administrator for 99 times. It enables the Administrator account and has the password included (hashed by sysprep). It also includes a FirstLogonCommands to run a cleanup script.

    That cleanup script performs the first part to remove security, rewrites the RunOnce registry value, then restarts the computer. Because the RunOnce registry value was recreated, the auto logon of Administrator launches that script again to perform further functions. After 3 more restarts the script turns off autologon, does not rewrite the RunOnce, re-enables security, then shuts the system down.

    With v1709 I changed how I harvest driver files and have been able to install all drivers without the need to dumb down the security. I now install all general drivers from setupcomplete.cmd .

  • @sudburr @george1421
    Unfortunately neither of those worked for me – maybe a Win10 1709 thing.

    I ended up setting up autologin and setting a PowerShell script as the shell for first logon. This was done via FOS registry edits.
    This script installs the drivers and sets the shell back to Explorer.

    Note this does require a hardcoded Administrator password.

    Working on an improvement now that will set the built-in admin pass via chntpw as well. This will allow an image captured from uknown hardware to be redeployed with new hardware (even when you don’t have the benefit of sysprep / Administrator user setup).

    If you’d like to view my progress see here:

    @george1421 I did borrow heavily from your 2017 tutorial and will be putting you the readme.

  • This is how I handle unsigned or untrusted drivers.

    Windows Registry Editor Version 5.00
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Security]

    … then restart, install drivers, then

    Windows Registry Editor Version 5.00
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer]
  • Moderator


    I can’t seem to get into my MDT environment at the moment, but I can get at the setupcomplete.cmd file.

    This undoes what our action turns on in MDT

    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 1 /f
    bcdedit.exe -set loadoptions ENABLE_INTEGRITY_CHECKS
    bcdedit.exe -set TESTSIGNING OFF

    [Edit]: Look in this thread:

    Search for: “UAC Lower.bat” to see the premise of what is going on.

  • Moderator

    @fishfox Give me a moment to look at my MDT setup

  • @george1421 How do I turn off driver signing requirements?

    Tried via Local Group Policy, BCDEdit, no luck.

    Thanks for all your help.

  • Moderator

    @fishfox pnputil is the easiest fix if you have signed drivers. If you don’t have signed drivers, turn off driver signing requirements before you sysprep the image then turn the requirements back on after you run pnputil in setupcomplete.cmd. Not an ideal solution and really unsure why MS broken driver loading with 1709. I haven’t touched 1803 yet to see if they’ve fixed it or broke it even worse.

  • @george1421 I’m having this same issue of course – just wondering if anybody had any update on what’s working with 1709?

    Putting the path on offlineServicing does not work (and in fact does not seem like it should as it runs during setup IE image generation).

    Altering HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\DevicePath also does not work.

    Using pnputil via SetupComplete.cmd runs into issues if the drivers aren’t signed (currently giving this a go).

    Currently giving dpinst.exe a go.

  • Moderator

    @uwpviolator The setupcomplete.cmd runs outside of UAC as does FOG Snap-ins. Running it interactively you will get a UAC prompt.

    Realize there is no magic bullet here. MS is making it harder with each release of MS Windows for third party imaging solutions. Soon, I fear, the only game in town will be SCCM.

  • @george1421 said in Windows 10 driver injection doesn't install during sysprep:

    @echo off
    echo Please wait wile we install some things you’ll need
    %~dp0\Bluetooth\Setup.exe /quiet /passive /norestart
    %~dp0\WiFi\setup.exe -quiet -passive -norestart

    Trying to test this out and getting stuck. I am trying to get a HP Softpack to install. I extracted the softpack and got the setup.exe. Per the CVA file. The command for it is

    "setup.exe" /s /v"/qn /lv %ProgramData%\Hotkey_setup.log REBOOT=REALLYSUPPRESS"

    If I run this in windows the UAC will pop up. Will this be the same if its being called in setupcomplete? or how do you bypass the UAC? and thinking about how dumb all this is, what is the proper way we are supposed to be adding drivers to Windows as it seems like we are doing it all wrong as this is hard as ^^@&.

  • Moderator

    @uwpviolator Sure no problem, but I hate to disappoint you the stuff is not very sexy.

    In the setupcomplete.cmd file I have this line.

    if exist "c:\drivers\drvinstall.cmd"  call "c:\drivers\drvinstall.cmd"

    If we have .exe type drivers that we need to install on the target computer then we will place the .exe files in the drivers directory with the drvinstall.cmd batch so they are copied to the target computer when the rest of the .inf drivers are copied over.

    Here is an example of a drvinstall.cmd batch file.

    @echo off
    echo Please wait wile we install some things you'll need
    %~dp0\Bluetooth\Setup.exe /quiet /passive /norestart
    %~dp0\WiFi\setup.exe -quiet -passive -norestart 

    One other (new) thing is we looked at how we were installing the drivers via pnputil. We have a bit cleaner command syntax.

    pnputil.exe /add-driver "c:\drivers\*.inf" /subdirs /install

  • @george1421 Do you mind sharing that part of you setupcomplete? I am still checking to see if the driver I am missing is just a inf but this could be helpful in the future.

  • Moderator

    @uwpviolator Putting a 5 or 10 second sleep would not hurt. That would give the drivers a chance to init before you make pass Next.

    As for self installers, I would tag them onto the end of the setupcomplete.cmd file. Just make sure you are sure of the silent install switches.

    I do something a bit more complex with my setupcomplete.cmd I have it check for a certain batch file name in the c:\drivers directory. If that batch file exists I call that batch file towards the end of the setupcomplete.cmd file. Remember that directory comes from the fog server with hardware specific drivers. Well if there are self extracting .exe installers in the driver pack that are hardware specific I include them in the driver directory on the fog server. Those get copied over and the setupcomplete.cmd file will call the batch file in the c:\drivers directory which installs the hardware specific .exe drivers and applications.

  • @george1421 So in setupcomplete.cmd should I tell it to sleep for a period of time between the command or do you just do

    REM Inject any missing drivers for hardware discovered during oobe
    forfiles /p "C:\Drivers" /s /m *.inf /c "cmd /c pnputil -a @Path"
    forfiles /p "C:\Drivers" /s /m *.inf /c "cmd /c pnputil -a @Path"
    forfiles /p "C:\Drivers" /s /m *.inf /c "cmd /c pnputil -a @Path"

    Also can I do about non .inf that want to be installed? Example HP Hot Key to make keyboard FN keys work?

  • Moderator

    @uwpviolator I’ve found that I need to call that pnputil 2-3 times to find all hardware hidden behind other hardware.

    I agree that 1709 did some bad things to the non SCCM image cloners.

  • @george1421 This seems to be working for me. I think I must be missing some drivers that I did not upload to FOG or my model doesn’t like 1709 which by a few forum post might be the case. M$ really screwed up with 1709. Its like the Vista of the Win 10 builds.

  • @george1421 Testing that now. Both of the other ways did not work for me.

  • Moderator

    @uwpviolator Ah, sorry. I thought you were talking about my last post.

    Well it sucks getting old, I didn’t use dism (after looking at the code) this is what I used to force the drivers in.

    REM Inject any missing drivers for hardware discovered during oobe
    forfiles /p "C:\Drivers" /s /m *.inf /c "cmd /c pnputil -a @Path"

  • @george1421 said in Windows 10 driver injection doesn't install during sysprep:

    @uwpviolator I ran into the same issue when I was working on our 1709 image (which was put on hold for the moment). I ended up with a hack to use dism in the setupcomplete.cmd to load in all of the drivers in c:\drivers directory.

    This is what I was referring to. How did you call this in the setupcomplete.cmd to pull drivers from C:\Drivers?