

Thanks go to Cyndi Chie for posting this article to the SDSU-Cert list
- ZDNet Article:
Microsoft lets companies block SP2 upgrade
- MS TechNet
Article about blocking XPSP2
- Microsoft
Toolkit to Temporarily Block Delivery of Windows XP SP2 to a PC Through
Automatic Updates and Windows
- Toolkit contains:
- A Microsoft signed executable
- A script
- An ADM template
- Sample email text with included link to block delivery of
Windows XP SP2
- Sample email text with included link to unblock delivery of
Windows XP SP2
New AD Windows Update policy: some of the default settings have changed and
several settings are new (marked NEW below).
- Do not allow Delivery of XPSP2
- This policy setting allows you to temporarily disable delivery of
Windows XP SP2 from Windows Update or Automatic Updates.
Windows XP SP2 includes important security improvements, so Microsoft
strongly recommends that customers deploy this update as soon as
possible.
This policy setting allows organizations not using Systems Management
Server (SMS), Software Update Services (SUS) or another update
management solution and needing more time to plan the rollout of Windows
XP SP2 to temporarily disable the delivery of Windows XP SP2 through
Windows Update and Automatic Updates.
The mechanism to temporarily disable delivery of Windows XP SP2 is
available only for a limited time. After this time period, this policy
setting will have no effect. Please see the Windows XP SP2 Web page on
the Microsoft TechNet Web site for information about the expiration
date.
This policy setting does not prevent installation of Windows XP SP2
through other mechanisms such as SMS, SUS, product disk and so on.
If you enable this policy setting, the Windows XP Service Pack 2 update
is not available to users through Windows Update. In addition, the
Automatic Update client does not download this package.
If you disable or do not configure this policy setting, the Windows XP
Service Pack 2 update will be available as an update through Windows
Update (either manually or through a properly configured Automatic
Update client).
NOTE: This setting does not disable Automatic Updates or access to
Windows Update. Nor does it prevent delivery of updates other than
Windows XP SP2 through Windows Update or Automatic Updates.
- Configure Automatic Updates
- Specifies whether this computer will receive security updates and
other important downloads through the Windows automatic updating
service.
This setting lets you specify whether automatic updates are enabled on this
computer. If the service is enabled, you must select one of the following
options in the Group Policy setting:
2 = Notify before downloading any updates and notify again before
installing them.
When Windows finds updates that apply to this computer, an icon appears
in the status area with a message that updates are ready to be
downloaded. Clicking the icon or message provides the option to select
the specific updates to download. Windows then downloads the selected
updates in the background. When the download is complete, the icon
appears in the status area again, with notification that the updates are
ready to be installed. Clicking the icon or message provides the option
to select which updates to install.
3 = (Default setting) Download the updates automatically and notify when
they are ready to be installed.
Windows finds updates that apply to your computer and downloads these
updates in the background (the user is not notified or interrupted
during this process). When the download is complete, the icon appears in
the status area, with notification that the updates are ready to be
installed. Clicking the icon or message provides the option to select
which updates to install.
4 = Automatically download updates and install them on the schedule
specified below
Specify the schedule using the options in the Group Policy setting. If
no schedule is specified, the default schedule for all installations
will be every day at 3:00 AM. If any of the updates require a restart to
complete the installation, Windows will restart the computer
automatically. (If a user is logged on to the computer when Windows is
ready to restart, the user will be notified and given the option to
delay the restart.)
- Specify Intranet Site for Updates
- Specifies an intranet server to host updates from the Microsoft
Update Web sites. You can then use this update service to automatically
update computers on your network.
This setting lets you specify a server on your network to function as an
internal update service. The Automatic Updates client will search this
service for updates that apply to the computers on your network.
To use this setting, you must set two server name values: the server from
which the Automatic Updates client detects and downloads updates, and
the server to which updated workstations upload statistics. You can set
both values to the same server.
If the status is set to Enabled, the Automatic Updates client connects
to the specified intranet Microsoft update service, instead of Windows
Update, to search for and download updates. Enabling this setting means
that end users in your organization don't have to go through a firewall
to get updates, and it gives you the opportunity to test updates before
deploying them.
If the status is set to Disabled or Not Configured, and if Automatic
Updates is not disabled by policy or user preference, the Automatic
Updates client connects directly to the Windows Update site on the
Internet.
Note: If the "Configure Automatic Updates" policy is disabled, then this
policy has no effect.
- Enable Client Side Targeting (NEW)
- Specifies the target group name that should be used to receive
updates from an intranet Microsoft update service.
If the status is set to Enabled, the specified target group information
is sent to the intranet Microsoft update service which uses it to
determine which updates should be deployed to this computer.
If the status is set to Disabled or Not Configured, no target group
information will be sent to the intranet Microsoft update service.
Note: This policy applies only when the intranet Microsoft update
service this computer is directed to is configured to support
client-side targeting. If the "Specify intranet Microsoft update service
location" policy is disabled or not configured, this policy has no
effect.
- Reschedule Automatic Updates
- Specifies the amount of time for Automatic Updates to wait,
following system startup, before proceeding with a scheduled
installation that was missed previously.
If the status is set to Enabled, a scheduled installation that did not
take place earlier will occur the specified number of minutes after the
computer is next started.
If the status is set to Disabled, a missed scheduled installation will
occur with the next scheduled installation.
If the status is set to Not Configured, a missed scheduled installation
will occur one minute after the computer is next started.
Note: This policy applies only when Automatic Updates is configured to
perform scheduled installations of updates. If the "Configure Automatic
Updates" policy is disabled, this policy has no effect.
- No Auto Restart
- Specifies that to complete a scheduled installation, Automatic
Updates will wait for the computer to be restarted by any user who is
logged on, instead of causing the computer to restart automatically.
If the status is set to Enabled, Automatic Updates will not restart a
computer automatically during a scheduled installation if a user is
logged in to the computer. Instead, Automatic Updates will notify the
user to restart the computer.
Be aware that the computer needs to be restarted for the updates to take
effect.
If the status is set to Disabled or Not Configured, Automatic Updates
will notify the user that the computer will automatically restart in 5
minutes to complete the installation.
Note: This policy applies only when Automatic Updates is configured to
perform scheduled installations of updates. If the "Configure Automatic
Updates" policy is disabled, this policy has no effect.
- Automatic Updates Detection Frequency (NEW)
- Specifies the number of hours Windows waits before checking for
available updates. The exact wait time is the number of hours specified
here minus zero to twenty percent of that number. For example, if this
policy specifies a 20-hour detection frequency, every client to which
the policy applies will check for updates somewhere between 16 and 20
hours after its previous check.
If the status is set to Enabled, Windows will check for available
updates at the specified interval.
If the status is set to Disabled or Not Configured, Windows will check
for available updates at the default interval of 22 hours.
Note: The "Specify intranet Microsoft update service location" setting
must be enabled for this policy to have effect.
Note: If the "Configure Automatic Updates" policy is disabled, this
policy has no effect.
- Allow Automatic Updates immediate installation (NEW)
- Specifies whether Automatic Updates should automatically install
certain updates that neither interrupt Windows services nor restart
Windows.
If the status is set to Enabled, Automatic Updates will immediately
install these updates once they are downloaded and ready to install.
If the status is set to Disabled, such updates will not be installed
immediately.
Note: If the "Configure Automatic Updates" policy is disabled, this
policy has no effect.
- Delay restart for scheduled installations
- Specifies the amount of time for Automatic Updates to wait before
proceeding with a scheduled restart.
If the status is set to Enabled, a scheduled restart will occur the
specified number of minutes after the installation is finished.
If the status is set to Disabled or Not Configured, the default wait
time is 5 minutes.
Note: This policy applies only when Automatic Updates is configured to
perform scheduled installations of updates. If the "Configure Automatic
Updates" policy is disabled, this policy has no effect.
- Re-prompt for restart with scheduled installations (NEW)
- Specifies the amount of time for Automatic Updates to wait before
prompting again with a scheduled restart.
If the status is set to Enabled, a scheduled restart will occur the
specified number of minutes after the previous prompt for restart was
postponed.
If the status is set to Disabled or Not Configured, the default interval
is 10 minutes.
Note: This policy applies only when Automatic Updates is configured to
perform scheduled installations of updates. If the "Configure Automatic
Updates" policy is disabled, this policy has no effect.