How to speed up PXE boot in WDS (MDT)

 

During a PXE boot, when the boot image file is being loaded in the client, it should not take any longer than a few minutes time depending on the size of the boot.wim and your network. If it seems that your PXE boot times are extremely slow, you may be able to speed up the process by increasing the TFTP block size. This article will show you how to speed up PXE boot in WDS and SCCM.

Trivial File Transfer Protocol (TFTP) is the network protocol used for downloading all files during network boots. TFTP is an inherently slow protocol because it requires one ACK (acknowledgment) packet for each block of data that is sent. The server will not send the next block in the sequence until the ACK packet for the previous block is received. As a result, on a slow network, the round-trip time can be very long.

Change the Maximum Block Size to 16784 on your WDS server Winking smile

image

MDT Packages & WSUS a very nice feature.

I long time ago I wrote a acticle mdt-automatisch-updates-via-wsus-laten-installeren-tijdens-het-deployen-van-het-os (Dutch) about using wsus with MDT.

After you deploy a Windows 7 SP1 machine updating takes a lot of time.

You can slipstream windows security updates when you deploy a machine… Windows 7 / Windows 8 / Windows 2008 R2 / Windows 2012.

How you do this: It’s quit simpley. Import de WSUS Content in to Packages.

 1

2

3

4

5

The error is normal because not everything is imported.

Important:

Delete every time you do this. Update & Hotfix packages. If you don’t you will end in a error state when you deploy a machine.

Enable Bitlocker with MDT

Bitlocker is a password centered disk encryption system built into Windows which encrypts your volumes and server platforms.

When your do a new deployment on a new computer with MDT you want automatically enable the TPM chip and encrypt the disk.

On 1 Feb 2012 a wrote an article about how to Enable TPM devices on HP Laptops trough MDT.

When you create a new client task sequence enable Bitlocker is default on.

After that I found a bug in MDT 2012 witch cost me al lot of time finding the answer.
MDT 2012 – Settings Per Task Sequence

So let’s begin.

Open Customsettings.ini

Change the following

[Settings]
Priority=Default
Properties=MyCustomProperty

to

[Settings]
Priority=TaskSequenceID, Default
Properties=MyCustomProperty

Add the following text.

[HP6560B] = TaskSequenceID in my Case
MachineObjectOU=ou=laptops,ou=ward,dc=wardvissers,dc=local
BdeInstallSuppress=NO
BDEDriveLetter=S:
BDEDriveSize=300
SkipBitLocker=NO
BDEInstall=TPM
BDERecoveryKey=AD
OSDBitLockerWaitForEncryption=TRUE
BDEKeyLocation=\\ward-bh01.wardvissers.local\Bitlocker$

And change the following SkipBitLocker=YES under [DEFAULT]

In my case on the OU Laptops I created the following Bitlocker Group Policy

image

Important:

Group Policy’s will break deployment’s

HP takes the next step and provides ready-made driver packages for MDT and SCCM

HP takes the next step and provides ready-made driver packages for MDT and SCCM for the business models of notebooks, desktops and workstations. The packages can be obtained via SoftPaq Download Manager (SDM) or from the HP support website. It appears they are primarily for the current generation of products.
To get the download manager, navigate to the HP manageability website: www.hp.com/go/easydeploy or directly to www.hp.com/go/sdm

Here are screenshots from the new packages in SoftPaq Download Manager and from the HP support website.


Special Thanks to: Deploymentresearch

Enable TPM devices on HP Laptops trough MDT

Yes, It can be done and it is pretty simple to. Here is what you need and how you should do it. Basically, the only thing you need is “BiosConfigUtility.EXE” and a text file with settings in it, add that to the TS and it will work like a charm, 🙂

Step One – Get the utility

The utility is a part of HP’s SSM (SP49507), SSM stands for “HP System Software Manager” and version I have been playing with is 2.14 Rev A. Download that from the ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.exe and if you need to see if your PC is in the list, check ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.html

Step Two – Create the file

This is how the file should look like and it should have the name TPMEnable.REPSET

image

If you look at the picture, you can see that in every section there is a *. That is our default value that will be pushed into the bios.

Step Three – Create a Command and verify that it works

Now, be a bit careful, TPM is a security device and if you look your self out, it could be “tricky” to get back, so now you have been notified at least. So, we need a command to set all this and also to set a BIOS password and here it is:

BIOSConfigUtility /SetConfig:TPMEnable.REPSET /NewAdminPassword:"Password1"

So, if you take the BIOSConfigUtility.exe and TPMEnable.REPSET and put them in the same folder and run the command (elevated) with a password that is better then mine and then reboot the machine, you will see that it is going to enable the TPM chip and now you can just enable BitLocker on the machine.

Step Four – Getting stuff into the TS

Now, this can be done in different ways, one is to create a Script, or a batch file or an MDT Application. The reason for me to have an application, is very simple. When I work at customers I create a lot of “things”, if they are applications, they are pretty easy to copy inside the deployment workbench, from my personal Deployment share to the customers and vice versa. I like drag and drop, it makes life more…relaxed…:-) One other story, if they are applications, you could use the “MandatoryApplications001=” in CS.ini

So this is how it looks in my Task Sequence

image image

(No, sorry, my password for TPM is not 111-something, trust my…)

Now when I have the application I can open my Task Sequence and modify that like this:

image image

In the first picture you can see that I have added the application called “CUSTOM – Hewlett-Packard – BIOS Configuration” and in the other picture you can see that I have one condition to run this and that is same condition as the task “Enable Bitlocker” has.

So, that was pretty easy, right 🙂

Step Five – some more things…

Configure BitLocker:

image

This is my settings (also default)

Just one small thing. Modify/Set this BDEKeyLocation= to something, otherwise the keyfile ends up locally on the c: drive…:-)

The Deployment Guys released Deployment Mindmaps

"Why deployment is so hard?", “Where can I find all related information?” What else I need to consider?”

Those or similar questions are normal during my any projects. After getting the same questions again and again, The Deployment Guys decided to create a Mindmap with all common links you need to know if you in the deployment space.

Attachment: MINDMAPS.zip Source:Deployment-Mindmaps

MDT Restricting the available Task Sequences by user

  1. Within DeploymentWorkbench go to Deployment Shares\<YourDeploymentshare>\Task Sequences.

  2. Organize the available task sequences into folders. Task sequences that aren’t in a folder can’t be restricted.

    image

  3. Within DeploymentWorkbench go to Deployment Shares\<YourDeploymentshare>\Advanced Configuration\Selection Profiles.

  4. Create a new selection profile and at “Select the folders that should be included in this selection profile” select the folders below Task Sequences that should be visible for this profile.

    image

  5. Edit CustomSettings.ini, add UserID to Priority before the value Deffault under [Settings]:

    [Settings]
    Priority=UserID, Default 
  6. Define a section in CustomSettings.ini in the form [userid]. Example: if the User ID is Helpdesk then the section should be [helpdesk].

  7. Define the selection profile to be used for this user below this section. Example: to give helpdesk access to the Helpdesk selection profile, add the following:

    [helpdesk]
    WizardSelectionProfile=Helpdesk
  8. Create a selection profile in which no folder has been selected and place a WizardSelectionProfile=nameofemptyselectionprofile below [Default] if you want none other than the defined user IDs to have access to the task sequences.

  9. Now when the user logs into the wizard in the WinPE environment, he/she sees only the task sequences that are available in the selection profile.

    image

    Source:Microsoft TechNet – MDT Forum – How to hide/show task sequence for specific users/user groups?