A Microsoft program manager found himself conducting a tricky bit of PR yesterday, providing for his team’s blog a lengthy explanation of a documented feature in Windows that independent researchers discovered only this week: the ability for the Windows Update service to update itself, even when the user’s setting for Automatic Updates is “off.” Researchers had charged the company with updating software on users’ systems without their consent.
“Windows Update is a service that primarily delivers updates to Windows,” the Update service’s program manager Nate Clinton wrote yesterday. “To ensure on-going service reliability and operation, we must also update and enhance the Windows Update service itself, including its client side software. These upgrades are important if we are to maintain the quality of the service.”
The discovery, which came as news to many, is that the Windows Update service (known internally as WSUS) updates itself through a separate channel, managed through Internet Information Services. While turning off Automatic Updates makes certain Windows doesn’t receive any general update downloads without the user’s consent or knowledge, WSUS still checks for updates, including those meant for itself. It can then – and typically will – update itself anyway.
“It’s surprising that these files can be changed without the user’s knowledge,” wrote Scott Dunn for WindowsSecrets.com earlier this week. “The Automatic Updates dialog box in the Control Panel can be set to prevent updates from being installed automatically. However, with Microsoft’s latest stealth move, updates to the WU executables seem to be installed regardless of the settings – without notifying users.”
As it turns out, Dunn may have been looking in the wrong place. A brief check of the table of contents on Microsoft’s TechNet reveals a page entitled, “Automatic Updates Must Be Updated.” Though there is no explicit sentence here that says, “By the way, the IIS-marshaled update channel still functions even when the option in this dialog box is set to ‘Turn off Automatic Updates,’” a fairly knowledgeable person reading this page should be able to deduce that this self-update channel is separate and operative.
But should it be? Shouldn’t there be a way for the user to say, “I don’t want updates, and I mean I don’t want updates!” As it turns out, there is. Using the Services panel in Computer Management, a user can very easily switch the active state of Automatic Updates from “Automatic” to “Stopped.” A moderately skilled administrator – or certainly any administrator who legitimately received his or her certification – should also be able to disengage WSUS by stopping its service host from the command line.
An administrative guide to deploying and administering WSUS in networks appears on Microsoft TechNet. Although this may not be the online documentation most often accessed by general users, one will find there a page that existed well prior to this latest controversy. Under “Automatic Updates client self-update feature,” there is the following: “Each time Automatic Updates checks the public Web site or internal server for updates, it also checks for updates to itself.”