Kosvarnin

Autounattend - Open File - Security Warning

17 posts in this topic

Here's the deal guys, and I am hoping someone out there has not had this issue. Technically I have two, but the "Open File - Security Warning" is the bigger of the two. My unattended install works if I do not put any RunSynchronousCommands, which we know is the new way to do RunOnce in Windows 7. I can get it to load without it, but if I add programs into the system I come across the issue. Obviously, the goal like most anyone is to have it run the files in order and without issue.

The programs I have tried to load and had this error are:

  1. Java RunTime Installer
  2. Filezilla
  3. 7 Zip
  4. Shockwave Re-Distributable Install
  5. Flash Re-Distributable Install
  6. Adobe Reader Re-Distributable Install
  7. Citrix XenApp Web Client 11.2
  8. etc...

I have tried the cmd.exe /c style of calling the applications and get the error. I have tried it without and get the error. I have tried using RunSynchronousCommands in the 4-Specialize section of the XML and in the SynchronousCommands of the 7-oobeSystem section of the XML.

Please note I am using the WAIK and that I am trying to do this with Windows 7 Professional - x64 bit version. Has anyone had success with this? If so, how? The easiest way to get everyone on the same page is to just try getting Filezilla and Java installed without getting the prompt. Also, I have found that after RunSynchronousCommands under 4-specialize get through the Deployment section, that it errors on the Deployment option for some reason. Windows won't give me much more of an error than that. Any help would be awesome.


Take a look at this, there seems to be a fix after the OS is installed. But you would have to figure out how to push the needed reg settings into your profile before the synchronous commands run.

http://social.technet.microsoft.com/Forums/en-US/itproxpsp/thread/e3008c75-48b4-4a6c-bc14-5a20ce72cd7f

One method might be to mount your WIM offline and edit the hives manually, another could be to script it to occur during the setupcomplete.cmd stage.

I haven't had this problem at all with any .EXE during setupcomplete.cmd, maybe before going to all the above trouble, first try installing your apps using SetupComplete.cmd via the $OEM$ folders.

HINT: SetupComplete.cmd runs in an administrative context, while any synchronous commands only run as the logged in user.

Edited by MrJinje

Take a look at this, there seems to be a fix after the OS is installed. But you would have to figure out how to push the needed reg settings into your profile before the synchronous commands run.

http://social.technet.microsoft.com/Forums/en-US/itproxpsp/thread/e3008c75-48b4-4a6c-bc14-5a20ce72cd7f

One method might be to mount your WIM offline and edit the hives manually, another could be to script it to occur during the setupcomplete.cmd stage.

I haven't had this problem at all with any .EXE during setupcomplete.cmd, maybe before going to all the above trouble, first try installing your apps using SetupComplete.cmd via the $OEM$ folders.

HINT: SetupComplete.cmd runs in an administrative context, while any synchronous commands only run as the logged in user.

This is the first I have heard of the SetupComplete.cmd method. To dig through the forums I will go to figure out that method. Should make things easier.


Take a look at this, there seems to be a fix after the OS is installed. But you would have to figure out how to push the needed reg settings into your profile before the synchronous commands run.

http://social.technet.microsoft.com/Forums/en-US/itproxpsp/thread/e3008c75-48b4-4a6c-bc14-5a20ce72cd7f

One method might be to mount your WIM offline and edit the hives manually, another could be to script it to occur during the setupcomplete.cmd stage.

I haven't had this problem at all with any .EXE during setupcomplete.cmd, maybe before going to all the above trouble, first try installing your apps using SetupComplete.cmd via the $OEM$ folders.

HINT: SetupComplete.cmd runs in an administrative context, while any synchronous commands only run as the logged in user.

Worked very well. I even figured out how to get around the "Open File - Security Warning" on any files that would prompt that question: I would go to my PC, right-click the files and go to Properties. At the bottom of the Properties window is a button marked "Unblock". So, if I hit Unblock on the file and save it to the media (which is a USB for me), then during unattended installation, the system will not have the issue. Not sure if other Vista or XP will not show the issue then or if there is a way to do this on them. However, if you have Windows 7 OS as the system you are building your unattended on, then you should have that option. Also, I did not have to do it for MSI files even though they had the option. Anyways, thanks!

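Added example, not part of the original posts: the Unblock button described above removes the file's Zone.Identifier alternate data stream, so this PowerShell script checks each installer against a pinned SHA-256 and its Authenticode status before unblocking it and copying it to the deployment media. The directory paths, file names and hash placeholders are assumptions; it needs PowerShell 4.0 or later and an NTFS staging volume.

```powershell
# Added example, not from the thread. Paths, file names and hashes are placeholders.
$StagingDir = 'C:\Staging\Installers'   # hypothetical: where downloaded installers land
$MediaDir   = 'E:\Installers'           # hypothetical: folder on the deployment media

# Pinned SHA-256 values taken from each vendor's download page (fill in).
$Pins = @{
    'FileZilla_setup.exe' = '<SHA256-FROM-VENDOR>'
    '7z-x64.exe'          = '<SHA256-FROM-VENDOR>'
}

function Test-Installer {
    # Returns $null when the file may be unblocked, otherwise the reason it may not.
    param([string]$Path, [hashtable]$Pins)
    $name = Split-Path -Path $Path -Leaf
    if (-not $Pins.ContainsKey($name)) { return 'no pinned hash' }
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($hash -ne $Pins[$name]) { return 'hash mismatch' }
    # Unsigned installers pass on the hash alone; a broken signature never passes.
    $status = (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
    if ($status -ne 'Valid' -and $status -ne 'NotSigned') { return "signature: $status" }
    return $null
}

foreach ($file in Get-ChildItem -Path $StagingDir -Filter *.exe -File) {
    $problem = Test-Installer -Path $file.FullName -Pins $Pins
    if ($problem) {
        Write-Warning "$($file.Name): left blocked ($problem)"
        continue
    }
    # The mark is an NTFS alternate data stream; ZoneId=3 means it came from the Internet zone.
    $motw = Get-Item -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($motw) {
        $zone = Get-Content -Path $file.FullName -Stream Zone.Identifier |
            Where-Object { $_ -like 'ZoneId=*' }
        Write-Output "$($file.Name): removing mark ($zone)"
        Unblock-File -Path $file.FullName
    }
    Copy-Item -Path $file.FullName -Destination $MediaDir
    Write-Output "$($file.Name): verified and staged"
}
```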

When I used to run XP systems, the first time the lab machine would run across this I would simply uncheck the "warn me..." box on that dialog, and it would do basically the same thing and no one else would have the issue running that same executable again.


I run firstlogon commands via network share, and I get this warning too. Now, how exactly do I elevate it... does anybody have any good ideas?


I run firstlogon commands via network share, and I get this warning too. Now, how exactly do I elevate it... does anybody have any good ideas?

I was going to ask this! Network share always prompts you as it is an Untrusted Zone. What I end up doing (to get past this issue) is to copy the installer files to the HDD and then have the installs run from there. The local machine is a trusted zone, and should not prompt you to run the programs. Of course, I copy the installers over before the machine boots and write a registry key so the programs load when the Desktop loads.


In IE8, if I were to add file://bbx (bbx is a network computer) to advanced under intranet, this popup vanishes.

So I've tried several of these in autounattend.xml

<LocalIntranetSites>\\bbx\</LocalIntranetSites>

<LocalIntranetSites>file://bbx/</LocalIntranetSites>

<LocalIntranetSites>files://bbx</LocalIntranetSites>

Nothing works. Entering IE8, Local intranet, I don't see this added.

Can anyone help?


Since adding sites to a security zone is just a registry setting, why not make sure these are in the default user hive?


How exactly would I do that?

It might be easier to export them from your registry. (then merge using a first login command or setupcomplete.cmd)

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\


I'll give that a shot, in any case, what's up with localintranetsites, how does that directive work, does anybody know?


I'll give that a shot, in any case, what's up with localintranetsites, how does that directive work, does anybody know?

http://technet.microsoft.com/en-us/library/cc749588(WS.10).aspx

LocalIntranetSites

LocalIntranetSites specifies the URL for local intranet sites whose content can be trusted by administrators and users for whom Internet Explorer Enhanced Security Configuration (ESC) is enabled.

When Internet Explorer ESC is enabled, it reduces the exposure of your server to potential security attacks from Web pages that do not belong to the Local intranet zone.

For more information, see Microsoft-Windows-IE-ESC.

Note: This setting is available only for Windows Server® 2008 family editions.



<component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <RunSynchronous>
        <RunSynchronousCommand wcm:action="add">
            <Order>1</Order>
            <Path>reg add "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bbx" /v "file" /t REG_DWORD /d 1 /f</Path>
            <Description>Whitelist BBX</Description>
        </RunSynchronousCommand>
        <!-- <RunSynchronousCommand wcm:action="add">
            <Order>1</Order>
            <Path>reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v "1806" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v "CurrentLevel" /t REG_DWORD /d 0 /f</Path>
            <Description>Elevate open file security warning.</Description>
        </RunSynchronousCommand>-->
    </RunSynchronous>
</component>

Any idea why this doesn't work?


reg add "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bbx" /v "file" /t

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v "1806" /t REG_DWORD /d 0 /f && reg add

Any idea why this doesn't work?

To quote in an XML when you have blank spaces:

cmd /c reg add "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bbx" /v

Edited by maxXPsoft

Fixed it. Doesn't require cmd /c.

Used HKLM instead of HKCU.

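Added example, not part of the original posts: a post-deployment check, in PowerShell, that the per-host mapping discussed in the thread (the "file" protocol for host bbx mapped to zone 1, Local intranet) is present, and that value 1806 of the Internet zone (zone 3), which the commented-out command above would set to 0, has not been opened up for every site. It assumes the same key layout under HKLM as the HKU and HKCU paths quoted in the posts.

```powershell
# Added example, not from the thread. 'bbx' is the host name used in the posts above.
$InternetSettings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$HostName = 'bbx'

function Get-RegValue {
    # Returns the value data, or $null when the key or value does not exist.
    param([string]$KeyPath, [string]$Name)
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$report = foreach ($hive in 'HKLM:', 'HKCU:') {
    New-Object psobject -Property @{
        Hive             = $hive
        # Value name is the protocol, data is the zone number (1 = Local intranet).
        FileZoneForHost  = Get-RegValue "$hive\$InternetSettings\ZoneMap\Domains\$HostName" 'file'
        # 1806 = "Launching applications and unsafe files": 0 allow, 1 prompt, 3 block.
        InternetZone1806 = Get-RegValue "$hive\$InternetSettings\Zones\3" '1806'
    }
}
$report | Format-Table Hive, FileZoneForHost, InternetZone1806 -AutoSize

# A missing value is $null, and $null -eq 0 is False, so only an explicit 0 is flagged.
if ($report | Where-Object { $_.InternetZone1806 -eq 0 }) {
    Write-Warning 'Internet zone launches files without prompting; restore 1806 to 1 (prompt).'
}
if (-not ($report | Where-Object { $_.FileZoneForHost -eq 1 })) {
    Write-Warning "No Local intranet mapping for file://$HostName was found in HKLM or HKCU."
}
```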
