Fog Zero-Touch Imaging with PDQ Deploy

UPDATE 4/19/16
This post has been superseded by an easier way, detailed in this post!

PDQ Deploy + Fog = Imaging Happiness take 2

I’ve been a happy user of Fog for years here in my district. It’s made imaging an easy, thoughtless process that works quickly for me. However, there has been one drawback that I haven’t really liked, and that is its reliance on fat images. If you’re not familiar, a fat image is an image with everything and the kitchen sink thrown in. Drivers, applications, settings, shortcuts, you name it, it’s in there. Now, there are some benefits to this. Mostly that you can push a button and boom, you know it’s all there. The problem, however, comes when it’s time to update any of those parts of the fat image. You usually have to either rebuild the entire image (if you didn’t do it in a VM and use snapshots..) or at worst, have to fire up your golden image VM and update there, then reupload all that back to Fog. It’s time consuming, annoying, and something people usually push off.

## Enter PDQ Deploy

PDQ Deploy is a tool from Admin Arsenal that is all about getting software to your clients in a fast, easy way. It uses all kinds of witchery to send out packages to your clients and install them silently, and it does so well. Its licensing is very agreeable, and all in all, it’s a great product. One of the cool things you can do with it, with a license, is access a library of pre-packaged and ready to go applications to put into your deployments. Things like Java, Flash, Chrome, Adobe Reader are all there, ready for you to send out to your users. What’s even cooler is that it allows you to nest these packages, to make some kind of package Voltron that can do anything you want. They also let you make your own packages, which can include anything from commands, batch files and PowerShell scripts to just copying a file over the network. It’s super powerful.

PDQ Deploy also has a command-line interface, allowing you to script it. We’re going to be abusing that with this system, by using a PowerShell script from the client to invoke the deployment of a specific package to itself from PDQ Deploy. And we’re going to use Fog to initiate that PowerShell script after a fresh image, allowing us to literally push the “image” button in Fog, have our device WoL boot, pull down a Windows image, and then pull down updated versions of all your programs from PDQ automatically. While joining a domain, setting up Wifi, the whole she-bang.

Yes, it’s pretty awesome.

## So, here are the steps

So, this system is assuming that you have a Fog server set up, in my case 1.2.0, and it’s working well. If you don’t have that, please refer to the instructions on their website to take care of it, it’s pretty simple.

First, go ahead and make your Windows image. Install it, boot into Audit mode, run updates, and install some of your big software, like Office2013, that you wouldn’t want sent out over the network. Personally, I install Office2013, some software we need for FACS that takes forever on a network, and our CAD software.

Secondly, to allow the Fog snapin to run, we’ll need to make a tweak to the local group policy. Fog snapins need UAC to not prompt, or else they won’t run, as there is no GUI for you to click through. Some of you may scoff at this, and understandably so. However, to make it work, this is a needed feature. So, do the following:

- Start / Run / secpol.msc
- Under Local Policies / Security Options, find “User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode” and set it to “Elevate without prompting”.
- Also find “User Account Control: Switch to the secure desktop when prompting for elevation” and set it to Disabled.

This sets us up to allow our snapins to run. You can now go ahead and run your normal sysprep, and capture the image up to Fog.

Thirdly, we need to make a snapin in Fog that runs the scripts we need. Making a snapin in Fog is a pretty easy process, one that I’ll go over here. You’ll need 2 pieces of software installed on the machine that’s making the snapin: 7Zip and 7ZiPSFXMaker. First, we need to make a PowerShell script. This script is completely lifted from a user on the Admin Arsenal forums, so thanks very much Paul Thompson! Don’t worry about having the domain password in there in plain text either. It only runs as a snapin, users never see it, and it deletes itself. It’s fine.

***NOTE*** – If your password has a $ in it, you have to include, what I believe is called, a delimiter. Basically, if your password was “AbC123$”, you would have to enter it below as “AbC123`$” <— Simply put, you’re adding a backtick (`) just before the $. 🙂

```powershell
# Build a credential for the account allowed to start deployments on the PDQ server.
$secpasswd = ConvertTo-SecureString "DOMAIN_ADMIN_PASSWORD" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("DOMAIN\DOMAIN_ADMIN", $secpasswd)

# This machine's own name becomes the deployment target.
$remotecomputer = Get-Content env:computername

# Run PDQDeploy.exe on the PDQ server and have it deploy the package back to this machine.
Invoke-Command -ComputerName SERVER_RUNNING_PDQ_DEPLOY -Credential $creds -ScriptBlock {
    param($name)
    & 'C:\Program Files (x86)\Admin Arsenal\PDQ Deploy\PDQDeploy.exe' Deploy -Package 'PDQ_DEPLOY_PACKAGE_NAME' -Target $name
} -ArgumentList $remotecomputer
```

Save that file as pdqdeploy.ps1. Now, Fog snapins can’t run PowerShell scripts natively. Why, I’m not sure, but they don’t. So we need a batch file to call this PowerShell script for us. And it’s attached here:

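```bat
@ECHO OFF
REM Save this file as snapin.cmd; that is the name the SFX Execute path refers to.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
CLS
ECHO LPA New Image Deployment Suite
ECHO Deploying new software, please wait
REM Run the PowerShell script extracted next to this batch file.
powershell.exe -noprofile -executionpolicy bypass -file .\pdqdeploy.ps1
sleep.exe 10
exit
```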

The important part about this one is pretty simple: you need the -executionpolicy bypass part to allow it to run. Since PowerShell isn’t allowed to run scripts by default, the machine needs to bypass the policy to let it go. Annoying, but it works.

So, now, install the SFX Maker just like you would anything else, and run it as an administrator. Running as admin is important, as you need this for it to work. While you’re installing that, select both of those files we made, right click, and under 7zip, add them to a new 7z file.

Go ahead and launch SFX Maker. On the first screen it will ask you which file you want to include. This is the 7zip archive we made in the last step. So hit the plus icon and navigate to the SFX Adobe folder where the archive is.


Now move to the “General” Tab at the top. Set the extraction path to a temporary folder. Make sure you choose “hide extraction progress” and “delete the SFX file after extraction”.


Now move to the “Execute” tab. This is important: it is the path to the file that we want the SFX Maker to run after the archive is extracted on the machine. In this case we want to use this path:
%%T\snapin.cmd
This will follow the temporary path where the SFX is extracted to, and run our command to pull the install from PDQ.


Now choose “Make SFX” at the bottom right of the window. That’s it! Make sure you test the SFX thoroughly. If it works then you can upload the Snapin to FOG for deployment. REMEMBER: The finished SFX will delete itself after being extracted, so make sure you make a copy somewhere.

 

Alright, time to get the snapin into Fog.

We do this by going into our Fog server, logging in, and selecting the Snapin Management menu item. We then select “create new snapin” on the left. Give your snapin a name, I call mine new image deployment, and a description. Leave the arguments alone, no one needs those at the moment. When it asks for a file to upload, upload the file you created with the SFX Maker. It should be something.sfx.exe. Then click add.

Associate this snapin with the image you made, and associate that with a host.

Now, we need to go into PDQ Deploy and set up the packages we want to install. Getting packages figured out is a lot better described in their support videos, so I’m just going to give you the basics.

First, you’ll want to import everything you want installed. Let’s say you want Flash, Adobe Reader, Chrome, and Java 8u45. You have those all imported into your library. Next, you want to create a nested package. You do this by shift-selecting everything you want, and on the right hand side clicking the blue text to create a nested package. It basically just chains them together.

Now, to make this even easier, you can add steps to the end to do other things. My personal fave is to add a step to import a wireless profile. Just have your wireless profile XML file ready to go, and then run netsh wlan add profile filename="filename.xml" user=all and boom, now all users have that wifi profile and it hooks up automatically. It’s huge.

Reboot your test machine, and image it with your new image. After it joins the domain, you should wait between 2-10 minutes and see that PDQ Deploy has a new deployment running for that machine. The software installs, and you’re good to go. Mine takes, from start to finish, 31 minutes to be done.
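
The two UAC policies relaxed in the image stay that way on every machine built from it. The script below is an added example (not from the original post, Fog or PDQ) that reports their registry values and, with the hypothetical `-Restore` switch, writes the Windows defaults back. It assumes it runs elevated, for instance as one more step at the end of the nested package, and that no further Fog snapins need to run on that machine afterwards.

```powershell
# Added example: audit, and optionally restore, the two UAC policies this guide relaxes.
param(
    [switch]$Restore   # hypothetical switch name: write the Windows defaults back
)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value behind each secpol.msc setting, the value the guide sets, and the Windows default.
# ConsentPromptBehaviorAdmin: 0 = elevate without prompting, 5 = prompt for consent (non-Windows binaries)
# PromptOnSecureDesktop:      0 = secure desktop disabled,   1 = enabled
$policies = @(
    @{ Name = 'ConsentPromptBehaviorAdmin'; Relaxed = 0; Default = 5 },
    @{ Name = 'PromptOnSecureDesktop';      Relaxed = 0; Default = 1 }
)

function Get-UacState($policy) {
    # Returns the raw value ($null when the value does not exist) and a readable state.
    $item  = Get-ItemProperty -Path $key -Name $policy.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($policy.Name) } else { $null }
    $state = if ($null -eq $value)               { 'NotSet' }
             elseif ($value -eq $policy.Relaxed) { 'Relaxed' }
             elseif ($value -eq $policy.Default) { 'Default' }
             else                                { 'Other' }
    [pscustomobject]@{ Policy = $policy.Name; Value = $value; State = $state }
}

if ($Restore) {
    foreach ($p in $policies) {
        # -Force overwrites the existing value; both values are DWORDs.
        New-ItemProperty -Path $key -Name $p.Name -Value $p.Default -PropertyType DWord -Force | Out-Null
    }
}

# Report the state after any restore, so the output reflects what is on the machine now.
$report = foreach ($p in $policies) { Get-UacState $p }
$report | Format-Table -AutoSize | Out-String | Write-Output

# Non-zero exit code when a policy is still relaxed, so the calling tool can flag the machine.
if ($report | Where-Object { $_.State -eq 'Relaxed' }) { exit 1 } else { exit 0 }
```

Run without `-Restore`, it changes nothing and only reports, which makes it usable as a check on machines already in service.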

 
