Windows 2000 Installer Package for Service Pack 1

Microsoft introduced a new tool to deploy Service Pack 1 (SP1) throughout your network with little effort. Because service packs include security fixes critical to your OS and Microsoft Internet Explorer (IE), you need to use service packs to keep your servers and workstations up-to-date. In Updating Service Packs and Hofixes with Boot Scripts I showed you how to use startup scripts defined in Group Policy to automate deploying Windows 2000 service packs. However, since that article, Microsoft released a Win2K Installer package for SP1 on its Web site that lets you use Win2K Installer to deploy service packs automatically.

In this article I'll show how to use this automated installation method quickly and easily. I'll cover important planning issues and include several shortcuts and corrections to Microsoft's readme file instructions for Win2K Installer. While Win2K Installer is a great way to deploy service packs in an Active Directory (AD) domain, remember that if you are managing Win2K systems that aren't in AD, you can still use the boot scripts method I described in Updating Service Packs and Hotfixes with Boot Scripts.

Win2K Installer lets you use Group Policy to assign or publish software packages to users or computers. A Win2K Installer package is a binary .msi file containing instructions that tell the Win2K Installer service all of the files and other operations you need for installing software. (Microsoft encourages vendors to supply .msi files along with their applications so that users can easily deploy the vendors' software.) You can assign or publish applications by adding the corresponding .msi file to the Software Settings\Software Installation folder in an Active Directory Group Policy Object (GPO) under either Computer Configuration or User Configuration. When you assign a package, Win2K automatically installs the software the next time the computer boots or the user logs on, depending on whether you assigned the package under Computer Configuration or User Configuration. If you publish an application, Win2K doesn't install it immediately; instead, the OS lists the application under Control Panel\Add\Remove Programs. Publishing gives you an optional way to make applications available to users. (Because publishing is relevant only to users, this option isn't available under Computer Configuration.) Service packs update the OS, so Microsoft recommends you assign the service pack to computers, not users.

To use Win2K Installer to deploy SP1, log on to your file server, and create and share a folder you've named w2ksp1. Open the permissions for this folder, and limit access to Domain Computers Read and Administrators Full Control. If you already have the SP1 CD-ROM, copy the files from the CD-ROM to the w2ksp1 folder, using a command such as xcopy d:\ \\fs1\w2ksp1 /e, where d: is your CD-ROM drive. Otherwise, download the English version at Microsoft's Web site. On this Microsoft Web page, click the Network Installation button to download sp1network.exe to a temporary directory (such as %temp%) on your system. After downloading, execute %temp%\sp1network /x (which runs sp1network in extract mode). When sp1network asks for a location, specify the folder you've created (\\fs1\w2ksp1).

Now download Win2K Installer package (Q269732_W2K_SP1_EN.exe) from Microsoft's Web site. When the program asks you whether you want to run or save the file, choose run. After you download and execute the file, the program will ask you where to extract the file—specify \\fs1\w2ksp1\i386\update. After you extract the file, you will find several different files, including update.msi. You are ready now to assign the application. Using Active Directory Users and Computers, create a test organizational unit (OU) in your domain and give it the name InstallSP1. Create a new GPO and link it to this OU, InstallSP1. Edit the GPO by selecting Computer Configuration\Software Settings\Software Installation. Right-click Software Installation and select New\Package. At the file prompt, type \\fs1\w2ksp1\i386\update.msi and click OK. Because computers in your test OU access this folder over the network, you need to use the network path to the file instead of the local path and drive letter. To choose a deployment method, select Advanced publish or assign and click OK. Select the Deployment tab on the next window, and select the Uninstall this application when it falls out of the scope of management check box, as Figure 1 shows, and click OK. Your GPO should now look like Figure 2.

To test your changes, move a test computer into your test OU and reboot it. After the startup sequence, but before letting you log on, for several minutes the system should display Installing managed software Service Pack. This message indicates you've deployed the service pack correctly. Eventually, the system will restart and let you log on as usual. Be aware that any interruption or failure during the installation process disrupts Win2K Installer's successful installation. The next time the system reboots, it won't reattempt to install the service pack. The system will remain indefinitely without the service pack. To verify you successfully completed service pack installation, log on to the system and run winver. You can also check a system's service pack level from Active Directory Users and Computers. Simply select a computer, double-click, and select the Operating System tab. Look at the service pack field. If a system in the GPO scope that assigns SP1 doesn't have SP1 installed, you can correct the problem quickly by temporarily taking the computer out of the scope of the GPO that assigns SP1 (e.g., InstallSP1).

Microsoft recommends that you simply move the computer out of the OU where the GPO is linked. However, if you follow Microsoft's recommendation, you might cause other important GPOs not to be applied to the computer. I recommend that you deny the computer access to the relevant GPO by opening the Properties dialog box of the OU where the relevant GPO is linked. Select the Group Policy tab, then the GPO. Click Properties and select the Security tab. Next, add an access control entry that denies full control to the computer that's missing SP1. (For our example, Figure 3 shows a computer named PLATO.) Click OK, and close all the property dialog boxes. Reboot the computer. After its usual startup process, when the Win2K Installer service finds that InstallSP1 GPO no longer applies to this computer, Win2K Installer checks to see if you previously used the GPO to install any applications. When Win2K Installer encounters SP1, it checks to see whether Uninstall this application when falls out of the scope of management was enabled at the time of installation. (Remember that when we assigned SP1, we checked this box, as Figure 2 shows. Therefore, the computer will display "Removing managed software Service Pack 1" and reboot.) Now, remove the access control entry that denies the computer access to the GPO, and reboot the system another time. The computer will again attempt to install the service pack. By using GPO permissions, we can prevent just the InstallSP1 GPO from being applied without disturbing anything else. If you accidentally deploy SP1 to systems incorrectly, or if you encounter a problem on a given system after you install SP1, you can also use the method I've described in this article to uninstall SP1.

Although Win2K Installer is an exciting tool you can use to help keep your systems secure while saving time, be aware of the following issues:

  • Alerting users. Because service pack installations take several minutes, alert users that they'll experience a delay the next time they reboot and an additional reboot before they can log on. Notifying users in advance can save your Help desk from being deluged with calls. You can also prevent giving security updates a bad name.
  • Choosing a time. If most of your users shut down their workstations each night, assign the package shortly before the end of the workday so that most users experience the delay when they reboot the next day.
  • Scheduling by departments. If you've divided your workstations into departmental OUs, work with each department to decide the best time for installation. Update workstations one department at a time.
  • Scheduling server installations. Keep in mind that a service pack installation won't take effect until the next time you reboot the server. Also, you will have a longer-than-usual delay while the service pack installs and then reboots a second time. Because many servers go for long periods of time without being rebooted, to force the service pack to install sooner, you might need to schedule a special reboot after assigning the package. (You can reboot a Win2K system remotely using the Microsoft Management Console—MMC—Computer Management snap-in. See Restarting computers, starting remotely in Win2K Help Text Index.)
  • Contacting Microsoft. Now that Microsoft has provided this crucial Win2K Installer package for SP1 several months after the service pack debuted, users need to urge Microsoft to commit to including a Win2K Installer package with each service pack and hotfix in the future. Email Microsoft about adding such features to [email protected]
TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.