ConfigMgr 2007: 6/6/10

10 June 2010

Sysprep parameters

You can use the following optional parameters with the Sysprep command in Windows XP:

-activated - Do not reset the grace period for Windows product activation. Use this parameter only if you have activated the Windows installation in the factory.
Important The product key that you use to activate the Windows installation must match the product key that is located on the COA sticker that is attached to that particular computer.
-audit - Restarts the computer in Factory mode without having to generate new security IDs (SIDs) or process any items in the [OEMRunOnce] section of the Winbom.ini file. Use this command-line parameter only if the computer is already in Factory mode.
-bmsd - Populates all the available mass storage devices in the [SysprepMassStorage] section.
-clean - Clears the critical devices database that is used by the [SysprepMassStorage] section in the Sysprep.inf file.
-factory - Restarts in a network-enabled state without displaying Windows Welcome or mini-Setup. This parameter is useful for updating drivers, running Plug and Play enumeration, installing programs, testing, configuring the computer with customer data, or making other configuration changes in your factory environment. For companies that use disk imaging (or cloning) software, Factory mode can reduce the number of images that are required.
When all the tasks in Factory mode are complete, run the Sysprep.exe file by using the -reseal parameter to prepare the computer for end-user delivery.
-forceshutdown - Shuts down the computer after the Sysprep.exe file finishes.
Note Use this parameter with computers that have an ACPI BIOS that do not shut down correctly with the default behavior of the Sysprep.exe file.
-mini - Configures Microsoft Windows XP Professional to use Mini-Setup instead of Windows Welcome. This parameter does not affect Microsoft Windows XP Home Edition, where the first-run experience is always Windows Welcome.
Note that if you plan to use the Sysprep.inf file to automate Mini-Setup, you must either run the Sysprep tool by using the -mini switch, or click to select the MiniSetup check box in the GUI interface. By default, if you do not choose to run Mini-Setup, Windows XP Professional runs the Windows Welcome.
-noreboot - Modifies registry entries (SID, OemDuplicatorString, and other registry entries) without the computer restarting or preparing for duplication. This parameter is mainly used for testing, specifically to see if the registry is modified correctly. Microsoft does not recommend this option because making changes to a computer after the Sysprep.exe file has run may invalidate the preparation that was completed by the Sysprep.exe file. Do not use this parameter in a production environment.
-nosidgen - Runs the Sysprep.exe file without generating new SIDs. You must use this parameter if you are not duplicating the computer where you are running the Sysprep.exe file or if you are preinstalling domain controllers.
-pnp - Runs the full Plug and Play device enumeration and installation of previous devices during Mini-Setup. This command-line parameter has no effect if the first-run experience is Windows Welcome.
Use the -pnp command-line parameter only when you must detect and install previous, non-Plug and Play devices. Do not use the sysprep -pnp command-line parameter on computers that only use Plug and Play devices. Otherwise, you will increase the time that it takes for the first-run experience without providing any additional benefit to the user.
Note When unsigned drivers are unavoidable, use the UpdateInstalledDrivers=yes parameter in conjunction with OemPnPDriversPath= and DriverSigningPolicy=ignore instead of the -pnp command-line parameter to provide a more seamless installation.
-quiet - Runs the Sysprep.exe file without displaying onscreen confirmation messages. This is useful if you are automating the Sysprep.exe file. For example, if you plan to run the Sysprep.exe file immediately after the unattended Setup program finishes, add the sysprep -quiet command to the [GuiRunOnce] section of the Unattend.txt file.
-reboot - Forces the computer to automatically restart, and then starts Windows Welcome Mini-Setup, or Factory mode, as specified. This is useful when you want to audit the computer and verify that the first-run experience is operating correctly.
-reseal - Clears the Event Viewer logs and prepares the computer for delivery to the customer. Windows Welcome or Mini-Setup is set to start the next time that the computer restarts. If you run the sysprep -factory command, you must seal the installation as the last step in your preinstallation process. To do this, run the sysprep -reseal command or click the Reseal button in the Sysprep dialog box.

Sysprep parameters

You can use the following optional parameters with the Sysprep command in Windows XP:

-activated - Do not reset the grace period for Windows product activation. Use this parameter only if you have activated the Windows installation in the factory.
Important The product key that you use to activate the Windows installation must match the product key that is located on the COA sticker that is attached to that particular computer.
-audit - Restarts the computer in Factory mode without having to generate new security IDs (SIDs) or process any items in the [OEMRunOnce] section of the Winbom.ini file. Use this command-line parameter only if the computer is already in Factory mode.
-bmsd - Populates all the available mass storage devices in the [SysprepMassStorage] section.
-clean - Clears the critical devices database that is used by the [SysprepMassStorage] section in the Sysprep.inf file.
-factory - Restarts in a network-enabled state without displaying Windows Welcome or mini-Setup. This parameter is useful for updating drivers, running Plug and Play enumeration, installing programs, testing, configuring the computer with customer data, or making other configuration changes in your factory environment. For companies that use disk imaging (or cloning) software, Factory mode can reduce the number of images that are required.
When all the tasks in Factory mode are complete, run the Sysprep.exe file by using the -reseal parameter to prepare the computer for end-user delivery.
-forceshutdown - Shuts down the computer after the Sysprep.exe file finishes.
Note Use this parameter with computers that have an ACPI BIOS that do not shut down correctly with the default behavior of the Sysprep.exe file.
-mini - Configures Microsoft Windows XP Professional to use Mini-Setup instead of Windows Welcome. This parameter does not affect Microsoft Windows XP Home Edition, where the first-run experience is always Windows Welcome.
Note that if you plan to use the Sysprep.inf file to automate Mini-Setup, you must either run the Sysprep tool by using the -mini switch, or click to select the MiniSetup check box in the GUI interface. By default, if you do not choose to run Mini-Setup, Windows XP Professional runs the Windows Welcome.
-noreboot - Modifies registry entries (SID, OemDuplicatorString, and other registry entries) without the computer restarting or preparing for duplication. This parameter is mainly used for testing, specifically to see if the registry is modified correctly. Microsoft does not recommend this option because making changes to a computer after the Sysprep.exe file has run may invalidate the preparation that was completed by the Sysprep.exe file. Do not use this parameter in a production environment.
-nosidgen - Runs the Sysprep.exe file without generating new SIDs. You must use this parameter if you are not duplicating the computer where you are running the Sysprep.exe file or if you are preinstalling domain controllers.
-pnp - Runs the full Plug and Play device enumeration and installation of previous devices during Mini-Setup. This command-line parameter has no effect if the first-run experience is Windows Welcome.
Use the -pnp command-line parameter only when you must detect and install previous, non-Plug and Play devices. Do not use the sysprep -pnp command-line parameter on computers that only use Plug and Play devices. Otherwise, you will increase the time that it takes for the first-run experience without providing any additional benefit to the user.
Note When unsigned drivers are unavoidable, use the UpdateInstalledDrivers=yes parameter in conjunction with OemPnPDriversPath= and DriverSigningPolicy=ignore instead of the -pnp command-line parameter to provide a more seamless installation.
-quiet - Runs the Sysprep.exe file without displaying onscreen confirmation messages. This is useful if you are automating the Sysprep.exe file. For example, if you plan to run the Sysprep.exe file immediately after the unattended Setup program finishes, add the sysprep -quiet command to the [GuiRunOnce] section of the Unattend.txt file.
-reboot - Forces the computer to automatically restart, and then starts Windows Welcome Mini-Setup, or Factory mode, as specified. This is useful when you want to audit the computer and verify that the first-run experience is operating correctly.
-reseal - Clears the Event Viewer logs and prepares the computer for delivery to the customer. Windows Welcome or Mini-Setup is set to start the next time that the computer restarts. If you run the sysprep -factory command, you must seal the installation as the last step in your preinstallation process. To do this, run the sysprep -reseal command or click the Reseal button in the Sysprep dialog box.

Join the computer silently to the Domain

Or, in the command you want to use:

netdom join /d:mydomain.com Computertobeaddednamehere /ud:mydomain.com\administrator /pd:oil@22

Join the computer silently to the Domain

Or, in the command you want to use:

netdom join /d:mydomain.com Computertobeaddednamehere /ud:mydomain.com\administrator /pd:oil@22

Batch file for loop in other way

echo ***** Are you sure you want to add these accounts? *******
echo *** If not, press CTRL-C to terminate this batch file ***
pause
FOR %%X IN (NT1 NT2 NT3 NT4 NT5) DO NET COMPUTER \\%%X /ADD
FOR %%X IN (NT6 NT7 NT8 NT9 NT10) DO NET COMPUTER \\%%X /ADD
cls
echo ******* Machine Accounts Added ********
pause

Batch file for loop in other way

09 June 2010

It's Microsoft Patch Tuesday: June 2010

Security Patches

MS10-032/KB979559 - Important (2000, XP, 2003, Vista, 7, 2008, 2008 R2): A trio of bugs in the Windows kernel can allow the use of malformed fonts to allow escalation of privileges attacks. It would be a bit hard to sneak a font onto the system without some sort of install privileges anyways, which is why this patch can wait until your next patch cycle. 1.0MB - 4.3MB

MS10-033/KB979902 - Critical (2000, XP, Vista, 7, 2003, 2008, 2008 R2): This patch addresses a pair of vulnerabilities in Windows’ media subsystem which allows specially crafted media files and streaming content to execute remote code execution exploits. One of the vulnerabilities is less serious that the other, but you should patch your systems immediately all the same. Depending on your system, you may need to install up to four separate patches to address of the issues. 105KB - 4.8MB

MS10-034/KB980195 - Critical (2000, XP, Vista, 7)/Moderate (2003, 2008, 2008 R2): This patch updates the ActiveX kill bits and fixes two bugs in ActiveX that could allow remote code execution attacks. If you allow ActiveX on your desktops (which you shouldn’t, other than for internal sites), install this immediately, otherwise, wait until your next patch cycle. 26KB - 1.0MB

MS10-035/KB982381* - Critical (2000, XP, Vista, 7, 2003, 2008, 2008 R2): Five security holes in Internet Explorer 5, 6, 7, and 8 which can allow remote code execution attacks are fixed with this cumulative update. Some of them are rating as “Moderate” but I don’t see any specific combination of IE version and OS that does not make it “critical.” I would install this patch immediately. 3.3MB - 48.4MB

MS10-036/KB983235 - Important (Office XP, Office 2003, Office 2007): COM validation in Office has a bug which can allow remote code execution attacks. Since you should not be allowing COM to be running in Office from outside sources, this is a less risky bug than it could be. Patch your systems on the next scheduled times. 2.9 - 15.5MB

MS10-037/KB980218 - Important (2000, XP, Vista, 7, 2003, 2008, 2008 R2): Another font handling issue is allowing escalation of privileges attacks across all versions of Windows. Like MS10-032, this one can wait until your next regular patch period. 496KB - 1.3MB

MS10-038/KB2027452* - Important (Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Excel Viewer, Office Compatibility Pack for Office 2007 File Formats): A whopping fourteen security bugs in the way Microsoft Office opens files are fixed with this patch. The worst can result in remote code execution attacks. Microsoft says this one is “Important” but I call it “Critical” due to the widespread use of Office, and I suggest that you patch immediately. 9.7MB - 332.8MB

MS10-039/KB980218 - Important (InfoPath 2003, InfoPath 2007, Office SharePoint Server 2007, Windows SharePoint Services 2.0): Three problems with SharePoint are fixed with this patch. The issues allow an attacker to perform a variety of attacks, including an escalation of privileges attack if a SharePoint user clicks on a malformed link in SharePoint. This is not a burning issue and the patch can wait until your usual patch time. 2.9MB - 109.3MB

desktop / server MS10-040/KB982666 - Important (Vista, 7, 2003, 2008, 2008 R2): Computers running IIS 6, 7, and 7.5 are vulnerable to a remote code execution attack that will run with full privileges when an attacker sends a malformed HTTP request. Microsoft calls this patch “Important” but I think that understates the issue for servers. I would patch servers immediately, and leave desktops for the regular path cycle. 43KB - 4.0MB

MS10-041/KB981343* - Important (2000, XP, Vista, 7, 2003, 2008, 2008 R2): A problem affecting all versions of the .NET Framework’s handling of signed XML content could allow the data to be altered without being detected. This is a fairly minor issue, so this patch can wait until you do your normal patching. 123KB - 2.2MB