Windows 10 driver injection doesn't install during sysprep

george1421

@uwpviolator Putting a 5 or 10 second sleep would not hurt. That would give the drivers a chance to init before you make pass Next.

As for self installers, I would tag them onto the end of the setupcomplete.cmd file. Just make sure you are sure of the silent install switches.

I do something a bit more complex with my setupcomplete.cmd I have it check for a certain batch file name in the c:\drivers directory. If that batch file exists I call that batch file towards the end of the setupcomplete.cmd file. Remember that directory comes from the fog server with hardware specific drivers. Well if there are self extracting .exe installers in the driver pack that are hardware specific I include them in the driver directory on the fog server. Those get copied over and the setupcomplete.cmd file will call the batch file in the c:\drivers directory which installs the hardware specific .exe drivers and applications.

UWPVIOLATOR

@george1421 Do you mind sharing that part of you setupcomplete? I am still checking to see if the driver I am missing is just a inf but this could be helpful in the future.

george1421

@uwpviolator Sure no problem, but I hate to disappoint you the stuff is not very sexy.

In the setupcomplete.cmd file I have this line.

if exist "c:\drivers\drvinstall.cmd"  call "c:\drivers\drvinstall.cmd"

If we have .exe type drivers that we need to install on the target computer then we will place the .exe files in the drivers directory with the drvinstall.cmd batch so they are copied to the target computer when the rest of the .inf drivers are copied over.

Here is an example of a drvinstall.cmd batch file.

@echo off
echo Please wait wile we install some things you'll need
%~dp0\Bluetooth\Setup.exe /quiet /passive /norestart
%~dp0\WiFi\setup.exe -quiet -passive -norestart 

One other (new) thing is we looked at how we were installing the drivers via pnputil. We have a bit cleaner command syntax.

pnputil.exe /add-driver "c:\drivers\*.inf" /subdirs /install

UWPVIOLATOR

@george1421 said in Windows 10 driver injection doesn't install during sysprep:

@echo off
echo Please wait wile we install some things you’ll need
%~dp0\Bluetooth\Setup.exe /quiet /passive /norestart
%~dp0\WiFi\setup.exe -quiet -passive -norestart

Trying to test this out and getting stuck. I am trying to get a HP Softpack to install. I extracted the softpack and got the setup.exe. Per the CVA file. The command for it is

"setup.exe" /s /v"/qn /lv %ProgramData%\Hotkey_setup.log REBOOT=REALLYSUPPRESS"

If I run this in windows the UAC will pop up. Will this be the same if its being called in setupcomplete? or how do you bypass the UAC? and thinking about how dumb all this is, what is the proper way we are supposed to be adding drivers to Windows as it seems like we are doing it all wrong as this is hard as ^^@&.

george1421

@uwpviolator The setupcomplete.cmd runs outside of UAC as does FOG Snap-ins. Running it interactively you will get a UAC prompt.

Realize there is no magic bullet here. MS is making it harder with each release of MS Windows for third party imaging solutions. Soon, I fear, the only game in town will be SCCM.

fishfox

@george1421 I’m having this same issue of course – just wondering if anybody had any update on what’s working with 1709?

Putting the path on offlineServicing does not work (and in fact does not seem like it should as it runs during setup IE image generation).

Altering HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\DevicePath also does not work.

Using pnputil via SetupComplete.cmd runs into issues if the drivers aren’t signed (currently giving this a go).

Currently giving dpinst.exe a go.

george1421

@fishfox pnputil is the easiest fix if you have signed drivers. If you don’t have signed drivers, turn off driver signing requirements before you sysprep the image then turn the requirements back on after you run pnputil in setupcomplete.cmd. Not an ideal solution and really unsure why MS broken driver loading with 1709. I haven’t touched 1803 yet to see if they’ve fixed it or broke it even worse.

fishfox

@george1421 How do I turn off driver signing requirements?

Tried via Local Group Policy, BCDEdit, no luck.

Thanks for all your help.

george1421

@fishfox Give me a moment to look at my MDT setup

george1421

@fishfox

I can’t seem to get into my MDT environment at the moment, but I can get at the setupcomplete.cmd file.

This undoes what our action turns on in MDT

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 1 /f
bcdedit.exe -set loadoptions ENABLE_INTEGRITY_CHECKS
bcdedit.exe -set TESTSIGNING OFF

[Edit]: Look in this thread: https://social.technet.microsoft.com/Forums/en-US/865bc19b-c3f5-4a87-b1fb-b255de072180/temporary-disable-driver-signing-check-in-windows-7?forum=w7itproinstall

Search for: “UAC Lower.bat” to see the premise of what is going on.

sudburr

This is how I handle unsigned or untrusted drivers.

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Security]
"DisableSecuritySettingsCheck"=dword:00000001

… then restart, install drivers, then

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=dword:00000001
[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer]

fishfox

@sudburr @george1421
Unfortunately neither of those worked for me – maybe a Win10 1709 thing.

I ended up setting up autologin and setting a PowerShell script as the shell for first logon. This was done via FOS registry edits.
This script installs the drivers and sets the shell back to Explorer.

Note this does require a hardcoded Administrator password.

Working on an improvement now that will set the built-in admin pass via chntpw as well. This will allow an image captured from uknown hardware to be redeployed with new hardware (even when you don’t have the benefit of sysprep / Administrator user setup).

If you’d like to view my progress see here: https://github.com/grlcboi/fogscripts

@george1421 I did borrow heavily from your 2017 tutorial and will be putting you the readme.

sudburr

Perhaps I should expand.

This is what I did up to v1607.

My sysprep answer file sets autologon of Administrator for 99 times. It enables the Administrator account and has the password included (hashed by sysprep). It also includes a FirstLogonCommands to run a cleanup script.

That cleanup script performs the first part to remove security, rewrites the RunOnce registry value, then restarts the computer. Because the RunOnce registry value was recreated, the auto logon of Administrator launches that script again to perform further functions. After 3 more restarts the script turns off autologon, does not rewrite the RunOnce, re-enables security, then shuts the system down.

With v1709 I changed how I harvest driver files and have been able to install all drivers without the need to dumb down the security. I now install all general drivers from setupcomplete.cmd .