Enable TPM devices on HP laptops through MDT

Yes, it can be done, and it is pretty simple too. Here is what you need and how you should do it. Basically, the only thing you need is “BiosConfigUtility.EXE” and a text file with settings in it; add that to the TS and it will work like a charm :-)

Step One – Get the utility

The utility is part of HP’s SSM (SP49507). SSM stands for “HP System Software Manager”, and the version I have been playing with is 2.14 Rev A. Download it from ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.exe and, if you need to check whether your PC is in the supported list, see ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.html

Step Two – Create the file

This is what the file should look like; it should be named TPMEnable.REPSET

(screenshot of TPMEnable.REPSET)

If you look at the picture, you can see that every section contains a *. That marks our default value, the one that will be pushed into the BIOS.

Step Three – Create a Command and verify that it works

Now, be a bit careful: TPM is a security device, and if you lock yourself out it could be “tricky” to get back in, so at least you have been warned. We need a command to set all this and also to set a BIOS password, and here it is:

BIOSConfigUtility /SetConfig:TPMEnable.REPSET /NewAdminPassword:"Password1"

So, if you put BIOSConfigUtility.exe and TPMEnable.REPSET in the same folder, run the command (elevated) with a password that is better than mine and then reboot the machine, you will see that it enables the TPM chip, and now you can just enable BitLocker on the machine.

Step Four – Getting stuff into the TS

Now, this can be done in different ways: a script, a batch file or an MDT application. The reason I use an application is very simple. When I work at customers I create a lot of “things”; if they are applications, they are pretty easy to copy inside the Deployment Workbench, from my personal deployment share to the customer’s and vice versa. I like drag and drop, it makes life more…relaxed…:-) One other thing: if they are applications, you can use “MandatoryApplications001=” in CS.ini.

So this is how it looks in my Task Sequence

(screenshots)

(No, sorry, my password for TPM is not 111-something, trust me…)

Now that I have the application, I can open my Task Sequence and modify it like this:

(screenshots)

In the first picture you can see that I have added the application called “CUSTOM – Hewlett-Packard – BIOS Configuration”, and in the other picture you can see that I have one condition for running it: the same condition that the “Enable BitLocker” task has.

So, that was pretty easy, right :-)
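As an added example (not from the original post), here is a PowerShell check you can run as a task sequence step after the BIOS configuration step and its reboot, so the “Enable BitLocker” step only runs once the TPM is really enabled and activated. It queries the Win32_Tpm WMI class (the object is absent while the chip is disabled in the BIOS); the exit codes 0/1 are my own convention.

```powershell
# Added example: verify the TPM state via WMI before the BitLocker step runs.
# Exit code 0 = TPM present, enabled and activated; 1 = not usable yet.
# Run elevated inside the task sequence, after the reboot that follows
# BIOSConfigUtility /SetConfig:TPMEnable.REPSET (works on PowerShell 2.0).
function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        # No Win32_Tpm instance: no chip, or it is still disabled/hidden in the BIOS
        return New-Object PSObject -Property @{
            Present = $false; Enabled = $false; Activated = $false; Owned = $false
        }
    }
    # Each Is*() method returns an object carrying the boolean of the same name
    return New-Object PSObject -Property @{
        Present   = $true
        Enabled   = $tpm.IsEnabled().IsEnabled
        Activated = $tpm.IsActivated().IsActivated
        Owned     = $tpm.IsOwned().IsOwned
    }
}

$state = Get-TpmState
"TPM present: $($state.Present)  enabled: $($state.Enabled)  activated: $($state.Activated)  owned: $($state.Owned)"

if ($state.Present -and $state.Enabled -and $state.Activated) {
    exit 0   # safe to continue with "Enable BitLocker"
}
else {
    # Fail this step so the TS does not attempt BitLocker on a machine without a usable TPM
    exit 1
}
```

Use the step’s exit code (or write the result to a task sequence variable) as the condition on the “Enable BitLocker” task instead of assuming the BIOS change took effect.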

Step Five – some more things…

Configure BitLocker:

(screenshot)

These are my settings (also the defaults).

Just one small thing: set BDEKeyLocation= to something, otherwise the key file ends up locally on the C: drive…:-)

MDT 2012: New Features – Hide Shell

Here is a common scenario. You are deploying an operating system using MDT Lite Touch, and during the deployment you install some user-specific applications. However, the users think that the deployment is completed and they close the application installs, or perhaps start messing with the machine while it is still logged in as the local administrator. Now you could simply inform the user that they should not touch the computer until the deployment is completed. However, in my experience this “don’t touch” approach has not always been 100% successful.

Well, now we have a better way: you can hide the Explorer shell while MDT is “doing its thing”!

So how do we do this? It is simple: just add the following line to the customsettings.ini file:

HIDESHELL=YES

I have included before and after shots below:

Look, Explorer…

No Explorer… that’s better!

MDT 2012 Beta 2 Monitoring

Today I upgraded an MDT 2010 installation to MDT 2012 Beta 2.

One of the new features is monitoring.

To configure monitoring, open the properties of the deployment share and go to the Monitoring tab. Tick “Enable monitoring of this deployment share”.

Under the root of the deployment share you now see a Monitoring node. When you click on Monitoring you can see the running deployments.

MDT 2012 Beta 2 Released

The latest version of MDT is now available on Connect (Join the MDT 2012 Beta 2 Connect program here!)

MDT 2012 Beta 2 offers new User-Driven Installation components and extensibility for Configuration Manager 2007 and Configuration Manager 2012 as well as integration with the Microsoft Diagnostics and Recovery Toolkit (DaRT) for Lite Touch Installation remote control and diagnostics.

Key benefits include:

  • Full use of the capabilities provided by System Center Configuration Manager 2012 for OS deployment.
  • Improved Lite Touch user experience and functionality.
  • A smooth and simple upgrade process for all existing MDT users.

New features for System Center Configuration Manager customers:

  • Support for Configuration Manager 2012 (while still supporting Configuration Manager 2007)
  • New User-Driven Installation components for Configuration Manager 2007 and Configuration Manager 2012
    • Extensible wizard and designer, additional integration with Configuration Manager to deliver a more customized OS experience, support for more imaging scenarios, and an enhanced end-user deployment experience
  • Ability to migrate MDT 2012 task sequences from Configuration Manager 2007 to Configuration Manager 2012

New features for Lite Touch Installation:

  • Integration with the Microsoft Diagnostics and Recovery Toolkit (DaRT) for remote control and diagnostics
  • New monitoring capabilities to see the progress of currently running deployments
  • Support for deploying Windows to computers using UEFI
  • Ability to deploy Windows 7 so that the computer will start from a new VHD file, “Deploy to VHD”
  • Improved deployment wizard user experience

The final release of MDT 2012 will be available for download around January 2012, I think.

The Deployment Guys released Deployment Mindmaps

“Why is deployment so hard?”, “Where can I find all related information?”, “What else do I need to consider?”

Those or similar questions come up in any of my projects. After getting the same questions again and again, The Deployment Guys decided to create a mind map with all the common links you need to know if you are in the deployment space.

Attachment: MINDMAPS.zip
Source: Deployment-Mindmaps

MDT: Restricting the available task sequences by user

  1. Within the Deployment Workbench go to Deployment Shares\<YourDeploymentshare>\Task Sequences.

  2. Organize the available task sequences into folders. Task sequences that aren’t in a folder can’t be restricted.

  3. Within the Deployment Workbench go to Deployment Shares\<YourDeploymentshare>\Advanced Configuration\Selection Profiles.

  4. Create a new selection profile and at “Select the folders that should be included in this selection profile” select the folders below Task Sequences that should be visible for this profile.

  5. Edit CustomSettings.ini and add UserID to Priority before the value Default under [Settings]:

    [Settings]
    Priority=UserID, Default
  6. Define a section in CustomSettings.ini in the form [userid]. Example: if the User ID is Helpdesk then the section should be [helpdesk].

  7. Define the selection profile to be used for this user below this section. Example: to give helpdesk access to the Helpdesk selection profile, add the following:

    [helpdesk]
    WizardSelectionProfile=Helpdesk
  8. Create a selection profile in which no folder has been selected, and put WizardSelectionProfile=nameofemptyselectionprofile under [Default] if you want nobody other than the defined user IDs to have access to the task sequences.

  9. Now, when the user logs into the wizard in the WinPE environment, he/she sees only the task sequences that are available in that selection profile.

Source: Microsoft TechNet – MDT Forum – How to hide/show task sequence for specific users/user groups?

Microsoft Deployment Toolkit (MDT) 2012 Beta 1 Available

Microsoft has just released the newest version of the Microsoft Deployment Toolkit (MDT) 2012 as a public beta, with a few important updates:

  • Supporting System Center Configuration Manager (SCCM) 2012.
  • For Lite Touch Installation (LTI), great improvements in the client-side look-n-feel.
  • Also for LTI, behind-the-scenes enhancements for partitioning, UEFI (Unified Extensible Firmware Interface), and user state migration.
  • Some minor bugs fixed.

MDT 2012 Requirements

Same as MDT 2010:

  • Windows Automated Installation Kit (WAIK) 2.0. You can download it from here.
    Note: The download page indicates that the WAIK version is “1”; but don’t worry, the actual version is 2.0.
  • MSXML 6.0
  • PowerShell.
  • .Net Framework 3.5 SP1. Available for download here.
    Note: Even though .Net Framework 2.5 SP1 is not a requirement for the MDT 2010 installation, one of its features, User-Driven Installation (UDI), does require the latest Microsoft .NET Framework to be installed.

MDT 2012 Look-n-Feel

From what I’ve seen so far, the user experience of the Deployment Workbench console is pretty much the same.

MDT 2012 Beta 1 Download

The beta is available at this link from Microsoft Connect.

Issue with MDT 2010 Update 1 and Windows AIK for Windows 7 SP1

With the release of the Windows AIK for Windows 7 SP1 supplement (see Windows AIK for Windows 7 SP1 Released for details), there is a new version of Windows PE, 3.1, available. If you plan to install this update, you need to be aware of an issue when using it with MDT 2010 Update 1.

With MDT 2010, Deployment Workbench will look for a “boot.wim” file from one of the imported operating systems that has the same build number as Windows AIK (e.g. “boot.wim” from a Windows 7 RC, build 7100, operating system to go with the Windows AIK for Windows 7 RC). If it finds a match, it will use that WIM instead. Why do we do this? Because the “boot.wim” contains the Windows Recovery Environment (Windows RE), a component that isn’t available in Windows AIK.

So let’s get a little more specific. First, some background details:

  • The build number for the RTM version of Windows 7 is 6.1.7600.16385.
  • The build number for Windows AIK for Windows 7, released with Windows 7 RTM, is also 6.1.7600.16385. This is stored in the registry.
  • The build number for Windows 7 SP1 is 6.1.7601.17514.
  • The build number for the files included in the Windows 7 AIK for Windows 7 SP1 supplement, including Windows PE 3.1 and all the Windows PE feature packs, is also 6.1.7601.17514. But since this supplement is installed by replacing files in the Windows AIK installation directory using XCOPY, the registry isn’t updated so MDT still thinks the Windows 7 RTM version (6.1.7600.16385) of Windows AIK is installed.

Now, let’s assume that you have Windows 7 RTM x86 installation files present in your deployment share, and you haven’t installed the Windows 7 AIK for Windows 7 SP1 supplement. MDT’s processing when creating a boot image will look like this:

  • Is there a boot.wim available with the same version number as Windows AIK (6.1.7600.16385 = 6.1.7600.16385)? Yes, copy it to a temporary folder and mount it.
  • Inject the required Windows PE optional components from the Windows AIK installation directory into this mounted boot image.
  • Inject the needed MDT scripts.
  • Commit the changes to the WIM file and copy it to the deployment share.

Now, install the Windows 7 AIK for Windows 7 SP1 supplement and update the deployment share:

  • Is there a boot.wim available with the same version number as Windows AIK (6.1.7600.16385 = 6.1.7600.16385)? Yes (because MDT doesn’t know that Windows AIK has been updated; the registry still says it is version 6.1.7600.16385), copy it to a temporary folder and mount it.
  • Try to inject the required Windows PE feature packs from the Windows AIK installation directory into this mounted boot image. All fail, because they are for Windows PE 3.1 and won’t work with the Windows PE 3.0 boot image copied from the Windows 7 RTM files.
  • Stop.

The actual error will look something like this (repeated for each Windows PE feature pack):

Deployment Image Servicing and Management tool
Version: 6.1.7600.16385
Image Version: 6.1.7600.16385
Processing 1 of 1 – Adding package WinPE-HTA-Package~31bf3856ad364e35~x86~~6.1.7601.17514
Error: 0x800f081e
The specified package is not applicable to this image.
The DISM log file can be found at C:\Windows\Logs\DISM\dism.log
Exit code = –2146498530
DISM /Add-Package failed for component C:\Program Files\Windows AIK\Tools\PETools\amd64\WinPE_FPs\winpe-hta.cab, rc = -2146498530.

Solution:

Modify the Settings.xml file in the deployment share’s “Control” folder to tell MDT to never use the boot.wim. The settings look like this:

<Boot.x86.UseBootWim>True</Boot.x86.UseBootWim>
<Boot.x64.UseBootWim>True</Boot.x64.UseBootWim>

They should be changed to instead say:

<Boot.x86.UseBootWim>False</Boot.x86.UseBootWim>
<Boot.x64.UseBootWim>False</Boot.x64.UseBootWim>

As a result of this change, MDT will no longer use the boot.wim from the Windows 7 RTM installation files. Instead, it will always use the winpe.wim from Windows AIK. And since the Windows PE feature packs in Windows AIK should always match the winpe.wim in Windows AIK, this will always work.
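As an added example (not from the original post, and not an MDT-provided script), here is a PowerShell script that applies the Settings.xml change above to a deployment share, taking a backup first and reporting the old value of each element. The deployment share path is a placeholder; after running it, update the deployment share in the Deployment Workbench as usual.

```powershell
# Added example: make MDT 2010 Update 1 build boot images from the Windows AIK
# winpe.wim instead of an imported operating system's boot.wim, by setting both
# UseBootWim elements in Control\Settings.xml to False. A backup is kept so the
# change can be reverted. Works on PowerShell 2.0.
param(
    [string]$DeploymentShare = 'D:\DeploymentShare'   # placeholder: your own share path
)

$settingsPath = Join-Path $DeploymentShare 'Control\Settings.xml'
if (-not (Test-Path $settingsPath)) {
    throw "Settings.xml not found at $settingsPath"
}
$settingsPath = (Resolve-Path $settingsPath).Path   # XmlDocument.Save needs an absolute path

# Timestamped copy of the original file
$backup = "$settingsPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item $settingsPath $backup

[xml]$xml = Get-Content $settingsPath
$changed = 0
foreach ($name in 'Boot.x86.UseBootWim', 'Boot.x64.UseBootWim') {
    # Look the element up by name so this does not depend on the root element
    $node = $xml.SelectSingleNode("//$name")
    if ($node -eq $null) {
        Write-Warning "$name not present in Settings.xml; skipping"
        continue
    }
    "$name : $($node.InnerText) -> False"
    $node.InnerText = 'False'
    $changed++
}

if ($changed -gt 0) {
    $xml.Save($settingsPath)
    "Saved $settingsPath (backup: $backup). Now run 'Update Deployment Share' in the Deployment Workbench."
}
else {
    "Nothing changed; backup left at $backup"
}
```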

Note that this will never be an issue with MDT-generated boot images used with ConfigMgr 2007, as MDT will always use the winpe.wim from Windows AIK when generating these. (ConfigMgr 2007 doesn’t yet support Windows PE 3.1, so don’t install the Windows AIK for Windows 7 SP1 supplement yet if you are using ConfigMgr.)

More info: Issue with MDT 2010 Update 1 and Windows AIK for Windows 7 SP1 Supplement

Deploy Office 2010 and a previous Office version together on one PC with MDT 2010

To deploy Office 2010 and a previous Office version together on one PC with MDT 2010, you need to do the following.

Needed:
- Office 2010 ISO
- Office 2010 Administrative Template files (ADM, ADMX/ADML) and Office Customization Tool

1. Make sure you have a working Office 2007 deployment. Check How to deploy Office 2007 with MDT.

2. Extract the Office 2010 ISO to the application folder on the MDT server.

3. Extract AdminTemplates_32.exe or AdminTemplates_64.exe to a folder.

4. Copy the Admin folder from the extracted folder to the Office 2010 folder that you created in step 2.

5. Run setup.exe /admin

6. Check the screenshots for the settings.
(screenshots)

7. Save the file in the Updates folder inside the Office folder. I named the file setup.MSP.

8. Create a new application without source files.

The command line is:
setup.exe /adminfile "\\mdtservername\deploymentshare$\Applications\Microsoft Office 2010 x86\Updates\setup.msp"
