JSI Tip 4989. How do I use Group Policy to apply security patches in Windows 2000?

NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to insure that you are reading the most current information.

Microsoft Knowledge Base article Q314273 contains:

IN THIS TASK

• SUMMARY

How to Create a Security Patch .msi Package

How to Create a Security Patch Distribution Point

How to Create a Security Patch GPO

• REFERENCES

SUMMARY

This step-by-step article describes how to use Group Policy to apply security patches. You must be a member of the Administrators group on a computer that is running either Windows 2000 Server or Windows 2000 Advanced Server to perform all of the procedures that are described in this article.

NOTE : Download the security patches that are referred to in this article before you start the procedures that are described in this article.

back to the top

How to Create a Security Patch .msi Package

NOTE : You use Windows Installer to convert the .exe patch file to an .msi file. Windows Installer is located at the following path on the Windows 2000 installation media.

Valueadd\3rd Party\Mgm\Winstle\Swiadmle.msi

1. Click Start , point to Programs , point to Veritas Software , and then click Veritas Discover .



2. Click Next .



3. Type either the name of the patch or a general label (for example, type security patches ) in the Specify the name of the application for which you are building the installation box.



4. Type the path to the new package and the name for the new package (for example, type c:\adminpackages\securitypatch.msi ) in the Specify the Path and file name for the data file where the information on this installation will be kept box, and then click Next .



5. Click the drive on which you want to store the temporary work files for Windows Installer, and then click Next .



6. Under Available Drives , click the drive on which you want to install the .msi package, click Add , and then click Next .



7. Accept the defaults, and then click Next .



8. Wait for the program to take a snapshot of your computer (this action may take several minutes depending on the size of your computer), and then click OK when this action is completed.



9. In the Look in box, click the location of the .exe file that you want to convert, and then click Open .



10. After the .exe file completes the installation, click Reboot Later , and then run Windows Installer again.
    
    NOTE : Do not restart the computer after the .exe file completes the installation.



11. Click Start , point to Programs , point to Veritas Software , and then click Veritas Discover .



12. Click Perform the After snapshot now , and then click Next .
    
    Windows Installer takes the After snapshot, and then creates the new .msi file in the specified location.


NOTE : You receive an error message if problems occur during the conversion process. If you receive an error message, you may have to repeat this procedure to convert the .nai file to an .msi file.

back to the top

How to Create a Security Patch Distribution Point

1. Click Start , point to Programs , point to Administrative Tools , and then click Computer Management .



2. Right-click Computer Management (Local) , and then click Connect to another computer .



3. Click the computer on which the patch package is located in the Name box, and then click OK .



4. In the console tree, click to expand System Tools , click to expand Shared Folders , right-click Shares , and then click New File Share .



5. Type the path to the patch package distribution point in the Folder to share box.



6. Type the name for the distribution point in the Share name box.



7. Type a description for the distribution point in the Share description box.



8. Click Next , and then click Yes to create the shared folder.



9. Click Finish .



10. Click No when you receive the message that asks if you want to create another shared folder.

back to the top

How to Create a Security Patch GPO

To create a security patch Group Policy object (GPO):

1. Click Start , point to Programs , point to Administrative Tools , and then click Active Directory Users and Computers .



2. Right-click your domain name, and then click Properties .



3. Click the Group Policy tab, and then click New .



4. Type the name of the new GPO (for example, type Security Patches ) in the Group Policy Objects Links box (replace the existing name).



5. Click the newly created GPO, and then click Edit .



6. In the console tree, under the User Configuration node, click to expand Software Settings .



7. Right-click Software Installation , point to New , and then click Package .



8. In the Look in box, type the Universal Naming Convention (UNC) name for the security patch package Setup program that you created in the "How to Create a Security Patch .msi Package" section, and then click Open .
   
   NOTE : If Windows does not use the UNC name to locate the security patch .msi package, you receive the following message:




Cannot verify path is a network location message. If this package is not available on a network share, client are not able to install it. Are you sure you want to deploy this package.

9. Click Assigned in the Deployment Method box, and then click OK .



10. In the Group Policy dialog box, click Software Installation , right-click the GPO that you created in step 4 in the details pane, and then click Properties .



11. Click the Deployment tab, and then click Auto-install this application by file extension activation in the Deployment Options box.

back to the top

REFERENCES

For additional information about the procedures that are described in this article, click the article numbers below to view the articles in the Microsoft Knowledge Base:

Q224330 Assigning a Windows Installer Package with Minimal Interaction

Q302430 How to Deploy Software to a Specific Group By Using a Group Policy

back to the top