RE: Windows 11 image can be deployed with secure boot disabled

Doesn’t secure boot use unique keys? Have you been able to boot with secure boot enabled on machines that you deployed the image to?

@george1421 The USB ipxe boot method works perfectly, from a USB drive. The idea is to somehow make that ipxe process boot BEFORE Windows on the hard drive itself instead of the usb drive, and have a countdown to boot from first hardrive. This way I can set a deploy or capture task remotely and it would work. As for specifying the IP address, I already did. Ipxe sees the FOG server on the same vlan, but on a different vlan ipxe asks for the FOG server address.

GOAL: Manage remote clients for imaging on a non-PXE enabled network
Obstacles: Boot method and process
Since we don’t have pxe set up on our prod network sigh, I have been using the USB drive boot method for imaging from our secondary FOG server which does not have DHCP enabled. So the images get pulled from the NFS share. I noticed that when I boot the USB on the same network as the FOG server, the boot process does not ask for the FOG server IP address. But If I am on a different VLAN, it will ask. So thats issue #1.

Issue #2 is that I have the FOG menu password protected. So if I had a task set up to deploy for a particular device, I believe that password protection will stop the process, unless I’m wrong and it will just continue. Obviously for any of this to work the hosts will have to be registered.

So I’d like to take the USB method and make that the first boot option of the main drive in a PC. Put a timeout option to 3 seconds. And also keep the menu protected. Could I do this?

Try updating the Kernel drivers? I’ve seen varying ipxe performance from different hardware. For example, I’ve seen ipxe boot faster on an Optiplex 7020 vs 3020 which is a newer model.

So since we don’t manage PCs using FOG, we use SCCM, we don’t have registered hosts. But is there a way to find out how many devices have had images deployed to them?

I would guess a Group capture would be necessary. If we can find out what commands/scripts run when you run a Group Capture task, we can then send it to a cronjob that would run on a schedule. Can the devs chime in?

Where do I set the password required at the ipxe menu? The username is “fog” but I need to reset that password.

Got it. Script works. Thanks!

@junkhacker Cool thanks. I only know some coding and scripting but nothing about python. I replaced “username” with “user” as you instructed and got a new error this time:

Traceback (most recent call last):
  File "checkimages.py", line 4, in <module>
    mydb = mysql.connector.connect(
  File "/home/administrator/.local/lib/python3.8/site-packages/mysql/connector/__init__.py", line 179, in connect
    return MySQLConnection(*args, **kwargs)
  File "/home/administrator/.local/lib/python3.8/site-packages/mysql/connector/connection.py", line 95, in __init__
    self.connect(**kwargs)
  File "/home/administrator/.local/lib/python3.8/site-packages/mysql/connector/abstracts.py", line 716, in connect
    self._open_connection()
  File "/home/administrator/.local/lib/python3.8/site-packages/mysql/connector/connection.py", line 208, in _open_connection
    self._do_auth(self._user, self._password,
  File "/home/administrator/.local/lib/python3.8/site-packages/mysql/connector/connection.py", line 137, in _do_auth
    packet = self._protocol.make_auth(
  File "/home/administrator/.local/lib/python3.8/site-packages/mysql/connector/protocol.py", line 99, in make_auth
    packet += self._auth_response(client_flags, username, password,
  File "/home/administrator/.local/lib/python3.8/site-packages/mysql/connector/protocol.py", line 58, in _auth_response
    auth = get_auth_plugin(auth_plugin)(
  File "/home/administrator/.local/lib/python3.8/site-packages/mysql/connector/authentication.py", line 190, in get_auth_plugin
    raise errors.NotSupportedError(
mysql.connector.errors.NotSupportedError: Authentication plugin 'caching_sha2_password' is not supported

Does python think the “password” is a hash and not an actual password?

@junkhacker I built an ipxe image using the fog’s kernels and files and made them into a vISO then mounted it to my vm. Boot from it, then normally it would load ipxe and eventually the fog menu. since I updated vbox it stopped working. yeah I’ll have to play with it.

@junkhacker yup I had an underscore where it shouldn’t have been. bang.

I found the sql creds and placed them into your script. Ran it and got:

python3.8 checkimages.py 
Traceback (most recent call last):
  File "/home/administrator/.local/lib/python3.8/site-packages/mysql/connector/abstracts.py", line 301, in config
    DEFAULT_CONFIGURATION[key]
KeyError: 'username'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "checkimages.py", line 4, in <module>
    mydb = mysql.connector.connect(
  File "/home/administrator/.local/lib/python3.8/site-packages/mysql/connector/__init__.py", line 179, in connect
    return MySQLConnection(*args, **kwargs)
  File "/home/administrator/.local/lib/python3.8/site-packages/mysql/connector/connection.py", line 95, in __init__
    self.connect(**kwargs)
  File "/home/administrator/.local/lib/python3.8/site-packages/mysql/connector/abstracts.py", line 713, in connect
    self.config(**kwargs)
  File "/home/administrator/.local/lib/python3.8/site-packages/mysql/connector/abstracts.py", line 303, in config
    raise AttributeError("Unsupported argument '{0}'".format(key))
AttributeError: Unsupported argument 'username'

I know this might be more of a VirtualBox issue than a fog issue but I was able to boot into my fog usb iso using VB 6.1 to test things out and experiment. As of today though, it just hangs at initializing ipxe devices. I tried changing the vnic to PCFast III and while it does get me the fog menu, it stops at downloading the bzimage file. Any ideas?

@junkhacker So I can’t remember what password I set for the mysql db. But I have a new question related to the topic. I captured an image, uploaded to the main fog server. I copied that image folder from /images to the /images folder on my secondary FOG server. I created a new image in FOG web ui and pointed it to the folder I just copied. When I try to deploy the image from the secondary FOG server, an error comes up saying that image store could not be found. I’m guessing its because the image doesn’t really exist in the db even though I created it in the web UI.

@junkhacker Wow thanks! I will try that!

@Sebastian-Roth So as long as the “Image path” is correct, the name of the image in the FOG UI doesn’t really matter. I’ll go through and clean them up. Thanks again!

UPDATE: I saved that code into a file called checkimages.py and ran python3 checkimages.py as root and got this error:
Traceback (most recent call last):
File “checkimages.py”, line 1, in <module>
import mysql.connector
ModuleNotFoundError: No module named ‘mysql’
I entered my sql password in the script as well.

I have secondary FOG server. I imported images from the main server and while I also copied all the images from the main, or tried to, not all of them made it over, the secondary server has much less drive capacity. So now I have a bunch of invalid and dup entries on the secondary FOG web ui image list. Is there a way to delete all of the images from the list and make the server rescan /images to repopulate that List all Images list?

Wait nevermind I figured it out. I enabled the “Hide Menu” option under Fog Configuration>iPXE General Configuration>Menu Hide/No Menu settings. Pressing ESC after entering the FOG tftp server IP shows the login menu. Perfect!

I have been experimenting with booting the FOG ipxe menu via USB drive with great success. During the ipxe boot process it asks for the fog server IP. Is there way to password protect the next step after this? I want to secure the initial fog menu that has options like Deploy Image, Register, etc. The reason for this is that I added Hirens WinPE as an option. My concern is that Hirens has a utility to reset the admin password for Windows on the local hard drive. So if someone knows the FOG server IP, they can just build their own FOG USB drive and get into Hirens to reset the password or gain unauthorized access to user files.

@sebastian-roth Nor did I assume it would be!
I haven’t tried any of this yet, but I am assuming that this would have to be done for each image.

@sebastian-roth
cat /images/DOHWIC_7450AIO/d1.minimum.partitions

label: gpt
label-id: 665ED030-2751-4506-B81A-D098A006B220
device: /dev/sda
unit: sectors
first-lba: 34
last-lba: 976773134
sector-size: 512

/dev/sda1 : start=        2048, size=     1024000, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, uuid=93F996F2-F2D7-4086-87CD-765BF2355148, name="EFI system partition", attrs="GUID:63"
/dev/sda2 : start=     1026048, size=      262144, type=E3C9E316-0B5C-4DB8-817D-F92DF00215AE, uuid=7A4B87F6-F8A8-4A6B-A90E-3445738EC128, name="Microsoft reserved partition", attrs="GUID:63"
/dev/sda3 : start=     1288192, size=    45294648, type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, uuid=30391013-A07B-4662-8088-8082ABF79A72, name="Basic data partition"
/dev/sda4 : start=   967014400, size=       96256, type=DE94BBA4-06D1-4D40-A16A-BFD50179D6AC, uuid=9F46892D-941F-430E-BA27-F56630C6B02F, name="Basic data partition", attrs="RequiredPartition GUID:63"