vadnick

Everything posted by vadnick

  1. We have a group policy applied to all of our computers. In this policy, here's what we have configured under "Computer Configuration > Administrative Templates > Windows Components > Windows Update":

     - Do not display 'Install Updates and Shut Down' option in Shut Down dialog box: ENABLED
     - Configure Automatic Updates: ENABLED (4 - Auto download and schedule the install, 0 - Every day, 03:00)
     - Reschedule Automatic Updates scheduled installations: ENABLED (5 minutes)
     - No auto-restart with logged on users for scheduled automatic updates installations: ENABLED
     - Allow Automatic Updates immediate installation: ENABLED
     - Re-prompt for restart with scheduled installations: ENABLED (240 minutes)
     - Allow non-administrators to receive update notifications: ENABLED

     My understanding is that these settings should allow Automatic Updates to run and install Windows updates, regardless of whether an admin is logged in or not. However, when I, as an admin, go to someone's computer - someone who's set up as a non-admin - and I log in to their computer, most of the time, Automatic Updates will run and find new updates to install. But, Automatic Update should have run before I got there while the user was logged in. What are we doing wrong?

     Not sure if this will help, but I discovered something suspicious: In Group Policy, when I highlight the policy with the above settings and I click the "Settings" tab in the right pane, it reports all of the policy's settings. Included in the report are all of the settings above, EXCEPT the one for "Allow non-administrators to receive update notifications." Is that normally not reported, or could that be a clue to our problem?
  2. Found it! The solution is another netsh command: "netsh firewall set service type = fileandprint mode = enable" It works!!
  3. I got the ports to reopen!! Thank you for all your help. For anyone interested, here's what I did:

     1. Modified C:\WINDOWS\inf\netfw.inf to include the two ports I need reopened. I added the ports to the Domain and Standard profiles.
     2. Created C:\i386\$oem$\Cmdlines.txt to kick off a .cmd file.
     3. Created a .cmd file called C:\i386\$oem$\Build.cmd that runs "netsh firewall reset" to enable the ports defined in netfw.inf.
     4. Added a pointer to the Cmdlines.txt directory in sysprep.inf in the Unattended section.
     5. Added the command in sysprep to have the Administrator auto-login once. It's only after logging in that the Cmdlines.txt file is run and the ports are opened.

     So, now that that's out of the way, I have one other thing to do... Enable "File and Printer Sharing" in the firewall after sysprep. I'm guessing it's just going to be another command in netfw.inf or somewhere along the process I just described. But, we'll see. I may post another thread, as that is somewhat unrelated, if I can't find a solution soon.
  4. That command did not kick off until after I logged into the imaged computer. It would need to run before login so that we can remote into the computer before it's ever been logged into.
  5. We have a working "gold" image that works across all of our machines. Now we want to modify the image so that any time we push the image to a machine, we can immediately remote control that machine. In other words, we want to do the whole reimaging process without ever having anyone touch the machine.

     I'm not sure what details would be most helpful, but here are a few: We are imaging XP Pro SP3 machines. Our image was created using sysprep with mini setup, so we have the sysprep.inf file to work with. Our preference was to reopen ports 5862 and 5962 after reimaging for UltraVNC, but we'd also be fine with the ability to RDP to the machine instead.

     Here's the drawn out solution to opening ports 5862 and 5962 that we found that seemed to have the most promise, but of course, didn't (you can skip the rest of this if you already know exactly what we should do).

     First, before running sysprep and taking an image, we modified C:\WINDOWS\inf\netfw.inf by adding the necessary ports to the [iCF.AddReg.StandardProfile] section:

         [version]
         Signature = "$Windows NT$"
         DriverVer =07/01/2001,5.1.2600.5512

         [DefaultInstall]
         AddReg=ICF.AddReg.DomainProfile
         AddReg=ICF.AddReg.StandardProfile

         [ICF.AddReg.DomainProfile]
         HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

         [ICF.AddReg.StandardProfile]
         HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
         HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","5862:TCP",0x00000000,"5862:TCP:LocalSubnet:enabled:UltraVNC_1"
         HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","5962:TCP",0x00000000,"5962:TCP:LocalSubnet:enabled:UltraVNC_2"

     We tested this change by running "netsh firewall reset" and it worked. The ports were created and opened.

     Next, we modified the [unattended] section of C:\sysprep\sysprep.inf to include the following line:

         InstallFilesPath=C:\i386

     Next, we created C:\i386\$oem$\Cmdlines.txt which contains only the following code:

         [Commands]
         "C:\i386\$oem$\Build.cmd"

     And finally, we created C:\i386\$oem$\Build.cmd which contains only the following code:

         netsh firewall reset

     Running Build.cmd on its own works fine. But again, in the context of sysprep, all the above changes aren't adding up to solve the issue of reopening the firewall ports. Any ideas?
  6. Hello everyone!
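
Added example, not part of the original posts: the netfw.inf edit in post 5 stores each firewall exception as a `port:protocol:scope:mode:name` string under `GloballyOpenPorts\List`. This Python sketch parses such AddReg lines and lists enabled exceptions whose scope is `*` (any source address), a check to run on a gold image before capture. The function names and the port 5900 entry are constructed for illustration.

```python
import csv
import io

PORT_LIST_SUFFIX = r"\GloballyOpenPorts\List"

# Constructed sample: the sessmgr and UltraVNC lines from post 5 plus one
# constructed wide-open entry (port 5900 and its name are hypothetical).
SAMPLE_INF = r'''
[ICF.AddReg.DomainProfile]
; constructed entry, not from the original post
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List","5900:TCP",0x00000000,"5900:TCP:*:enabled:Example_any_source"
[ICF.AddReg.StandardProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","5862:TCP",0x00000000,"5862:TCP:LocalSubnet:enabled:UltraVNC_1"
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","5962:TCP",0x00000000,"5962:TCP:LocalSubnet:enabled:UltraVNC_2"
'''

def parse_open_ports(inf_text):
    """Return one dict per GloballyOpenPorts AddReg line in inf_text."""
    entries = []
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue  # skip blanks, comments and section headers
        # AddReg fields are comma-separated; quoted fields may contain commas.
        fields = next(csv.reader(io.StringIO(line), skipinitialspace=True))
        if len(fields) < 5 or not fields[1].endswith(PORT_LIST_SUFFIX):
            continue  # not a port exception (e.g. AuthorizedApplications)
        parts = fields[4].split(":", 4)  # port:protocol:scope:mode:name
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        entries.append({
            "profile": fields[1].split("\\")[-3],  # DomainProfile / StandardProfile
            "port": int(parts[0]),
            "protocol": parts[1],
            "scope": parts[2],
            "mode": parts[3],
            "name": parts[4],
        })
    return entries

def audit(entries):
    """Return enabled exceptions whose scope is '*' (any source address)."""
    return [e for e in entries
            if e["mode"].lower() == "enabled" and e["scope"] == "*"]

if __name__ == "__main__":
    for e in audit(parse_open_ports(SAMPLE_INF)):
        print("review: %(profile)s %(port)d/%(protocol)s scope=%(scope)s (%(name)s)" % e)
```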