Quick Links|Home|Worldwide
Microsoft TechNet*
|TechCenters|Downloads|TechNet Program|Subscriptions|My TechNet|Security Bulletins|Archive
Search for

FAQ – Temporarily Blocking Windows XP SP2 delivery through Windows Update and Automatic Updates

Q.If I need to temporarily disable delivery of Windows XP SP2, why should I use these tools provided by Microsoft? Why should I not just disable AU entirely?

Microsoft strongly urges customers not to disable AU since this will disable ongoing delivery of critical and security updates to all these systems, leaving these systems vulnerable. The best solution is to use SUS and point AU on the client machines to the SUS server. This allows IT professionals complete control over deployment of updates to their systems. Microsoft has specifically created these tools to safely disable and re-enable delivery of Windows XP SP2 to systems in organizations that cannot use SUS, SMS 2003 or another update-management solution.

Q.Why not block URL access to the Windows Update site?

Again, this is not recommended because it would stop delivery of all critical and security updates to the organization – not only to Windows XP systems but to all supported versions of the Windows desktop and server operating systems.

Q.What testing should customers do to validate the Windows XP SP2 delivery-disabling technology Microsoft is making available before using it?

Because the delivery-disabling mechanisms being provided by Microsoft all rely on a new registry key that is used only for purpose of disabling and re-enabling delivery of Windows XP SP2, there is no additional impact or side effect on the system. Customers will be able to use these mechanisms immediately, without need for testing.

Q.What registry key is being used for this purpose?


Q.What is the key value name and what are the value options?

The key value name is “DoNotAllowXPSP2”

If the value is ‘1’ delivery of Windows XP SP2 via WU and AU is disabled. If the value is not ‘1’ or if the key doesn’t exist, the system will be able to get Windows XP SP2 if the Windows Update site is accessible or if AU is configured to get updates from Windows Update.

Q.Will this Windows XP SP2 blocking mechanism also block delivery of Windows XP SP2 via Software Update Services (SUS) or Systems Management Server (SMS)?

No, this mechanism only blocks delivery of Windows XP SP2 from WU or directly via AU (customer is not using SUS). Windows XP SP2 can still be deployed using SUS, SMS, and other methods while the blocking mechanism is activated.

Q.How does the Group Policy mechanism work?

Group Policy allows IT administrators to centrally and flexibly define and enforce settings across groups of systems and users. This ADM template will allow customers who have implemented Group Policy (a feature of Windows 2000 Server and Windows Server 2003 that is built on Active Directory) to quickly disable and re-enable delivery of Windows XP SP2 to systems across their organizations.

The IT administrator imports the provided ADM template using the ‘GP Edit’ MMC Snap-in which makes available the new Group Policy settings to disable and re-enable delivery of Windows XP SP2 via AU or WU. A Group Policy object with the appropriate setting enabled can then be targeted at the appropriate set of systems and the Group Policy mechanism will automatically configure the target systems appropriately.

Q.How does the Microsoft signed executable software work?

It is essentially a small program that accepts one of two command line options (disable and enable) and creates or removes the registry key that controls the ability to delivery Windows XP SP2 to the system via AU or WU. It is signed by Microsoft, so the operating system knows the executable is provided by Microsoft and is therefore trustworthy.

Q.What is the purpose of the sample script?

The sample script is a simple wrapper for the signed executable software that allows specification of the name of the system on which the executable should be run. The system name is specified as a command-line option.

Q.How long will this temporary disabling mechanism work?

It is scheduled to work for 240 days (8 months), starting on August 16, 2004. After April 12, 2005, WU and AU will ignore the presence of the registry setting and will deliver SP2.

Q.What happens when the mechanism is no longer available?

After 240 days, AU and WU will ignore the presence of the registry setting, and Windows XP SP2 will automatically be delivered to all systems configured to receive updates automatically via AU. Also, users will be able to go to the Windows Update site and get Windows XP SP2 regardless of the presence of the registry setting.

Q.Will the tool be localized?

No, there is not enough time to localize the tool or the documentation. However, the tool will work without modification on any language edition of Windows XP.

Q.Will the 240 day time period be based on the RTM of each individual language edition?

No. The 240 day time period is based on August 16th for all language editions. AU and WU will ignore the registry setting on April 12, 2005 for all language editions and allow installation of SP2.


For More Information


© 2006 Microsoft Corporation. All rights reserved. Terms of Use |Trademarks |Privacy Statement