Stealth Windows Updates
Oct. 22, 2007

The Windows Update client software silently updates itself, even on computers for which the user has opted out of automatic update installation. Most large companies will not be affected by this behavior, which was discovered by users during a recent round of updates. However, the incident raises doubts about the trustworthiness of Microsoft's online services and the company's stated policies for managing them.

Updating the Updater

Many consumers and small businesses rely on the free Microsoft Update online service to update Microsoft software, including Windows and Office, and on Windows Update to update the OS, rather than using the more complex Windows Server Update Services or System Center Configuration Manager products. Both free online services rely on the Windows Update client (also known as Automatic Update), the component that maintains the Microsoft software on the local computer.

However, a number of updates distributed through Microsoft's online update services have caused problems when installed. For example, two patches released in Aug. 2006 were faulty and had to be reissued multiple times. One went through two versions, and the other three, in less than a month. Consequently, sophisticated users often take advantage of Windows Update client options to download and notify but not install updates or to only notify the user when updates are available. Users can then wait to review the updates and see if there are any reported problems before installing them.

Unbeknownst to these users, the Windows Update client software itself ignores these settings, which means that in spite of their precautions, their software could be updated with a bad patch. Each time the client runs, it automatically checks for and installs any updates to itself, even if the user has opted not to install updates automatically.

Microsoft says that it must silently update the Windows Update client because otherwise users would not receive notifications about future critical patches. However, the service supports a more transparent approach: In the past, updates such as Internet Explorer 7 and the GDI+ Detection Tool have been delivered with messages to users warning them of the consequences of declining. Such an approach would leave the user of the computer in control—one of Microsoft's stated but undelivered goals.

Local Update Servers Unaffected

Organizations that have internal software update servers, such as Windows Server Update Services or Configuration Manager, are not affected by the silent updates. In such organizations, Automatic Update clients do not connect directly to Microsoft but instead connect to the organization's update servers and download and install only updates that have been approved by administrators. Because Microsoft does not honor its customers' update processing choices, organizations not using internal update servers may want to consider them, to prevent unwanted updates from being installed.
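The distinction above (a client pointed at an internal WSUS server versus one that talks to Microsoft directly, and which Automatic Update option is in force) can be audited from the Windows Update Group Policy registry values. The script below is an added example written for this article, not code from Microsoft or from the original text; it reads the standard policy keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, records the Windows Update Agent version from wuaueng.dll so that a silent self-update shows up as a version change between two audits, and flags machines that have no local update server. The report layout and the warning text are this example's own.

```powershell
# Added example (not from the original article): audit a Windows machine's
# Automatic Update policy to see whether it uses an internal WSUS server and
# which AU client option is in effect. Registry paths are the standard
# Windows Update Group Policy locations; the report format is this example's own.

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (no policy configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# AUOptions values as documented for the Windows Update Agent policy.
$auOptionNames = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download, scheduled install'
    5 = 'Allow local admin to choose'
}

$useWsus   = Get-RegValue $auPolicy 'UseWUServer'
$wsusUrl   = Get-RegValue $wuPolicy 'WUServer'
$auOptions = Get-RegValue $auPolicy 'AUOptions'
$noAutoUpd = Get-RegValue $auPolicy 'NoAutoUpdate'

$usesLocalWsus = ($useWsus -eq 1) -and -not [string]::IsNullOrEmpty($wsusUrl)

$report = [ordered]@{
    ComputerName  = $env:COMPUTERNAME
    UsesLocalWsus = $usesLocalWsus
    WsusServer    = if ($wsusUrl) { $wsusUrl } else { '(none; client contacts Microsoft directly)' }
    AUOption      = if ($null -ne $auOptions -and $auOptionNames.ContainsKey([int]$auOptions)) {
                        $auOptionNames[[int]$auOptions]
                    } else { '(not set by policy)' }
    AutoUpdateOff = ($noAutoUpd -eq 1)
}

# Windows Update Agent engine version. Comparing this value across audits
# reveals a self-update of the client even when no other update was installed.
$wuaDll = Join-Path $env:SystemRoot 'System32\wuaueng.dll'
if (Test-Path $wuaDll) {
    $report['AgentVersion'] = (Get-Item $wuaDll).VersionInfo.ProductVersion
}

[pscustomobject]$report | Format-List

if (-not $usesLocalWsus) {
    Write-Warning 'This machine receives updates directly from Microsoft; the Windows Update client will update itself regardless of the AU option.'
}
```

Run it as an administrator on each machine (or through a remoting session) and keep the output; a machine whose UsesLocalWsus is false is one where the self-updating behavior described in the article applies, and a changed AgentVersion between two runs is the observable trace of such an update.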

Finally, the appearance of these silent updates and the lack of transparency raise questions about the overall trustworthiness of the company's online services—if Microsoft does not honor customer choices related to the Windows Update service, should customers trust them with personal data or with Windows and Office problem reports?

The Windows Update blog that covers the design of Windows Update is located at blogs.technet.com/mu/archive/2007/09/13/how-windows-update-keeps-itself-up-to-date.aspx.