Windows Operating System Service Pack Blocker Toolkit: Frequently Asked Questions
Published: March 4, 2009
A. Windows XP SP2 used a unique registry setting for the original blocker tool in 2004/2005. All other Windows Service Packs use the current registry setting. We intend to use this same registry key for future service pack blocking tools.
A. Yes, these blocks only function for the first 12 months after release for each respective service pack. However, if you install the block for a current service pack, and later deploy the service pack using the standalone (CD/DVD or network install) installer, the registry key will remain set, and will block future service packs during the 12 month period for those respective service packs.
A. Service Pack block expiration dates are available at Service Pack Blocker Tool Kit within Microsoft Download Center.
A. Microsoft strongly urges customers not to disable automatic updates in Windows Update because the automatic update setting provides the ongoing delivery of critical and security updates to all Windows Update-enabled systems, and disabling the automatic update setting can potentially leave these systems more vulnerable. Windows Software Update Services (WSUS) allows IT professionals complete control over deployment of updates to their systems. Microsoft has specifically created these tools to safely disable and re-enable delivery of Windows Service Packs to systems in organizations that cannot use SUS, SMS 2003, or another update-management solution.
A. This is not recommended because it would stop delivery of all critical and security updates to the organization—not only to Windows Operating systems but to all supported versions of the Windows desktop and server operating systems.
A. The detection engine in Windows Update uses the presence of this registry key to indicate to the Windows Update client software that the Service Pack does not apply to the system. Because the delivery-disabling mechanisms being provided by Microsoft rely on a registry key that is used only for purpose of disabling and re-enabling delivery of a Windows Service Pack, there should be no additional impact or side effect on the system. No additional testing should be necessary to validate the mechanism.
A. The key value name is "DoNotAllowSP." If the value is '1' delivery of Windows Service Packs through Windows Update (WU)/Microsoft Update (MU) is disabled. If the value is not '1' or if the key doesn't exist, the system will be able to receive Windows Service Packs if the WU site is accessible or if AU is configured to get updates from WU.
A. Yes, this mechanism blocks delivery of a Windows Service Pack from Windows Update (WU), Microsoft Update (MU), or Windows Server Update Services (WSUS).
A. No, this does not prevent the service pack from installing. This blocking toolkit simply prevents the Windows Update service from delivering (or downloading) the service pack to individual computers. You can leave this registry setting in place and use other patch management or deployment techniques to successfully install these service packs when you are ready.
A. It is a small program that accepts one of two command line options (/B for block and /U for unblock)) and creates or removes the registry key that controls the ability to deliver a Service Pack to a Microsoft Operating system via Windows Update (WU)/Microsoft Update (MU). It is signed by Microsoft, so the operating system knows the executable is provided by Microsoft and is therefore trustworthy.
A. The sample script is a simple wrapper for the signed executable software that allows specification of the name of the system on which the executable should be run. The system name is specified as a command-line option.
A. The Administrative Template (.adm file) allows administrators to import the new group policy settings to block or unblock delivery of a Windows Operating System Service Pack into their Group Policy environment, and use Group Policy to centrally execute the action across systems in their environment.
A. The mechanism will work block a Service Pack until one year after the release of that Service Pack. After one year, Windows Update (WU) and Automatic Updates (AU) will ignore the presence of the registry setting and will deliver the Service Pack in question.
A. After one year, Automatic Updates (AU) and Windows Update (WU) will ignore the presence of the registry setting, and deliver the Windows Operating System Service Pack automatically to all systems configured to receive updates automatically using AU and WU/MU.
A. The tool will work without modification on any language edition of Microsoft Windows Operating Systems.
A. When a service pack blocker tool expires, enterprises using the service pack blocker tool will be prompted to install the service pack that was being blocked.
A. No. Service packs will not automatically install on a machine even after the Service Pack Blocker tool expires. For service packs, you must accept the offering before installation will start. If Automatic Update is turned on, WU will alert you that it has an important update to install. If you don't want to install the update (service pack), simply decline to install and/or hide the update. If you do not have AU turned on, the service pack will not be offered until you open Windows Update and "Check for Updates.