Enable TPM devices on HP Laptops through MDT

Yes, it can be done, and it is pretty simple too. Here is what you need and how to do it. Basically, the only things you need are "BiosConfigUtility.EXE" and a text file with the settings in it; add those to the task sequence and it works like a charm :-)

Step One – Get the utility

The utility is part of HP's SSM (SP49507); SSM stands for "HP System Software Manager", and the version I have been playing with is 2.14 Rev A. Download it from ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.exe and, if you need to see whether your PC is on the supported list, check ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.html

Step Two – Create the file

This is what the file should look like; it must be named TPMEnable.REPSET:

(screenshot of TPMEnable.REPSET not reproduced here)

In the picture, every BIOS setting is followed by its possible values, and in every section one value is marked with a *. That marked value is what BCU pushes into the BIOS; the unmarked lines are the alternatives it leaves alone. Setting names differ between HP models, so the safest way to get the exact names for yours is to export the current configuration with the utility's /GetConfig option and keep only the TPM-related sections.

Step Three – Create a Command and verify that it works

Now, be a bit careful: the TPM is a security device, and if you lock yourself out it can be "tricky" to get back in, so consider yourself warned. Once the command below has set a BIOS setup password, every later change, whether through BCU or the F10 setup screen, requires that password, so store it somewhere that survives the machine being re-imaged. We need a command that applies the settings and also sets the BIOS password, and here it is:

BIOSConfigUtility /SetConfig:TPMEnable.REPSET /NewAdminPassword:"Password1"

Put BIOSConfigUtility.exe and TPMEnable.REPSET in the same folder, run the command (elevated) with a password better than mine, and reboot the machine. After the reboot the TPM chip is enabled and you can simply enable BitLocker on the machine. One thing to keep in mind before this goes into the task sequence: whatever password you put on that command line ends up in the task sequence XML on the deployment share, which every account that can run LiteTouch can read, so treat the BIOS password as a secret shared by everyone with access to the share, not as a per-machine secret.

Step Four – Getting stuff into the TS

Now, this can be done in different ways: a script, a batch file, or an MDT application. My reason for using an application is very simple. When I work at customers I create a lot of "things", and if they are applications they are easy to copy inside the Deployment Workbench from my personal deployment share to the customer's and vice versa. I like drag and drop; it makes life more... relaxed... :-) One other point: if they are applications, you can use "MandatoryApplications001=" in CS.ini to push them out.

So this is how it looks in my task sequence:

(screenshots of the application's command line and its place in the task sequence not reproduced here)

(No, sorry, my password for TPM is not 111-something, trust me...)

Now that I have the application I can open my task sequence and modify it like this:

(screenshots not reproduced here)

In the first picture you can see that I have added the application called "CUSTOM – Hewlett-Packard – BIOS Configuration", and in the other picture you can see that it has one condition to run, the same condition the "Enable BitLocker" task has.

So, that was pretty easy, right :-)
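
An added example, not part of the original post or of HP's SSM: a PowerShell wrapper around the Step Three command that the Step Four application can call instead of the bare command line. It only runs BCU when the TPM is not already enabled and activated (read through the Win32_Tpm WMI class), checks BCU's exit code, and takes the BIOS admin password from a task sequence variable rather than the application's command line, so the password does not sit in the task sequence XML on the deployment share. The variable name HPBIOSPassword and the script name are my assumptions.

```powershell
<#
  Enable-HpTpm.ps1 - added example, not part of the original post or of HP's SSM.
  Wraps the Step Three command so the MDT application step is idempotent and
  the BIOS admin password is not stored in the application command line.
  Assumed names: the task sequence variable HPBIOSPassword and this file name.
  Run elevated; BiosConfigUtility.exe and TPMEnable.REPSET sit next to the script.
#>
param(
    [string]$Bcu,
    [string]$Repset
)
$here = Split-Path -Parent $MyInvocation.MyCommand.Path
if (-not $Bcu)    { $Bcu    = Join-Path $here 'BiosConfigUtility.exe' }
if (-not $Repset) { $Repset = Join-Path $here 'TPMEnable.REPSET' }

# Win32_Tpm lives in its own WMI namespace; each Is*() method returns an
# object whose property of the same name carries the boolean.
function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return New-Object PSObject -Property @{ Present = $false; Enabled = $false; Activated = $false }
    }
    New-Object PSObject -Property @{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
    }
}

# Read the password from the running task sequence (set HPBIOSPassword in
# CustomSettings.ini or the MDT database); fall back to an environment
# variable so the script can be tested outside MDT.
function Get-BiosPassword {
    try {
        $tsenv = New-Object -ComObject 'Microsoft.SMS.TSEnvironment'
        $pw = $tsenv.Value('HPBIOSPassword')
        if ($pw) { return $pw }
    } catch { }
    if ($env:HPBIOSPassword) { return $env:HPBIOSPassword }
    throw 'No BIOS admin password available: HPBIOSPassword is not set.'
}

$before = Get-TpmState
if ($before.Enabled -and $before.Activated) {
    Write-Host 'TPM is already enabled and activated; nothing to do.'
    exit 0
}
foreach ($f in @($Bcu, $Repset)) {
    if (-not (Test-Path $f)) { throw "Missing file: $f" }
}

# Same switches as the original command; the password is expanded here at
# run time instead of being written into the task sequence.
$pw   = Get-BiosPassword
$proc = Start-Process -FilePath $Bcu -Wait -PassThru -NoNewWindow `
            -ArgumentList @("/SetConfig:`"$Repset`"", "/NewAdminPassword:`"$pw`"")
if ($proc.ExitCode -ne 0) {
    throw "BiosConfigUtility returned exit code $($proc.ExitCode); check its log before retrying."
}

# BCU only queues the change in the BIOS; the TPM reports enabled after the
# next reboot, so let the application step reboot the machine.
Write-Host ("TPM before: present={0} enabled={1} activated={2}. BIOS updated, reboot required." -f `
            $before.Present, $before.Enabled, $before.Activated)
exit 0
```

Run it from the application as powershell.exe -ExecutionPolicy Bypass -File Enable-HpTpm.ps1 and tick "Reboot the computer after installing this application" on the application's properties; an uncaught throw makes powershell.exe exit non-zero, which falls outside the application's success codes and shows up as a failure in BDD.log. Moving the password into a task sequence variable keeps it out of ts.xml, but CustomSettings.ini lives on the same share, so the MDT database (protected by its own SQL permissions) is the better home for it.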

Step Five – some more things…

Configure BitLocker:

(screenshot of the Enable BitLocker step not reproduced here)

These are my settings (also the defaults).

Just one small thing: set BDEKeyLocation= to a network location (a UNC path), or have the step store the recovery key in Active Directory. Otherwise the recovery key file ends up locally on the C: drive, which is both useless (the volume you cannot unlock is the one holding the key) and exposes the recovery password to every user of the machine...:-)


The Deployment Guys released Deployment Mindmaps

"Why is it so hard?", "Where can I find all the related information?", "What else do I need to consider?"

Those or similar questions come up in every project I do. After getting the same questions again and again, The Deployment Guys decided to create a mind map with all the common links you need to know if you are in the deployment space.

Attachment: MINDMAPS.zip. Source: Deployment-Mindmaps


MDT Restricting the available Task Sequences by user

  1. Within Deployment Workbench go to Deployment Shares\<YourDeploymentshare>\Task Sequences.

  2. Organize the available task sequences into folders. Task sequences that aren't in a folder can't be restricted.

  3. Within DeploymentWorkbench go to Deployment Shares\<YourDeploymentshare>\Advanced Configuration\Selection Profiles.

  4. Create a new selection profile and at “Select the folders that should be included in this selection profile” select the folders below Task Sequences that should be visible for this profile.


  5. Edit CustomSettings.ini and add UserID to Priority, in front of the value Default, under [Settings]:

    [Settings]
    Priority=UserID, Default
  6. Define a section in CustomSettings.ini of the form [userid]. Example: if the user ID is Helpdesk then the section should be [helpdesk].

  7. Below that section, define the selection profile to be used for this user. Example: to give helpdesk access to the Helpdesk selection profile, add the following:

    [helpdesk]
    WizardSelectionProfile=Helpdesk
  8. If nobody other than the defined user IDs should see the task sequences, create a selection profile in which no folder has been selected and put WizardSelectionProfile=nameofemptyselectionprofile under [Default]. UserID has to stay in front of Default in Priority: a property keeps the first value it gets, so if [Default] were processed first the helpdesk section would never take effect.

  9. Now when the user logs into the wizard in the WinPE environment, he/she sees only the task sequences that are in the selection profile.

    Keep in mind what this does and does not protect. The selection profile only filters what the wizard displays; every task sequence still lives in the Control folder of the deployment share, which the user's deployment account can already read. This keeps people from picking the wrong task sequence by mistake; it is not an access control. If a group must not be able to run a task sequence at all, put it on a separate deployment share whose share and NTFS permissions exclude them.

    Source: Microsoft TechNet – MDT Forum – How to hide/show task sequence for specific users/user groups?


Issue with MDT 2010 Update 1 and Windows AIK for Windows 7 SP1

With the release of the Windows AIK for Windows 7 SP1 supplement (see Windows AIK for Windows 7 SP1 Released for details), a new version of Windows PE, 3.1, is available. If you plan to install this update, you need to be aware of an issue when using it with MDT 2010 Update 1.

With MDT 2010, Workbench will look for a “boot.wim” file from one of the imported operating systems that has the same build number as Windows AIK (e.g. “boot.wim” from a Windows 7 RC, build 7100, operating system to go with the Windows AIK for Windows 7 RC). If it finds a match, it will use that WIM instead. Why do we do this? Because the “boot.wim” contains the Windows Recovery Environment (Windows RE), a component that isn’t available in Windows AIK.

So let’s get a little more specific. First, some background details:

  • The build number for the RTM version of Windows 7 is 6.1.7600.16385.
  • The build number for Windows AIK for Windows 7, released with Windows 7 RTM, is also 6.1.7600.16385. This is stored in the registry.
  • The build number for Windows 7 SP1 is 6.1.7601.17514.
  • The build number for the files included in the Windows 7 AIK for Windows 7 SP1 supplement, including Windows PE 3.1 and all the Windows PE feature packs, is also 6.1.7601.17514. But since this supplement is installed by replacing files in the Windows AIK installation directory using XCOPY, the registry isn’t updated so MDT still thinks the Windows 7 RTM version (6.1.7600.16385) of Windows AIK is installed.

Now, let’s assume that you have Windows 7 RTM x86 installation files present in your deployment share, and you haven’t installed the Windows 7 AIK for Windows 7 SP1 supplement. MDT’s processing when creating a boot image will look like this:

  • Is there a boot.wim available with the same version number as Windows AIK (6.1.7600.16385 = 6.1.7600.16385)? Yes, copy it to a temporary folder and mount it.
  • Inject the required Windows PE optional components from the Windows AIK installation directory into this mounted boot image.
  • Inject the needed MDT scripts.
  • Commit the changes to the WIM file and copy it to the deployment share.

Now, install the Windows 7 AIK for Windows 7 SP1 supplement and update the deployment share:

  • Is there a boot.wim available with the same version number as Windows AIK (6.1.7600.16385 = 6.1.7600.16385)? Yes (because MDT doesn't know that Windows AIK has been updated; the registry still says it is version 6.1.7600.16385), copy it to a temporary folder and mount it.
  • Try to inject the required Windows PE feature packs from the Windows AIK installation directory into this mounted boot image. All fail, because they are built for Windows PE 3.1 and are not applicable to the Windows PE 3.0 boot image copied from the Windows 7 RTM files.
  • Stop.

The actual error will look something like this (repeated for each Windows PE feature pack):

Deployment Image Servicing and Management tool
Version: 6.1.7600.16385
Image Version: 6.1.7600.16385
Processing 1 of 1 – Adding package WinPE-HTA-Package~31bf3856ad364e35~x86~~6.1.7601.17514
Error: 0x800f081e
The specified package is not applicable to this image.
The DISM log file can be found at C:\Windows\Logs\DISM\dism.log
Exit code = –2146498530
DISM /Add-Package failed for component C:\Program Files\Windows AIK\Tools\PETools\amd64\WinPE_FPs\winpe-hta.cab, rc = -2146498530.

Solution:

Modify the Settings.xml file in the deployment share’s “Control” folder to tell MDT to never use the boot.wim. The settings look like this:

<Boot.x86.UseBootWim>True</Boot.x86.UseBootWim>
<Boot.x64.UseBootWim>True</Boot.x64.UseBootWim>

They should be changed to instead say:

<Boot.x86.UseBootWim>False</Boot.x86.UseBootWim>
<Boot.x64.UseBootWim>False</Boot.x64.UseBootWim>

As a result of this change, MDT will no longer use the boot.wim from the Windows 7 RTM installation files. Instead, it will always use the winpe.wim from Windows AIK. And since the Windows PE feature packs in Windows AIK should always match the winpe.wim in Windows AIK, this will always work.
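
An added example, not from the original post: a PowerShell script that detects the situation described above before you waste an "Update Deployment Share" run, and applies the Settings.xml change. It rests on two assumptions the page does not state, both mine: that MDT takes the Windows AIK version from the subkey name under HKLM\SOFTWARE\Microsoft\ComponentStudio, and that "dism /Get-WimInfo ... /Index:1" reports an image as a "Version : 6.1.7601" line plus a "ServicePack Build : 17514" line. The paths are placeholders.

```powershell
# Added example, not part of the original post or of MDT. Compares what MDT
# believes the AIK version to be (registry) with what winpe.wim and the imported
# OS boot.wim files actually are, then flips UseBootWim when a mismatch is found.
# Assumptions: the ComponentStudio registry layout and the DISM output lines
# named in the lead-in; the deployment share and AIK paths are placeholders.
param(
    [string]$DeploymentShare = 'D:\DeploymentShare',
    [string]$AikTools        = 'C:\Program Files\Windows AIK\Tools'
)

function Get-WimVersion {
    param([string]$Wim)
    $out = (& dism.exe /Get-WimInfo /WimFile:"$Wim" /Index:1 2>&1) | Out-String
    # DISM prints its own "Version:" header first; the image's line comes later,
    # so take the last match.
    $v  = [regex]::Matches($out, '(?m)^Version\s*:\s*([\d.]+)') | Select-Object -Last 1
    $sp = [regex]::Match($out, 'ServicePack Build\s*:\s*(\d+)')
    if (-not $v) { throw "DISM could not read $Wim`n$out" }
    if ($sp.Success) { return "$($v.Groups[1].Value).$($sp.Groups[1].Value)" }
    return $v.Groups[1].Value
}

# The version MDT reads from the registry versus the real winpe.wim version.
$aikReg = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\ComponentStudio' |
          Select-Object -First 1 -ExpandProperty PSChildName
$peWim  = Get-WimVersion (Join-Path $AikTools 'PETools\x86\winpe.wim')
Write-Host "Registry says AIK $aikReg, winpe.wim is $peWim"

# A boot.wim that matches the registry value but not winpe.wim is the one MDT
# will copy and then fail to service with the newer feature packs.
$stale  = @()
$osRoot = Join-Path $DeploymentShare 'Operating Systems'
foreach ($bootWim in (Get-ChildItem $osRoot -Recurse -Filter boot.wim)) {
    $osv = Get-WimVersion $bootWim.FullName
    if ($osv -eq $aikReg -and $osv -ne $peWim) { $stale += $bootWim.FullName }
}

if (-not $stale) { Write-Host 'No mismatch: leave Settings.xml alone.'; exit 0 }
$stale | ForEach-Object { Write-Host "Would be picked by MDT: $_" }

# Flip both UseBootWim switches, keeping a copy of the original file.
$settings = Join-Path $DeploymentShare 'Control\Settings.xml'
Copy-Item $settings "$settings.bak" -Force
$xml = [xml](Get-Content $settings)
foreach ($arch in @('x86', 'x64')) {
    foreach ($node in $xml.SelectNodes("//*[local-name()='Boot.$arch.UseBootWim']")) {
        $node.InnerText = 'False'
    }
}
$xml.Save($settings)
Write-Host 'Settings.xml updated; run Update Deployment Share to rebuild the boot images.'
```

The XPath lookup by local-name keeps the script independent of the root element name in Settings.xml, and the .bak copy lets you revert if you later remove the SP1 supplement and want the Windows RE-capable boot.wim back.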

Note that this will never be an issue with MDT-generated boot images used with ConfigMgr 2007, as MDT will always use the winpe.wim from Windows AIK when generating these. (ConfigMgr 2007 doesn’t yet support Windows PE 3.1, so don’t install the Windows AIK for Windows 7 SP1 supplement yet if you are using ConfigMgr.)

More info: Issue with MDT 2010 Update 1 and Windows AIK for Windows 7 SP1 Supplement


Deploy office 2010 and a previous office version together on one PC with MDT 2010

To deploy Office 2010 and a previous Office version together on one PC with MDT 2010, you need to do the following.

Needed:
- Office 2010 ISO
- Office 2010 Administrative Template files (ADM, ADMX/ADML) and Office Customization Tool

1. Make sure you have a working Office 2007 application in MDT. See How to deploy Office 2007 with MDT.

2. Extract the Office 2010 ISO to the application folder on the MDT server.

3. Extract AdminTemplates_32.exe or AdminTemplates_64.exe to a folder.

4. Copy the Admin folder from the extracted folder into the Office 2010 folder you created in step 2.

5. Run setup.exe /admin

6. Check the screenshots for the settings.
(screenshots of the Office Customization Tool settings not reproduced here)

7. Save the file in the Updates folder inside the Office folder. I named the file setup.MSP.

8. Create a new application without source files.

(screenshots of the New Application wizard not reproduced here)

Command line is:
setup.exe /adminfile "\\mdtservername\deploymentshare$\Applications\Microsoft Office 2010 x86\Updates\setup.msp"


MDT 2010 Automatically Move Computers to the Right OU

When I deploy client computers I always have two client task sequences: one for laptops and one for desktops.
I already blogged about joining the domain. You can find it here: http://www.wardvissers.nl/2009/12/20/mdt-2010-join-domain/.

I had an issue joining the computers to the right OU for the two task sequences.

I found a great solution to fix it.

Here is how I did it.

Open the right task sequence. In my case it was the laptop one.

This is the default setting of the Gather step:
(screenshot not reproduced here)

Change it to "Gather local data and process rules" and fill in customsettings.ini as the rules file.
(screenshot not reproduced here)

Open Customsettings.ini

Change the following

[Settings]
Priority=Default
Properties=MyCustomProperty

to

[Settings]
Priority=TaskSequenceID, Default
Properties=MyCustomProperty

Add the following text.

[LAPTOP]
MachineObjectOU=ou=laptops,ou=ward,dc=wardvissers,dc=local

You can do the same for desktops with a section named after the desktop task sequence ID.

When you deploy a new computer it now lands in the right OU. I love MDT!
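
The order in Priority= matters here for the same reason it matters in the earlier post on restricting task sequences by user. The following PowerShell is an added example, not MDT's own code: a small model of how ZTIGather walks CustomSettings.ini (sections in Priority order, a section name taken from the current value of the property it is named after, and a scalar property keeping the first value it gets), run over both rules at once. The CustomSettings.ini text inside it is constructed for the example, Nothing is MDT's built-in empty selection profile, and the function names are mine.

```powershell
# Added example, not MDT's code: a model of how ZTIGather applies
# CustomSettings.ini, to show why the order of Priority= decides whether the
# per-user WizardSelectionProfile rule and the per-task-sequence
# MachineObjectOU rule take effect.

function ConvertFrom-Ini {
    param([string]$Text)
    $ini = @{}; $section = $null            # hashtable keys are case-insensitive
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $matches[1]; $ini[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+)=(.*)$') {
            $ini[$section][$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $ini
}

function Resolve-MdtRules {
    param($Ini, $Gathered)   # $Gathered: what MDT already knows (UserID, TaskSequenceID, ...)
    $props = $Gathered.Clone()
    foreach ($p in ($Ini['Settings']['Priority'] -split ',' | ForEach-Object { $_.Trim() })) {
        # "Default" is read literally; any other entry names a property whose
        # current value is the section to read ([helpdesk] for UserID=helpdesk).
        if ($p -eq 'Default') { $name = 'Default' } else { $name = $props[$p] }
        if (-not $name -or -not $Ini.ContainsKey($name)) { continue }
        foreach ($k in $Ini[$name].Keys) {
            # A property keeps the first value it got; later sections cannot override it.
            if (-not $props.ContainsKey($k)) { $props[$k] = $Ini[$name][$k] }
        }
    }
    return $props
}

# CustomSettings.ini constructed for the example: the per-user rule from the
# "restricting task sequences" post and the per-task-sequence rule from this one.
$customSettings = @'
[Settings]
Priority=UserID, TaskSequenceID, Default
Properties=MyCustomProperty

[helpdesk]
WizardSelectionProfile=Helpdesk

[LAPTOP]
MachineObjectOU=ou=laptops,ou=ward,dc=wardvissers,dc=local

[DESKTOP]
MachineObjectOU=ou=desktops,ou=ward,dc=wardvissers,dc=local

[Default]
WizardSelectionProfile=Nothing
'@

$ini = ConvertFrom-Ini $customSettings
foreach ($who in @(@{ UserID = 'helpdesk'; TaskSequenceID = 'LAPTOP' },
                   @{ UserID = 'jdoe';     TaskSequenceID = 'DESKTOP' })) {
    $r = Resolve-MdtRules $ini $who
    Write-Host ("{0,-9} {1,-8} -> profile {2,-9} OU {3}" -f `
                $who.UserID, $who.TaskSequenceID, $r.WizardSelectionProfile, $r.MachineObjectOU)
}

# Same file with Default moved to the front: [Default] now sets
# WizardSelectionProfile first, and the helpdesk section is ignored.
$swapped = ConvertFrom-Ini ($customSettings -replace 'Priority=UserID, TaskSequenceID, Default',
                                                     'Priority=Default, UserID, TaskSequenceID')
$r = Resolve-MdtRules $swapped @{ UserID = 'helpdesk'; TaskSequenceID = 'LAPTOP' }
Write-Host "With Default first, helpdesk gets profile $($r.WizardSelectionProfile)"
```

The first gather runs before the wizard, when TaskSequenceID is still empty, so the [LAPTOP] section is skipped then and only applies on the second Gather step inside the task sequence; the model reproduces that by skipping any section whose naming property has no value yet.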


Advanced Deployment Scenarios using the Microsoft Deployment Toolkit 2010

I was pointed on Twitter to the following videos. I watched some of them; they are really interesting.

The videos:
TechNet Video: Advanced Deployment Scenarios using the Microsoft Deployment Toolkit 2010: (Part 1 of 7)Reviewing the Available Options in the Deployment Workbench

TechNet Video: Advanced Deployment Scenarios using the Microsoft Deployment Toolkit 2010: (Part 2 of 7)Create and Explore the Configuration Database

TechNet Video: Advanced Deployment Scenarios using the Microsoft Deployment Toolkit 2010: (Part 3 of 7)Configuring Role Methods in the Configuration Database

TechNet Video: Advanced Deployment Scenarios using the Microsoft Deployment Toolkit 2010: (Part 4 of 7)Configuring Other Methods in the Configuration Database

TechNet Video: Advanced Deployment Scenarios using the Microsoft Deployment Toolkit 2010: (Part 5 of 7)Configuring the Deployment Point to Use the Configuration Database

TechNet Video: Advanced Deployment Scenarios using the Microsoft Deployment Toolkit 2010: (Part 6 of 7)Using Linked Deployment Points

TechNet Video: Advanced Deployment Scenarios using the Microsoft Deployment Toolkit 2010: (Part 7 of 7)Custom Edit the Deployment Wizard to Add a New Page


MDT The task sequence has been suspended.

The error was: The task sequence has been suspended.
LiteTouch has encountered an Environment Error (Boot into WinPE)

I had a strange problem with MDT when I booted into WinPE.

Rebooting and starting the WinPE image again did nothing; the same error came back.

The solution is very simple.

You have to remove two directories, C:\_SMSTaskSequence and C:\MININT. They are left behind by an earlier, interrupted deployment, and LiteTouch treats their presence as a task sequence that is still in progress.

After that you can resume deploying the OS task sequence you want.

To be sure, I cleaned the disk with Diskpart.


MDT 2010 Multiple Partitions Issues & hidden Bitlocker partition

I had a new laptop on which I wanted to deploy x64 Enterprise and ran into a bug in the default MDT 2010 configuration.

I configured two partitions to use the whole disk. See the screenshots.
(screenshots of the Format and Partition Disk step not reproduced here)
When I deploy the task sequence I get the following error:

(photo of the error not reproduced here)
It wants to format partition D, but partition D is not available.
I ended the task sequence, opened the PE command window, started Diskpart and listed the volumes.

(photo of the Diskpart output not reproduced here)

The strange thing was that the extended partition had the drive letter S and was a raw partition.

After studying ZTIDiskpart.log (X:\MININT\SMSOSD\OSDLOGS\ZTIDiskpart_diskpart.log)

I found out that there was no space left to create the 300 MB partition for the BitLocker information.

So what did ZTIDiskpart.wsf do? It gave the last partition that was created the drive letter S, which is the default letter for the BitLocker partition, and then tried to format it with FAT32. Because in my case that partition was 200 GB, the format could not succeed (Windows will not format a FAT32 volume larger than 32 GB).

Solution:

Set the extended partition to use 95%. Then MDT has enough space to create the 300 MB hidden partition for BitLocker.

