Overview
While recognizing the security benefits of Windows XP SP2, some organizations have requested the ability to temporarily disable delivery of this update via Automatic Updates (AU) and Windows Update (WU). These organizations have enabled AU on populations of PCs to ensure that those PCs receive all critical security updates. Because SP2 will be delivered via AU to PCs running Windows XP or Windows XP with SP1 starting on August 16, these customers would like to temporarily block delivery of SP2 to allow additional time for validation and testing of the update. In response to these requests, Microsoft is providing this set of tools.
Please note that the mechanism to temporarily disable delivery of Windows XP SP2 will be available for a period of 120 days (4 months) from August 16. At the end of this period, Windows XP SP2 will be delivered to all Windows XP and Windows XP Service Pack 1 systems.
This toolkit contains 5 components:
A Microsoft-signed executable
A script
An ADM template
Sample email text with included link to block delivery of Windows XP SP2
Sample email text with included link to unblock delivery of Windows XP SP2
The executable creates the registry key and sets the associated value on the machine upon which it is run, to block or unblock (depending on the command-line option used) the delivery of Windows XP SP2 to that system, through Automatic Updates or Windows Update. The key used is HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate.
When the /B command-line option is used, the Value Name ‘DoNotAllowXPSP2’ is created and its value is set to ‘1’. This value blocks delivery of Windows XP SP2 to the machine through AU or WU.
When the /U command-line option is used, the previously created registry value that temporarily blocked the delivery of Windows XP SP2 to the system via Automatic Updates (AU) or Windows Update (WU) is removed. If the value does not exist on the system on which the tool is run, no action is taken.
The script does the same thing as the executable, but allows specification of the machine name upon which the action should be taken, so a remote system can be specified on which to block or unblock delivery of Windows XP SP2.
Please note that the executable and script have been tested only as command-line tools and not in conjunction with other systems management tools or remote execution mechanisms.
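The block and unblock behaviour described above can be reproduced and audited with reg.exe. The following is an added example, not Microsoft's executable or script: the /Q audit option, the optional machine argument syntax, and the REG_DWORD value type are assumptions, since the page gives only the key, the value name and the value 1.

```bat
@echo off
rem Added example, not the toolkit's own code. Save under any name, e.g. spblock.cmd.
rem Usage: spblock.cmd /B ^| /U ^| /Q [machine]
rem   /B blocks, /U unblocks, /Q (assumed audit option) reports the current state.
setlocal
set "VALUE=DoNotAllowXPSP2"
set "KEY=HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate"

rem An optional second argument targets a remote machine (\\machine\HKLM\...).
if not "%~2"=="" set "KEY=\\%~2\%KEY%"

if /i "%~1"=="/B" goto block
if /i "%~1"=="/U" goto unblock
if /i "%~1"=="/Q" goto query
echo Usage: %~n0 /B^|/U^|/Q [machine]
exit /b 2

:block
rem REG_DWORD is an assumption; the page states only the name and the value 1.
reg add "%KEY%" /v %VALUE% /t REG_DWORD /d 1 /f >nul
if errorlevel 1 (echo Failed to set %VALUE% & exit /b 1)
goto query

:unblock
rem Matches the documented behaviour: if the value is absent, take no action.
reg query "%KEY%" /v %VALUE% >nul 2>&1
if errorlevel 1 (echo %VALUE% not present, no action taken & exit /b 0)
reg delete "%KEY%" /v %VALUE% /f >nul
if errorlevel 1 (echo Failed to remove %VALUE% & exit /b 1)
echo %VALUE% removed, SP2 delivery is unblocked
exit /b 0

:query
rem reg.exe prints DWORD data in hex, so a value of 1 appears as 0x1.
reg query "%KEY%" /v %VALUE% 2>nul | find "0x1" >nul
if errorlevel 1 (
    echo %VALUE% is not set to 1, SP2 delivery is not blocked
) else (
    echo %VALUE% is set to 1, SP2 delivery is blocked
)
exit /b 0
```

Running the /Q option across the PC population before the 120-day period ends shows which systems are still withholding SP2.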
The ADM template allows administrators to import the new group policy settings to block or unblock delivery of Windows XP SP2 into their Group Policy environment, and use Group Policy to centrally execute the action across systems in their environment.