[451] in Kakapo Windows Team
[Kakapo] FW: Temporarily Disabling Delivery of Windows XP Service
daemon@ATHENA.MIT.EDU (Paul B. Hill)
Tue Aug 10 18:04:18 2004
Message-Id: <200408102203.i7AM3pOl002995@melbourne-city-street.mit.edu>
From: "Paul B. Hill" <pbh@mit.edu>
To: "'Jonathan McIndoe Hunt'" <jmhunt@mit.edu>
Date: Tue, 10 Aug 2004 18:03:51 -0400
cc: kakapo@mit.edu
Hi Jon,
Although I do like using the release of XP SP2 as additional incentive to
get users to use MIT's Windows Automatic Update Service, I do think it might
be useful to include some of the information from the message below in the
"Microsoft releases SP2 for Windows XP" community announcement.
Perhaps this information should be in a separate web page and the
announcement could simply have a link to the AU information.
It might also help to put a timebox on completing the draft announcement.
Clearly some announcement to the community needs to be released before next
Monday, the sooner the better.
Paul

-----Original Message-----
From: Messages about MIT's Microsoft PSS agreement
[mailto:MITPSS@MITVMA.MIT.EDU] On Behalf Of Paul B. Hill
Sent: Tuesday, August 10, 2004 4:46 PM
To: MITPSS@MITVMA.MIT.EDU
Subject: Temporarily Disabling Delivery of Windows XP Service Pack 2 Through
Windows Update and Automatic Updates
On Monday, 8/16 Microsoft plans to release to Automatic Updates, Windows XP
SP2. If you have not thoroughly tested Windows XP SP2 with all of your
applications and servers, you should consider temporarily disabling delivery
of Windows XP SP2 via the Windows Automatic Update service.
Users of MIT Windows Automatic Update Service (WAUS) do not need to take any
further action.
The following information is provided to people that are using Microsoft's
Automatic Update service to deploy security patches to the machines that
they control.
Summary of Relevant Windows XP SP2 Dates:

8/6              Release to manufacturing
8/9              Release to Microsoft Download Center (full network install package)
8/10             Release to Automatic Updates (for machines running pre-release
                 versions of Windows XP SP2 only)
8/16             Release to Automatic Updates (for machines not running pre-release
                 versions of Windows XP SP2)
8/16             Release to SUS via AU
Later in August  Release to Windows Update for interactive user installations

Temporarily Disabling Delivery of Windows XP Service Pack 2 Through Windows
Update and Automatic Updates

Introduction

Windows XP Service Pack 2 (SP2) contains major security improvements
designed to provide better protection against hackers, viruses, and worms.
Windows XP SP2 also improves the manageability of the security features in
Windows XP and provides more and better information to help users make
decisions that may potentially affect their security and privacy. Because of
these significant improvements, Microsoft views Windows XP SP2 as an
essential security update and is therefore distributing it as a "critical
update" via Windows Update (WU) and the Automatic Updates (AU) delivery
mechanism in Windows. Microsoft strongly urges customers with Windows XP and
Windows XP Service Pack 1-based systems to update to Windows XP SP2 as soon
as possible.
While recognizing the security benefits of Windows XP SP2, some
organizations have requested the ability to temporarily disable delivery of
this update via AU and WU. These organizations have populations of unmanaged
PCs, upon which they have enabled AU. This is done to ensure that these
unmanaged PCs receive all critical security updates. Since SP2 will start to
be delivered to PCs running Windows XP or Windows XP with SP1 via AU
starting on August 16, these customers would like to temporarily block the
delivery of SP2 in order to provide additional time for validation and
testing of the update. In response to these requests, Microsoft is providing
the following guidance, resources, and communication vehicles to meet the
needs of these customers.
Please note that the mechanism to temporarily disable delivery of Windows XP
SP2 will be available for a period of 120 days (4 months) from August 16. At
the end of this period, Windows XP SP2 will be delivered to all Windows XP
and Windows XP Service Pack 1 systems.

Guidance

As a best practice approach to implementing a managed rollout of Windows XP
SP2, customers are encouraged to use a corporate update management solution
such as Systems Management Server (SMS) 2003 or Software Update Services
(SUS).
Information about MIT's deployment of Software Update Services can be found
at <http://web.mit.edu/ist/topics/windows/updates/>
Key benefits of using SUS to deploy Windows XP SP2
1. Allow administrators to control the deployment of Windows XP SP2 (as
well as other updates) across their Windows systems.
2. Allow customers to safely disable direct AU or WU access from
individual systems, while allowing these systems to get the necessary
critical security updates and other administrator-approved updates.
3. SUS will automatically and silently install Windows XP SP2, while
installation of Windows XP SP2 via WU or AU requires user or administrator
interaction on each system it is installed on.
4. Dramatically reduces network traffic into the organization, since
updates only need to be downloaded to one or a small number of servers
within the organization, instead of being downloaded separately to each
system requiring the update.
Information on SUS is available at www.microsoft.com/sus but MIT users
should see <http://web.mit.edu/ist/topics/windows/updates/>.

Resources

For customers with a population of unmanaged PCs for which the above
solutions will not suffice, Microsoft is providing additional methods of
managing the update process. These alternatives enable customers to
temporarily disable delivery of Windows XP SP2 via AU and WU, while still
allowing critical security updates to be delivered via AU and WU, thus
providing more time to plan for deployment.
Options to temporarily disable and then re-enable delivery of Windows XP SP2
via AU and WU
1. For organizations that have implemented Active Directory based Group
Policy, we will provide an ADM template to allow these customers to
centrally and easily disable and re-enable delivery of SP2 to targeted
groups of Windows XP systems using Group Policy.
At this time Microsoft has not yet provided access to the ADM template. MIT
expects that Microsoft will provide this information within the next 48
hours.
2. For organizations that have not implemented Group Policy, we are
providing Microsoft signed executable software that can be run on systems to
disable and re-enable Windows XP SP2 delivery. The disable and re-enable
actions are specified as command-line parameters when running the
executable.
At this time Microsoft has not yet provided access to the executable. MIT
expects that Microsoft will provide this information within the next 48
hours.
Microsoft is also providing a sample script that will accept a machine name
as a command-line parameter to enable execution of the executable software
on a specific machine. The script can be used to run the executable on a
remote machine or on a group of remote systems, using a mechanism that works
best for the customer (run as logon script, via a remote script execution
mechanism such as SMS, etc.).
At this time Microsoft has not yet provided access to the sample script. MIT
expects that Microsoft will provide this information within the next 48
hours.
3. For organizations that have machines that are not easily managed via
scripting or Group Policy, but are accessible via e-mail, we are providing
sample e-mail text that includes a URL link that users can click on to
disable delivery of Windows XP SP2. This URL will point to an executable
script hosted on www.microsoft.com/technet/winxpsp2. This option requires
users to have administrator rights on their machines.
We are also providing sample e-mail text with a similar included URL link
that can be clicked on to re-enable delivery of Windows XP SP2. IT
administrators can send this e-mail to their users when they are ready to
deploy Windows XP SP2 to these users' systems.
Note 1: All of the above options rely on the presence of a registry key to
disable delivery of SP2. This is a new registry key that is used only for
the purpose of disabling and re-enabling delivery of SP2. Consequently,
there is no additional impact or side effect on the system, and customers
will be able to use these options immediately without need for any testing.
Note 2: Running the executable software requires administrative privileges.
Users who are not administrators on their systems will not be able to run
the executable. This is not an issue, since these users would not be able to
install XP2 anyway, and disabling delivery of XP2 would not be a concern for
these users.

Delivery

Customers will, but do not yet, have access to these tools via the Windows
XP SP2 section of Microsoft TechNet (www.microsoft.com/technet/winxpsp2)
that provides
1. Information on options for temporarily disabling delivery of Windows
XP SP2 via AU and Windows Update
2. Content to disable and re-enable delivery of Windows XP SP2
a. URL link to download a self-extracting zip file containing the ADM
template, signed executable, and sample script
b. Sample email text with included link that can be clicked on to
disable delivery of Windows XP SP2
c. Sample email text with included link that can be clicked on to
re-enable delivery of Windows XP SP2
3. Link to a frequently asked questions (FAQ) page
Note: The main Windows XP SP2 page on TechNet will, but does not yet, have
an announcement about the availability of the Windows XP SP2
delivery-disabling options and will provide a link to the above Web page.