Windows Operating System Service Pack Blocker Toolkit: Frequently Asked Questions

Q. Do different versions of Windows require different blocker toolkits (and corresponding registry settings)?

A. Windows XP SP2 used a unique registry setting for the original blocker tool in 2004/2005.  Windows Server 2003 Service Pack 1 and Service Pack 2 used the current registry setting.  Microsoft will use the same registry setting for Windows Vista SP1 and Windows XP SP3 in 2007, and anticipates at this time continuing to use this same registry key for future service pack blocking tools. If you previously downloaded the XP SP2 blocking tool, you will need to download the current version for use with Vista and XP SP3.

Q. Do these Service Pack blocks expire?

A. Yes, these blocks only function for the first 12 months after release for each respective service pack. However, if you install the block for a current service pack, and later deploy the service pack using the standalone (CD/DVD or network install) installer, the registry key will remain set, and will block future service packs during the 12 month period for those respective service packs.

Q. When does the Windows Server 2003 SP2 block expire?

A. Windows Server 2003 SP2 was released to Windows Update on March, 2007.  The blocking tool will be effective for 12 months from that date, or until March, 2008.

Q. When will Windows Vista SP1 and Windows XP SP3 be released on Windows Update?

A. These service packs are currently under development and scheduled to release in 2008.  Microsoft will provide additional information on release dates at a later date.

Q. If I need to temporarily disable delivery of a Windows Operating System Service Pack, why should I use the toolkit provided by Microsoft? Why should I not just disable the automatic update setting in Windows Update entirely?

A. Microsoft strongly urges customers not to disable automatic updates in Windows Update because the automatic update setting provides the ongoing delivery of critical and security updates to all Windows Update-enabled systems, and disabling the automatic update setting can potentially leave these systems more vulnerable. Windows Software Update Services (WSUS) allows IT professionals complete control over deployment of updates to their systems. Microsoft has specifically created these tools to safely disable and re-enable delivery of Windows Service Packs to systems in organizations that cannot use SUS, SMS 2003, or another update-management solution.

Q. Why not block URL access to Windows Update (WU) or Microsoft Update (MU)?

A. This is not recommended because it would stop delivery of all critical and security updates to the organization—not only to Windows Operating systems but to all supported versions of the Windows desktop and server operating systems.

Q. What testing should customers do to validate the Windows Service Pack delivery-disabling technology Microsoft is making available before using it?

A. The detection engine in Windows Update uses the presence of this registry key to indicate to the Windows Update client software that the Service Pack does not apply to the system.  Because the delivery-disabling mechanisms being provided by Microsoft rely on a registry key that is used only for purpose of disabling and re-enabling delivery of a Windows Service Pack, there should be no additional impact or side effect on the system. No additional testing should be necessary to validate the mechanism.

Q. What registry key is being used to disable delivery of Windows Service Packs?

A. HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

Q. What is the key value name and what are the value options?

A. The key value name is "DoNotAllowSP." If the value is '1' delivery of Windows Service Packs through Windows Update (WU)/Microsoft Update (MU) is disabled. If the value is not '1' or if the key doesn't exist, the system will be able to receive Windows Service Packs if the WU site is accessible or if AU is configured to get updates from WU.

Q. Will this Service Pack blocking mechanism also block delivery of a Windows Service Pack through Software Update Services (SUS) or Systems Management Server (SMS)?

A. No, this mechanism only blocks delivery of a Windows Service Pack from Windows Update (WU)/Microsoft Update (MU) (if customer is not using SUS). A Windows Operating System Service Pack can still be deployed using SUS, SMS, and other methods while the blocking mechanism is activated.

Q. Will this Service Pack blocking mechanism prevent installation of the service pack from CD/DVD or from the standalone (network) install package downloaded from Microsoft.com/download site?

A. No, this does not prevent the service pack from installing.  This blocking toolkit simply prevents the Windows Update service from delivering (or downloading) the service pack to individual computers. You can leave this registry setting in place and use other patch management or deployment techniques to successfully install these service packs when you are ready.

Q. How does the Microsoft-signed executable software work?

A. It is a small program that accepts one of two command line options (/B for block and /U for unblock)) and creates or removes the registry key that controls the ability to deliver a Service Pack to a Microsoft Operating system via Windows Update (WU)/Microsoft Update (MU). It is signed by Microsoft, so the operating system knows the executable is provided by Microsoft and is therefore trustworthy.

Q. What is the purpose of the sample script?

A. The sample script is a simple wrapper for the signed executable software that allows specification of the name of the system on which the executable should be run. The system name is specified as a command-line option.

Q. What is the ADM template used for?

A. The Administrative Template (.adm file) allows administrators to import the new group policy settings to block or unblock delivery of a Windows Operating System Service Pack into their Group Policy environment, and use Group Policy to centrally execute the action across systems in their environment.

Q. How long will the temporary disabling mechanism work?

A. The mechanism will work block a Service Pack until one year after the release of that Service Pack. After one year, Windows Update (WU) and Automatic Updates (AU) will ignore the presence of the registry setting and will deliver the Service Pack in question.

Q. What happens when the blocking mechanism is no longer available?

A. After one year, Automatic Updates (AU) and Windows Update (WU) will ignore the presence of the registry setting, and deliver the Windows Operating System Service Pack automatically to all systems configured to receive updates automatically using AU and WU/MU.

Q. Will the tool be localized?

A. The tool will work without modification on any language edition of Microsoft Windows Operating Systems.