
SP2 Unattend working in final release?



One of our many problems with the "forced" nature of the SP2 install from automatic updates is that the installed firewall is removing our ability to monitor our desktops.

We are planning on blocking all traffic to windowsupdate.microsoft.com to make sure that the updates do not come down on the 16th. Then we are planning on releasing SP2 (using update.exe) while adding some exemptions to the firewall configuration to allow our security machines to monitor certain ports.

The Problem;

MS has removed the /unattend:<path>\unattend.txt switch from the SP2 install. I have been through all of the MS documentation and can not find a way to include a custom firewall configuration with the SP2 install.

BTW, we have already created a slipstream CD for new XP installs but this will not help with my existing XP desktops.

Any ideas?



Expand netfw.in_ from the SP2 network install. (I'm assuming you've already extracted the 200 meg file to its components.) There is a document on the Microsoft servers on how to add entries for what you want (trusted sites and settings). Go to the MSFN main page, and go to search >> Firewall (I'll put a link in a sec).

http://www.microsoft.com/downloads/details...&DisplayLang=en

when done modifying it, makecab netfw.inf

As far as I'm aware, the original SP1a executable had NO /unattend either. It uses the simple update.exe file, with the typical switches to make it silent ( /N /Z /O /Q or some such, /? for more info). That will install SP2 and use your settings from netfw.inf that you specify.


Thanks for the replies!!

I had gone through the same documents but came up with some other problems;

When I expand out WindowsXP-KB835935-SP2-ENU.exe I get two netfw.in_ files. They are in i386\ip and i386\ic, not sure which one would be the one to use. Both files look like;


According to the MS documentation these files should be readable. And I should be able to update the files, rename them to netfw.ini and then the settings will take. My understanding, though, is that netfw should be included, like the unattend.txt file, with a full OS, windows XP (SP2), install not just the SP2 upgrade.

I guess I was assuming that since MS was forcing this update on us, they would give us the ability to configure it the way we want.... Stupid me!

Either way, it looks like I am stuck.

FYI. In order to get around this, we are just running a registry hack that adds the exceptions we want. Real easy, just import a .reg file to the registry with;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"135:TCP"="135:TCP:192.168.5.0/255.255.255.255:Enabled:Port 135"

Change the key to StandardProfile\GloballyOpenPorts\List for non AD domain desktops. The syntax is

"<Port>:<UDP/TCP>"="<Port>:<TCP/UDP>:<IP Address>/<Subnet>:<Enabled/Disabled>:<Common Name>"

Port is the port you want to allow through, address/subnet is the address of the remote machine that you want to allow through and common name is whatever you want to label this exception.

Same thing as netfw.in_, just a little less automated.

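An added example (not from the thread or from Microsoft): a Python audit of GloballyOpenPorts\List values in the syntax given above, reporting enabled exceptions that are open to any source and entries whose value name and data disagree. The sample lines are constructed; the `*` and `LocalSubnet` scope keywords do not appear in this thread and are assumed here, and only IPv4 scopes are handled.

```python
import ipaddress
import re

# Constructed sample lines, in the form a .reg export of
# ...\FirewallPolicy\DomainProfile\GloballyOpenPorts\List would contain.
SAMPLE_REG = '''
"135:TCP"="135:TCP:192.168.5.10/255.255.255.255:Enabled:RPC from monitor host"
"445:TCP"="445:TCP:*:Enabled:File sharing"
"161:UDP"="161:UDP:192.168.5.0/255.255.255.0,10.1.1.7:Enabled:SNMP polling"
"139:TCP"="139:TCP:LocalSubnet:Disabled:NetBIOS session"
"3389:TCP"="3390:TCP:*:Enabled:Name and data disagree"
'''

ENTRY = re.compile(
    r'^"(\d+):(TCP|UDP)"="(\d+):(TCP|UDP):([^:]+):(Enabled|Disabled):(.*)"$', re.IGNORECASE)

def parse_scope(scope):
    """Return 'any', 'localsubnet', or a list of IPv4 networks."""
    if scope == "*" or scope.lower() == "localsubnet":
        return "any" if scope == "*" else "localsubnet"
    # strict=False tolerates host bits set under the mask
    return [ipaddress.ip_network(p.strip(), strict=False) for p in scope.split(",")]

def source_allowed(scope, source_ip):
    """True/False if scope admits source_ip; None if it depends on the local subnet."""
    parsed = parse_scope(scope)
    if isinstance(parsed, str):
        return True if parsed == "any" else None
    return any(ipaddress.ip_address(source_ip) in net for net in parsed)

def audit(reg_text):
    """Return (value_name, finding) pairs for entries that need review."""
    findings = []
    for line in filter(None, map(str.strip, reg_text.splitlines())):
        m = ENTRY.match(line)
        if not m:
            findings.append((line, "unparseable entry"))
            continue
        kport, kproto, port, proto, scope, mode, _label = m.groups()
        name = f"{kport}:{kproto.upper()}"
        if (kport, kproto.upper()) != (port, proto.upper()):
            findings.append((name, "value name and data disagree"))
        if mode.lower() != "enabled":
            continue  # a disabled exception does not open the port
        try:
            if parse_scope(scope) == "any":
                findings.append((name, "open to any source address"))
        except ValueError:
            findings.append((name, "invalid scope"))
    return findings
```

`source_allowed` can be used before rollout to confirm that the monitoring host's address actually falls inside the address/mask written into an exception.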


You have to expand the files! :lol:

Open CMD.exe and do:

expand netfw.in_ netfw.ini

(I'm not too sure if it's an INI or an INF file, try both and see which one works! ;)


I have been through all of the MS documentation and can not find a way to include a custom firewall configuration with the SP2 install.

Deploying Windows Firewall Settings for Windows XP Service Pack 2

Ever wondered how to customize the operational mode and exception list entries in the new Windows Firewall in Windows XP SP2? Learn more about this powerful new feature and how to modify its settings before or after installation.

Using the Windows Firewall INF File in Microsoft Windows XP Service Pack 2

Ever wondered how to customize settings such as the operational mode and exception list entries in the new Windows Firewall in Windows XP SP2? Learn more about this powerful new feature and how network administrators can modify its settings before or after installation

These help?

They all come from here

http://www.microsoft.com/technet/prodtechn...n/winxpsp2.mspx


Open CMD.exe and do:

expand netfw.in_ netfw.ini

(I'm not too sure if it's an INI or an INF file, try both and see which one works! ;)

Or rename to "netfw.cab" and use winrar to extract.:)

It contains a text file called "netfw.inf".


If this is for a company, are you using AD? If you are, update a GPO with the new firewall settings that you require open and push it down that way. We are using that at our company and it works great. If you find later that you need another port open, modify the GPO and when the clients refresh they will get the new settings automatically.


You have to expand the files! :lol:

Open CMD.exe and do:

expand netfw.in_ netfw.ini

(I'm not too sure if it's an INI or an INF file, try both and see which one works! ;)

That's exactly what I was looking for...

Thanks, I'm sorry if I should have known that! I definitely did not read that in any of the documentation. MS's document reads;

1. Copy the default Windows Firewall INF file (Netfw.in_) from a Windows XP SP2 CD image.

2. Make the desired modifications to the INF file. Directions for modifying the INF file are provided in the "Configuration Options Provided in the Windows Firewall INF File" section of this article.

3. Save the modified INF file as Netfw.in_.

Step 4 says;

Sign the modified Netfw.in_.

Maybe something I should know how to do, also, but how do I "sign" the file?

5. Replace the default Netfw.in_ with the modified Netfw.in_ in the Windows XP SP2 CD image.

Should I replace both the Netfw.in_ files sitting in the ic and ip directories? Would that modify the default settings for the SP2 install?

6. Install Windows XP SP2 as normal from the modified Windows XP SP2 CD image.

Again, thanks a lot for all of your help!!


  • 2 weeks later...

Ok .. here it is .. in case no one has posted otherwise .. the how-to, step by step

How to disable the Windows XP SP2 Firewall DURING Installation

1. There are 2 netfw.in_ files in the Network installation download of SP2 for IT professionals.

2. Take 1, and go to a command prompt, type "expand netfw.in_ netfw.inf"

3. Open it up and make the file look like what is below

[version]

Signature = "$Windows NT$"

DriverVer =07/01/2001,5.1.2600.2180

[DefaultInstall]

AddReg=ICF.AddReg.DomainProfile

AddReg=ICF.AddReg.StandardProfile

[ICF.AddReg.DomainProfile]

HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","EnableFirewall",0x00010001,0

HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","DisableNotifications",0x00010001,1

[ICF.AddReg.StandardProfile]

HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","EnableFirewall",0x00010001,0

HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DisableNotifications",0x00010001,1

4. Once you have made this file, use "makecab netfw.inf netfw.in_" and copy this new netfw.in_ back into the IC and IP directory. This will make the firewall disabled upon installation.


Cheers mate. Any ideas how i could then get this modified pack to be installed by SUS?

I think you might prefer using the extracted sp2 files and use the update.msi in an installation GPO (you're using SUS, so I presume you're running AD anyway).

