Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


December 28, 2004

My Favorite Tips for Windows XP SP2

Techniques to help you deploy XP SP2, manage Windows Firewall, and more
A Web Exclusive from Windows IT Pro
Jeremy Moskowitz
Feature
InstantDoc #44714
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Active Directory (AD) Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Windows XP Service Pack 2 (SP2) is a big deal. It provides immediate benefits, but it also comes with some potential pitfalls. Before you do a mass rollout of XP SP2, arm yourself with my favorite tips and tricks for deploying SP2 and dealing with some difficulties you'll likely run into after you deploy it.

Use Group Policy to Deploy SP2
Rolling out XP SP2 in the enterprise is no small task. Whether you have 5, 50, or 500 machines, you could spend a lot of time just running the setup program. To speed the job, use the power of Group Policy to deploy SP2 to your users.

It might seem like the easiest thing to do would be to create a Group Policy Object (GPO) that's linked to various organizational units (OUs) in Active Directory (AD), as Figure 1 shows. However, this approach is chancy because, if something goes awry with the upgrade, all XP computers in a department could risk failure. Randy Smith describes some steps to mitigate this risk in "Windows XP SP2: Centralized Deployment and Defense," August 2004, InstantDoc ID 43199. Specifically, he explains how to

  1. extract the service pack to a share or Dfs mount
  2. create a new GPO to deploy SP2, link the GPO to the domain level, and have the GPO apply SP2 to a security group that contains all your XP machines

However, if you move all your XP machines into one security group and apply the GPO to that group, you'll still be upgrading all XP machines in every department at one time. To avoid exposing all of a department's XP systems at once, I suggest you instead create multiple AD security groups. Into each group, put selected XP computers from several departments. Then, link the GPO to the domain and use security group filtering to apply the GPO.

Figure 2 illustrates this approach in a network that uses a typical domain and OU structure. As you can see, I create three security groups, each containing XP computers from various departments. For example, XPGROUP1 contains one computer from the Sales OU, one from the Facilities OU, and one from the Accounting OU. Figure 3 shows how I put this approach into practice. First, I create the GPO to deploy SP2 and link the GPO to the domain. In the Security Filtering section, I remove the Authenticated Users group and add XPGROUP1. Because the new group contains a cross-section of Windows XP machines, no department is upgraded wholesale. Then, I simply repeat the steps by creating additional security groups, populating them with the computers I want to update, and adding those new groups in the Security Filtering section.

Delaying SP2 Deployment
If your clients use Microsoft Software Update Services (SUS) or Automatic Updates to contact Microsoft and automatically download patches, they'll find SP2 flagged as a critical update. Indeed, SP2 has been listed as a critical update since mid-August 2004. However, to prevent SP2 from installing on clients before administrators have thoroughly tested it, some administrators have resorted to disabling SUS or blocking access to the Windows Update site. This approach has a serious downside, however, in that it also prevents clients from obtaining other critical updates.

Instead of blocking all access to the Windows Update site, administrators who want to wait to install SP2 should read the documentation and follow the procedures spelled out in the TechNet article "Temporarily Disabling Delivery of Windows XP Service Pack 2 Through Windows Update and Automatic Updates," http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2aumng.mspx. The associated download provides an .adm template for Group Policy that blocks pre-XP SP2 machines from automatically installing the service pack. Thus, your XP clients can receive the other critical updates they need while preventing only the deployment of XP SP2. You can read more about this strategy in the FAQ "FAQ—Temporarily Blocking Windows XP SP2 Delivery Through Windows Update and Automatic Updates," http://www.microsoft.com/technet/prodtechnol/winxpro/maintain/sp2aumngfaq.mspx. After April 12, 2005, the registry changes that the .adm template makes are ignored and SP2 is installed whether you're ready or not.

Living with SP2
After deploying XP SP2 to your clients, you can enjoy the fruits of your labor. SP2 adds more than 600 new policy settings, which you can tweak to your heart's content. The new settings are visible when you create a GPO (or edit an existing one) from an XP SP2 machine. For a listing of all the .adm template and Microsoft Internet Explorer (IE) policy settings, including the policy path and default setting for each, download the "Group Policy Settings Reference for .adm Files Included with Windows XP Professional Service Pack 2" Excel spreadsheet at http://go.microsoft.com/fwlink/?linkid=15165. To see only the new XP SP2 settings, click the spreadsheet's Update History worksheet.

One difficulty that's sure to come up as soon as you deploy SP2 is that Windows Firewall is automatically enabled. For many companies, Windows Firewall is both a blessing and a curse. It's a blessing because, in its default configuration, the firewall allows no outside communication to the client. Of course, it's a curse for the same reason. If you try to use Group Policy Management Console's (GPMC's) Group Policy Results Wizard to determine the effect of policies on a specific SP2 machine on which the firewall is enabled, you get the error message that Figure 4 shows.

To correct this problem, you could disable the firewall, but that isn't a good idea. Instead, leave it enabled and open only the port necessary to allow remote procedure call (RPC) communication (port 135). I suggest creating a GPO that opens port 135 and linking the GPO to the domain level. The Windows Firewall: Allow remote administration exception policy does this; you'll find it under Computer Configuration\Administrative Templates\Network\Network\Connections\Windows Firewall\Domain Profile. Simply enable this policy setting—you can optionally specify from which addresses the target machine should allow requests—and the Group Policy Results Wizard will continue to work as it did before you loaded SP2. Be aware that this policy also opens port 445, which allows Server Message Block (SMB) traffic so that administrators can manipulate files on remote machines.

   Previous  [1]  2  Next 


Learning Path For instructions on backing up GPOs:
"Don't Wait—Back Up Those GPOs Now!"


Download a listing of all .adm templates:
"“Group Policy Settings Reference for .adm Files Included with Windows XP Professional Service Pack 2”"


For more information about the LISTBOX ADDITIVE problem:
"Managing Windows XP Service Pack 2 Features Using Group Policy"

"Changes to Group Policy Behavior After Installing Windows XP Service Pack 2"


Obtain the hotfix for the LISTBOX ADDITIVE problem:
"'The following entry in the [strings] section is too long and has been truncated' error message when you try to modify or to view GPOs in Windows Server 2003, Windows XP Professional, or Windows 2000"


Read Microsoft's recommendations for delaying implementation of XP SP2:
"Temporarily Disabling Delivery of Windows XP Service Pack 2 Through Windows Update and Automatic Updates"


To learn how to use security filtering to limit the scope of GPOs:
"“FAQ—Temporarily Blocking Windows XP SP2 Delivery Through Windows Update and Automatic Updates”"

"Using Security Filtering to Apply GPOs to Selected Groups"


To prepare to implement XP SP2:
"Managing Windows XP SP2 Features Using Group Policy"

"Changes to Functionality in Microsoft Windows XP Service Pack 2"

"Download the enterprise implementation guide, planning guide, and planning template"

"Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2"
Top Viewed ArticlesView all articles
Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

2009 Windows IT Pro Editors' Best and Community Choice Awards

Picking a favorite product from an impressive crowd of competitive offerings is never an easy task, and such was the case with our Editors' Best and Community Choice awards this year. ...

WinInfo Short Takes: Week of November 23, 2009

An often irreverent look at some of the week's other news, including some post-PDC some soul searching, a Google Chrome OS announcement and a Microsoft response, Windows 7 off to a supposedly strong start, the Jonas Brothers and Xbox 360, and so much more ...
Active Directory (AD) Whitepapers Meeting Compliance Objectives in SharePoint

Email Controls and Regulatory Compliance

Solving Desktop Management Challenges in Education
Related Events Troubleshooting Active Directory

Deep Dive into Windows Server 2008 R2 presented by John Savill

Troubleshooting Group Policy, eLearning series

Check out our list of Free Email Newsletters!
Active Directory (AD) eBooks The Essentials Series: Active Directory 2008 Operations

Keeping Your Business Safe from Attack: Monitoring and Managing Your Network Security

Windows 2003: Active Directory Administration Essentials
Related Active Directory (AD) Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Calculate your savings now
See how SAN is 57% cheaper than DAS over three years

Free CDs Offer Fundamental Content for IT Pros
Are you up to speed on the latest technologies and solutions? Don't miss out on your chance to get up to speed quickly on fundamental, in-depth information on some of the hottest topics in our library of content.

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Exchange Server 2010: Deploying Unified Communications - Virtual conference
December 1, 2009 - Free Registration. Build your Unified Communications future on a strong Exchange Server 2010 foundation.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement