anyweb

very cool indeed, once you get the hang of UEFI it's very straightforward, next you need to try UEFI and pre-provisioning of bitlocker together ! by the way the Dell E6430 has Network UEFI boot capability

currently SP1 BETA is NOT supported in production, so only do this in your LAB, or use the supported OS and you'll be just fine.

we are not using Wake on Lan in this setup therefore you need to manually start up the virtual machine, I hope that explains it for you

so is your primary server running Server 2012 ?

standalone media only supports one task sequence.

you do not need MDT, you need up to three components from the Windows Assessment and Deployment Kit all described in great detail here. The requirement for the ADK is in order to deploy Windows 8 and Windows Server 2012. Side note: while you do not need MDT (Microsoft Deployment Toolkit) it is a very useful addition to any Configuration Manager deployment.

Configuration Manager 2012 SP1 provides several new features when it comes to OSD and one in particular that I like is the ability to deploy hidden task sequences, what this means is that you can target task sequences to a collection and they will be hidden from view in Software Center, Boot Media and PXE boot unless you know how to access them. I will assume that you already have a Deploy Windows 8 X64 (or similar) task sequence created at this point and now want to avail of making one hidden. Why would you want to hide a task sequence ? well perhaps you are still testing features within the task sequence that you do not want readily available to your users so hiding it is a good idea indeed. Step 1. Create a Hidden collection We will be deploying our hidden task sequence to a specific collection, so to make this easy to understand we'll create a new collection called Deploy Windows 8 Hidden, right-click on Device Collections and choose Create Device Collection, give the collection a suitable name like Deploy Windows 8 hidden and limit it to All Systems and click your way through the rest of the wizard, no need to configure any membership rules at this point as we will add computers to the collection later. Step 2. Copy an existing task sequence Locate a task sequence that you want to make hidden or create a new one from scratch, right click on the task sequence and choose Copy. once the task sequence is copied you'll get a message informing you. Locate the copied task sequence (the name was in the message above) and right click on it and rename it by choosing Properties, append the word Hidden. You can optionally add a category of Hidden and change the custom text to read Hidden Task Sequence as per the screenshot below. Step 3. Add a prestart file to a custom boot image This step is important as in order to access the hidden task sequence we need to add a prestart command via a file added to a custom boot image. The boot image should be separately created from your default X86 and X64 boot images as we don't want our normal task sequence deployments to be prompted with the prestart script. To create the custom boot image do as follows, right click on boot images and choose Add Boot Image. browse to the UNC path of your default X86 boot image (something like \\sccm.server2008r2.lab.local\SMS_P01\osd\boot\i386\boot.wim) and select that boot wim file fill in some details about this custom boot image including it's version (x86) and click your way through to the end of the wizard. Now that we have a custom boot image, let's right click on it and add some changes. select the Customization tab, and make sure to place a checkmark in the following options Enable prestart command Include files for the prestart command Enable command support (testing only) so that it is like the screenshot below Point the prestart command to the following script file by typing cscript.exe get_SMSTSPreferredAdvertID_via_Prestart.vbs here's the VBS get_SMSTSPreferredAdvertID_via_Prestart.vbs.txt Note: remove the .TXT extension on the file above before using it. save get_SMSTSPreferredAdvertID_via_Prestart.vbs to \\sccm\sources\os\extrafiles next click on the Deploy tab, make sure that Deploy this boot image from the PXE enabled distribution point is selected click ok and answer NO when prompted to update to Distribution points as we have not selected any distribution points for this boot image yet. Continue to the end of the wizard. Step 4. Distribute our prestart boot image Right click on our Prestart boot image and choose Distribute Content the distribute content wizard appears, add your distribution points and continue through the wizard until completion once done, right click on the Prestart Boot Image and choose Update Distribution Points, continue through that wizard. Step 5. Attach our prestart boot image to our hidden task sequence In Task Sequences, select our hidden task sequence, right click and choose properties, select the Advanced tab and change the boot image from the X86 default boot image to our hidden prestart boot image as per the screenshot below click apply and ok. Step 6. Add a computer to the hidden collection using direct membership (or whatever method you wish) add a computer to the hidden collection, verify the computer object exists in the collection before moving on to the next step. Step 7. Deploy the hidden task sequence right click on our new Hidden task sequence and choose Deploy choose our previously created Deploy Windows 8 hidden collection and click next and on the Deployment Settings screen click the down arrow beside Make available to the following and select Only media and PXE (hidden) click your way through the rest of this wizard. Step 8. Locate the Deployment ID of the hidden task sequence In Task sequences, select our hidden task sequence and click on the Deployments tab below it our Deployment is listed, click on the column in a blank space and right click to add new column options, select Deployment ID from the list. and now we can see our Deployment ID, take note of what it says (write it down). Step 9. PXE boot your client Now that the hard work is done, PXE boot the computer you added to the hidden collection, note the boot WIM file listed is the Image ID of our Prestart Hidden boot wim if you did everything above correctly you'll see the following immediatly after entering your PXE password (if you set one) and before the task sequences are normally displayed (assuming you have some available task sequences) enter the Deployment ID we noted from above, that was P012001B or don't enter it and just get to see the normal list of available task sequences. and if you entered the Deployment ID correctly you'll see your hidden task sequence kicking off, cool huh ? yup, cool. until next time, adios ! Next Steps: Perform the above 'on-demand', if you want to learn how, click here.

Now that we have Configuration Manager 2012 SP1 beta to test, there is a new BitLocker step in the default task sequences that allows us to enable BitLocker during the deployment and it is called pre-provision BitLocker. Pre-provision BitLocker gives us the ability to Encrypt the data on the disc (not the free space, just the used space) on the fly and that means you end up with an encrypted disc much faster than we are currently used to. Before you undertake this task though you'll need a few things in place, namely you need Configuration Manager 2012 Service Pack 1 installed and you'll need to be familiar with Deploying Windows 8 and BitLocker itself. WinPE 4 is a key part of pre-provisioning BitLocker, so if you don't have that version of WinPE you can forget about trying this. Installation of the ADK will upgrade your default WinPE boot images to the correct version. In this guide I'm assuming that you have already upgraded to Configuration Manager 2012 Service Pack 1 and that you have imported a Windows 8 install.wim image as described here. Step 1. Verify that Active Directory is ready for BitLocker perform the following on your Active Directory domain controller as a domain administrator. As part of our task sequence we will use the built-in Enable BitLocker which is configured by default to store the recovery key in Active Directory. Note: You can save BitLocker recovery information in AD DS if your domain controllers are running Windows Server 2003 with Service Pack 1 (SP1) or Service Pack 2 (SP2), Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2. You cannot save recovery information in AD DS if the domain controller is running a version of Windows Server earlier than Windows Server 2003 with SP1. In this guide I'm using a domain controller running Windows Server 2008 R2 Service Pack 1. On your active directory domain controller start up AdsiEdit, right click on Default naming context and select settings The Connection Settings window appears, in the Select a well known naming context section click on the drop down menu and select Schema. you should see a bunch of values starting with ms-FVE (scroll down to see them, it's a long list). The common name (CN) for the BitLocker recovery object is ms-FVE-RecoveryInformation. You have now verified that the Active directory Schema has the nescessary objects to store the keys. CN=ms-FVE-KeyPackage – attributeSchema object CN=ms-FVE-RecoveryGuid – attributeSchema object CN=ms-FVE-RecoveryInformation – classSchema object CN=ms-FVE-RecoveryPassword – attributeSchema object CN=ms-FVE-VolumeGuid – attributeSchema object CN=ms-TPM-OwnerInformation – attributeSchema object If the above objects are not present and you are running an earlier version of Windows Server then you may need to extend the Active Directory Schema to support Bitlocker, please review this page on Technet for information on that. If you want to easily check BitLocker recovery keys from within Active Directory then add the Windows Server BitLocker features below and reboot the server if prompted Step 2. Create a BitLocker Policies Group Policy Object perform the following on your Active Directory domain controller as a domain administrator. Start up Group Policy Management and right click on your domain name, choose Create a GPO in this Domain and link it here. give the new GPO a name, call it BitLocker Policies as per the screenshot below. Right click on the newly created GPO and choose Edit navigate to Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives and select the following policy, Choose how BitLocker-protected operating system drives can be recovered. Right click on the policy, choose edit, then Enable the setting and apply your changes. At this point our Group Policy is complete. Note: You can use a GPO Policy setting for encryption type. You can use Group Policy settings to enforce that either Used Disk Space Only or Full Encryption is used when BitLocker is enabled on a drive. Group Policy settings for BitLocker Drive Encryption are located under the \Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption path of Group Policy Editor Step 3. Create a new deploy task sequence with Bitlocker enabled perform the following on your Configuration Manager Server as SMSadmin BitLocker options get dynamically added to your task sequence during the create task sequence wizard based on the choices you make during the wizard. In the operating system deployment workspace of ConfigMgr right click on task sequences and select Create Task Sequence. The Create Task Sequence wizard appears, choose the first option Install an existing image package. fill in the Task Sequence Information, be specific, and select a boot image, we are deploying Windows 8 X64 in this example with BitLocker, however we select an X86 boot image. Note: If you are deploying Windows 8 X64 in UEFI mode in combination with BitLocker then you need to select a X64 boot image in this step otherwise it will not boot. The Install the Windows Operating System step decides whether or not we'll get the BitLocker steps added to our task sequence. By default the Bitlocker options are greyed out until we add an image that is BitLocker capable. (Windows Vista, Windows 7, Windows 8, however pre-provisioning with Vista is not supported). so select a Windows 8 image that you've added earlier and enter the product key and set an administrative password. Now you can see the BitLocker option is available, make sure that Configure Task sequence for use with BitLocker is selected. enter your domain join user credentials in the Configure Network step we can click through the next few screens (with the default settings) as we are only interested in BitLocker operations for the purpose of this guide Step 4. Add support for TPM operations in WinPE perform the following on your Configuration Manager Server as SMSadmin For the purposes of this guide we need to edit the task sequence to remove some un-needed functionality and add required functionality. We will disable all Capture and Restore User State Groups in the task sequence, we don't need those steps for verifying Pre-Provisioning of BitLocker, so right click on our newly created task sequence, choose Edit and disable the Capture and Restore User state sections as per the screenshot below. You can always re-enable these sections later to complete your deployment solution but for now, disable them. Next we need to add support for the hardware in question in terms of enabling the TPM in WinPE, I've covered this in great detail in the following post and in this task sequence we will use the exact same steps and software (I've tested and verified this on Dell Latitude E4200, E5510, E6320, should newer models require a newer version of CCTK for WinPE or a different method of doing this in Windows PE then i'll update this post with that information). Update: I've confirmed the above works even on brand new Dell Hardware (Dell Latitude E6430 bios version A03) using the latest CCTK available from here. Below is the same task sequence with the Enable TPM for BitLocker in WinPE section added from the post referenced above. Failure to add this section to your task sequence will mean you cannot do any TPM operations in WinPE. The Pre-Provision Bitlocker step looks like so in the task sequence and the Enable BitLocker step is already set to store the recovery key in active directory domain services as you can see here Tip: If you have no access to your AD environment and really want to test pre-provisioning BitLocker you can select the second option (do not create a recovery key) which will allow your Task sequence to complete but it of course won't store the recovery key anywhere and data could get lost if you don't know what you are doing. Be warned. Note: If you want to download the task sequence I created above then import the following ZIP file. Deploy Windows 8 X64 - with BitLocker Provisioning.zip Step 5. Deploy the task sequence perform the following on your Configuration Manager Server as SMSadmin Right click your new task sequence and choose Deploy, deploy it to a suitable collection as an Available deployment. for Deployment Settings choose Configuration Manager Clients, media and PXE click your way through to the end of that wizard. Step 6. PXE boot and monitor the deployment perform the following on your client computer PXE boot the computer and select our newly deployed Available (optional) task sequence (Deploy Windows 8 X64 - with BitLocker Provisioning) and off it goes....if you have a chance press F8 and type the following line manage-bde -status this should reveal something similar to the following saying that it's fully decrypted in order to set TPM options in Windows PE we use CCTK on Dell hardware, and these actions will reboot the computer, after the reboot it'll fly through the Pre-Provision BitLocker step so the thing to remember here is the Pre-Provision BitLocker is FAST, really FAST, so in order to see it you have to be fast, press F8 after that reboot and keep cycling through the manage-bde -status command while it gets to the Pre-Provision Bitlocker step and just after, you'll see something like this (sorry for the screenshots, it's on real hardware so difficult to take photos) here directly after the Pre-Provision BitLocker step we see encryption in progress seconds later it's up to 7.5%, yes that was seconds later !! you'll also note it's applying the operating system and it's referring to Enfo Workplace day, so if you are in the South of Sweden on September 28th drop by and say hi and i'll demo this in action. Let me know you are coming ok ? a few seconds later and it's done, yup 100% used space only encrypted ! while you are waiting for Windows 8 to deploy you can review SMSTS.log in X:\windows\temp\smstslog\smsts.log here's what mine looks like during the apply operating system step right after it has successfully Pre-Provisioned BitLocker, the screenshot below shows the step from the log on another computer just to highlight the step for you and what the TPM actions above it should look like. smsts.log after the Setup Windows and ConfigMgr step is complete the Enable Bitlocker step will take place and if you configured Active Directory correctly it will store the recovery key in AD, look for the line creating recovery password and escrowing to active directory. Below is the SMSTS.log file after the task sequence has completed... smsts.log At this point you can check Active Directory, in Active Directory Users and Computers right click n the computername in question and choose the BitLocker Recovery tab and that's it, you can verify it on the computer in question by opening a command prompt in Windows 8 and typing the following line manage-bde -protectors -get c: and finally, even though we already saw that Encryption was at 100% while in WinPE you'll notice that your hard disc is NOT busy encrypting because it's already DONE. Recommended Reading What's New in BitLocker - http://technet.micro...y/hh831412.aspx Bitlocker Changes in Windows 8 - http://www.windowsit...indows-8-142661 Backing Up BitLocker and TPM Recovery Information to AD DS - http://technet.micro...529(WS.10).aspx Verify BitLocker and TPM Schema Objects - http://technet.micro...3(v=ws.10).aspx Requirements to save Bitlocker Recovery Key to AD using MDT - http://blogs.technet...-using-mdt.aspx Understand and Troubleshoot BitLocker in Windows Server "8" Beta - http://www.microsoft...n.aspx?id=29032 BitLocker Enhancements in Windows Server 2012 and Windows 8 (Part 2) - Cluster Share Volume Support - http://www.windowsecurity.com/articles-tutorials/Windows_Server_2012_Security/BitLocker-Enhancements-Windows-Server-2012-Windows-8-Part2.html So there you have it, Pre-Provisioning BitLocker in WinPE during a Windows 8 deployment (Update: or Windows 7) is possible right now using Configuration Manager 2012 SP1. And doesn't it just rock ? oh yeah :-) Enjoy ! cheers niall

if you want it to be zero touch then you should make your deployments Required (mandatory) but be very very careful doing so, only target these task sequences to Deploy OS collections and never to collections containing lots of computers (like All Systems)

review this post, does it give you some ideas. also, include some logs so that we can understand your issue better.

error 31 is usually related to the product key specified in the apply operating system step, however it can be other things as determined via the smsts.log or setupact.log files.

not supported, so no, uninstall ConfigMgr, remove the server from that domain, rejoin it to a new domain and start again.

Configuration manager Capture takes care of sysprep for you, the task sequence prompts for sysprep files only if you are using Windows XP in which case you have to specify the files needed

and why did you add webdav ? I don't recall listing that anywhere in the guides. explain what problems it gave you please

make sure you've enabled PXE in three places, the dp, the boot image, and the deployment, make sure both boot images are updated to the dp's make sure that the computer is in a collection targetted with a deployed task sequence search for the MAC address of the computer you are pxe booting in the SMSPXE.log file cheers niall

just read the guides for installing the CAS and Primary and you'll be all set, it's all covered in there

and what is a standard task sequence or MDT integrated ? more info please about how you created it etc....

how much ram is in that computer ?

if you only have 500 systems to manage then you don't need a CAS. A standalone primary Configuration Manager 2012 server will be enough

is the configmgr client installed ?

which I pointed out in Step 11.

why do you ask ?

regarding deploying updates, you can use maintenance windows on collections to decide when the updates are applied and you can use Automatic deployment rules to deploy the updates automatically, as long as the computers have the configmgr client installed on them and can receive policy from their management point they should be ok even if they are workgroup computers.

With Windows 8, Windows RT devices, and Windows Phone 8 coming soon, we are excited to give you a preview of the new client management capabilities and vision we’ll be delivering in the coming months: System Center 2012 Configuration Manager Service Pack 1 Interoperability of Windows Intune and System Center Configuration Manager Console Management of Windows RT and Windows Phone 8 Windows Intune Licensing Changes Support for the Management of Windows Embedded devices System Center 2012 Configuration Manager Service Pack 1 (SP1) We are very pleased with the reception System Center 2012 has had since its release in April. Many organizations are in the process of deploying System Center 2012 Configuration Manager to help embrace consumerization while still maintaining corporate compliance and control. Over the past few months we’ve been detailing our plans for Configuration Manager Service Pack 1, and we’re happy to announce that the beta is now available for download on the Microsoft Download Center. This blog post focuses on the Configuration Manager capabilities in the service pack, as well as new information about Windows Intune. For information about the datacenter and cloud management capabilities of SP1, see the post on this blog. Configuration Manager SP1 enhancements include: Deployment and management of Windows 8 and Windows Server 2012 Distribution point for Windows Azure to help reduce infrastructure costs Automation of administrative tasks through PowerShell support Management of Mac OS X clients and Linux and UNIX servers One of the great new benefits of this platform are Windows 8 apps, and ConfigMgr 2012 SP1 allows you to deploy and update these apps alongside your existing native and virtual applications. SP1 will support the deployment and management of Windows to Go USB drives, as well as enable you to more easily manage policies for new Windows 8 client-side caching, roaming user profiles, and folder redirection features. For mobile workers, ConfigMgr 2012 SP1 Beta will include the new ability to detect 3G and 4G network connections to prevent delivering software at a time when data charges may apply. Interoperability of Windows Intune and System Center Configuration Manager Console The proliferation of mobile devices presents unique challenges for organizations of all sizes. These devices run various operating systems. With the concept of Bring Your Own Device (BYOD), they’re likely to be owned and controlled by the individual and cannot be “managed” like a typical corporate-controlled PC. They’re also typically not on the corporate network but instead utilize the Internet for connectivity, even to access corporate data. These challenges require flexibility in the way corporate policies are defined, such as determining which policies can and should be applied to which devices, and how those devices should be managed. Microsoft offers two separate endpoint management solutions – System Center 2012 Configuration Manager for on-premises management, and Windows Intune for management through the cloud. With System Center 2012 Configuration Manager Service Pack 1 and the next version of Windows Intune, Microsoft is taking the first step in delivering interoperability between these products through Configuration Manager’s administration console. This will enable customers to add mobile devices managed through the cloud with Windows Intune into their System Center 2012 Configuration Manager Service Pack 1 console and manage all the devices through one tool. While you can continue to use Windows Intune as your “fully in the cloud” management solution for PC and mobile device managment, the interoperability of our on-premises and cloud services is a big step forward for organizations that want to manage all of their devices from one place. Management of Windows RT devices and Windows Phone 8 If you already have System Center 2012 Configuration Manager, SP1 and the next version of Windows Intune will enable you to extend the reach of your management infrastructure to include mobile devices via the cloud. Windows Phone 8 and Windows RT devices will be managed by the next release of Windows Intune. IT Pros will have the flexibility of using either the Windows Intune or Configuration Manager 2012 SP1 console to set mobile security policies, distribute mobile apps and view reports. We’ll share more details as we get closer to the next release of Windows Intune. Windows Intune Licensing Changes To help organizations benefit from our Windows Intune and Configuration Manager SP1 solution for BYOD and other device management scenarios, we are changing our licensing for Windows Intune in the next release: We are shifting from a per-device to a per-user licensing model. Each user license for Windows Intune covers up to 5 managed devices. There will be a Windows Intune user license that includes the rights to System Center 2012 Configuration Manager, enabling organizations to manage those devices through either Windows Intune or Configuration Manager, or both. Organizations that already own System Center 2012 Configuration Manager licenses, such as through the Core CAL, will have access to Windows Intune at a reduced price. Today, all managed PCs covered by a Windows Intune license may be upgraded to Windows Enterprise as long as the qualifying OS is one of the following editions of Windows: Business, Professional, Ultimate, or Enterprise. This will continue to be available, but we will also make a version of Windows Intune available without rights to Windows Enterprise, thereby lowering the cost for organizations that are not ready to move to the latest operating system. Further details on pricing will be provide at a later date. Support for the Management of Windows Embedded devices With Service Pack 1, the capabilities of System Center 2012 Configuration Manager will be extended to manage Windows Embedded thin clients, Point-of-Sale (POS) terminals, digital signage, kiosks, and ThinPCs. This functionality means additional devices can be managed by System Center 2012 Configuration Manager SP1 without requiring any additional software. The upcoming Windows Embedded Standard 8, which will be available within three months from Windows 8 General Availability, has been architected for even easier management by System Center 2012 Configuration Manager. Next Steps If you are already deploying System Center 2012 Configuration Manager, you should continue the deployment to benefit from its management capabilities, while testing Configuration Manager SP1 in your lab. If you have not begun your deployment, we encourage you to evaluate all the benefits of Configuration Manager with SP1. To evaluate the current release of Windows Intune, you can sign up for a free 30-day trial of Windows Intune at http://www.windowsintune.com. Look for availability of System Center 2012 Configuration Manager SP1 and the next release of Windows Intune in early 2013. Thanks for reading! Server & Cloud Platform Team via > http://blogs.technet.com/b/server-cloud/archive/2012/09/10/system-center-2012-configuration-manager-sp1-beta-and-windows-intune-update.aspx

check this post which covers build and capture of Windows 7 X64 SP1, and you'll see that you can manage everything from the CAS, of course all the clients get their content from their nearest Distribution Point, and in a simple layout of CAS plus Primary, that's on the primary, almost everything you create in the console on the CAS is replicated throughout your heirarchy