How do I use AD Group policy to block Windows Updates from installing XP SP2?

Posted on 2004-08-12
Last Modified: 2008-03-17
How do I use AD Group policy to block XP SP2?  I know that this will be pushed out by Windows Update on August 16.  We have not tested this service pack completely, and we need to block it for a while.  Microsoft indicates that we can stop SP2 by group policy, but I cannot figure out how to do it.  I know where the setting is to block Windows Updates completely, but I do not want to do that.  I just need to black SP2 for XP.
Question by:lileto

Expert Comment

ID: 11789996
Currently, XP SP2 is only available through automatic updates.  In the future, I'm sure it will be available for network installs and such (EXE version)

For the time being, you can DISABLE Automatic Updates via Group Policy.  This will prevent any updates from occurring.

For the future, when the EXE is released, along with a procedure stating it is not allowed by your company, not having administrator access should be enough to stop the installation.

Pretty much use this link, but instead of enabling AU, choose to DISABLE it instead of Not Configured or Enabled.

OR -- if you have an internal SUS server, you can just NOT APPROVE the XP SP2 update and it won't be released.

SUS is probably the best solution but for the time being you can simply block Automatic Updates with GP if you need to.
LVL 10

Expert Comment

ID: 11790573
I think that whay you need is following article:
Temporarily Disabling Delivery of Windows XP Service Pack 2 Through Windows Update and Automatic Updates

Expert Comment

ID: 11790736
Hi lileto,

This site has a link to download a bunch of tools to do what your after. The tool in particular that I think you want is an ADM script included in the download....

Hope this helps.

Accepted Solution

ashishdaga earned 400 total points
ID: 11791092

Temporarily Disabling Delivery of Windows XP Service Pack 2 Through Windows Update and Automatic Updates
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.


Expert Comment

ID: 11791420
Just a minor correction to dgroscost's post:  

"Currently, XP SP2 is only available through automatic updates.  In the future, I'm sure it will be available for network installs and such (EXE version)"

It's the other way around.  I downloaded it 2 days ago.  The exe (for English) is at:

Just an FYI and sorry it's off topic of the original question.

Expert Comment

ID: 11795225
well just disable all windows updates ...... this will solfe your prblem ....

Expert Comment

ID: 11825692
If your using GPO anyway, I would consider not using the Automatic Update option on the cliens and isntall a SUS server.  It will manage all your updates for your clients and you can pick and choose which updates to push to your clients on your own.  We use it my company and it works like a charm.

But if you want to just block it temporarily, try this:

Author Comment

ID: 11830568
Disabling all of Windows Updates via group policy is not a good answer.  I would recommend that this not be done, since this would disable all critical updates that have nothing to do with SP2.  I ended up sending up the link for SP2 blocker that will block SP2 for 120 days.  We are going to be doing some extensive testing of the service pack before the update is going to be forced by Microsoft.  I may install an SUS server before then and reconfigure Automatic updates to point to that server.  Thanks for the recommendations.  As always, this site is generally clearer about the practical steps than Microsoft.

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Introduction How to create multiboot configuration with XP\Vista and Windows 7 on it? And most important question - how to do this correctly so not to have any kind of nightmares we get when system gets screwed? First of all one should realize t…
In this article we will discuss all things related to StageFright bug, the most vulnerable bug of android devices.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now