Given the size of Windows XP Service Pack 2 (about 300MB), administrators should be cautious about letting Microsoft Corp.'s Automatic Updates download the package to each XP-based desktop; this could overwhelm Internet connections and cause an uptick in support calls.
Organizations that have Automatic Updates pointing to a local patch repository must approve SP2 before clients can start downloading it, but those groups that use Automatic Updates to get patches directly from Microsoft should consider downloading and applying a Group Policy template Microsoft has provided to block the SP2 download temporarily (available at www.microsoft.com/technet/prodtechnol/
At press time, SP2 wasn't available via Microsoft's Software Update Services synchronization process, so we chose to distribute the package via Active Directory GPO (Group Policy Objects) to control the installation and avoid hammering our Internet connection.
We downloaded a single copy of the Network Installation version of SP2 and used an executable flag to unpack the update to a file share without installing it. We then configured a Group Policy to install the resulting Windows Installer package at the next reboot and assigned the policy to a test OU (organizational unit).
Service pack installation took about 15 minutes per system, although install time will fluctuate according to network conditions, server load and the number of clients performing the update concurrently.
Included with SP2 are .adm files that update Group Policy template files to reflect new settings that come with the service pack, including those for Windows Firewall. We used the Microsoft Management Console's Group Policy Editor snap-in from an SP2-enabled machine to connect to our OU's GPO, which was automatically updated with the settings.
However, this update makes it difficult to manage the GPO from Windows 2000-, 2003- and XP-SP1-based machines, all of which have an older version of Group Policy Editor that has problems displaying the .adms' long-winded explanations of the new features. Microsoft has released a hot fix (KB842933) for this problem.
Using the updated GPO, administrators who have already deployed a desktop firewall throughout the enterprise can automatically disable Windows Firewall. Those who choose to use Windows Firewall can create inbound policies that exempt certain ports or applications from firewall blocking for all systems in the OU. Writing the text-based exemption policies is a little complicated but allows administrators to apply the exemptions to entire networks or individual hosts.
Technical Analyst Andrew Garcia can be reached at [email protected]