Windows Operating System Service Pack Blocker Toolkit: Frequently Asked Questions

 

Q. Do different versions of Windows require different blocker toolkits (and corresponding registry settings)?

A. Windows XP SP2 used a unique registry setting for the original blocker tool in 2004/2005. All other Windows Service Packs use the current registry setting. We intend to use this same registry key for future service pack blocking tools.

Q. Do these Service Pack blocks expire?

A. Yes, these blocks only function for the first 12 months after release for each respective service pack. However, if you install the block for a current service pack, and later deploy the service pack using the standalone (CD/DVD or network install) installer, the registry key will remain set, and will block future service packs during the 12-month period for those respective service packs.

Q. Where do I find information about when a Service Pack block will expire?

A. Service Pack block expiration dates are available on the Service Pack Blocker Tool Kit page in the Microsoft Download Center.

Q. If I need to temporarily disable delivery of a Windows Operating System Service Pack, why should I use the toolkit provided by Microsoft? Why should I not just disable the automatic update setting in Windows Update entirely?

A. Microsoft strongly urges customers not to disable automatic updates in Windows Update because the automatic update setting provides the ongoing delivery of critical and security updates to all Windows Update-enabled systems, and disabling the automatic update setting can potentially leave these systems more vulnerable. Windows Server Update Services (WSUS) allows IT professionals complete control over deployment of updates to their systems. Microsoft has specifically created these tools to safely disable and re-enable delivery of Windows Service Packs to systems in organizations that cannot use SUS, SMS 2003, or another update-management solution.

Q. Why not block URL access to Windows Update (WU) or Microsoft Update (MU)?

A. This is not recommended because it would stop delivery of all critical and security updates to the organization—not only to Windows Operating systems but to all supported versions of the Windows desktop and server operating systems.

Q. What testing should customers do to validate the Windows Service Pack delivery-disabling technology Microsoft is making available before using it?

A. The detection engine in Windows Update uses the presence of this registry key to indicate to the Windows Update client software that the Service Pack does not apply to the system. Because the delivery-disabling mechanisms being provided by Microsoft rely on a registry key that is used only for the purpose of disabling and re-enabling delivery of a Windows Service Pack, there should be no additional impact or side effect on the system. No additional testing should be necessary to validate the mechanism.

Q. What registry key is being used to disable delivery of Windows Service Packs?

A. HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

Q. What is the key value name and what are the value options?

A. The key value name is "DoNotAllowSP". If the value is '1', delivery of Windows Service Packs through Windows Update (WU)/Microsoft Update (MU) is disabled. If the value is not '1' or if the key doesn't exist, the system will be able to receive Windows Service Packs if the WU site is accessible or if AU is configured to get updates from WU.
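The following audit sketch is an added example, not part of the Microsoft toolkit: it reads the DoNotAllowSP value from the key named above and reports whether the block is set and still inside the 12-month window this FAQ describes. The function name and the sample release date are hypothetical, and the window end is approximated as release date plus 12 months; the exact expiration dates are the ones published in the Download Center.

```powershell
# Added example. Registry path, value name and the 12-month window come from the FAQ;
# the function name and the sample release date are hypothetical.
function Get-ServicePackBlockState {
    param(
        [Parameter(Mandatory)] [datetime] $ServicePackReleaseDate,
        [datetime] $AsOf = (Get-Date)
    )
    $keyPath   = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
    $valueName = 'DoNotAllowSP'

    # A missing key and a missing value both mean "not blocked".
    $raw  = $null
    $kind = $null
    $key  = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $valueName)) {
        $raw  = $key.GetValue($valueName)
        $kind = $key.GetValueKind($valueName)
    }

    # Only the value 1 disables delivery. The comparison is deliberately loose
    # (string form), so the value kind is reported for the reviewer to check.
    $blockSet = ($null -ne $raw) -and ("$raw" -eq '1')

    # Approximate end of the blocking window: 12 months after release.
    $windowEnds = $ServicePackReleaseDate.AddMonths(12)
    $effective  = $blockSet -and ($AsOf -lt $windowEnds)

    $note = if (-not $blockSet) {
        'No block set: service packs can be delivered.'
    } elseif ($effective) {
        'Block set and inside the 12-month window: delivery disabled.'
    } else {
        'Block set but window passed: this service pack will be offered; the value still applies to future service packs.'
    }

    [pscustomobject]@{
        Value          = $raw
        ValueKind      = $kind
        BlockSet       = $blockSet
        WindowEnds     = $windowEnds
        BlockEffective = $effective
        Note           = $note
    }
}

# Constructed sample date, not a real service pack release date.
Get-ServicePackBlockState -ServicePackReleaseDate '2020-01-15'
```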

Q. Will this Service Pack blocking mechanism also block delivery of a Windows Service Pack through Windows Server Update Services (WSUS) or Systems Management Server (SMS)?

A. Yes, this mechanism blocks delivery of a Windows Service Pack from Windows Update (WU), Microsoft Update (MU), or Windows Server Update Services (WSUS).

Q. Will this Service Pack blocking mechanism prevent installation of the service pack from CD/DVD or from the standalone (network) install package downloaded from Microsoft.com/download site?

A. No, this does not prevent the service pack from installing.  This blocking toolkit simply prevents the Windows Update service from delivering (or downloading) the service pack to individual computers. You can leave this registry setting in place and use other patch management or deployment techniques to successfully install these service packs when you are ready.

Q. How does the Microsoft-signed executable software work?

A. It is a small program that accepts one of two command line options (/B for block and /U for unblock) and creates or removes the registry key that controls the ability to deliver a Service Pack to a Microsoft Operating system via Windows Update (WU)/Microsoft Update (MU). It is signed by Microsoft, so the operating system knows the executable is provided by Microsoft and is therefore trustworthy.

Q. What is the purpose of the sample script?

A. The sample script is a simple wrapper for the signed executable software that allows specification of the name of the system on which the executable should be run. The system name is specified as a command-line option.

Q. What is the ADM template used for?

A. The Administrative Template (.adm file) allows administrators to import the new group policy settings to block or unblock delivery of a Windows Operating System Service Pack into their Group Policy environment, and use Group Policy to centrally execute the action across systems in their environment.

Q. How long will the temporary disabling mechanism work?

A. The mechanism will block a Service Pack until one year after the release of that Service Pack. After one year, Windows Update (WU) and Automatic Updates (AU) will ignore the presence of the registry setting and will deliver the Service Pack in question.

Q. What happens when the blocking mechanism is no longer available?

A. After one year, Automatic Updates (AU) and Windows Update (WU) will ignore the presence of the registry setting, and deliver the Windows Operating System Service Pack automatically to all systems configured to receive updates automatically using AU and WU/MU.

Q. Will the tool be localized?

A. The tool will work without modification on any language edition of Microsoft Windows Operating Systems.

Q. What will happen if my company has the service pack blocker tool in place when it expires?

A. When a service pack blocker tool expires, enterprises using the service pack blocker tool will be prompted to install the service pack that was being blocked.

Q. Does this mean my company will have to download the service pack?

A. No. Service packs will not automatically install on a machine even after the Service Pack Blocker tool expires. For service packs, you must accept the offering before installation will start. If Automatic Update is turned on, WU will alert you that it has an important update to install. If you don't want to install the update (service pack), simply decline to install and/or hide the update. If you do not have AU turned on, the service pack will not be offered until you open Windows Update and "Check for Updates."