
Windows Update Updating Without Permission?


Latest Weekly SQL Server Show is Live
SelectViews: Mixed database environments and their impact on DBAs, upcoming events, tips and tricks for SQL Server. We’ll also be looking at how to set up a TSQL statement as a job and our 60-second SQL Server Tip of the Day…


Featured Article(s)
Review: xSQL Software’s xSQL Object 2, xSQL Data Compare
xSQL has a bundle of products aimed at helping you synchronize, update and manage your databases, schemas, the data associated with them, etc. I take a look at their tools and see if they work to get databases in sync, *while* providing protection for your data.

Collecting performance metrics from all SQL Servers
Keeping track of server performance is not a simple task, especially if you are managing many servers. We all have our arsenal of SQL scripts to get metrics and data, but when it comes to large environments, it’s nearly impossible to get the needed data from everywhere. Well, the good news is there is a tool that does just that – with SQL Farm Combine you can take your scripts, and the tool will execute them on all servers and return a single result set for each metric. You can even collect data from remote environments and get back the results in a single file. Get more information about SQL Farm Combine here.

Windows Update Updating Files Without Permission?
The blogs were alive yesterday with reports of Windows Update updating files on users’ systems in the background, undetected and without permission. The suggestion was that while these updates appear innocent now, what else is being updated? What other sinister things are being updated by Microsoft that we don’t know about and haven’t given the OK on?

Well, not so fast. I went directly to Microsoft to get the real story here and wanted to pass along what I was told. First, the updates depend on your system settings, and on your corporate environment. Updates are redirected to your corporate update servers if you are doing centralized updates. But, moving beyond that, what’s really happening with these evil updates?

If you have Windows Update enabled, but have it set to NOT install updates, the client software for the Windows Update process itself may have to go through some updates from time to time – just to keep you informed of changes and updates you can consider installing. In other words, if you want the system to notify you of updates, it has to have software that can do that. That software – the monitoring agent – is what’s being updated, and only that. According to Microsoft, a small number of files that are directly and specifically involved in that update client (built for that and supporting that) are updated IF you have the notifications turned on.

Second, if you have auto-installation of updates disabled, they are, indeed, not installed… except for updates to this notification and monitoring process. Makes sense to me. Nothing sinister there.

I talked with Rian Lawson from Microsoft about what was happening, and he outlined the process for me: "The files that are being updated are part of the Windows Update client itself. Windows Update automatically updates itself from time to time to ensure that it is running the most current technology, so that it can check for updates and notify customers that new updates are available. This is normal behavior, and it has worked this way since the service debuted several years ago.

This is not to suggest that we were as transparent as we could have been; to the contrary, we could have been clearer on how Windows Update behaves when it updates itself. We’ve received helpful and important feedback on this point, and we are now looking at the best way to clarify WU’s behavior to customers so that they can more clearly understand how WU works."

Further, Lawson had this to say about the "business" vs. "consumer" use of the services: "We also wanted to mention we’re talking about a tool that is largely used by consumers and small businesses.

In enterprises, it’s much more common to use Windows Update with WSUS where the process for updating is different:

For administrations using WSUS, the recommendation is to turn off access to WU and redirect the clients to the server. The server ships with a version of the WU client on it and the client always checks to see if there is an updated version of itself on the server. However, for the client version of the server to be updated, the administrator must approve an update to the server that updates the client software on the server. After that administrative approval, the distribution of the client software to PCs talking to the server is automatic. A PC being managed by a WSUS server will not silently self-update without administrative approval as in the case with a consumer system.

Specific [information] that illustrates this behavior can be found here: http://support.microsoft.com/kb/936301

In a loosely managed scenario where the administrator allows a user to also go to Windows Update while being managed by a WSUS server, the user will be prompted to update the client before scanning for updates on Microsoft or Windows Update."

One final note for clarity: if you have updates disabled entirely – including the notification – no updates are done, not even to the update monitoring tool. When you visit the Microsoft update site manually, you’ll be prompted to download and/or update the software at that point so it can look for updates for your system.
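
To check which of these cases a given machine falls into, the following PowerShell is an added example, not code from this editorial or from Microsoft. It reads the standard Automatic Updates registry values; the mapping of those values onto the cases described above, and the function names Get-RegValue and Get-UpdateMode, are assumptions of this example.

```powershell
# Added example: classify a machine into the update modes the editorial describes.
# The registry paths and value names are the standard Automatic Updates settings;
# mapping them onto the editorial's cases is this example's assumption.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$local  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-UpdateMode {
    $useWsus  = Get-RegValue "$policy\AU" 'UseWUServer'
    $wuServer = Get-RegValue $policy 'WUServer'
    $noAuto   = Get-RegValue "$policy\AU" 'NoAutoUpdate'
    # A Group Policy value takes precedence over the local Control Panel setting.
    $auOption = Get-RegValue "$policy\AU" 'AUOptions'
    if ($null -eq $auOption) { $auOption = Get-RegValue $local 'AUOptions' }

    if ($useWsus -eq 1 -and $wuServer) {
        # Clients are redirected to the corporate update server.
        $mode = "WSUS-managed ($wuServer): client updates need administrator approval on the server"
    } elseif ($noAuto -eq 1 -or $auOption -eq 1) {
        $mode = 'Updates disabled entirely, including notification: no client self-update'
    } elseif ($auOption -in 2, 3) {
        # 2 = notify before download, 3 = download and notify before install.
        $mode = 'Notify only, no automatic install: the Windows Update client may still self-update'
    } elseif ($auOption -eq 4) {
        $mode = 'Automatic download and install'
    } else {
        $mode = 'No explicit setting found: operating-system default applies'
    }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        UseWUServer = $useWsus
        WUServer    = $wuServer
        AUOptions   = $auOption
        Mode        = $mode
    }
}

Get-UpdateMode | Format-List
```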

Clearly, the blog sting from this has been substantial. I’m sure we’ll see additional information about this going forward in terms of clearer disclosure and documentation, but I don’t think there is anything evil going on.

Here’s the original article (or one of them, it seemed to dog pile a bit) that kicked off the firestorm if you’re interested:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036058&intsrc=hm_list

And here’s a blog by Microsoft’s team explaining the process:
http://blogs.technet.com/mu/archive/2007/09/13/how-windows-update-keeps-itself-up-to-date.aspx

I hope this helps explain what’s happening and provides some solid feedback and information on what people may be seeing.
