The solution is to have setupcomplete.cmd enable the service, and then restart the machine. I’m putting it into the wiki here momentarily.
Also - it renaming the host would indicate that you have Early Hostname Changer enabled. This is going to cause you problems in the long run if you’re sys-prepping and using the new client. you should disable that. It’s in fog settings.
The certificate is the central and single point of success or failure of security for the fog client. If an attacker could get it by any means at all, all security is compromised. Having an actual feature that allows it to be downloaded would increase the risk of compromise several times fold.
a local admin ought to be the only person that can touch it.