RE: FOG Client Unable to Decrypt AES Error

@Zer0Cool for the SnapinPack. you’d have it run start.bat. start.bat Would then copy & run removeclient.*** as a separate task. This means start.bat would exit fairly quickly, and so the client could inform the server the snapin ran successfully. removing it from the FOG task list. I would, however, recommend putting a short sleep delay at the beginning of removeclient, just to give the client enough time to inform the server before it is uninstalled.

As for PCI/FIPS compliance, I have done some work for that here: (https://github.com/FOGProject/zazzles/commit/90b76038210175a532a5da522b7d61b281d23a99), but last I tested it still had issues. Right now the ticket is targeted to be done on v1.7 of the FOG server, but if you’d like to see it done sooner, you could hopefully assist me. To continue development/testing I’d either need to turn FIPS compliance on in one of my dev VMs or be able to remote into a machine with it enabled. The latter may be quicker. Feel free to PM me if you’d be interested in helping.

@Zer0Cool snapins act like children processes attached to the client. This means if the client is stopped (via an uninstall), it’ll likely also stop and delete any running snapins. I’d recommend using a SnapinPack. There could be 2 files in it: a start.bat and a removeclient.[bat/cmd/ps1]. Essentially the start.bat would copy removeclient to another folder, as otherwise it’ll get removed on client uninstall, and then run that script as a new backgrounded process.

@Joe-Gill on sleep, all programs and services are suspended. This means the client can not operate during this period, and so there’s not much it can do to actually perform a shutdown.

@Joe-Gill can you attach the C:\fog.log from one of the problematic machines?

@fernando-gietz said in Which is the best way to install/deploy the FOG client?:

in the sysprep proccess I install the client again

So to be clear, the image itself does not have a client installation? It’s installed during sysprep?

And by “uninstalling / re-installing the client” I’m referring to manually uninstall the client on an existing installation that is running.

@Fernando-Gietz a reset encryption data should only be done if a client installation losses its security token somehow. This can either be caused via the Debugger, manually deleting it, or uninstalling / re-installing the client. If it is being lost for another reason, then there is some other issue at play here.

@Fernando-Gietz resetting encryption data should not be needed, and doing it often/in-bulk posses security risks. Can you describe exactly what you do prior to resetting encryption being needed? In general this only occurs if the client is manually reinstalled, as the server should be handling the case where computers are deployed, automatically. (If it’s not, then it’s a bug).

@LaurentB unfortunately, once a client installation occurs, it “locks itself” into the server you first point it at. If you had the old server available, I’d recommend doing: https://wiki.fogproject.org/wiki/index.php?title=FOG_Client#Maintain_Control_Of_Hosts_When_Building_New_Server.

Now, since you don’t have the old server(s), you will have to uninstall, and then install each client. However, if the machines are bound to an Active Directory domain, you should be able to automate this with a simple batch script, and deploy it via GPO.

@foghelp I’d recommend re-entering the AD password field on the web ui. Its possible that somehow a bad copy of the password got placed in the database.

I could see us adding a warning if a node cannot connect. However, I am in agreement with @Tom-Elliott that straight up preventing credential entering would cause more issues than it would solve.

@fogjam this is definitely not expected behavior, thanks for reporting it. I’ll look into it and post in this thread with my findings.

@boyan-biandov that is certainly strange and I’ve never seen it happen before. I’m not sure what you’ve tried so far, but here’s a couple ideas to hopefully at least workaround the issue:

• Try copying c:\users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy to C:\Users\Default\AppData\
• I suppose you could use Logon script via GPO to also manually copy over that folder every time

Would you also be able to share your unattend file? Feel free to strip out any sensitive information in it.

@EJoc242 possibly, it’d be worth trying.

@EJoc242 if you aren’t already, I would recommend sysprepping your images before capture. When deploying to vastly different hardware, it may be necessary, as it allows Windows to properly configure itself to your target hardware.

@dsloan-ethra is Kaspersky AV started once as the Snapin Pack finishes? I’m thinking this may be AV related.

@dsloan-ethra what build of Windows are the systems running? (E.g Windows 10 1709)

@Coconutdog I would recommend switching to an earlier LTS, or a different distribution such as Debian or CentOS if you need to get your FOG server working as soon as possible. Ubuntu 18.04 was released only a few days ago, and there are likely multiple things they changed that will break FOG until we can identify and patch them. With that said, if you are still interested in using Ubuntu 18.04, then we’ll definitely help patch your issue and any other 18.04 issues you encounter.

In general, new Ubuntu releases actually tend to be the least compatible with FOG compared to most other distributions, as they derivative from certain conventions and take their own approach on things.

@Coconutdog it would appear the instructions on our download page were incorrect (as pointed out by Tom). I’ve updated the page with the correct instructions.

@jpLeca this issue is caused by newer versions of mono having a broken keystore. I hope to circumvent this issue in the future but in the mean time:

Try uninstalling the client, removing mono and installing an older build, and then installing the client . Note that may have to repeat these steps until you find a mono build that does not have the bug.

@Tom-Elliott it seems the server is not sending the password correct.