This content has been marked as final. Show 14 replies
You might be able to use UpdateMachineCfg and point to an INI file that defines DisableAutoBootCheck as NO or YES depending on what you need. I haven't used the command, but it's documented in the Scripting Tool Users Guide PDF. You could use it to update a single machine or a group of machines.
Thanks I will give it a try.
Edited: Exactly what I needed, Thank You
You could also leave checking for AutoBoot checked, but uncheck the box for Allow Autoboot to be locally managed". I haven't tried this, but I understand it to mean that you would need SB credentials to run -command:disablesecurity (instead of unauthenticated). You could then hide the command and credentials in your SMS package.
yes - use the updatemachinecfg command as per the scripting guide.
SafeBoot - Is MrGUIs thoughts around it correct as well?
Also, when you point to the INI, can we just include one parameter vs listing all of them, allowing any settings not defined to remain however they are already?
When I tested I just put the one parameter I wanted to change.
If you clear the tick on "Allow Autoboot to be managed locally" then the disablesecurty/reenablesecurity commands will be blocked completely, regardless of who you are. This setting cannot be scripted (think about it - why would we allow scripting a setting which prevents you scripting the setting?).
re the updatemachinecfg command though, it follows standard INI protocols, ie, anything not set remains as is.
I must admit though, not many people seem to remember INI protocols nowadays.. wink
Thanks, that clarifies things :)
You've just gotta find the old school techs wink I wont claim that title, I've been around since just before Win 3.1, but I'm sure you all have some stories from the pre-Windows days grin I understand how it works and how it's supposed to work, but that doesn't mean the developers of the different products do silly
Here is what you can do. Set your machine properties to allow autoboot to be managed locally. Then, whenever you want to do a patch, push this script with it:
Set objShell = CreateObject("WScript.Shell")
objShell.Run "%comspec% /c c: & cd program files & cd safeboot & sbadmcl -command:forcesync"
objShell.Run "%comspec% /c c: & cd program files & cd safeboot & sbadmcl -command:disablesecurity"
We used the forcesync first because we have machines set to auto sync every 240 minutes so you never know when a machine is nearing that time limit and if it syncs before the reboot, then it wipes the autoboot user out again.