Do they not even *use* Automatic Updates?!?

by Michael S. Kaplan, published on 2005/01/31 05:50 -08:00, original URI:

I have been reading people all over the internet who hate that Microsoft is perhaps in the future going to limit Windows Update to legal copies of Windows (Automatic Update would be their only option) with the Windows Genuine Advantage program (more info in the Windows Genuine Advantage FAQ).

Many are on the bandwagon, from Greg Hughes to Mitch Wagner to a hundred of whoever your favorites are, everyone is talking about how evil Microsoft is for something that they have not even done yet.

Most think Microsoft is being irresponsible by not patching these machines. Those people do not even realize that all security patches and Service Packs are still available via Automatic Update, even for illegal copies of Windows. This acts as a convincing proof to the theory that you do not need to know how to read in order to know how to write.

The gist of the typical argument of those who are smart enough to at least recognize the "Automatic Updates" option is that people who pirate software will not choose to automatically update since they would be afraid that Microsoft would shut them down remotely for not being a legal user of Windows. They would rather use Windows Update where they have the choice for what they will or will not install.

But have these ~~wingnuts~~ people even used automatic updates before? Have they even looked at the dialog?

Well, let's look at it now, shall we? Here it is, both in Windows XPSP2 and Windows Server 2003:


Notice how I have them set -- the XPSP2 box will automatically update every day at 3:00am, and the Server 2003 box will simply let me know if there are updates and then let me know again before installing. Is that a hint as to why I think these people have not used the feature?

Notice how both of them have an option to look at the updates previously declined (currently disabled, I do not tend to refuse updates!)? Is that another hint?

Look at all of the options I have here!

People have total control over whether they install the security updates or not. Even if they are using a pirated version of Windows! The same choice they have in Windows Update for Critical Updates and Service Packs. If they are willing to use the latter, then why would the former be less appealing?

Wouldn't using Automatic Updates lead to a safer internet for all users since it does not require an explicit visit to a web site to get patches installed? The only reason I do not install automatically on my Server 2003 boxes is that I may be building something and would prefer to control when I install. It is still very cool to get the reminder that there is something to install, and I am a huge fan of that sort of feature.

So what are these people complaining about, exactly?

# Kristoffer Henriksson on Monday, January 31, 2005 6:02 AM:

Because requiring people to show identification will make even the least paranoid person think twice no matter what the reason. It makes people uneasy is all. I own more copies of XP than I have machines and I still don't want to "verify" that my license is legitimate.

# Michael Kaplan on Monday, January 31, 2005 6:20 AM:

Fair enough. But notice that Automatic Updates do not *ask* me if my Windows is valid? Even better for the paranoid, right? :-)

If I have a pirated copy of Windows then I assume the scrutiny of the explicit step on Windows Update that scans my system for updates would be at least as great a cause for unease....

# PS on Monday, January 31, 2005 6:22 AM:

It's Microsoft dude, therefore it *has* to be evil. I find it quite amusing that most people neglect to mention the fact that several other OS have *paid subscriptions* in order to be able to download patches.

One other thing to consider here is how many users are actually affected by this policy? A lot of people have legit copies of Windows because they buy them with their machine.

I agree that those that have illegal copies, should also have the ability to patch their machines, by possibly paying a subscription fee that will become their license.

# Kristoffer Henriksson on Monday, January 31, 2005 6:32 AM:

It may not ask but as we've all learned from spyware the absence of a prompt does not mean the software isn't busy doing something behind your back. A label describing in summary what is and is not transmitted would help greatly in this regard. I don't have XP here at work so I can't check if this information is already shown prominently somewhere.

The complaints aren't so much about what windows update does now but about the future plans to send license information to Microsoft for verification. Soothing people's fears about what currently happens does little to alleviate apprehensions about stated plans to (possibly) implement such checks in the future.

I still get the willies when I activate XP or Photoshop.

# Michael Kaplan on Monday, January 31, 2005 6:39 AM:

Right, but how is this helped by the Windows Update vs. Automatic Update question? Your issues would apply equally (from a perception standpoint perhaps even moreso) to Windows Update, which the pundits still want people to have access to.

# Kristoffer Henriksson on Monday, January 31, 2005 7:21 AM:

Why restrict access to one sort of update but not another? Presumably MS is testing the waters and will then restrict access to all ways of updating as it just plain doesn't make sense to lock one door when you have another one right next to it that is wide open.

If there is no explicit promise that no licensing information is sent to Microsoft when Windows is updating (either via automatic updates or Windows Update) then we have to assume the worst. In programming terms, it is undefined behavior and could change at any moment.

The larger issue is a tough question for sure. Microsoft has a definite right to get paid for the hard work they put into writing Windows but on the other hand having unpatched computers makes the internet as a whole more dangerous.

Personally I would lean towards making updates available to everyone in an unrestricted fashion.

# Steven on Monday, January 31, 2005 7:31 AM:

I can tell you why I don't use AU... because I can't figure out how to use it (that is: make it do what I want it to do).

Problem 1: When does AU check for updates? 3am? My PC isn't usually on at that time (many people outside the US are a bit more energy conscious and actually turn the thing off at the end of the day). I could set it for another time, but there's no guarantee that my PC will be on at that time either. Can I force it? It also seems to check upon startup, but that doesn't show in the dialog box.

Problem 2: There's no interface. The AU icon will appear in the system tray. Left-click... nothing. Right-click... nothing. Double-click... nothing.

Problem 3: BITS (Background Intelligent Transfer Service, IIRC) doesn't appear to be so intelligent. The "idle bandwidth" on my Gigabit LAN will quickly drown out my 8mbit DSL connection when a few XP systems will start automatically updating. Tying the system directly to the DSL modem will use so little bandwidth that it takes forever to download even the smallest patch. I ended up downloading the 260MB IT install of SP2 over a 256kbit line after AU failed to properly retrieve it over an 8 hour period of time (on an otherwise idle machine). BTW, what will it do if a machine's bandwidth is tied up with sending out copies of viruses or spam e-mail messages. No idle bandwidth in that case. My system is protected, but there are millions that aren't.

Problem 4: For the love of everything holy... stop bugging me every 5 minutes that I need to reboot. Once is (more than) enough! I really don't need those annoying balloons popping up a dozen times. I'll reboot as soon as the processing on the 70GB of video data I just captured is complete, but it'll be a few hours. Where's the "FOAD" button when you need it?

All that makes AU so annoying to me that I find it much more convenient to check the WU site once a day. Only annoying things about that are that:

a) it seems to think the .NET Framework version 1.1 is a "high priority" update when I haven't got a single .NET application on my system and didn't even have 1.0 installed.
b) it won't respect my wishes and come up in a maximised window.

To me, those are easier to live with than AU.

# Michael Kaplan on Monday, January 31, 2005 7:37 AM:

Kristoffer -- the issue is the non-security updates, which provide a value update for legitimate customers.

Why restrict access? Well, with security updates there is a reason not to. Not true of other updates -- installing them will not help legitimate users like security updates do.

Would you feel differently if WU worked but they could not get the new updates? If so, why?

# Steve loughran on Monday, January 31, 2005 7:40 AM:

I don't feel any sympathy towards people with illegitimate whitebox installations; they should have known that for $500 that copy of Ms office and photoshop would be as illegitimate as the base OS. And I'd be quite happy for a service pack to disable TCP for the lot of them, it would only benefit us all.

But I really don't like the hoops that windows/office activation makes me go through. Point one: there is a limit (what, 10?) to the number of times I can reactivate winXP or office with my MSDN universal subscription. Per year. No way of revoking installations and saying "I want to build up a new VM". That sucks. With VMware I can run through that number in a month.

Point two: this morning MS download is telling me that I should use windows genuine advantage to download "winXP SP2 support tools". You know, things to see what handles are open and minor junk like that. And if I don't, my downloads will be at a disadvantage. Was that some kind of threat? I don't know, but I could also see that the system assumed I was running IE, as it told me to accept any request for ActiveX download. As a user of mozilla for security reasons, I worry that the genuine advantage program will actually disadvantage me.

# Michael Kaplan on Monday, January 31, 2005 7:41 AM:

Steven -- all good. But do you believe that pirated Windows users deserve the conveniences to which you refer?

More specifically:

1 -- You set the time. It's at your convenience.

2 -- I never have problems clicking on the icon and getting a dialog, with details on what is going on.

3 -- See for how to change the BITS settings.

4 -- I guess I am not seeing this (but then I run mine at 3am when I am hopefully not processing 70gb of video data...)

# Michael Kaplan on Monday, January 31, 2005 7:44 AM:

Steve -- I have easily activated Windows 3x that many times (I have to since I install new builds most days, many of which I built!) Since I am doing it with the same hardware, I never run into problems.

See the FAQ for the Genuine program, it explains about the ActiveX issue and FireFox (presumably covers other browsers too).

# Greg Hughes on Monday, January 31, 2005 8:01 AM:

> This acts as a convincing proof to the
> theory that you do not need to know how
> to read in order to know how to write.

Wow, pulling out the big guns, eh? I won't go there. I've commented further on my weblog.

# Mike Dunn on Monday, January 31, 2005 8:04 AM:

>So what are these people complaining about, exactly?<

Microsoft. Just 'cause. Google's getting the same treatment now. They were the darling of the net for years, then they went public and started GMail, and suddenly they're an Evil Corporation.

# Michael Kaplan on Monday, January 31, 2005 8:06 AM:

Greg -- Heh heh heh -- well, technically that did not apply to you, since you took another route (though if we worry that people will not get updates due to paranoia, it's probably thoughts that a plan like yours may exist that keep people from updating <grin>).

# Steven on Monday, January 31, 2005 8:30 AM:

I don't really care if illegal copies of Windows are patched or if they cause the pirate's house to burst into flame. It's their problem. My firewall and AV software keep me isolated from their stupidity. (Although I would go with Steve's suggestion: release a patch to disable TCP/IP for those saps).

My message was more of an indication as to why people might not use AU. Also, how it might be improved:

To "fix" my first problem:
a checkbox "check for updates at startup", a button "check now". Or a way to say "check when idle" (limiting to once per day, obviously). Any or all of the above would be nice.

The second: a dialog that shows "downloading ''Security update for Wheelchair [KB123456]''. ETA: 3 minutes" would be nice. It's not the actual installation that doesn't show a dialog, but I can only get information about download status from a tooltip that only says "Downloading updates: 4%" (I have a similar gripe with the "New hardware found" tray icon... it too has no actual UI).

The third: I had read Raymond's blog. GPEDIT.MSC is not available on XP Home, though. Admittedly, this is not really a problem for most users, just for people with large home LANs.

Fourth: I'm not sure whether it pops up only when you've told it you need to approve updates for installation. Does a machine with fully automatic updates reboot itself? The thing that bugs me about it is that there's no way to say "I know, now don't show this to me again until the next updates are installed". The system (sans patch) works fine without rebooting, it's not an error or any other fatal condition, why interrupt my work? Every five minutes?

Sorry if this seems like a big long rant, but I've had some really bad experiences with AU yesterday (mentioned in my first post: spending an entire day just to get SP2). Perhaps the above should be sent to the AU team.

I'm guessing that the average Joe User who has XP pre-installed on his system has no problem with AU and uses it, possibly without even knowing. It's the average pirate who (thinks he) is a bit more computer savvy (after all, he used his l33t skills to copy the CD, install Windows and bypass the activation), believes AU is doing a phone home and reporting him. He's gonna disable AU. As a "power user", he craves more control over his system (I know I do) and goes to the WU site, which also explicitly states that no info is being sent to Redmond.

From that, I'd say that closing off WU will do a lot of good for my wallet. Pirates won't start buying Windows, unless it costs less than the blank CD they use to pirate it. They won't use AU because they don't trust it (I don't trust it and I'm a legitimate user). Their systems get infected. Spyware/Malware/Viruses spread faster than automatic updates or patches. People call me to have their system fixed. I download the patches of the WU Catalog and bring them over on CD. I get rich. Funny how people are willing to pay me for tech support, but won't pay for Windows, isn't it?

# Arta on Monday, January 31, 2005 9:04 AM:


Raymond Chen recently posted about configuring BITS to prevent exactly the behaviour you describe:

# Mike Dimmick on Monday, January 31, 2005 12:39 PM:

Steven: to get feedback on what Automatic Updates is doing, click the bubble (or possibly the shield icon, I don't remember which). That gives you a full window showing download and update progress.

XP SP2 virtually forces you to turn on automatic updates: you're prompted as soon as the system reboots after installing the service pack, or as part of the setup process if you're installing from slipstreamed media or have an OEM version. You can select 'no' but the UI strongly discourages it.

Basically people are paranoid. They think they know better than MS which patches will work. Some are stuck in the mid-90s mindset of 'I won't use it till Service Pack 3'. It wasn't really true then and certainly isn't now. There have been rare patches which didn't work correctly on all systems, but in all cases the systems had previously had MS-supplied hotfixes. The scares around MS04-011 were way out of proportion to the actual problems.

Get SP2. Turn on Automatic Updates. Use Microsoft Baseline Security Analyzer to check that everything else is up-to-date - Office, SQL Server, etc.

# Jen on Monday, January 31, 2005 3:41 PM:

Steve Loughran -

With an MSDN install, you can activate as many times as you want, on *10 different machines*.

With a normal XP or Server 2003 install, you can activate as many times as you want on one machine only.

# Mike Williams on Monday, January 31, 2005 4:22 PM:

1. Steve wrote: "I don't feel any sympathy towards people with illegitimate whitebox installations; they should have known that for $500 that copy of Ms office and photoshop would be as illegitimate as the base OS."

Sorry but most of the regular folks I know (or respond to on newsgroups) can barely discriminate between Office and Windows. They have no idea of cost or the subtle differences between bundled and retail software.

2. The check for genuine copies of Windows just doesn't work properly. I (and other MVPs) have found that our legitimate installs are suddenly no longer recognized as "genuine", and so we can't get access to patches on

# Larry Osterman on Monday, January 31, 2005 4:49 PM:

Wanted to post this earlier, and forgot.

Steven: "Problem 4: For the love of everything holy... stop bugging me every 5 minutes that I need to reboot. Once is (more than) enough! I really don't need those annoying balloons popping up a dozen times. I'll reboot as soon as the processing on the 70GB of video data I just captured is complete, but it'll be a few hours."

The reason why it's so indescribably annoying is simply that people were ignoring the reboot after patch instruction. So they'd think they had all the patches and they were wrong.

To fix this issue, we decided to make the "you need to reboot" message as annoying as humanly possible - if you're doing something, you can dismiss it, but it's going to come back and annoy you until you get the patches installed. One key thing to keep in mind is that the patcher doesn't ask for a reboot until it's tried really hard to install the patch without a reboot.

And if you think about it, it's VASTLY better to annoy the user until they reboot than to let their computer be vulnerable.

# jon1nim on Monday, January 31, 2005 4:50 PM:

If Microsoft somehow managed to make it where you have to have a legit copy of windows to get updates it's just a matter of time before someone puts all of the patches in an executable program that installs all patches or individual patches. If Microsoft can put all of the patches on a cd and send it out to people so can somebody else. Microsoft needs to give up on stupid ideas like this.

# Mark Eichin on Monday, January 31, 2005 9:44 PM:

Frankly I suspect that a lot of the ranting is because no one realizes that automatic update and windows update are even different things; certainly this post is the first mention I've seen of the distinction - since I only see random blog comments about it, that's mostly a measure of the extent to which the blogosphere is a giant game of telephone, but it might explain a few things. (I'm only here for the character set hacking, after all, windows is entirely absent from my life :-)

# Barry Kelly on Tuesday, February 01, 2005 2:05 AM:

I'm not able to use the "genuine advantage" program. I tried to use it for the Dell box here in front of me, but I couldn't figure out purple from blue on the attached license sticker (I'm colorblind), so I couldn't complete the process.

It took long enough to get that far. I'm not going to do it again.

# Ben Oddo on Tuesday, February 01, 2005 8:09 AM:

The whole patch/update distribution model is wrong! It's fine for all those users who have broadband access to the internet and are able to receive a 20MB file containing patches and updates in under 3 hours. (OK, I may be exaggerating a bit). But the point is, no matter if the version of Windows installed on a user's computer is legit or not, expecting a user to spend an inordinate amount of time downloading fixes is pure fantasy. In order for a dial up user to gain access to the internet he must launch the dialer app and the browser, wait for the connection (if possible). This is a conscious effort where the objective is to either send or receive information and then disconnect. Dial up is not a casual, thoughtless function and expecting to block out a good portion of that time to receiving a patch is too much of an inconvenience and more often than not the updates do not get applied.

Perhaps Microsoft should overnight to all registered dial up Windows users critical updates on CD as they are released, and monthly updates. This will ensure that dialup users are up to date with all of the latest patches, protected, and thereby protecting the internet from viruses and worms spreading from unprotected computers.

Better yet, Microsoft should unbundle all of the software in Windows that are actually applications, lock down a core operating system and allow competition in the software market place to thwart virus authors and hackers by having a multitude of applications from various vendors with different methodologies making various combinations of software your best defense. It is analogous to locking a door with 4 identical locks. You break one lock you have broken them all.

# Adrian on Tuesday, February 01, 2005 9:50 AM:

I'm concerned about not getting updates because of a bug in the verification process. I downloaded the anti-spyware beta from Microsoft onto my mother-in-law's 100% legit XP machine.

I was curious, so I tried the verification step. It failed (perhaps because I was using Firefox which doesn't do ActiveX), and walked me through a fallback procedure which involved downloading a program onto the PC. That failed to start up.

Fortunately for me (and my m-i-l), the verification step was optional.

Automatic updates are very problematic on dial-up. They are simply way too big, especially when the user is only on a couple hours a week. I got SP2 onto my family's PCs by ordering the CD. Every few months, I have to bring my m-i-l's box to my house to get MS and Norton updates via my broadband connection.

# DarkTrancer on Tuesday, February 01, 2005 2:33 PM:

I think there is another subject here to think about. I and most people I know on the net have disabled auto update not because of illegal copies but because of the plague they call SP2. So far everyone I speak to has some sort of problems involved with SP2, I myself have reinstalled on my machine three times in order to give the benefit of the doubt. Having gone back to SP1 I have had no more problems. The hit and miss install with SP2 is my reason for disabling auto updates.

# Centaur on Wednesday, February 02, 2005 12:40 PM:

Does AU store the downloaded updates in a well-defined location so they could be applied after a complete reinstallation of Windows, without spending all that time and traffic again? Or does it download a patch, install it, and delete the temporary file?

# Michael Kaplan on Wednesday, February 02, 2005 12:44 PM:

Not sure, I assume they delete the files. But so does WU.

But if you want the convenience of keeping the files around, the Catalog is your friend...

