WOW! is the word that crosses my mind when thinking about the presentation on the 23rd September. This event was made special by Chris and Ryan from CMS Consulting and by the audience. The more I come to know the IT Pro community here, the more I come to believe that I have one of the best jobs around.
Here are some of the questions that were posed during the presentation. If I have missed any of them, or you think of more, please post feedback and I will make sure they get answered.
Q: Is it possible to disable the Data Execution Protection features in SP2?
A: Yes. There are two types of DEP in XP SP2: hardware (NX) and software. The configuration is controlled by a load option in the boot.ini file, which can be edited manually, with the bootcfg.exe tool, or from Control Panel. The options for the boot.ini /noexecute=policy_level switch are:
OptIn (default configuration): On systems with processors capable of hardware-enforced DEP, DEP is enabled by default for limited system binaries and applications that “opt-in.” With this option, only Windows system binaries are covered by DEP by default.
OptOut: DEP is enabled by default for all processes. Users can manually create a list of specific applications which do not have DEP applied using System in Control Panel. You can use the Application Compatibility Toolkit to opt-out one or more applications from DEP protection. System Compatibility Fixes (“shims”) for DEP do take effect.
AlwaysOn: This provides full DEP coverage for the entire system. All processes always run with DEP applied. The exceptions list for exempting specific applications from DEP protection is not available. System Compatibility Fixes (“shims”) for DEP do not take effect. Applications which have been opted-out using the Application Compatibility Toolkit run with DEP applied.
AlwaysOff: This does not provide any DEP coverage for any part of the system, regardless of hardware DEP support. The processor does not run in PAE mode unless the /PAE option is present in the boot entry.
You can also change the options from Control Panel:
1. Click Start, click Control Panel, and then double-click System.
2. Click the Advanced tab. Then, under Performance, click Settings.
3. Click the Data Execution Prevention tab.
4. Click "Turn on DEP for essential Windows programs and services only" to select the OptIn policy.
5. Click "Turn on DEP for all programs and services except those I select" to select the OptOut policy.
6. If you selected the OptOut policy, click Add and add the applications that you do not want to use DEP with.
For unattended installations of Windows XP SP2, you can use the Unattend.txt file to pre-populate a specific DEP configuration. You can use the OSLoadOptionsVar entry in the [Data] section of the Unattend.txt file to specify a system-wide DEP configuration.
The documents detailing this and all XP SP2 features can be found at: http://www.microsoft.com/downloads/details.aspx?FamilyID=7bd948d7-b791-40b6-8364-685b84158c78&DisplayLang=en
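To check which DEP policy each boot entry actually carries, the following added example (not code from the original post or from Microsoft) parses boot.ini text and reports the /noexecute policy level and /PAE switch per entry. The function name audit_boot_ini and the sample file contents are constructed for illustration, and flagging an entry with no /noexecute switch for review is an assumption of this example.

```python
# Added example: audit boot.ini text for the DEP policy of each boot entry.
import re

# Policy levels as listed in the post; keys are lower-cased for matching.
POLICIES = {"optin": "OptIn", "optout": "OptOut",
            "alwayson": "AlwaysOn", "alwaysoff": "AlwaysOff"}

# Constructed sample boot.ini; the ARC paths and descriptions are made up.
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Test build" /fastdetect /noexecute=alwaysoff
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Legacy" /fastdetect
'''

def audit_boot_ini(text):
    """Return one dict per [operating systems] entry with its DEP policy."""
    results, in_os_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_os_section = line.lower() == "[operating systems]"
            continue
        if not in_os_section or "=" not in line:
            continue
        path, rest = line.split("=", 1)
        name = re.match(r'\s*"([^"]*)"', rest)   # quoted menu description
        options = rest[name.end():] if name else rest
        switch = re.search(r"/noexecute=(\S+)", options, re.IGNORECASE)
        if switch is None:
            policy = "unspecified"
        else:
            policy = POLICIES.get(switch.group(1).lower(), "invalid")
        results.append({
            "entry": name.group(1) if name else path.strip(),
            "policy": policy,
            "pae": re.search(r"/pae\b", options, re.IGNORECASE) is not None,
            # Flag entries that disable DEP or do not state a valid policy.
            "review": policy in ("AlwaysOff", "unspecified", "invalid"),
        })
    return results

if __name__ == "__main__":
    for item in audit_boot_ini(SAMPLE_BOOT_INI):
        print(item)
```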
Q: Where can I find the spreadsheet detailing all of the .adm template settings?
A: The spreadsheet can be found here: http://www.microsoft.com/downloads/details.aspx?FamilyID=7821c32f-da15-438d-8e48-45915cd2bc14&displaylang=en
Q: Is there a specific set of documents related to best practices and procedures for Windows XP SP2 deployment?
A: Yes, they can be found on the TechNet Canada website: http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/xpsp2dep.mspx
As more questions are posed, I will post them and their answers here on my blog.
Once again, I would like to thank you all for coming and look forward to seeing you again at the next presentation on the 14th October on Microsoft Virtual Server 2005.
Here are the links from the presentation:
Find additional TechNet events: http://www.microsoft.ca/technet/events/
Deploying Windows Firewall settings for Microsoft Windows XP with Service Pack 2: http://go.microsoft.com/fwlink/?linkid=23277