Access Denied: Using Group Policy to Install Service Packs

Our Microsoft Software Update Services (SUS) server's administration Web site shows security updates for each version of Windows and Windows components, such as Microsoft Internet Explorer (IE), but the site doesn't show service packs. Can we use SUS to install service packs?

SUS doesn't support service pack installation. However, you can use Group Policy to automate service pack deployments. Group Policy includes a software installation feature that lets you roll out software that contains an .msi file or a .zap text file to member computers.

All Windows 2000 and later service packs include an .msi file. On those OSs, rolling out a service pack to multiple computers is as simple as copying the service pack's files to a shared folder on your server and creating a software installation entry in a Group Policy Object (GPO) in your Active Directory (AD) domain. For example, to install Service Pack 3 (SP3), the current service pack for Win2K, download the service pack to a shared folder on your network and name the shared folder sp3. Next, open a command prompt window and navigate to the sp3 folder. Extract the service pack by typing

w2ksp3.exe -x

From the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, open a GPO that applies to all the computers on which you want to install the service pack. If you want to update every computer in the domain, use a GPO that's linked to the root of your domain; otherwise, select a GPO in an appropriate organizational unit (OU). In Group Policy Editor (GPE), navigate to Computer ConfigurationSoftware Settings. Right-click the Software Installation folder and select New, Package. In the Open dialog box, type the Universal Naming Convention (UNC) name of the sp3 folder, then click Open to display the subfolders that were created when you extracted the service pack. Double-click the i386 folder, then open the update folder. You'll see the update.msi file, which contains all the information Win2K needs to install the service pack. Select update.msi and click Open. When Win2K asks whether you want to Assign the service pack or use Advanced options, select Assign and click OK.

When a computer applies the GPO, Windows takes note of the new software package but, because it's a service pack, delays installing it until the next reboot. When the system reboots, it applies the service pack and reboots again before letting users log on.