[453] in Kakapo Windows Team
[Kakapo] Re: FW: Temporarily Disabling Delivery of Windows XP Service
daemon@ATHENA.MIT.EDU (Jonathan McIndoe Hunt)
Wed Aug 11 10:40:41 2004
Message-Id: <6.2.0.1 alpha.2.20040811103152.0231e510@hesiod>
Date: Wed, 11 Aug 2004 10:40:14 -0400
To: "Paul B. Hill" <pbh@mit.edu>, "'Jonathan McIndoe Hunt'" <jmhunt@mit.edu>
From: Jonathan McIndoe Hunt <jmhunt@mit.edu>
In-Reply-To: <200408102203.i7AM3pOl002995@melbourne-city-street.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
cc: kakapo@mit.edu
Errors-To: kakapo-bounces@mit.edu
I think putting the information on how to not get SP2 (for 4 months)
through AU on a web page and referencing it from the announcement makes the
most sense. I will work with the web team to get a page up this morning
that we can review this afternoon.

Do you think it is sufficient to reference the following Microsoft page
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2aumng.mspx
or should we put together a much shorter page (referencing the above MS
page) and break out the different parts for AD, executable script and url?

As for the timebox, I plan to send the announcement tomorrow morning, so
everyone please get your comments and feedback in today.

Thanks,
Jon

At 06:03 PM 8/10/2004, Paul B. Hill wrote:
>Hi Jon,
>
>Although I do like using the release of XP SP2 as additional incentive to
>get users to use MIT's Windows Automatic Update Service, I do think it might
>be useful to include some of the information from the message below in the
>"Microsoft releases SP2 for Windows XP" community announcement.
>
>Perhaps this information should be in a separate web page and the
>announcement could simply have a link to the AU information.
>
>It might also help to put a timebox on completing the draft announcement.
>Clearly some announcement to the community needs to be released before next
>Monday, the sooner the better.
>
>Paul
>
>-----Original Message-----
>From: Messages about MIT's Microsoft PSS agreement
>[mailto:MITPSS@MITVMA.MIT.EDU] On Behalf Of Paul B. Hill
>Sent: Tuesday, August 10, 2004 4:46 PM
>To: MITPSS@MITVMA.MIT.EDU
>Subject: Temporarily Disabling Delivery of Windows XP Service Pack 2 Through
>Windows Update and Automatic Updates
>
>On Monday, 8/16 Microsoft plans to release to Automatic Updates, Windows XP
>SP2. If you have not thoroughly tested Windows XP SP2 with all of your
>applications and servers, you should consider temporarily disabling delivery
>of Windows XP SP2 via the Windows Automatic Update service.
>
>Users of MIT Windows Automatic Update Service (WAUS) do not need to take any
>further action.
>
>The following information is provided to people that are using Microsoft's
>Automatic Update service to deploy security patches to the machines that
>they control.
>
>
>Summary of Relevant Windows XP SP2 Dates:
>
>8/6 Release to manufacturing
>
>8/9 Release to Microsoft Download Center (full network install package)
>
>8/10 Release to Automatic Updates (for machines running pre-release
>versions of Windows XP SP2 only)
>
>8/16 Release to Automatic Updates (for machines not running pre-release
>versions of Windows XP SP2)
>
>8/16 Release to SUS via AU
>
>Later in August
> Release to Windows Update for interactive user installations
>
>
>Temporarily Disabling Delivery of Windows XP Service Pack 2 Through Windows
>Update and Automatic Updates
>
>
>
>Introduction
>
>Windows XP Service Pack 2 (SP2) contains major security improvements
>designed to provide better protection against hackers, viruses, and worms.
>Windows XP SP2 also improves the manageability of the security features in
>Windows XP and provides more and better information to help users make
>decisions that may potentially affect their security and privacy. Because of
>these significant improvements, Microsoft views Windows XP SP2 as an
>essential security update and is therefore distributing it as a "critical
>update" via Windows Update (WU) and the Automatic Updates (AU) delivery
>mechanism in Windows. Microsoft strongly urges customers with Windows XP and
>Windows XP Service Pack 1-based systems to update to Windows XP SP2 as soon
>as possible.
>
>While recognizing the security benefits of Windows XP SP2, some
>organizations have requested the ability to temporarily disable delivery of
>this update via AU and WU. These organizations have populations of unmanaged
>PCs, upon which they have enabled AU. This is done to ensure that these
>unmanaged PCs receive all critical security updates. Since SP2 will start to
>be delivered to PCs running Windows XP or Windows XP with SP1 via AU
>starting on August 16, these customers would like to temporarily block the
>delivery of SP2 in order to provide additional time for validation and
>testing of the update. In response to these requests, Microsoft is providing
>the following guidance, resources, and communication vehicles to meet the
>needs of these customers.
>
>Please note that the mechanism to temporarily disable delivery of Windows XP
>SP2 will be available for a period of 120 days (4 months) from August 16. At
>the end of this period, Windows XP SP2 will be delivered to all Windows XP
>and Windows XP Service Pack 1 systems.
>
>
>Guidance
>
>As a best practice approach to implementing a managed rollout of Windows XP
>SP2, customers are encouraged to use a corporate update management solution
>such as Systems Management Server (SMS) 2003 or Software Update Services
>(SUS).
>
>Information about MIT's deployment of Software Update Services can be found
>at <http://web.mit.edu/ist/topics/windows/updates/>
>
>Key benefits of using SUS to deploy Windows XP SP2
>
>1. Allow administrators to control the deployment of Windows XP SP2 (as
>well as other updates) across their Windows systems
>
>2. Allow customers to safely disable direct AU or WU access from
>individual systems, while allowing these systems to get the necessary
>critical security updates and other administrator-approved updates.
>
>3. SUS will automatically and silently install Windows XP SP2, while
>installation of Windows XP SP2 via WU or AU requires user or administrator
>interaction on each system it is installed on
>
>4. Dramatically reduces network traffic into the organization, since
>updates only need to be downloaded to one or a small number of servers
>within the organization, instead of being downloaded separately to each
>system requiring the update.
>
>Information on SUS is available at www.microsoft.com/sus but MIT users
>should see <http://web.mit.edu/ist/topics/windows/updates/>.
>
>
>Resources
>
>For customers with a population of unmanaged PCs for which the above
>solutions will not suffice, Microsoft is providing additional methods of
>managing the update process. These alternatives enable customers to
>temporarily disable delivery of Windows XP SP2 via AU and WU, while still
>allowing critical security updates to be delivered via AU and WU, thus
>providing more time to plan for deployment.
>
>Options to temporarily disable and then re-enable delivery of Windows XP SP2
>via AU and WU
>
>1. For organizations that have implemented Active Directory based Group
>Policy, we will provide an ADM template to allow these customers to
>centrally and easily disable and re-enable delivery of SP2 to targeted
>groups of Windows XP systems using Group Policy
>
>At this time Microsoft has not yet provided access to the ADM template. MIT
>expects that Microsoft will provide this information within the next 48
>hours.
>
>2. For organizations that have not implemented Group Policy, we are
>providing Microsoft signed executable software that can be run on systems to
>disable and re-enable Windows XP SP2 delivery. The disable and re-enable
>actions are specified as command-line parameters when running the
>executable.
>
>At this time Microsoft has not yet provided access to the executable. MIT
>expects that Microsoft will provide this information within the next 48
>hours.
>
>Microsoft is also providing a sample script that will accept a machine name
>as a command-line parameter to enable execution of the executable software
>on a specific machine. The script can be used to run the executable on a
>remote machine or on a group of remote systems, using a mechanism that works
>best for the customer (run as logon script, via a remote script execution
>mechanism such as SMS, etc.).
>
>At this time Microsoft has not yet provided access to the sample script. MIT
>expects that Microsoft will provide this information within the next 48
>hours.
>
>3. For organizations that have machines that are not easily managed via
>scripting or Group Policy, but are accessible via e-mail, we are providing
>sample e-mail text that includes a URL link that users can click on to
>disable delivery of Windows XP SP2. This URL will point to an executable
>script hosted on www.microsoft.com/technet/winxpsp2. This option requires
>users to have administrator rights on their machines.
>
>We are also providing sample e-mail text with a similar included URL link
>that can be clicked on to re-enable delivery of Windows XP SP2. IT
>administrators can send this e-mail to their users when they are ready to
>deploy Windows XP SP2 to these users' systems.
>
>Note 1: All of the above options rely on the presence of a registry key to
>disable delivery of SP2. This is a new registry key that is used only for
>the purpose of disabling and re-enabling delivery of SP2. Consequently,
>there is no additional impact or side effect on the system, and customers
>will be able to use these options immediately without need for any testing.
>
>Note 2: Running the executable software requires administrative privileges.
>Users who are not administrators on their systems will not be able to run
>the executable. This is not an issue, since these users would not be able to
>install XP2 anyway, and disabling delivery of XP2 would not be a concern for
>these users.
>
>Delivery
>
>Customers will, but do not yet, have access to these tools via the Windows
>XP SP2 section of Microsoft TechNet (www.microsoft.com/technet/winxpsp2)
>that provides
>
>1. Information on options for temporarily disabling delivery of Windows
>XP SP2 via AU and Windows Update
>
>2. Content to disable and re-enable delivery of Windows XP SP2
>
>a. URL link to download a self-extracting zip file containing the ADM
>template, signed executable, and sample script
>
>b. Sample email text with included link that can be clicked on to
>disable delivery of Windows XP SP2
>
>c. Sample email text with included link that can be clicked on to
>re-enable delivery of Windows XP SP2
>
>3. Link to a frequently asked questions (FAQ) page
>
>Note: The main Windows XP SP2 page on TechNet will, but does not yet, have
>an announcement about the availability of the Windows XP SP2
>delivery-disabling options and will provide a link to the above Web page.