@cerebron That is a great tip! Thank you for posting!

#wiki worthy

@Wayne-Workman said in New Fog client and security:

@LibraryMark said in New Fog client and security:

It’s just that for my situation, in a public library with public hosts on a network totally separate from our staff net, I am not sure I have a need for bullet-proof security there.

You’re public users are not a security risk? And I know you say you have HDD locking software (Centurion SmartShield or Faronics DeepFreeze probably), but this doesn’t really matter. If there’s a security hole and someone knows how to exploit it, they can exploit it every time they want. Once there’s a compromise, those computers are no longer safe for users to use, no matter how many times they are rebooted and ‘reset’. The legacy client is not secure. The legacy-enabling functionality server-side is also not secure. It is advised that once you have moved to the new fog client, to remove legacy passwords from the FOG server.

We are using Reboot Restore Rx. Are you talking about the fog client still?

@Wayne-Workman said in FOG Imaging Over MPLS:

Throwing options out there… Intel NUC with a 120GB drive, fanless, for 230 bucks. You could totally make these into fog storage nodes (George already did, I think).
http://www.thebookpc.com/product-p/de3815tykhe.htm?gclid=CMKPvuSQvc4CFQuLaQodNsUEhA

Yeah. probably not those. We used them for a few digital signage projects. They are a bit sluggish with the single core atom processor. (windows performance index of 1.1) You can get a dual core celeron with wireless and bluetooh card build it for just a little more and they are smaller: http://www.thebookpc.com/product-p/dn2820fykh.htm?gclid=CKTtmP2Rvc4CFQaQaQodiNkLYg

Or an i3 for about $270USD https://www.amazon.com/Intel-D34010WYK-DisplayPort-i3-4010U-Consumer/dp/B00F3F381A

You have to understand these are kit computers, you also need to purchase ram and a hard disk (SSD) to make it a complete bit of kit.

Thank you above command working…And i got the loaction of the files

Storage nodes per-building is also an option.

If you want to go with a mobile fog laptop server using dnsmasq, I actually have a project that can automate this for you.

@Wayne-Workman Agreed, I figured I should file it as a bug anyway. Thanks for the help here. I’ll post shortly regarding this.

@cnewman402
Check out what I have done in my server with this iPXE boot menu. I’ve got quite a few ISO’s booting on my setup using memdisk.

:dban menu DBAN Nuke Menu item autonuke AutoNuke DoD 3-Pass item zero AutoNuke 1-Pass Zero Wipe item choose-disk Single Disk Selection item return Back to top menu... item choose --default return --timeout 10000 target && goto ${target} :autonuke kernel http://${fog-ip}/dban/dban.bzi nuke="dwipe --autonuke" silent vga=785 boot || goto failed :zero kernel http://${fog-ip}/dban/dban.bzi nuke="dwipe --autonuke --method zero" silent vga=785 boot || goto failed :choose-disk kernel http://${fog-ip}/dban/dban.bzi nuke="dwipe" silent vga=785 boot || goto failed :return chain ${boot-url}/service/ipxe/boot.php?mac=${net0/mac} || prompt goto MENU :WHDD kernel http://${fog-ip}/whdd/whdd.bzi initrd http://${fog-ip}/whdd/initramfs boot :HDT initrd http://${fog-ip}/hdt/hdt.iso chain http://${fog-ip}/hdt/memdisk iso raw boot :AVG initrd http://${fog-ip}/avg/avg.iso chain http://${fog-ip}/avg/memdisk iso raw boot :BreakIn initrd http://${fog-ip}/breakin/breakin.iso chain http://${fog-ip}/breakin/memdisk iso raw boot

@Wayne-Workman Sounds good. I appreciate the advice! I’m just glad it installed. 🙂

@Joe-Gill Yep. Correct until Tom makes another change to it.

@sudburr said in What is the Automatic Order of Operations of the New Fog Client?:

I would strongly vote against renaming and joining the domain in a single reboot. This can lead to Active Directory issues. Namely you end up with two objects on the AD, one with the original name and another with the new name, or it may retain the old name anyways.
My vote is to mandatory restart after renaming, then mandatory restart after joining the domain. This is the MS method as well.

I would agree. I have experience in this area, it’s never gone well.

@Wayne-Workman
Ok… so once I made some tweaks on this… I ran into a small issue getting the DBAN working properly while doing the timeout config. Ultimately here is where I stand with my current menu. This includes a new choice for disk selection as well as a default timeout of 10 seconds. It will then kick back to the main menu if it times out. I reverted back to using ${fog-ip} as well. After looking back at it as my ${boot-url} is http://${fog-ip}/${fog-webroot}. but all of my ISO’s whether mounted or chained using memdisk are mounted or stored in a directory off of webserver root instead of buried under the fog subdirectory.

:dban menu DBAN Nuke Menu item autonuke AutoNuke DoD 3-Pass item zero AutoNuke 1-Pass Zero Wipe item choose-disk Single Disk Selection item return Back to top menu... item choose --default return --timeout 10000 target && goto ${target} :autonuke kernel http://${fog-ip}/dban/dban.bzi nuke="dwipe --autonuke" silent vga=785 boot || goto failed :zero kernel http://${fog-ip}/dban/dban.bzi nuke="dwipe --autonuke --method zero" silent vga=785 boot || goto failed :choose-disk kernel http://${fog-ip}/dban/dban.bzi nuke="dwipe" silent vga=785 boot || goto failed :return chain ${boot-url}/service/ipxe/boot.php?mac=${net0/mac} || prompt goto MENU

Excellent. Thank you! It’s good to know that a netdom pull is no longer required.

Good to know. Thank you!

Celebrate your vestigial umbilical cord!

@Wayne-Workman i am not really used with github but i can upload it somewhere and share it sure.
Give me some time, if you like you can share it via github.

EDIT:

Post 1 updated @Wayne-Workman

Regards X23

@cnbgeren Yeah it looks like your dhcp server isn’t running.

Since it appears you have a unbuntu server you might want to review this document. https://help.ubuntu.com/community/isc-dhcp-server

Try resetting the encryption for that particular host. this is done through the web interface, in the host’s general area.

Just wanted to thank everyone for their suggestions( @george1421 @Wayne-Workman). We did install LAPS on a test OU and it works perfectly. We’ll likely be rolling it out in the next week or two. For those machines off the domain, oh well…

I’m pretty sure he is. He started slowing down access to the forums once I started making a lot of effort on keeping things up to date. I haven’t seen him in a while though 😞

SetupComplete.cmd

@ECHO OFF TITLE Post Sysprep Configuration Script REM *** Activating Windows TITLE Activating Windows 10... cscript slmgr.vbs /skm sx.org cscript slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX cscript slmgr.vbs /ato REM *** Activate Office TITLE Activating Office... cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /sethst:x.org cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /act REM *** Starting FOG Service after boot TITLE Start FOG Service... sc config FOGService start= auto net start FOGService REM *** Finalize Script Actions and Cleanup the Scripting Environment TITLE Finalizing Script Actions... DEL /Q /F c:\Windows\System32\Sysprep\unattend.xml DEL /Q /F c:\Windows\panther\unattend.xml RD /S /Q c:\windows\setup\scripts

Unattend.xml

<?xml version="1.0" encoding="utf-8"?> <unattend xmlns="urn:schemas-microsoft-com:unattend"> <servicing></servicing> <settings pass="windowsPE"> <component name="Microsoft-Windows-PnpCustomizationsWinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <DriverPaths> <PathAndCredentials wcm:action="add" wcm:keyValue="b895faa4"> <Path>C:\Windows\Drivers</Path> </PathAndCredentials> </DriverPaths> </component> </settings> <settings pass="generalize"> <component name="Microsoft-Windows-Security-SPP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <SkipRearm>1</SkipRearm> </component> </settings> <settings pass="specialize"> <component name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <SkipAutoActivation>true</SkipAutoActivation> </component> <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <RunSynchronous> <RunSynchronousCommand wcm:action="add"> <Description>Activates Built-in Administrator account</Description> <Order>1</Order> <Path>net user administrator /active:yes</Path> </RunSynchronousCommand> </RunSynchronous> </component> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <DesktopOptimization> <ShowWindowsStoreAppsOnTaskbar>false</ShowWindowsStoreAppsOnTaskbar> <GoToDesktopOnSignIn>false</GoToDesktopOnSignIn> </DesktopOptimization> <OEMInformation> <Logo>C:\Windows\System32\oobe\info\info.bmp</Logo> <Manufacturer>Hewlett Packard</Manufacturer> <SupportHours></SupportHours> <SupportURL></SupportURL> </OEMInformation> <TimeZone>Eastern Standard Time</TimeZone> <RegisteredOrganization>Name Here</RegisteredOrganization> <RegisteredOwner>Name Here</RegisteredOwner> <CopyProfile>true</CopyProfile> <ComputerName>*</ComputerName> </component> </settings> <settings pass="oobeSystem"> <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <InputLocale>en-us</InputLocale> <SystemLocale>en-us</SystemLocale> <UILanguage>en-us</UILanguage> <UserLocale>en-us</UserLocale> </component> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <OOBE> <ProtectYourPC>1</ProtectYourPC> <HideEULAPage>true</HideEULAPage> <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> <HideOnlineAccountScreens>true</HideOnlineAccountScreens> <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen> <HideLocalAccountScreen>false</HideLocalAccountScreen> </OOBE> <UserAccounts> <AdministratorPassword> <Value>pw_here</Value> <PlainText>false</PlainText> </AdministratorPassword> <LocalAccounts> <LocalAccount wcm:action="add"> <Password> <Value>pw_here</Value> <PlainText>false</PlainText> </Password> <Name>Administrator</Name> <Group>Administrators</Group> <DisplayName>Administrator</DisplayName> <Description>Local Administrator</Description> </LocalAccount> </LocalAccounts> </UserAccounts> <VisualEffects> <FontSmoothing>ClearType</FontSmoothing> </VisualEffects> <RegisteredOrganization>Name</RegisteredOrganization> <RegisteredOwner>Name</RegisteredOwner> <TimeZone>Eastern Standard Time</TimeZone> <AutoLogon> <Password> <Value>pw_here</Value> <PlainText>false</PlainText> </Password> <Enabled>true</Enabled> <LogonCount>1</LogonCount> <Username>administrator</Username> </AutoLogon> </component> </settings> <cpi:offlineImage cpi:source="wim:c:/users/laner/desktop/windows%2010%20deployment/sw_dvd5_win_edu_10_1511.1_64bit_english_mlf_x20-93836/sources/install.wim#Windows 10 Education VL" xmlns:cpi="urn:schemas-microsoft-com:cpi" /> </unattend>

Windows 10 for Education x64.