General A to Z support (FOG)
-
Hey there,
I’m relatively new to FOG Project and from what I read it could be an interesting addition to the firm I work with. We’re basically an IT service provider, but also supply products and equipment to our clients. Many of those are laptops or desktop computers.
After having manually prepared these systems for over a year now, I figured it was time to invest some time into automating it, but I’ve been struggling a ton. The most common OS we’re installing currently is Windows 11. We often reinstall new laptops to get rid of bloatware as well as provide a ready-to-go system for our clients by installing basic software.
The way it’s currently being done is:
- RUFUS-formatted USB drive with Windows 11 22H2 (this allowed us to skip some of the OOBE steps when installing)
- Custom batch script that adjusts some settings, installs software using Chocolatey, and searches for Windows updates and installs them.
A lot of these still require a little bit of user interaction and I’d like to bring that down to zero.
But the combination of limited experience with deployment and scripting might be hindering me. My goal: unbox a laptop, plug in the ethernet cable and boot from network. From there, it will automatically install Windows 11, automatically create a user account, automatically install our basic set of software and install the latest updates for Windows (or at least the first batch).
Sidenote: I am aware that it would be best if we had a golden image, considering we work with different models and both laptops and desktops. Drivers are generally not a big issue due to Windows updates, and in the rare case that we do need extras, it’s fine if that has to happen manually. I would appreciate it if someone was able to give me a bit of a guiding hand in setting this up in a detailed manner. I am hoping to document everything for future reference as well.
Thanks in advance!
-
@FoxNBeard Quite a few MSPs and system builders use FOG for image deployment. So it’s possible to do, but it WILL take WORK on your side to set up the environment to get an efficient workflow. Once you have everything set up correctly you can go from bare metal to first user login in about 12 minutes. With a 25GB golden image the push takes about 4.5 minutes; the rest of the time is Windows being Windows…
I would first start with a golden image. Load all of your common apps into the golden image except enterprise AV or any app that utilizes a unique ID for each device; these apps need to be installed post-deployment. You may need one of these golden images per customer if they have different core application mixes. The goal here is to be able to take a bare metal computer to a finished image as quickly as possible for a system builder. So spend a little more time on the front end setting up your environment and reclaim the benefits on the back end.
I would suggest that you use Microsoft’s MDT for golden image creation. MDT will take about 1 hr to create your golden image because it builds the golden image from the master DVD image, much like you would do by hand, but in an automated manner. Using MDT you will be able to customize your golden image builds on a per-customer basis. I know this sounds counterintuitive, but use MDT to build a predictable and repeatable golden image. MDT will install all of the latest Windows updates for you if needed. Then you will only be out of date from the last time you created the golden image. Capture the golden image with FOG and then use FOG for the one-to-many deployments. Develop your golden image in a virtual machine environment to make the golden image hardware neutral. If you need hardware-specific drivers, FOG can place them on the target computer so that Windows OOBE/WinSetup can find and install them.
FOG uses block level cloning, which is super fast but not deploy time flexible. MDT uses file level cloning, which is deploy time flexible but slow. Each tool has its best use case and they fit together well.
In your golden image use an unattend.xml file to configure the workstation, like creating user accounts, tweaking the windows environment, or installing apps. This is all windows os tuning and standard windows deployment, not related to FOG.
Now back to FOG. You have the golden image captured and stored in FOG. Normally you need to register each computer you want to image with FOG so you can deploy an image to it. But in your case, once you load the target OS on the computer FOG will never see that computer again, so registering and deploying with FOG just adds extra steps. There is a process I use called “Load and Go”. This is where you PXE boot a target computer and pick “Deploy image” from the FOG iPXE menu. You then select the image and FOG will deploy to that system without requiring it to be registered. Once the image has been deployed, FOG forgets all about the target system. There are some caveats here, like post-install activities such as deploying snapins (apps) and a few other FOG maintenance functions, which you won’t use in your case. So make the golden image fully self-contained. With the Load and Go method FOG will just push the image to the target computer quickly and then forget about the computer.
So how might you deploy post-install apps? Use setupcomplete.cmd, or the auto-login / first-run section of the unattend.xml file, to call Chocolatey and let it do its thing to the computer.
-
@george1421
Thank you for the detailed response. I have been messing around in MDT in the past and had it working to the point of installing Windows completely unattended, but it had a few issues I couldn’t seem to solve:
- It would install with the Administrator account activated. Through the unattend.xml I was able to figure out how to have it make a second user with administrator privileges, but I couldn’t seem to solve how to not have the Administrator account active and only the user.
- I presume due to limited knowledge, I couldn’t figure out how to let MDT install both updates and applications correctly.
I was wondering if I was able to manually configure a VM and pull an image to FOG that way?
I was able to do this once but bumped into a few issues:
- Hostname was identical to the original machine (although I think, unless wrongly configured, the hostname changer in FOG was active).
- I remember that in the past you were supposed to sysprep a machine to deal with SIDs and whatnot, but I haven’t been able to successfully sysprep a machine since Windows 11 came out. Is sysprepping necessary for what I am trying to achieve? How does FOG deal with Windows SIDs and the like?
And last but not least, are there any “newbie-friendly” guides that could help me through the entire process? Preparation time is not an issue, as long as in the end I can quickly image new computers to be ready-to-use for our clients without needing to interact with the process.
Thanks!
-
@FoxNBeard said in General A to Z support (FOG):
It would install with the Administrator account activated. Through the unattend.xml I was able to figure out how to have it make a second user with administrator priviledges, but I couldn’t seem to solve how to not have the administrator account active and only the user.
Use the setupcomplete.cmd batch file to do this. With something like this in batch:

REM Rename the built-in Administrator account to something else
wmic useraccount where name='administrator' rename slipperyjim
net localgroup administrators slipperyjim /add
REM Rename the built-in Guest account
wmic useraccount where name='guest' rename debbiedowner
REM Create a decoy "Administrator" account for hackers to bang on (disabled, password cannot be changed)
net user Administrator NeG@tiveNancy-F@nT@#13s /ADD /comment:"Built-in account for administering the computer/domain" /PASSWORDCHG:NO /active:NO /Y
REM Be sure to remove the decoy from the Administrators and Users groups; add it to Guests to limit access
net localgroup Administrators Administrator /delete
net localgroup Guests Administrator /add
net localgroup Users Administrator /delete
REM Create the new system admin user (the same account name must be used in all three lines below)
net user sysacce55 "1cecr3am-SanWitch0" /add /EXPIRES:NEVER /PASSWORDCHG:NO /active:YES /Y
net localgroup Administrators sysacce55 /add
wmic useraccount where Name='sysacce55' set PasswordExpires=FALSE
REM Disable slipperyjim (the real built-in admin/root account)
net user slipperyjim /active:no
I presume due to limited knowledge, I couldn’t figure out how to let MDT install both updates and applications correctly.
There is a task sequence to apply windows updates. It helps if you have a local WSUS server to cache the packages. When I was just getting started in imaging this site helped out quite a bit. https://www.deploymentresearch.com/
I was wondering if I was able to manually configure a VM and pull an image to FOG that way?
Yes developing your golden image on a VM is the best choice so you can use snapshots to fix o-crap moments while perfecting your golden image.
Hostname was identical to the original machine (Although I think, unless wrongly configured, the hostname changer in FOG was active).
This is true because FOG is a block-level cloner; it knows nothing about the target system. To use the hostname changer you will need to register the computer with FOG and have the FOG client installed. That is not something you probably want as a system builder. You can have FOG set the name of the computer at deploy time by using a custom FOG post-install script that will inject a new host name into the unattend.xml file at deployment time.
Yes, I would still sysprep your Windows system. For full disclosure, I have not had to build an image for Windows 11 yet, so I might be incorrect here. BUT I would also build your golden image so that it’s protected from getting to the internet. I have seen on Windows 10 that if the workstation can get to the internet it will try to download stuff, causing sysprep to fail.
I would spend my time getting MDT to do what you want it to do to give you the perfect golden image. The capture and deploy with FOG is the easy part (kind of). If you want to do more of the advanced stuff like editing the unattend.xml file on the fly it will take some time but I have examples for that.
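The two pieces george1421 describes, a self-contained unattend.xml (a local admin account, a one-shot auto-logon, and a first-logon command that hands off to Chocolatey) and a post-install script that injects the host name at deploy time, as an added example that is not part of this thread or of FOG's own code. It assumes FOG's post-download hook at /images/postdownloadscripts/fog.postdownload running in FOS, the FOS variables $hostname (empty for an unregistered "Load and Go" host) and $mac, and the answer file living at /ntfs/Windows/Panther/unattend.xml once the Windows partition is mounted; the unattend.xml below is constructed, so the script runs offline on a temporary copy:

```shell
#!/bin/sh
# Added example, not FOG's or the thread's own code.
# Part 1: a constructed unattend.xml fragment with the pieces the thread names:
#         a local admin account, a one-shot AutoLogon, and a FirstLogonCommands
#         entry that hands off to a Chocolatey install script.
# Part 2: helpers in the style of a FOG post-download script that set
#         <ComputerName> at deploy time (a block-level clone cannot do that).
# Assumed, not verified here: FOS exports $hostname (empty for an unregistered
# load-and-go host) and $mac; the Windows partition is mounted at /ntfs; the
# answer file is /ntfs/Windows/Panther/unattend.xml.

sample_unattend() {
cat <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <ComputerName>PLACEHOLDER</ComputerName>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Name>deploy</Name>
            <Group>Administrators</Group>
            <Password><Value>ChangeMe-Deploy1</Value><PlainText>true</PlainText></Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
      <AutoLogon>
        <Username>deploy</Username>
        <Password><Value>ChangeMe-Deploy1</Value><PlainText>true</PlainText></Password>
        <Enabled>true</Enabled>
        <LogonCount>1</LogonCount>
      </AutoLogon>
      <FirstLogonCommands>
        <SynchronousCommand wcm:action="add">
          <Order>1</Order>
          <CommandLine>cmd /c C:\Deploy\install-apps.cmd</CommandLine>
          <Description>Chocolatey package install, runs once as the auto-logon user</Description>
        </SynchronousCommand>
      </FirstLogonCommands>
    </component>
  </settings>
</unattend>
EOF
}

# Build a valid NetBIOS name: uppercase, only A-Z 0-9 and '-', at most 15 chars.
# Falls back to PC-<last 6 hex digits of the MAC> when FOG has no hostname
# for this machine (the load-and-go case).
make_hostname() {
  name="$1"
  mac="$2"
  if [ -z "$name" ]; then
    name="PC-$(printf '%s' "$mac" | tr -d ':' | tr 'a-f' 'A-F' | tail -c 6)"
  fi
  printf '%s' "$name" | tr 'a-z' 'A-Z' | tr -cd 'A-Z0-9-' | cut -c1-15
}

# Replace the <ComputerName> element in an answer file. Returns 1 if the
# image's unattend.xml has no such element, so the failure shows in the log
# instead of silently deploying with the captured VM's name.
set_unattend_hostname() {
  file="$1"
  name="$2"
  grep -q '<ComputerName>' "$file" || return 1
  sed "s#<ComputerName>[^<]*</ComputerName>#<ComputerName>${name}</ComputerName>#g" "$file" > "$file.tmp" \
    && mv "$file.tmp" "$file"
}

get_unattend_hostname() {
  sed -n 's#.*<ComputerName>\([^<]*\)</ComputerName>.*#\1#p' "$1" | head -n 1
}

# Stand-alone demo on a temporary copy. In the real FOS script the target
# would be /ntfs/Windows/Panther/unattend.xml after mounting the partition.
tmp="$(mktemp)"
sample_unattend > "$tmp"
set_unattend_hostname "$tmp" "$(make_hostname "${hostname:-}" "${mac:-00:11:22:aa:bb:cc}")"
echo "ComputerName set to: $(get_unattend_hostname "$tmp")"
rm -f "$tmp"
```

Two things to keep in mind with this layout. The auto-logon password is stored in clear text in the answer file, and Windows keeps a copy under C:\Windows\Panther after setup, so the first-logon script should finish by disabling or re-passwording the deploy account (the same kind of cleanup george1421's setupcomplete.cmd does for the built-in Administrator) and removing the Panther copies; LogonCount of 1 keeps the account from logging itself in again afterwards. And because a load-and-go host is never registered, $hostname is empty on the FOS side, which is why the MAC-derived fallback exists; whatever you derive must fit the 15-character NetBIOS limit or Windows setup will reject it.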