Deploying Windows XP SP2

WOW! is the word that crosses my mind when thinking about the presentation on the 23rd September. This event was made special by Chris and Ryan from CMS Consulting and by the audience. The more I come to know the IT Pro community here, the more I come to believe that I have one of the best jobs around..

Here are some of questions that were posed during the presentation, and if I have missed any of them or you think of more, please post feedback and I will make sure they get answered.

Q: Is it possible to disable the Data Execution Protection features in SP2?

A: Yes, there are 2 type of DEP in XP SP2, the Hardware (NX) and software. The configuration is controlled from load option variable in the boot.ini file. This can be edited manually, by using the bootcfg.exe tool and from control panel. The options for the boot.ini /noexecute=policy_level are:

OptIn (default configuration) On systems with processors capable of hardware-enforced DEP, DEP is enabled by default for limited system binaries and applications that "opt-in." With this option, only Windows system binaries are covered by DEP by default.
OptOut DEP is enabled by default for all processes. Users can manually create a list of specific applications which do not have DEP applied using System in Control Panel. You can use the Application Compatibility Toolkit to opt-out one or more applications from DEP protection. System Compatibility Fixes ("shims") for DEP do take effect.
AlwaysOn This provides full DEP coverage for the entire system.  All processes always run with DEP applied. The exceptions list for exempting specific applications from DEP protection is not available. System Compatibility Fixes ("shims") for DEP do not take effect. Applications which have been opted-out using the Application Compatibility Toolkit run with DEP applied.
AlwaysOff This does not provide any DEP coverage for any part of the system, regardless of hardware DEP support. The processor does not run in PAE mode unless the /PAE option is present in the boot entry.

You can also change the options from control panel:

1. Click Start, click Control Panel, and then double-click System.
2. Click the Advanced tab. Then, under Performance, click Settings.
3. Click the Data Execution Prevention tab.
4. Click Turn on DEP for essential Windows programs and services only to select the OptIn policy.
5. Click Turn on DEP for all programs and services except those I select to select the OptOut policy.
6. If you selected the OptOut policy, click Add and add the applications that you do not want to use DEP with.

For unattended installations of Windows XP SP2, you can use the Unattend.txt file to pre-populate a specific DEP configuration. You can use the OSLoadOptionsVar entry in the [Data] section of the Unattend.txt file to specify a system-wide DEP configuration.

The documents detailing this and all XP SP2 features can be found at:

Q: Where can I find the spreadsheet detailing all of the .adm template settings?

A: The spreadsheet can be found here:

Q: Is there a specific set of documents related to best practices and procedures for Windows XP SP2 deployment?

A: Yes, they can be found on the Technet Canada Website:

As more questions are posed, I will post them and their answers here on my blog.

Once again I would like to thank you all for coming and look forward to seeing you again at the next presentation on the 14th October on Microsoft Virtual Server 2005

Here are the links from the presentation:

Microsoft Canada Technet:

Find additional Technet events:

Software Update Services:

Deploying Windows Firewall settings for Microsoft Windows XP with Service Pack 2:

Comments (6)

  1. Smeghead says:

    Any dates set for Win2000 SP5?

  2. Smeghead says:

    Do you know if Win2000 SP5 will include NX for NX capable platforms?

  3. S.Vidyaraman says:

    Where do I get the Win XP Resource Kit (download) ? I see only the documentation link here.


  4. S.Vidyaraman says:

    Sorry …… the link of "here" in the above post ….


  5. Bruce Cowper says:

    At this point in time there are no plans to back port the new functionality in Windows XP SP2, such as the network and memory protection. Most of the new features in XP SP2 require fairly substantial changes in the operating system and so cannot easily be achieved.

    The is no release data set for SP5 for Windows 2000. There will however be ‘update rollup’ releases in the mean time.

    Many Thanks


    Technet Canada

    This is provided "AS IS" with no warranties and confers no rights.

  6. Bruce Cowper says:

    After much searching it seems that there is no resource kit bar the documentation at present:

    I have however been informed that when it is available it will be in the above link.

    Many Thanks


    Technet Canada

    This is provided "AS IS" with no warranties and confers no rights.

Skip to main content