3 Replies Latest reply on Jul 18, 2012 7:09 AM by Bill Robinson

    Windows 2008 R2 Data Execution Prevention (DEP)

    Robert Stinnett

      Is there a way, via BladeLogic, to turn off DEP automatically? Looking through the forums, docs, etc., I am not seeing anyone talk about this. Any experience dealing with DEP?

        • 1. Windows 2008 R2 Data Execution Prevention (DEP)

          There is no inbuilt way of disabling DEP via BBSA. What I thought of is to create a script or something along those lines to disable DEP on multiple machines in one go. Take a look at the link http://support.microsoft.com/kb/875352. It doesn't talk of a script or automatic method to disable DEP. If the OS can't support it, then BBSA can't do it either.


          However, I came across another link http://andrewmorgan.ie/2009/03/08/disabling-dep-with-a-script/ which talks about how to achieve this. If you can do this manually, you surely can do it via BBSA as well. But this is not tested or supported by MSFT. Please use it at your own risk.

          1 of 1 people found this helpful
          • 2. Windows 2008 R2 Data Execution Prevention (DEP)

            As per the KB article:


            To configure DEP to switch to the AlwaysOn policy by using the Boot.ini file, follow these steps:

            Click Start, right-click My Computer, and then click Properties.

            Click the Advanced tab, and then click Settings under the Startup and Recovery field.

            In the System startup field, click Edit. The Boot.ini file opens in Notepad.

            In Notepad, click Find on the Edit menu.

            In the Find what box, type /noexecute, and then click Find Next.

            In the Find dialog box, click Cancel.

            Replace policy_level with AlwaysOn.



            WARNING Make sure that you enter the text accurately.

            The Boot.ini file switch should now read:


            In Notepad, click Save on the File menu.

            Click OK two times.

            Restart the computer.

            For unattended installations of Windows XP SP2 or later versions, you can use the Unattend.txt file to pre-populate a specific DEP configuration. You can use the OSLoadOptionsVar entry in the [Data] section of the Unattend.txt file to specify a system-wide DEP configuration.


            If you are going to provision machines by BBSA, the above can help too.

            1 of 1 people found this helpful
            • 3. Windows 2008 R2 Data Execution Prevention (DEP)
              Bill Robinson

              You can add the boot.ini as a config file object and then create a package out of the changes you want to make to it.
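
An added example, not part of the thread or the KB article: a Python audit that reads Boot.ini text collected from managed hosts and reports the `/noexecute` policy level of each boot entry, so a pushed change to the file can be checked afterwards. The function name, status labels and sample file are assumptions made for illustration, and it applies only to hosts that use a Boot.ini file, as the quoted KB steps do.

```python
import re

# /noexecute=policy_level values, as named in the KB article linked in the thread.
DEP_LEVELS = {"alwayson": "AlwaysOn", "alwaysoff": "AlwaysOff",
              "optin": "OptIn", "optout": "OptOut"}
# Hypothetical status labels: only AlwaysOn covers every process with no exemptions.
STATUS = {"AlwaysOn": "ok", "OptOut": "partial", "OptIn": "partial",
          "AlwaysOff": "disabled"}
NOEXECUTE = re.compile(r"/noexecute(?:=(\S+))?", re.IGNORECASE)

# Constructed sample, not taken from a real host.
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Server A" /noexecute=AlwaysOff /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Server B" /fastdetect
"""


def audit_boot_ini(text):
    """Return one finding per entry in the [operating systems] section."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "operating systems" or "=" not in line:
            continue
        path, _, rest = line.partition("=")
        switches = re.sub(r'"[^"]*"', "", rest)  # drop the quoted menu description
        match = NOEXECUTE.search(switches)
        if match is None:
            level, status = None, "missing"      # no switch on this entry
        else:
            value = match.group(1) or ""
            level = DEP_LEVELS.get(value.lower(), value)
            status = STATUS.get(level, "invalid")  # mistyped or empty value
        findings.append({"entry": path.strip(), "level": level, "status": status})
    return findings


if __name__ == "__main__":
    for finding in audit_boot_ini(SAMPLE_BOOT_INI):
        print(finding)
```

Entries reported as `disabled`, `missing` or `invalid` are the ones to review before and after any packaged Boot.ini change is deployed.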