Disable Bitlocker was no alternative. That’s the result of my tests today.
At first I tried to only unlock the bitlocked drive, but this will not withstand a reboot. So my unlocked image gets locked again when I reboot.
When I disable BL that means I have to remove the BL encryption, so that the dd in funcs.sh ( dd if=$part bs=512 count=1 2>&1 | grep -i ‘-FVE-FS-’ ) is not able to find the BL-signature.
But that would mean I have to deploy truly clean images and encrypt EVERY deployed image afterwards. This is a no-go. It costs time in encryption and (even worse) it creates one dedicated key for every new deployed computer.
We need to use one remotely stored key for all deployed computers. That makes best sense in our use-case an I cannot change that decission. TPM will not work for us and would no make sense either as we need to have that mentioned key. Windows update will not hesitate us here … its an embedded W7 for dedicated systems.
Finally I patched funcs.sh (uncommented that bitlocker check) and made a new init.xz of it.
So my remaining question here:
How I have to use the setupcomplete.cmd correctly in terms of:
- receive the new hostname . Here my first attempt was to wait some time as I observed that snappins take about some minutes until they get delivered … Will that naming take same time?
- set a static IP which depends from hostname ( I already have prepared a batch file for that …)
Will that all have to go into setupcomplete.cmd?
How and when will that get executed?