RE: postdownload script

@geekyjm Are you using a postdownload script to dynamically update your unattend.xml file so sysprep will join the domain with the settings given by fog?
Or are you using the fog service to join the domain during the oobe firstlogon phase, or after that?

@r-pawlowski I would be happy to help in anyway I can. Personally, I deploy a bootmanager (grub2win) and the ipxe.efi file to each machines efi partition. Then I can just change the boot managers default to boot straight to fog. It takes a bit of time to get setup, but I found it to be the most reliable as I then didn’t have to worry as much about the bios settings. Theoretically you can use bcdedit commands to change the boot order to boot to network, but that also differs on different hardware.

I digress though, the easy bit for queueing an image to deploy

• Follow the setup instructions for the fog API (involves installing the module from powershell gallery and then inputting your API keys and fog server address)
• Then make sure the host you’re imaging is assigned the correct image, this can be changed in the API if you need that, but for this quick example, we’ll pretend it’s set correct.
• For an example, we’ll say the hostname of a computer in fog is ‘test-computer’, so this will find the host in fog, then queue an image to deploy on it right now

$hostID = (Get-FogHost -hostname 'Test-Computer').id
#create a quick json string, this can also be done in a powershell object and converted, but this is just a quick example.
#tasktypeID of 1 is a deploy task, if no runtime/schedule time is specified, it defaults to instant deploy
# shutdown = 0 is not scheduling with shutdown
# I believe other2 = 0 means not a debug
# other4 = 1 means to enable wol
# isactive =1 means the task is active
$jsonData = "{`"taskTypeID`": 1,`"shutdown`":`"0`",`"other2`":`"0`",`"other4`":`"1`",`"isActive`":`"1`" }";
# make the API call to create the new task for your host
New-FogObject -type objecttasktype -coreTaskObject host -jsonData $jsonData -IDofObject $hostId;

Once you have this all setup in a powershell module or script internally, you can get things automated pretty smoothly. It’s meant to be modular so it can be applied to any infrastructure or workflow and built upon.

If you need more help let me know and I’ll see what I can do.

@jape You can use the api (See the powershell api module links in my signature). You can use it to create the scheduled task. i.e. (provided you got the module all setup prior) the following would create a scheduled deploy task for host with id ‘1234’
at 8 pm tonight. The following is all powershell that can be run from your admin workstation.

#define the schedule time in the linux format
$startAtTime = (get-date 8pm)
$EpochDiff = New-TimeSpan "01 January 1970 00:00:00" $($startAtTime)
$scheduleTime = [INT] $EpochDiff.TotalSeconds - [timezone]::CurrentTimeZone.GetUtcOffset($(get-date)).totalseconds
#define the schedule time in human readable format
$runTime = get-date $StartAtTime -Format "yyyy-M-d HH:MM"
$jsonData = @"
                    {
                        "name":"Deploy Task",
                        "type":"S",
                        "taskTypeID":"1",
                        "runTime":"$runTime",
                        "scheduleTime":"$scheduleTime",
                        "isGroupTask":"0",
                        "hostID":"1234",
                        "shutdown":"0",
                        "other2":"0",
                        "other4":"1",
                        "isActive":"1"
                    }
"@
#create the scheduled deploy task with the defined json
New-FogObject -type object -coreObject scheduledtask -jsonData $jsonData

@wayne-workman My first instinct is to say “whoa there, lets not abandon centos and its enterprise grade security”.
But at the same time, I’m still using CentOS 7 for Fog and never took the time to upgrade to 8 as I’ve read in this forum and other places of troubles. I didn’t even know there was a thing called CentOS Stream (keeping up with windows constant OS version upgrades takes up all my OS research time). So, despite my instinctive hesitance I’m all for this idea, simplifying development requirements for the win.

However, there are many that were taught the mentality in various ways that RHEL = better for business, and ubunutu = for linux beginners. This isn’t a true statement, especially nowadays, it is a mentality that still exists though. So if we’re going to discontinue native installer support for CentOs, I think we should write something up for our public pages, like on the fogproject.org download page, to help not deter users with this old thinking of ‘RHEL is better for business’ engrained in their soul. Just my 2 cents.

Also, for those 122 of us on the older CentOS 7/8, would this change to the installer make it so we need to move distros for future updates?

Also, if we’re going to focus the installed on ubuntu and debian, might we look at creating and publishing an apt package to make installs even easier?

@jj-fullmer I haven’t done a full thorough fog windows 11 test. But it seems that some of the cpu and bios security “requirements” aren’t hard requirements. As long as your cpu supports TPM 1.2 you can do a clean install of windows 11, you just can’t in place upgrade (without a registry change).

I am also posting this on a computer with windows 11 on it, with an i7-6700. I didn’t use fog, and secure boot got enabled by the windows 11 installer (it might have already been enabled, I didn’t double check sadly). However I just disabled secure boot and could still boot.

So the concerns about a secure boot requirement may be unfounded. This is my home computer and I don’t have a fog server at home, but I’ll come back here once I get a chance to test creating and deploying a windows 11 image to see if there are any issues with secure boot. If anyone wants to test this out @testers before I get some time, you can download a windows 11 iso here https://www.microsoft.com/en-us/software-download/windows11?ranMID=24542&ranEAID=0JlRymcP1YU&ranSiteID=0JlRymcP1YU-aILwA1rXpThxrraz01AUgg&epi=0JlRymcP1YU-aILwA1rXpThxrraz01AUgg&irgwc=1&irclickid=_2cqgd3xf9kkf6xflm1yfj9km9e2xoz2ov3bwz2yp00

@sebastian-roth I need to get back into those docs. Things have been just so crazy lately. When you have something working let me know and we’ll get it documented.

My solution for this problem has been to use the api the remove usb macs when my provisioning script is done. I have it working by using the client.
The basics are

• Computer gets registered with usb adapter
• My custom provisioning starts and the fog service is started which will add pending macs
• I leave the usb adapter plugged in until my provisioning is complete (so software install and whatnot happens over ethernet not wifi)
• Last step of provisioning uses a powershell api function to remove any existing usb macs (I have a saved list in the powershell of macs in my code)
• Adapter can then be removed and used on the next device

My custom functions uses my published fogapi powershell module, particularly this function https://fogapi.readthedocs.io/en/latest/commands/Remove-UsbMac/
Here’s a link to the code on github https://github.com/darksidemilk/FogApi/blob/master/FogApi/Public/Remove-UsbMac.ps1
The function also handles making a new mac the client found be the primary mac if the usb mac is the current primary.
If you’re not using the client, you could also create a custom automation to find the mac addresses of the machine during a postscript/firstlogon/provisioning step and have it use https://github.com/darksidemilk/FogApi/blob/master/FogApi/Public/Add-FogHostMac.ps1 to add a new unique mac then use the remove-usbmac function to remove specified usb macs.

If you’d like more info or examples I’d be happy to help, just wanted to offer a quick overview of a possible solution.

@sebastian-roth said in boot php - denied:

@robertkwild said in boot php - denied:

the desktop in question that gets the error is a hp z640

Searching the forum I found that @JJ-Fullmer also has used HP Z640 machines some time ago. I am wondering if you have HTTPS enabled on your FOG server as well?

Holy cow that was a long time ago. That’s when we added nvme support. Good times.

Glad to hear you got it working @robertkwild sounds like it probably was the cmos/time issue.

@austinjt01 Have you tried different versions of bzImage and or init.xz?
i.e. try downloading the latest kernel from the kernel update screen in your fog gui and giving it a name like bzImage5 and then set that case sensitive name as the kernel on the fog host in question and see if it makes a difference.

Also, have you checked in the fog web task manager when it is stuck to see if it shows progress there? It’s rare, but I remember once seeing it look like it was stuck but the computer just wasn’t displaying the progress and it was actually working.

@cello said in How to create a Windows 10 Image:

Is it also possible without Sysprep?

It’s a trap!

While there are ways that appear to work without sysprep, you’ll have a much better time if you just use sysprep.
I learned this the hard way. Sysprep has gotten faster and a bit easier (in some respects at least).
If you don’t use it, you’ll end up with windows licenses with the same universal identifiers, which breaks volume license activation tools.
You can also end up with driver problems if the image wasn’t created on the same model computer and you don’t use sysprep.

If I were to sum up our steps for creating a win 10 image (but like @george1421 said it’s a bit out of scope and would take days to answer in full detail, also we don’t use MDT, just to provide another method) I would say

1. Download iso of latest version of most recent windows 10 H2 release (i.e. 20H2, ltsb versions are also a trap unless truly neccessary)
2. Create an unattend file using windows system image manager (see also https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/wsim/windows-system-image-manager-how-to-topics) I personally took the time a few years ago to ready through all the options available, it’s pretty extensive. But you can also make it pretty basic with setting some simple settings, adding some first logoncommands, and then just make sure you read up on using the ‘reseal’ options to make the sysprep phases go in your desired order. (i.e. I have mine go Audit System - adds (but doesn’t install) network drivers to the driver store -> Audit User - reseals to generalize -> Generalize - removes drivers not added by sysprep and makes the image general for any device -> I have it send to shutdown from here -> I Upload it to fog -> When it deploys it starts the specialize phase -> Then it goes through oobe (which you can make unattended, there are some skip oobe options to be sure it doesn’t show, but you want to be sure all settings that would be set during interactive oobe are set by your unattend.xml created with windows system image manager)
3. Install the iso on a vm (or whereever you want to capture your image from), at the oobe screen after install hit ctrl+shift+f3 to enter audit mode
4. DO NOT OPEN THE WINDOWS STORE (if apps are updated in the store, sysprep won’t run, it’s a whole thing)
5. Add customizations/files you want on all machines (some will be removed by sysprep, figuring it out involves some reading and trial and error) and add the unattend.xml file to “C:\Unattend.xml” and “C:\Windows\System32\Sysprep\Unattend.xml” (I like using both places as a fail safe to be sure its used). I personally use custom powershell modules to automate this whole process, scripting it in some way is a good idea once you get it dialed in. I suggest limiting program installation at this step, I have found its better to use a provisioning method such as snapins and or chocolatey triggered by the firstlogoncommands to add programs, easier to keep them up to date and if something goes wrong with an install it’s not then on every single one of your computers.
6. Run sysprep (i.e. sysprep.exe /audit /reboot /unattend:"C:\unattend.xml") and capture the image to fog
7. Deploy the image with fog and watch the magic happen

Part of the oobe phase can involve auto-logging in as the administartor and running the firstlogoncommands, which is where (if you didn’t add it during audit mode) you can make sure the fogservice is there and will get your computer connected to your domain.

This is all a very high level overview and there may be some steps in between beyond creating scripts and other infrastructure. docs.microsoft.com has many helpful guides for the available unattend.xml options and creating images, I thought I had some of the more helpful ones bookmarked/referenced in internal docs but I can’t find them at the moment. I’ll share them if I find them later and remember.

If you take the time to do it right and get it all setup, it becomes very easy to create new images and deploy them.
You could also easily use fogs scheduled tasks to deploy the image nightly on machines. You’ll just need to dial in the firstlogoncommands to work they way you want it to.

According to the official page from microsoft https://www.microsoft.com/en-us/windows/windows-11-specifications it just says “secure boot capable” I guess we’ll just have to wait till it’s released to insiders to get some real world information.

I realize this was only just announced today, but windows 11 is coming as early as this year and it now (allegedly) requires secure boot and tpm to be enabled to be installed (see also https://www.windowscentral.com/windows-11-system-requirements)

There’s been past discussion about getting secure boot supported for fog, but it looks like the time soon comes where we have to do it (which seems to be a theme with a lot of things in tech recently and in the coming year)

So I just wanted to open up a new thread to get the discussion going to see what needs to be done.

@mechalas More help? Yes Please!

@jj-fullmer said in FOG 1.5.4 API host module settings:

@JJ-Fullmer said in FOG 1.5.4 API host module settings:

@Jamaal Glad you got it figured out, sorry I didn’t see this early as adding it to the host splat that you convert to json adds it to the json data that @Tom-Elliott references here. I will make a note about adding something with setting modules to my module in the future

Look, I made a note https://github.com/darksidemilk/FogApi/issues/1

@Jamaal I also finally did something with this. I hope to at some point develop this a lot further and have dynamic parameters for snapins and groups when adding a host in powershell. But for now there is at least a basic new-foghost function that will create a host with a given name and mac list and enable the modules that you have set as default in your fog server.

This is published in version 2103.2.12
https://www.powershellgallery.com/packages/FogApi/2103.2.12
https://github.com/darksidemilk/FogApi/releases/tag/2103.2.12

@Jamaal
@jj-fullmer said in fog API powershell help:

Glad I had the code for get-foggroups somewhere to be found. It looks like something weird happened to the get-foggroups function and all the code disappeared from it. I’ll need to get that fixed as soon as I can as that function is used all over the place. I have made an issue for it https://github.com/darksidemilk/FogApi/issues/3

I just published a new version of the module fixing the issue with get-foggroups and subsequently get-foggroupsbyname if you update to the new version 2103.2.12 those functions should work now.

A new small bugfix and feature release has just been published.
This fixes issues related to getting fog groups and adds functions for creating fog hosts.

https://github.com/darksidemilk/FogApi/releases/tag/2103.2.12

https://www.powershellgallery.com/packages/FogApi/2103.2.12

@jamaal I created my own infrastructure to handle this. It was not a simple process, but it works pretty well.
I have what I call profile packages for each department, we use chocolatey for that and each one has a snapin.
I have a powershell module for provisioning. I use sysprep/unattend firstlogoncommands to trigger its start and then it goes through a series of commands and restarts amongst that I have it use the api to get the fog group a host is in and then it adds the associated snapin that I associate through code and file structure.
Once you get that far you can add a list of snapins to a host, deploy them, and then remove them (so the host remains ready to be deployed in a different department without having to remove old snapins) all with the api.

Check out

• Set-fogsnapins for setting a list of snapins to a host https://fogapi.readthedocs.io/en/latest/commands/Set-FogSnapins/
  (I just noticed I forgot to remove the $dept parameter in that function, that was for my internal use, you can just ignore it)
• Start-FogSnapins for starting the deploy all snapins task on a host
  https://fogapi.readthedocs.io/en/latest/commands/Start-FogSnapins/
• Remove-FogObject for removing the snapins from a host, looks like I haven’t published a helper function for removing the snapins just yet.
  https://fogapi.readthedocs.io/en/latest/commands/Remove-FogObject/
  • here’s an example of how you would remove the snapins. To remove them you have to remove the snapinassociation object.

#create a list/array of the snapins you want to remove
$snapinsToRemove = @('snapin','names','here'); 

#get all the snapin associaion objects
$AllAssocs = (Get-FogObject -type object -coreObject snapinassociation).snapinassociations

# Get the snapins associated with your host
$AllHostSnapins = Get-FogAssociatedSnapins -hostId $hostID;

#get the ids of the snapins you want to remove, from the list of snapins attached to your host.
$snapinIds = ($AllHostSnapins | Where-Object name -in $snapinsToRemove).id

#Get a list of the snapinassociation ids that match your host id and are in the list of snapin ids attached to your host
$assocsToRemove = $allAssocs | Where-Object { $_.hostID -eq $hostID -AND $_.snapinID -in $snapinIds}

# loop through the found associations and remove them
$assocsToRemove | ForEach-Object {
    Remove-FogObject -type object -coreObject snapinassociation -IDofObject $_.id;
}

I believe there is also a fog plugin for persistent groups that can do more of what you describe natively in fog.

Granted, I will need to get the get-foggroups function fixed for some of this to work properly. Maybe I’ll have some time this weekend.

Made a fogapi git issue, so that I hopefully don’t forget about this idea https://github.com/darksidemilk/FogApi/issues/4

@jamaal I see that you’re using the powershell ISE. While that is still a great tool, I would personally recommend giving vscode with the powershell extension a try. That’s what I use for all my development and find it faster and easier to use.

@jamaal I have a function for inventory here https://fogapi.readthedocs.io/en/latest/commands/Get-FogInventory/
It gets the same inventory information via powershell and adds it to fog.
I can also help you with queuing the native inventory task, but that might be a bit trickier. I think you can schedule more than one task for a machine when it’s a scheduled task, but I’m not sure.

Glad I had the code for get-foggroups somewhere to be found. It looks like something weird happened to the get-foggroups function and all the code disappeared from it. I’ll need to get that fixed as soon as I can as that function is used all over the place. I have made an issue for it https://github.com/darksidemilk/FogApi/issues/3