Do you wanna block SP auto deployment..?

Endpoint Central | May 6, 2008 | 2 min read

Hi Folks

Here is the News (..actually a year old ;-) ) for the admins who don’t want the Service Packs to be rolled out to their network without their permission (especially SP3 for XP) .   Since most of us are concerned about the XP SP3 roll out, this may be of interest of many to ensure that SP3 doesn’t get through their network without their knowledge.   Microsoft has this tool (SPBlockerTools.EXE) in site for more than a year as i mentioned, which can block Service Pack installation which happens through Windows Updates.  This tool can be used to block (temporarily) the installation of SP updates.   It can block

  • Windows Server 2003 Service Pack 2 (valid through March, 2008 – time elapsed)
  • Windows XP Service Pack 3 (valid for 12 months following general availability)
  • Windows Vista Service Pack 1 (valid for 12 months following general availability)

Here is the extract which talks about ‘How it works?

This toolkit contains three components. All of them function primarily to set or clear a specific registry key that is used to detect and block download of Service Packs from Windows Update. You only need to use the component which best serves your organization’s computer management infrastructure.

  • A Microsoft-signed executable
  • A script
  • An ADM template
  1. The executable creates a registry key on the computer on which it is run that blocks or unblocks (depending on the command-line option used) the delivery of a Service Pack to that computer through Windows Update. The key used is HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate.
    1. When the ‘/B’ command line option is used, the key value name ‘DoNotAllowSP’ is created and its value set to 1. This value blocks delivery of a Service Pack to the computer through Automatic Update or Windows Update.
    2. When the ‘/U’ command line option is used, the previously created registry value that temporarily blocked the delivery of a Service Pack to the computer through Automatic Update or Windows Update is removed. If the value does not exist on the computer on which it is run, no action is taken.
  2. The script does the same thing as the executable, but allows you to specify the remote machine name on which to block or unblock delivery of Service Packs. Note that the executable and script have been tested only as a command-line tool and not in conjunction with other systems management tools or remote execution mechanisms.
  3. The ADM template allows administrators to import group policy settings to block or unblock delivery of Service Packs into their Group Policy environment. Administrators can then use Group Policy to centrally execute the action across systems in their environment.

The SPBlockerToolKit can be downloaded from Microsoft.

Folks, importantly you’ll have to keep in mind that it will not prevent SP installs from DC/DVD, or from stand-alone downloads. It can only block SP installs through Windows Updates.

Cheers

Romanus

Desktop Central Technical Support Team

romanus@zohocorp.com

  1. Reply
    bariah

    hi romanus, hope you could help me here.. do you know whether we can unblock the block on the XP SP3 update? cause after d/l this SPBlocker tool kit, it totally crashed my windows update. cant even go into windowsupdate.microsoft.com anymore.. it directs me to msn.com thx