Yes, It can be done and it is pretty simple to. Here is what you need and how you should do it. Basically, the only thing you need is “BiosConfigUtility.EXE” and a text file with settings in it, add that to the TS and it will work like a charm, :-)
Step One – Get the utility
The utility is a part of HP’s SSM (SP49507), SSM stands for “HP System Software Manager” and version I have been playing with is 2.14 Rev A. Download that from the ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.exe and if you need to see if your PC is in the list, check ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.html
Step Two – Create the file
This is how the file should look like and it should have the name TPMEnable.REPSET
If you look at the picture, you can see that in every section there is a *. That is our default value that will be pushed into the bios.
Step Three – Create a Command and verify that it works
Now, be a bit careful, TPM is a security device and if you look your self out, it could be “tricky” to get back, so now you have been notified at least. So, we need a command to set all this and also to set a BIOS password and here it is:
BIOSConfigUtility /SetConfig:TPMEnable.REPSET /NewAdminPassword:”Password1″
So, if you take the BIOSConfigUtility.exe and TPMEnable.REPSET and put them in the same folder and run the command (elevated) with a password that is better then mine and then reboot the machine, you will see that it is going to enable the TPM chip and now you can just enable BitLocker on the machine.
Step Four – Getting stuff into the TS
Now, this can be done in different ways, one is to create a Script, or a batch file or an MDT Application. The reason for me to have an application, is very simple. When I work at customers I create a lot of “things”, if they are applications, they are pretty easy to copy inside the deployment workbench, from my personal Deployment share to the customers and vice versa. I like drag and drop, it makes life more…relaxed…:-) One other story, if they are applications, you could use the “MandatoryApplications001=” in CS.ini
So this is how it looks in my Task Sequence
(No, sorry, my password for TPM is not 111-something, trust my…)
Now when I have the application I can open my Task Sequence and modify that like this:
In the first picture you can see that I have added the application called “CUSTOM – Hewlett-Packard – BIOS Configuration” and in the other picture you can see that I have one condition to run this and that is same condition as the task “Enable Bitlocker” has.
So, that was pretty easy, right :-)
Step Five – some more things…
This is my settings (also default)
Just one small thing. Modify/Set this BDEKeyLocation= to something, otherwise the keyfile ends up locally on the c: drive…:-)