@taylorcockrell Well, there is no easy answer here. If you need secure boot enabled in your environment, then you can create a self-signed key and apply it to each workstation. Then you can sign both ipxe.efi and bzImage with the same key. Once that is done you can secure boot using FOG. I created a tutorial on the steps needed for this. For an open source project it's a bit impractical to get Microsoft-signed kernels and EFI boot loaders to do it any other way. I wish there was a better solution.
In the case of the hardware, I know for Dell hardware you can use a Dell-offered utility to modify the firmware from within the host OS. I'm thinking that you can turn off secure boot (which will break BitLocker, but you will reimage the computer anyway), then reboot the computer into PXE booting with FOG.
If you require an IT tech to sit in front of the computer to image it, then they can simply turn off secure boot and then boot into PXE booting via the UEFI boot manager. The imaging tech would have the access and capabilities to disable secure boot prior to imaging.
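
A pre-flight check for the self-signed approach described in the post above, added here as an example (not part of the original post or of FOG): it confirms that a PE/EFI image such as ipxe.efi actually carries an embedded Authenticode signature before Secure Boot is switched on. It assumes the bzImage was built with the kernel's EFI stub, so that it also starts with a PE header; the function names and the constructed sample header are hypothetical.

```python
import struct

CERT_DIR_INDEX = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)
WIN_CERT_TYPE_PKCS = 0x0002   # WIN_CERT_TYPE_PKCS_SIGNED_DATA (Authenticode)

def signature_blobs(image: bytes):
    """Return [(file_offset, length)] for each PKCS#7 signature in a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE/EFI image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 24                       # PE magic + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    count_off = opt + (92 if magic == 0x10B else 108)
    (ndirs,) = struct.unpack_from("<I", image, count_off)
    if ndirs <= CERT_DIR_INDEX:
        return []
    # Unlike other data directories, this entry holds a file offset, not an RVA.
    tbl_off, tbl_size = struct.unpack_from(
        "<II", image, count_off + 4 + 8 * CERT_DIR_INDEX)
    if tbl_size == 0:
        return []                           # unsigned image
    if tbl_off + tbl_size > len(image):
        raise ValueError("certificate table runs past end of file")
    blobs, pos, end = [], tbl_off, tbl_off + tbl_size
    while pos + 8 <= end:
        length, _revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        if cert_type == WIN_CERT_TYPE_PKCS:
            blobs.append((pos, length))
        pos += (length + 7) & ~7            # entries are 8-byte aligned
    return blobs

def constructed_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a bootable image."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)         # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x58, 0x20B)        # PE32+ magic
    struct.pack_into("<I", img, 0x58 + 108, 16)     # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", img, 0x58 + 112 + 8 * CERT_DIR_INDEX, 0x200, 16)
        img += struct.pack("<IHH", 16, 0x0200, WIN_CERT_TYPE_PKCS) + b"\0" * 8
    return bytes(img)
```

Pass the bytes of the real files, for example `signature_blobs(open("ipxe.efi", "rb").read())`; an empty list means the image is unsigned. This only shows that a signature is present; checking it against the enrolled certificate is a separate step, for which sbsigntools provides `sbverify`.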