Deploying Windows Server 2012 R2 to Intel NUC devices using MDT 2013
The Intel NUC devices have turned out to be great machines for a small but efficient Hyper-V host. The challenge is that Intel doesn’t get that, and in fact blocks their network adapter device drivers for Windows Server 2012 R2 (with some exceptions). In this post you learn how to fix this properly:
When it comes to solving the Windows Server 2012 R2 network drivers issues for the Intel NUC device, you have three options:
- Buy one of the few (well two) Intel NUC models that actually do have a network driver for Windows Server 2012 R2.
- Fix the driver yourself and sign it like a boss
- Fix the driver yourself, go cheap, disable driver enforcement in Windows Server 2012 R2, install the driver (semi-manually), and enable driver enforcement again.
This post focuses on the real deal, doing what you should be doing for a real-world production environment, i.e. Option 2 :)
Option 1 – Buy the special Intel NUC models
Not much to say about this one: buy one of the DC53427HYE or NUC5i5MYHE Intel NUC kits, download the LAN_Server2012R2_64_19.5.exe driver, and import as usual into MDT 2013.
Option 2 – Sign the Driver Like a Boss!
This is where you want to be, and for this you need to get a real driver certificate that is cross-signed with Microsoft. I ended up buying Kernel-Mode Code Signing Certificates from DigiCert for 223 USD (1 year) but I have seen deals as low as 178 USD / year. I just happen to like DigiCert because they are awesome. Here are the steps for fixing and signing the Intel network drivers for Windows Server 2012 R2. In these steps I assume you have bought a certificate:
- Download the Intel NUC network driver for Windows 8.1 (LAN_Win8.1_64_19.5.exe) from https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=24198&lang=eng&ProdId=3744 and extract to a folder.
- The driver you want to modify is in the lan_win8.1_64_19.5\PRO1000\Winx64\NDIS64 folder. In this guide I created a new folder, C:\Drivers\IntelNUC, and copied the NDIS64 folder to it.
The NDIS64 folder copied from lan_win8.1_64_19.5\PRO1000\Winx64.
- Modify the e1d64x64.inf file per Jay-R Barrios' instructions in his post: Intel NUC D54250WYKH: Installing LAN Driver on Windows Hyper-V Server 2012 R2
- Download and install Windows Driver Kit 8.1 Update 1 from http://www.microsoft.com/en-us/download/details.aspx?id=42273 . Don’t worry about the notes saying you must have Visual Studio 2013 installed, because you don’t.
Installing Windows Driver Kit 8.1 Update 1.
- Since you modified the e1d64x64.inf file you have broken the signing. To fix this you generate new catalog files, and sign them with your certificate.
- Generate the new CAT files by starting an elevated command prompt and running the following commands:
Cd "C:\Program Files (x86)\Windows Kits\8.1\bin\x86"
inf2cat.exe /driver:"C:\Drivers\IntelNUC\NDIS64" /os:Server6_3_X64
Generating the catalog files.
- Next up is to sign the catalog files. You can either do that using the Signtool.exe utility, or, if you are using DigiCert, you can use the DigiCert utility to do this. If you are going the command line route, download the "DigiCert High Assurance EV Root CA.crt" from DigiCert to the folder where you have signtool.exe, and run the following command:
signtool.exe sign /v /ac "DigiCert High Assurance EV Root CA.crt" /s My /n "Deployment Artist AB" /t http://timestamp.digicert.com /sha1 12210EDE21C48E90511476F35B18671665EEC14A "C:\Drivers\IntelNUC\NDIS64\e1d64x64.cat"
Note: You need to replace the certificate name and SHA1 value in the above command with your own (if you only have one certificate with that name you can skip the /sha1 switch).
- If you use the DigiCert utility, just add the CAT files to sign, don’t forget to check “Kernel Mode Signing”, and click Sign.
- Now the drivers are signed and you simply add them to MDT 2013. The Intel NUC tested with this guide was D54250WY, and since I always use the Total Control approach, I have that logical folder in my Deployment Workbench as well.
”Fixed” network driver added to the workbench.
- You are done! MDT 2013 will now happily inject the driver into the driver store during deployment! During the WinPE phase of the deployment you can verify the injection into the driver store by pressing F8 and opening the X:\Windows\Logs\DISM\Dism.log file.
Dism.log file showing successful install of the modified driver.
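A check worth running before the import into MDT 2013, as an added example that is not part of the original post: it confirms that only e1d64x64.inf and the catalogs differ from Intel's package, and that every catalog carries a valid, timestamped signature from your certificate. The $Original path and the thumbprint placeholder are assumptions; replace them with your own values.

```powershell
# Added example: verify the modified, re-signed driver folder before importing it.
$Original = 'C:\Drivers\Original\NDIS64'    # assumed path: untouched copy from the Intel package
$Modified = 'C:\Drivers\IntelNUC\NDIS64'    # working folder used in this guide
$Expected = '<YOUR-CERT-SHA1-THUMBPRINT>'   # placeholder: your signing certificate, no spaces

# Map each file's relative path to its SHA256 hash.
function Get-HashTable([string]$Root) {
    $table = @{}
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
        $table[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    $table
}

$before = Get-HashTable $Original
$after  = Get-HashTable $Modified

# 1. Only the edited INF and the regenerated catalogs may differ or be new.
$changed    = @($after.Keys | Where-Object { $before[$_] -ne $after[$_] })
$unexpected = @($changed | Where-Object {
    $_ -notmatch '(^|\\)e1d64x64\.inf$' -and $_ -notmatch '\.cat$' })
$missing    = @($before.Keys | Where-Object { -not $after.ContainsKey($_) })

# 2. Every catalog in the folder must be signed by your certificate and timestamped.
#    A catalog that was regenerated but never signed shows up here as NotSigned.
$badCats = @(Get-ChildItem -Path $Modified -Recurse -Filter *.cat | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Thumbprint -ne $Expected -or
        -not $sig.TimeStamperCertificate) {
        '{0}: status={1}' -f $_.Name, $sig.Status
    }
})

$unexpected | ForEach-Object { Write-Warning "Unexpected change: $_" }
$missing    | ForEach-Object { Write-Warning "Missing file: $_" }
$badCats    | ForEach-Object { Write-Warning "Catalog problem: $_" }

if ($unexpected -or $missing -or $badCats) {
    throw 'Driver package failed verification; do not import it into MDT.'
}
'Verified: only the INF and catalogs changed, and all catalogs are signed.'
```

For the kernel-mode policy check itself, signtool.exe verify /kp /v against the signed .cat file reports the full certificate chain.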
Option 3 – Go cheap and trick the system
If you want to go cheap, and don’t mind having a manual task in the deployment (brr), you can disable driver enforcement in Windows Server 2012 R2, install the driver, and enable driver enforcement again. This post by Jay-R Barrios shows you how: Intel NUC D54250WYKH: Installing LAN Driver on Windows Hyper-V Server 2012 R2