Migrating to the SCCM UDI for OSD, part 6a: Operations – Drivers

Continued from part 5:

The following is a operational procedure for updating applications, specific to the UVM environment. Use it as a template for managing your own procedures:

  1. If adding a new model: Establish the driver package source:
    1. Download the driver packages from Dell (or Lenovo). You will need different packages for each supported OS.
    2. Determine the WMI model name:
      1. Wmic computersystem get model -or-
      2. Get-WmiObject -class win32_computersystem
        (or more verbosely get-wmiobject -namespace root\cimv2 -class win32_computersystem -property model)
    3. Create a new folder under the matching OS version folder (i.e. Win7 or Win8) within the driver import source directory: “\\confman3\sources\drivers\import“. The name of this new folder must match the model information discovered in step 2. Extract the new drivers into this folder.
  2. If updating a model: Update the driver source:
    1. Locate the source folder for the driver package to update. Remove all contents of the directory including the “.hash” file in the root.
    2. Extract the new drivers into this folder.
  3. If updating a model: Cleanup existing drivers in SCCM:
    1. Find the package to be updated in the SCCM management console. Delete it.
    2. Right-click and get the properties on any driver in the SCCM console. Call up the list of driver categories, and delete the category for the driver to be updated.
  4. Import the drivers from source:
    1. Run C:\local\scripts\CM-Drivers\ImportDrivers.ps1 to import the new drivers into the SCCM environment. The script will create new packages and driver categories for each new folder that you created.
    2. Wait.
  5. Distribute the drivers:
    1. Refresh the SCCM console to reveal the new driver packages and categories.
    2. Right-click the driver package and select “Distribute Content”. Distribute the drivers to “Confman2”.
    3. Monitor the distribution process in the bottom pane of the SCCM console. Make sure distribution succeeds before proceeding.
  6. If adding a model/package: Update the MDT files with the new driver information:
    1. Run C:\local\scripts\CM-TaskSequences\build-UdiInfoFiles.ps1 on Confman3
    2. Locate the “MDT 2013 Files” package in the SCCM console under Software Library->Application Management->Packages, and run an “Update Distribution Points” action. Verify that distribution was successful before proceeding. This will publish a new list of drivers packages to the UDI clients.
  7. If adding a model/package: Update the OS Installation Task Sequence:
    1. Run C:\local\scripts\CM-TaskSequences\Update-DriverInjectionTaskSequence.ps1. Specify the name of the Task Sequence to update when prompted, or provide the name using the “-name” parameter. This script will update the Task Sequence to allow for injection of the new driver package, if one is available for the current model.
  8. If adding or updating WinPE, Peripheral, or “Other” drivers: Update the boot media:
    1. In the SCCM console under Software Library->Operating Systems->Drivers, select “Saved Searches”, then select WinPE 64-bit or WinPE 32-bit. Once the drivers have been filtered, Select All, and then right-click and select Edit->Boot Images. Select the MDT boot image for your architecture (32-bit or 64-bit).
    2. Select “Task Sequences” in the console, then select “Create Task Sequence Media”:
      1. Select to create “Bootable Media”
      2. Select “Site Based Media”
      3. Select “CD/DVD Set”, and specify the path: \\CONFMAN3\sources\os\boot\mdt\iso\UDI-x64.iso
      4. Clear “Protect media with password”, and select “Import PKI certificate”. Select a certificate and password from our super-secret source location. Select “Allow user device affinity with auto-approval”. (If the certificate is expired, see the separate procedure below for generating a new workgroup computer certificate.)
      5. For boot media, select the MDT boot image that you updated in part 8a. For distribution point, select CONFMAN2. For Management Point, select CONFMAN3.
      6. Complete the wizard, and then distribute the boot media to the usual locations (\\files\software\deploy).

As noted above, you need a custom Workstation Authentication certificate to generate the boot media.  If your certificate has expired or you want to generate a new certificate for any other reason, use the following procedure, adopted from:


  1. From a workstation that has access to your Certificate Authority web interface, open Internet Explorer using your admin account, and access:
    Logon as a user with rights to generate workgroup certificates.  Currently this is scoped to high-level admins in our organization.

    1. Add the site to the “Trusted sites” zone in your Internet Settings Control Panel.
    2. Activate “compatibility view” if your CA is still running on Server 2008 R2, otherwise the required ActiveX controls will not load.
    3. Select “Request a certificate”.
    4. Select “Create and submit a request to this CA”.
    5. Select the template: “UVM – SCCM Workgroup or WinPE Client Authentication”
      • Note: This is a lightly-modified copy of the stock “Workstation Authentication” certificate template.  As per MS requirements, the certificate has been forced to use the legacy “Server 2003” certificate format, not the Vista+ “CNG” format.
      • An Enterprise Admin can add permissions to the template to allow enrollment rights for additional users/groups, if necessary.
    6. Fill in the identifying information and friendly name for the certificate.  Make sure to select the option to “Mark keys as exportable”, then click “Submit”.
    7. When prompted, install the certificate.  The certificate will be installed into the “Personal” or “My” store for the user running Internet Explorer.
  2. Run MMC.EXE as the user who requested the certificate:
    1. Add the “Certificates” snap-in for the current user.
    2. Navigate to the “personal” store.  Locate the new certificate.
    3. Right-click the certificate and select All Tasks -> Export.
      1. In the certificate export wizard, select the option “Yes, export the private key.”
      2. Select Personal Information Exchange – PCKS #12 (.PFX), and ensure that “Include all certificates in the certification path if possible” AND “Export all extended properties” are checked, then click Next.
      3. Type in a password and confirm it in the boxes provided on the Password screen, then click Next. (Save this password for later use)
      4. Browse for a location to which to export the certificate.  Make sure that it is somewhere accessible from SCCM, give it a name (i.e. ‘WinPE-Cert.pfx’) and click Save.
  3. Use this new certificate file when completing step 8.4, above.


Series Index: