Using Group Policy to Deploy Windows XP Service Pack 2 (SP2)


If you are managing computers in an Active Directory® directory service environment, you can use the Software Installation and Maintenance feature of Group Policy to deploy Microsoft® Windows® XP Service Pack 2 (SP2) on target computers. This article describes how to use Windows Installer and Group Policy to install SP2 on target computers in a Microsoft Windows 2000 Server or Microsoft Windows Server™ 2003 Active Directory domain.

Group Policy is the recommended method for actively managing the deployment of Windows XP SP2 for customers who are not already using a corporate update management solution such as Systems Management Server (SMS) 2003 or Software Update Services (SUS).

When you use Group Policy to distribute a program, you can assign the program to computers. The program is installed when the computer starts and is available to all users who log on to the computer. For more information about Group Policy, see Group Policy Infrastructure.

This article assumes you are using the Group Policy Management Console (GPMC). To download GPMC, see Group Policy Management Console with Service Pack 1.

Obtaining Windows XP SP2

To obtain Windows XP SP2, see Windows XP Service Pack 2 Network Installation Package for IT Professionals and Developers. You can download the SP2 file, named WindowsXP-KB835935-SP2-ENU.exe, from this Web page. For information about ordering a CD, see Windows XP Service Pack 2 Resources for IT Professionals.

After you have downloaded WindowsXP-KB835935-SP2-ENU.exe, extract the files from the command line:

WindowsXP-KB835935-SP2-ENU.exe  /x  <path>

where "<path>" is the target directory where you want to place the extracted files.

You deploy SP2 with Group Policy by using the Microsoft Windows Installer package for SP2, named Update.msi. This file is located in the following folder where you extracted the files: \i386\update.


To use Group Policy to assign the service pack

  1. Create a distribution point.

  2. Create a Group Policy object (GPO) for SP2 deployments.

  3. Deploy the SP2 Update.msi from the shared distribution folder as machine-assigned. Do not deploy it as a user deployment.

  4. If desired, deploy SP2 to specific security groups.

Target computers (that is, computers that are to receive the service pack deployment) must be joined to the same domain as the server where the Windows Installer (.msi) file resides. After you assign the package, Windows Installer automatically installs the service pack the next time users who are connected to the network start their computers. It is recommended that you check the properties of each computer to ensure that the update has completed on the target computer. You might need to restart a computer more than once to complete the update.
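One way to run the completion check recommended above across many target computers, as an added example that is not part of the original article: it queries each computer's `Win32_OperatingSystem` WMI class and reports the installed service pack level and last boot time. It assumes Windows PowerShell on the administrative workstation and remote WMI access to the targets; the function name `Get-Sp2Status` and the computer names are hypothetical.

```powershell
# Added example (not from the original article).
# Reports whether SP2 is present on each target computer by reading
# Win32_OperatingSystem over WMI. Get-Sp2Status is a hypothetical name.
function Get-Sp2Status {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,
        [int]$RequiredServicePack = 2
    )

    foreach ($computer in $ComputerName) {
        $result = @{
            Computer    = $computer
            Version     = $null
            ServicePack = $null
            LastBoot    = $null
            Status      = 'Unreachable'
        }
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem `
                                -ComputerName $computer -ErrorAction Stop
            $result.Version     = $os.Version
            $result.ServicePack = [int]$os.ServicePackMajorVersion
            $result.LastBoot    = $os.ConvertToDateTime($os.LastBootUpTime)

            if ($os.Version -notlike '5.1.*') {
                # Windows XP (32-bit) reports version 5.1.x; anything else
                # is outside the scope of this deployment.
                $result.Status = 'NotWindowsXP'
            }
            elseif ($result.ServicePack -ge $RequiredServicePack) {
                $result.Status = 'Installed'
            }
            else {
                # Package assigned but not yet applied: the computer still
                # needs a restart while connected to the network.
                $result.Status = 'Pending'
            }
        }
        catch {
            # Offline host, firewall blocking RPC/WMI, or access denied.
            $result.Error = $_.Exception.Message
        }
        New-Object PSObject -Property $result
    }
}

# Constructed sample computer names.
Get-Sp2Status -ComputerName 'XP-TEST-01', 'XP-TEST-02' |
    Sort-Object Status | Format-Table Computer, Version, ServicePack, LastBoot, Status
```

Computers that stay in `Pending` with a recent `LastBoot` value have restarted without completing the update and are the ones to inspect first.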

Only a network administrator or someone who is logged on to a local computer as an administrator can remove the assigned software (that is, SP2) from the target computer.

The procedures identified in this section are explained in detail below.

Creating a Distribution Point

To publish or assign software, you must create a distribution point on the server.


To create a distribution point

  1. Log on to the server computer as an administrator.

  2. Create a shared network folder where you are going to put the Microsoft Windows Installer package that you want to distribute. This folder is the distribution point for the software package.

  3. Set permissions on the shared network folder to permit access to the distribution package. Give access permissions to the following: administrators, authenticated users, and domain users.

  4. Configure distributed file system (DFS) for the distribution point. It is recommended that you do this because it provides you with more flexibility by ensuring uninterrupted availability of the distribution point, in case you have to replace the server. In addition, DFS makes it easier to have distribution points in multiple sites. For more information about DFS, see Designing DFS Namespaces.

Creating a GPO for SP2 Deployments

You can create a GPO and link it to any Active Directory container—such as a site, domain, or organizational unit—that contains the target computers to which you want to deploy SP2. In the following procedure, the instructions direct you to use a domain as a container. For your environment, you might want to link the GPO to a different container. You can link to any Active Directory container that you want. Also, you can edit an existing GPO rather than create a new GPO just for the purpose of deploying SP2, but it is not recommended that you edit the Default Domain Policy or the Default Domain Controllers Policy.


To create a GPO for SP2 deployments

  1. On an administrative workstation, open Group Policy Management Console (GPMC).

  2. In the console tree, right-click the domain name in the forest in which you want to create and link a Group Policy object (GPO).

  3. Click Create and Link a GPO Here.

  4. In the New GPO dialog box, specify a name for the new GPO, and then click OK.

Editing a GPO for SP2 Deployments

Now you are ready to modify the GPO through the Software Installation and Maintenance feature of Group Policy. Note that Group Policy supports deploying SP2 to computers only, not users. To deploy SP2, you must use the Computer Configuration node in the Group Policy Object Editor.


To edit a GPO for SP2 Deployments

  1. Right-click the new GPO and click Edit.

  2. In the Group Policy Object Editor, click Computer Configuration, click Software Settings, and then click Software Installation.

  3. On the Action menu, point to New, and then click Package.

  4. In the Open dialog box, in File name, type the full Universal Naming Convention (UNC) path of the shared installer package that you want to distribute. Type this path in the following format: \\ServerName\SharedFolder\Update.msi or \\ServerIP\SharedFolder\Update.msi. Make sure that you use the UNC path of the shared installer package.

  5. Select the Windows Installer package, and then click Open.

  6. In the Deploy Software dialog box, click Assigned, and then click OK. The shared installer package that you selected appears in the right pane of Group Policy Object Editor.

Note
ServerName and ServerIP are placeholders for the server name or IP address of the computer where the shared folder is located. SharedFolder is a placeholder for the shared folder that is on the server computer.

Deploying SP2 to Specific Security Groups

For testing purposes, you might initially want to deploy SP2 only to a limited number of computers instead of every computer in a given domain or OU. If you want to deploy SP2 only to computers that are members of a specific security group, you can use security filtering in Group Policy to do this.


To target SP2 using security filtering

  1. In GPMC, double-click Group Policy Objects.

  2. Click the GPO to which you want to apply security filtering.

  3. In the results pane, on the Scope tab, click Add.

  4. In Enter the object name to select, type the name of the group, user, or computer that you want to add to the security filter, and then click OK.

  5. If Authenticated Users appears in the Security Filtering section of the Scope tab, select this group and click Remove. This will ensure that only members of the group or groups you added can receive the settings in this GPO.

Note
The settings in a GPO apply only to users and computers that are contained in the domain or organizational unit(s) where the GPO is linked, and that are specified in, or are members of a group that is specified in, Security Filtering. You can specify multiple groups, users or computers in the security filter for a single GPO.