It's common knowledge that you can integrate a service pack with the Windows installation bits (a technique called slipstreaming). However, the security update that prevents the Blaster worm was released after SP1. Recently I was asked to figure out a way to keep 10,000 new XP workstations from getting infected. We were installing Windows XP SP1 in a network where the Blaster worm was running loose. Because the installation was done over the network using unattended setup, we wanted to keep these machines from getting infected during the installation itself.
Well, this didn't seem like an easy problem to solve. Tests were run at the customer's site and the results were overwhelming: every workstation installed through this process got infected.
The first thing we tried was enabling ICF (Internet Connection Firewall) during the unattended install. You can do this by specifying the following keys in the unattended.txt answer file:
[Homenet]
InternetConnectionFirewall=Adapter1, [adapter2]
where Adapter1 and adapter2 are the adapter identifiers defined in the [NetAdapters] section of the same file. See ref.chm in the deploy.cab package on the Windows XP CD.
However, this approach did not work. ICF only gets enabled at the final boot, so we would still get some infected machines. I assume they were getting infected soon after the network settings were configured.
So I started to worry and began working on a script, to run at first logon, that would clean the Blaster worm off the workstation. This approach wasn't the best either, though.
Fortunately, I found out that in XP (and 2003) hotfixes can be integrated into an unattended setup. This is documented in a KB article, but it doesn't seem to be common knowledge. Here is a link to the section of the article that covers this procedure:
http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/hfdeploy.asp#the_combination_installation_gxsi
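To make the procedure concrete, here is an added example (not from this post or from the KB article it links) of the i386\svcpack.inf file that the combination-installation method uses to run hotfixes from inside setup. The hotfix executable and catalog names are placeholders: the real ones come from the hotfix package you extract, and they go into the i386\svcpack folder with 8.3 file names.

```ini
; i386\svcpack.inf (added example). It replaces the compressed
; svcpack.in_ that ships in the i386 folder, which must be deleted first.
[Version]
Signature="$Windows NT$"
MajorVersion=5
MinorVersion=1
BuildNumber=2600

[SetupData]
; Folder, relative to the distribution root, that holds the hotfix
; executables and the .cat catalog files extracted from them.
CatalogSubDir="\i386\svcpack"

[ProductCatalogsToInstall]
; Catalog extracted from the hotfix package (placeholder name).
KBxxxxxx.cat

[SetupHotfixesToRun]
; Placeholder hotfix name. Switches: /q quiet, /n no uninstall backup,
; /z no reboot. Setup runs these during GUI-mode setup, before the
; installed system's first boot, so the fix is already in place by the
; time ICF would have come up.
KBxxxxxx.exe /q /n /z
```

After setup completes, %windir%\svcpack.log records which hotfixes ran, which is a quick way to verify a freshly built workstation before it is handed over.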
Oh, and in case you're wondering... we tried it and it worked ;)