Deploying FOG in a Secure‑Boot‑Mandated UEFI Environment

Aaexy

Background / Environment
Component Details
FOG version
1.5.10 (fresh install)

OS on FOG server
Ubuntu 22.04 LTS

Boot services
Proxy DHCP via dnsmasq (no ISC‑DHCP on same network)

Client hardware
Mixed Dell OptiPlex 7× / Latitude 5× series (UEFI‑only)

Secure Boot policy Must remain enabled at all times; only Microsoft‑signed keys are in the firmware (no option to enrol custom keys).

What I’ve attempted
Replaced FOG’s default bootloaders with Microsoft‑signed shim (bootx64.efi) and GRUB (grubx64.efi).

Updated dnsmasq.conf to hand out the signed shim.

Configured GRUB to chain‑load FOG’s ipxe.efi.
Result: GRUB launches but i can’t make it boot to fog

If you have a Secure‑Boot‑friendly FOG setup—or tips on signing iPXE/adjusting the boot chain—I’d greatly appreciate:

george1421

@Aaexy said in Deploying FOG in a Secure‑Boot‑Mandated UEFI Environment:

Secure Boot policy Must remain enabled at all times; only Microsoft‑signed keys are in the firmware (no option to enrol custom keys).

If this is the case there is nothing you can do with FOG. You will need to get the ipxe kernel (ipxe.efi / snp.efi) and bzImage signed with the microsoft keys so they can boot in your environment. While this pains me to say, you would probably be better off with a different imaging solution than FOG.