@rodluz

ok scrap the local GPO done this and it works

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /v firstlogon /t REG_SZ /d powershell -noexit -ep bypass c:\users\admin\sysprep\firstlogon.ps1 /f

@Tom-Elliott is there a way to find out where its failing

i have the PCAP file if interested?

tbh i am running fog on centos 7 so maybe its time to re install the OS to rocky 9.5 or ubuntu 24

what OS do you recommend?

any help?

@robertkwild This is ours, it boots into Windows automatically, where FOG starts (using the startup script) and renames the PC and adds to domain

<?xml version="1.0" encoding="utf-8"?> <unattend xmlns="urn:schemas-microsoft-com:unattend"> <settings pass="windowsPE"> <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <SetupUILanguage> <UILanguage>en-GB</UILanguage> </SetupUILanguage> <InputLocale>en-GB</InputLocale> <SystemLocale>en-GB</SystemLocale> <UILanguage>en-GB</UILanguage> <UILanguageFallback>en-US</UILanguageFallback> <UserLocale>en-GB</UserLocale> </component> <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <DiskConfiguration> <WillShowUI>OnError</WillShowUI> <Disk wcm:action="add"> <CreatePartitions> <CreatePartition wcm:action="add"> <Order>1</Order> <Size>500</Size> <Type>Primary</Type> </CreatePartition> <CreatePartition wcm:action="add"> <Order>2</Order> <Type>EFI</Type> <Extend>false</Extend> <Size>100</Size> </CreatePartition> <CreatePartition wcm:action="add"> <Order>3</Order> <Size>16</Size> <Type>MSR</Type> </CreatePartition> <CreatePartition wcm:action="add"> <Extend>true</Extend> <Order>4</Order> <Type>Primary</Type> </CreatePartition> </CreatePartitions> <ModifyPartitions> <ModifyPartition wcm:action="add"> <Format>NTFS</Format> <Label>WinRE</Label> <Order>1</Order> <PartitionID>1</PartitionID> <TypeID>DE94BBA4-06D1-4D40-A16A-BFD50179D6AC</TypeID> </ModifyPartition> <ModifyPartition wcm:action="add"> <Format>FAT32</Format> <Label>System</Label> <Order>2</Order> <PartitionID>2</PartitionID> </ModifyPartition> <ModifyPartition wcm:action="add"> <Order>3</Order> <PartitionID>3</PartitionID> </ModifyPartition> <ModifyPartition wcm:action="add"> <Format>NTFS</Format> <Label>Windows</Label> <Letter>C</Letter> <Order>4</Order> <PartitionID>4</PartitionID> </ModifyPartition> </ModifyPartitions> <WillWipeDisk>true</WillWipeDisk> <DiskID>0</DiskID> </Disk> </DiskConfiguration> <ImageInstall> <OSImage> <InstallTo> <DiskID>0</DiskID> <PartitionID>4</PartitionID> </InstallTo> </OSImage> </ImageInstall> <UserData> <ProductKey> <Key>**REDACTED**</Key> </ProductKey> <AcceptEula>true</AcceptEula> <Organization>**REDACTED**</Organization> </UserData> <Display> <HorizontalResolution>1920</HorizontalResolution> <VerticalResolution>1080</VerticalResolution> </Display> </component> </settings> <settings pass="specialize"> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <ComputerName>*</ComputerName> <RegisteredOwner>**REDACTED**</RegisteredOwner> <RegisteredOrganization>**REDACTED**</RegisteredOrganization> <TimeZone>GMT Standard Time</TimeZone> </component> </settings> <settings pass="oobeSystem"> <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <InputLocale>en-GB</InputLocale> <SystemLocale>en-GB</SystemLocale> <UILanguage>en-GB</UILanguage> <UILanguageFallback>en-US</UILanguageFallback> <UserLocale>en-GB</UserLocale> </component> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <OOBE> <HideEULAPage>true</HideEULAPage> <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen> <HideOnlineAccountScreens>true</HideOnlineAccountScreens> <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> <ProtectYourPC>1</ProtectYourPC> </OOBE> <UserAccounts> <LocalAccounts> <LocalAccount wcm:action="add"> <Password> <Value>**REDACTED**</Value> <PlainText>false</PlainText> </Password> <Description>Admin</Description> <DisplayName>Admin</DisplayName> <Group>Administrators</Group> <Name>Admin</Name> </LocalAccount> </LocalAccounts> </UserAccounts> <Display> <HorizontalResolution>1920</HorizontalResolution> <VerticalResolution>1080</VerticalResolution> </Display> <AutoLogon> <Password> <Value>**REDACTED**</Value> <PlainText>false</PlainText> </Password> <Username>Admin</Username> <LogonCount>1</LogonCount> <Enabled>true</Enabled> </AutoLogon> <FirstLogonCommands> <SynchronousCommand wcm:action="add"> <CommandLine>C:\Windows\Setup\scripts\SetupComplete.cmd</CommandLine> <Order>1</Order> <RequiresUserInput>false</RequiresUserInput> </SynchronousCommand> </FirstLogonCommands> </component> </settings> <cpi:offlineImage cpi:source="wim:c:/customise/win10/sources/install11edu.wim#Windows 11 Education" xmlns:cpi="urn:schemas-microsoft-com:cpi" /> </unattend>

@Tom-Elliott looks like i have to update my fog to 1.6 instead of 1.5 as i thought i resolved it by updating fog to the latest 1.5 but the error is still there on 1.5, i thought it went at first as when i made my first image it saved as a folder but on my second capture its saving as a file again

@Tom-Elliott i had the exact same error on another pc i wanted to image, you were right Tom, as the CMOS battery died it had the wrong date/time so i amde it correct and voila

thanks for pointing me in the right direction!!!

@robertkwild ok i read you can do 10 or other so fine, il close

@george1421 result!!!

i bought a HP NIC as i have a HP laptop and it works

this one if anyone is inteerested

https://www.amazon.co.uk/HP-N7P47AA-Network-DesignJet-Adapters-Black/dp/B01618WGMY?th=1

as literally star tech, ugreen, tp link, realtek or asix chipsets didnt work

@AlexPDX @Sebastian-Roth it was something simple in the end

BIOS > advanced > system options

i turned off/unticked - configure storage controller for VMD

basically its there version of RAID, untick it and its AHCI

@robertkwild said in updating fog on centos 7:

it took ages compiling the ipxe binarys but now its been succesfully updated

THat’s right. Usually takes a few minutes depending on the CPU you have.

@robertkwild Yes, at least by default. I don’t know how frequently we’ve had things actually usable from a partition to partition image, but typically the flow is:

Erase the Existing drive
Configure the Existing with the image partitioning schema
Write the image to the disk
(If resizable - expand partitions)
Reboot

great thanks @george1421 i understand now, basically to do this right, you need to sysprep using an unattended xml file which i dont do, so best case scenario is i can just leave the drivers there and install once im on the desktop,

thanks again george

@george1421 the good thing is, you only need to do the reg hack and app removal on the GI, once you sysprep the GI and capture it, when you deploy it, you have to do nothing and you can deploy to multiple laptops, vms etc

the pic i shows you shows a laptop with TPM enabled, using the deployed image
20220414_181954.jpg

@robertkwild I can’t say about v11. I use 10.7 at the moment and install from DVD (kind of). It does prompt you to sync with an internet repository but will just use the DVD if you say no to the internet. Understand that your install will be out of date on patches but Debian will run just fine.

@george1421 made it into all one script, even the mkkeys.sh

#!/bin/bash apt-get update apt-get upgrade -y apt-get install -y openssl efitools gnu-efi git build-essential help2man libssl-dev perl -e'use CPAN; install "File::Slurp"' mkdir -p /opt/fog/secureboot/efikeys cat << EOF > /opt/fog/secureboot/mkkeys.sh #!/bin/bash # Copyright (c) 2015 by Roderick W. Smith # Updated 26-Nov-2021 by George1421 for the FOG Project # Licensed under the terms of the GPL v3 NAME=FOGProjectSB openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout efikeys/PK.key \ -out efikeys/PK.crt -days 3650 -nodes -sha256 openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout efikeys/KEK.key \ -out efikeys/KEK.crt -days 3650 -nodes -sha256 openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout efikeys/DB.key \ -out efikeys/DB.crt -days 3650 -nodes -sha256 openssl x509 -in efikeys/PK.crt -out efikeys/PK.cer -outform DER openssl x509 -in efikeys/KEK.crt -out efikeys/KEK.cer -outform DER openssl x509 -in efikeys/DB.crt -out efikeys/DB.cer -outform DER GUID=`python3 -c 'import uuid; print(str(uuid.uuid1()))'` echo $GUID > efikeys/myGUID.txt cert-to-efi-sig-list -g $GUID efikeys/PK.crt efikeys/PK.esl cert-to-efi-sig-list -g $GUID efikeys/KEK.crt efikeys/KEK.esl cert-to-efi-sig-list -g $GUID efikeys/DB.crt efikeys/DB.esl rm -f efikeys/noPK.esl touch efikeys/noPK.esl sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ -k efikeys/PK.key -c efikeys/PK.crt PK efikeys/PK.esl efikeys/PK.auth sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ -k efikeys/PK.key -c efikeys/PK.crt PK efikeys/noPK.esl efikeys/noPK.auth sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ -k efikeys/PK.key -c efikeys/PK.crt KEK efikeys/KEK.esl efikeys/KEK.auth sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ -k efikeys/KEK.key -c efikeys/KEK.crt db efikeys/DB.esl efikeys/DB.auth chmod 0600 efikeys/*.key echo "" echo "" echo "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB" echo "flash drive or to your EFI System Partition (ESP)." echo "For use with most UEFIs' built-in key managers, copy the *.cer files;" echo "but some UEFIs require the *.auth files." echo "" EOF chmod a+x /opt/fog/secureboot/mkkeys.sh cd /opt/fog/secureboot/ ./mkkeys.sh git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git cd /opt/fog/secureboot/efitools make mkdir -p /opt/fog/secureboot/hwkeys cd /opt/fog/secureboot/ efi-readvar -v PK -o /opt/fog/secureboot/hwkeys/hw_PK.esl efi-readvar -v KEK -o /opt/fog/secureboot/hwkeys/hw_KEK.esl efi-readvar -v db -o /opt/fog/secureboot/hwkeys/hw_db.esl efi-readvar -v dbx -o /opt/fog/secureboot/hwkeys/hw_dbx.esl chmod 666 /opt/fog/secureboot/hwkeys/* cp /opt/fog/secureboot/efikeys/* /opt/fog/secureboot/efitools/ cp /opt/fog/secureboot/hwkeys/* /opt/fog/secureboot/efitools/ cd /opt/fog/secureboot/efitools cat hw_db.esl > DB.esl cat hw_KEK.esl > KEK.esl cat hw_dbx.esl > dbx.esl rm LockDown*efi LockDown.so LockDown.o make cp LockDown-signed.efi EnrollKeys.efi mkdir -p /tftpboot cp /opt/fog/secureboot/efitools/EnrollKeys.efi /tftpboot mv /var/www/html/fog/service/ipxe/bzImage /var/www/html/fog/service/ipxe/bzImage-unsigned sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /var/www/html/fog/service/ipxe/bzImage /var/www/html/fog/service/ipxe/bzImage-unsigned mv /var/www/html/fog/service/ipxe/bzImage32 /var/www/html/fog/service/ipxe/bzImage32-unsigned sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /var/www/html/fog/service/ipxe/bzImage32 /var/www/html/fog/service/ipxe/bzImage32-unsigned mv /var/www/html/fog/service/ipxe/refind.efi /var/www/html/fog/service/ipxe/refind-unsigned.efi sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /var/www/html/fog/service/ipxe/refind.efi /var/www/html/fog/service/ipxe/refind-unsigned.efi mv /tftpboot/ipxe.efi /tftpboot/ipxe-unsigned.efi sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /tftpboot/ipxe.efi /tftpboot/ipxe-unsigned.efi mv /tftpboot/snponly.efi /tftpboot/snponly-unsigned.efi sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /tftpboot/snponly.efi /tftpboot/snponly-unsigned.efi mv /tftpboot/snp.efi /tftpboot/snp-unsigned.efi sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /tftpboot/snp.efi /tftpboot/snp-unsigned.efi

@sebastian-roth when George says this

mkdir -p /opt/fog/secureboot/hwkeys
cd /opt/fog/secureboot/

sudo efi-readvar -v PK -o /opt/fog/secureboot/hwkeys/hw_PK.esl
sudo efi-readvar -v KEK -o /opt/fog/secureboot/hwkeys/hw_KEK.esl
sudo efi-readvar -v db -o /opt/fog/secureboot/hwkeys/hw_db.esl
sudo efi-readvar -v dbx -o /opt/fog/secureboot/hwkeys/hw_dbx.esl
sudo chmod 666 /opt/fog/secureboot/hwkeys/*

He says he got the certs above on a debian instance running on a hardware pc,

What about if this a Ubuntu vm?