IE8 installed from Automatic Updates for NON-ADMIN user!

    Question

  • On two of our school's Windows XP SP3 computers (that we know of so far), IE8 has automatically installed from Automatic Updates even though nobody with admin rights was logged in.

    I know Microsoft changed policy so that IE8 and IE9 would be offered through Automatic Updates without requiring the manual user interaction they did in the past.  As best I could tell from the information I found, though, installation of these IE updates still required admin rights.

    I don't know if I'm misinformed about the new IE Automatic Updates policy, and it really will install automatically even without admin rights, or if something strange happened that caused this on these two PC's.

    I am concerned about what's going on because the student information system that we are stuck with until the end of this school year will not work on any IE higher than 7, so auto-install of IE8 will cause a lot of help desk calls from teachers that can no longer access the student information system.  We have not installed the IE8 Blocker Toolkit, nor hidden IE8 in Microsoft Update or Windows Update, because our understanding was that our users not having admin rights would effectively prevent the upgrade from happening.  I manage our updates with WSUS within our building, but we have MANY unmanaged PC's used outside our building/network that have Automatic Updates enabled directly from Microsoft, so if these start automatically updating to IE8 we will have to individually fix each one since we have no way to centrally manage them.

    I did pull a copy of WindowsUpdate.log from one of the 2 PC's that auto-updated.  I didn't see anything in the log that explained what happened.

    Has anyone else experienced this?  Anyone from Microsoft that can make sure I understand the IE8 automatic updates policy correctly and, if I do, explain how this update happened without admin rights?

    Tuesday, February 28, 2012 5:41 PM
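
One way to triage a pulled WindowsUpdate.log for the question above: group the Windows Update Agent's install sessions and flag those started by the Automatic Updates service that installed IE8. This is an added example, not part of the original thread; the tab-separated layout, the `CallerId` marker and every sample line are assumptions constructed for illustration.

```python
import re

# Constructed sample in the assumed XP-era WindowsUpdate.log layout:
# date <TAB> time <TAB> PID <TAB> TID <TAB> component <TAB> message
SAMPLE_LOG = "\n".join([
    "2012-02-27\t03:00:11:140\t1052\t8f4\tAgent\t** START **  Agent: Installing updates [CallerId = AutomaticUpdates]",
    "2012-02-27\t03:00:11:156\t1052\t8f4\tAgent\t  * Title = Windows Internet Explorer 8 for Windows XP",
    "2012-02-27\t03:09:42:703\t1052\t8f4\tAgent\t** END **  Agent: Installing updates [CallerId = AutomaticUpdates]",
    "2012-02-28\t10:15:02:031\t1052\ta10\tAgent\t** START **  Agent: Installing updates [CallerId = MicrosoftUpdate]",
    "2012-02-28\t10:15:02:046\t1052\ta10\tAgent\t  * Title = Update for Windows XP (constructed)",
    "2012-02-28\t10:16:30:500\t1052\ta10\tAgent\t** END **  Agent: Installing updates [CallerId = MicrosoftUpdate]",
])

START = re.compile(r"\*\* START \*\*\s+Agent: Installing updates \[CallerId = ([^\]]+)\]")
END = re.compile(r"\*\* END \*\*\s+Agent: Installing updates")
TITLE = re.compile(r"\*\s+Title = (.+)")

def install_sessions(log_text):
    """Return one dict per install session: start time, caller and update titles."""
    sessions, current = [], None
    for line in log_text.splitlines():
        fields = line.split("\t", 5)
        if len(fields) < 6:
            continue  # skip wrapped or malformed lines
        date, time, _pid, _tid, component, message = fields
        if component.strip() != "Agent":
            continue
        started = START.search(message)
        if started:
            current = {"when": f"{date} {time}", "caller": started.group(1).strip(), "titles": []}
            sessions.append(current)
        elif END.search(message):
            current = None
        elif current is not None:
            title = TITLE.search(message)
            if title:
                current["titles"].append(title.group(1).strip())
    return sessions

def unattended_ie_installs(log_text, product="Internet Explorer 8"):
    """Sessions started by the Automatic Updates service that installed `product`."""
    return [s for s in install_sessions(log_text)
            if s["caller"] == "AutomaticUpdates"
            and any(product.lower() in t.lower() for t in s["titles"])]

if __name__ == "__main__":
    for s in unattended_ie_installs(SAMPLE_LOG):
        print(s["when"], s["caller"], s["titles"])
```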

Answers

  • I found a way to open a free support case with Microsoft.  The rep I spoke with a short time ago said the Automatic Updates are working as intended by Microsoft.  I pointed out that the only official Microsoft documentation I found about the new IE Automatic Updates policy at http://windowsteamblog.com/windows/b/springboard/archive/2011/12/15/ie-auto-updates-good-news-for-businesses-too.aspx specifically states in the 3rd paragraph that "Furthermore, administrator rights will be required for installation, so end users without appropriate privileges will not be able to bypass browser IT policies."  It would seem that this statement is WRONG.

    Had Microsoft provided better documentation, we would have pre-emptively installed the IE8 Blocker Toolkit.  Unfortunately, now we find ourselves having to manually uninstall IE8 on all of the unmanaged computers our school owns that are used by staff who work in areas that are outside our network.


    Friday, March 02, 2012 8:19 PM
  • Hi HFM D Patterson

    It does appear that the text used in the blog post isn't accurate. We are reviewing with the author.

    In the scenario you're describing, High Priority (Windows XP) and Important (Windows Vista / Windows 7) will generally install without user needing to elevate privileges. If users aren't prompted for admin privilege for other High Priority/Important updates normally then it's no different for IE8/9. As an IT Pro that has business critical applications we do recommend using the blocker toolkits or PC management via WSUS as mentioned in this blog post: http://windowsteamblog.com/ie/b/ie/archive/2011/12/15/ie-to-start-automatic-upgrades-across-windows-xp-windows-vista-and-windows-7.aspx

    If you have a scenario where you offer a service/application that relies on an older version of Internet Explorer but where you do not control or manage the PC's we would recommend the following:

    1) Can your app/site be modified for a more modern browser? Check out this article on the Internet Explorer Compatibility Inspector and the associated links therein http://blogs.msdn.com/b/ie/archive/2011/04/27/ie9-compat-inspector.aspx

    2) Can you make use of Internet Explorer's Compatibility Features such as X-UA Compatibility Meta Tag on your site or pages to assist with rendering the latest versions of IE? See the following article  http://blogs.msdn.com/b/ie/archive/2011/03/24/ie9-s-document-modes-and-javascript.aspx

    3) If the answer to the previous two is no and you have no control of the PC environment, we have released Microsoft FixIt versions of the blocker toolkits that are user friendly wizard-driven versions of the scripts from the toolkits. You can find them here for IE8 and IE9

    Regards

    Mark


    Mark Feetham Senior Program Manager Internet Explorer Product Quality


    Monday, March 05, 2012 9:40 PM

All replies

  • Hi,

    You must be in Australia or Brazil...

    http://news.softpedia.com/news/Internet-Explorer-Gets-Automatic-Upgrades-on-Windows-XP-Vista-7-240950.shtml

    If you need to access web sites with IE7, just add them to the IE8 Compatibility View list.

    A MSFT forum moderator may be able to provide you with the KB article links that explain how you can opt-out of the Update changes, but for the most part there is no reason why you cannot access legacy web sites using IE8's Compatibility View lists.

    Regards.


    Rob^_^

    Wednesday, February 29, 2012 12:31 AM
  • Related:

    Microsoft will push automatic updates to Internet Explorer, starting January 2012
    http://betanews.com/2011/12/15/microsoft-will-push-automatic-updates-to-internet-explorer-starting-january-2012/

    Internet Explorer 8 - Delivery, Updates, Blocker Tool
    http://technet.microsoft.com/en-us/ie/dd365125

    Internet Explorer 9 - Delivery, Updates, Blocker Tool
    http://technet.microsoft.com/en-us/ie/gg615599

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Long story, short version: Unless you have (a) declined to install IE8 (WinXP) or IE9 (Vista & Win7) [i.e., selected the Don't install option when the upgrade was previously offered] or (b) installed the Blocker Toolkit, Automatic Updates will offer the upgrade again.

    [Yes, it's very confusing.]


    ~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft

    Wednesday, February 29, 2012 8:47 PM
  • I am in the US.

    Unfortunately, IE8 Compatibility View does not allow our student information system to work properly in IE8.  If only it were so easy!

    David

    Thursday, March 01, 2012 5:35 PM
  • I understand that IE8 will continue to be offered on WinXP automatic updates unless I have previously declined it or installed the blocker tool.

    My issue is that I did not think I needed to take either of these actions because the IE upgrade would be blocked by virtue of our users not having administrator accounts on their computers.  I am seeing the IE8 upgrade happening automatically on computers where no administrator is logged in.

    One of 3 possibilities:

    1) Articles indicating that admin rights are still needed for the upgrade are correct, and something strange is going on on our machines.

    2) I am misunderstanding the articles that indicate admin rights are still needed under the new policy.

    3) Microsoft's own articles are incorrect and do not match the policy it has implemented.

    David

    Thursday, March 01, 2012 5:41 PM
  • ...One of 3 possibilities:

    1) Articles indicating that admin rights are still needed for the upgrade are correct, and something strange is going on on our machines.

    2) I am misunderstanding the articles that indicate admin rights are still needed under the new policy.

    3) Microsoft's own articles are incorrect and do not match the policy it has implemented.
    Did you mention possibility #1 to the MS Support tech?

    ~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft

    Saturday, March 03, 2012 3:34 AM
  • Communicating with the support rep in English seemed a little difficult.  He didn't quite seem to grasp my statement that information on Microsoft's web site is what led me to believe that without users having admin rights this update would effectively be blocked.  In fact, he actually suggested just turning off Automatic Updates altogether!  I didn't want to debate with him why I thought that was a bad idea.

    Since he provided me with his email address, I did send him a message with the URL I referenced in my post above.  I had an email back from him as of this morning indicating that he had "informed about it to the higher level as the site was hosted by Telligent Systems, Inc.(one of the company how works for Microsoft)."  He also sent me the link to the IE8 Blocker Toolkit, which I already have and which it's already a little late to use.

    Monday, March 05, 2012 4:57 PM
  • ...the support rep...actually suggested just turning off Automatic Updates altogether!
    So much for the efficacy of obviously-outsourced support. <sigh>
    Monday, March 05, 2012 6:24 PM
  • he had "informed about it to the higher level as the site was hosted by Telligent Systems, Inc"

    Telligent only writes the software for the blog site.  That is an official communication landing site for Windows team/Springboard content - which is deemed the more ITpro side of the Windows team blogs.  Telligent does not write on there at all and has nothing to do with their content.  If you follow up with the support engineer, inform him or her that this site is an official communication site.

    Monday, March 05, 2012 10:53 PM
  • It does appear that the text used in the blog post isn't accurate. We are reviewing with the author.

    Thank you for acknowledging this!

    In the scenario you're describing, High Priority (Windows XP) and Important (Windows Vista / Windows 7) will generally install without user needing to elevate privileges. If users aren't prompted for admin privilege for other High Priority/Important updates normally then it's no different for IE8/9. As an IT Pro that has business critical applications we do recommend using the blocker toolkits or PC management via WSUS as mentioned in this blog post: http://windowsteamblog.com/ie/b/ie/archive/2011/12/15/ie-to-start-automatic-upgrades-across-windows-xp-windows-vista-and-windows-7.aspx

    I do recall finding this blog post, too, after some searching. This does imply that the update will be automatic, but it would have been nice if this were made very explicit. It would also be nice if information about this change in policy was not so hard to find. I would have liked to find something in the IE support pages rather than just blog posts.

    If you have a scenario where you offer a service/application that relies on an older version of Internet Explorer but where you do not control or manage the PC's we would recommend the following:

    1) Can your app/site be modified for a more modern browser? Check out this article on the Internet Explorer Compatibility Inspector and the associated links therein http://blogs.msdn.com/b/ie/archive/2011/04/27/ie9-compat-inspector.aspx

    2) Can you make use of Internet Explorer's Compatibility Features such as X-UA Compatibility Meta Tag on your site or pages to assist with rendering the latest versions of IE? See the following article  http://blogs.msdn.com/b/ie/archive/2011/03/24/ie9-s-document-modes-and-javascript.aspx

    As you anticipate in #3 below, the answer to the above 2 is no. The Star_Base student information system is not a product that we developed or that we host. It is written by Century Consultants, Ltd, and we purchase it as a hosted service. Why they are so far behind the times, I don't know. The application has been a thorn in our side since our school got it, but due to budget constraints we have not been able to switch away from it. We are finally working on switching to a more modern competitive product as I write this, but we have to finish the current school year using Star_Base so need to continue to provide access to it until at least June 30.

    3) If the answer to the previous two is no and you have no control of the PC environment, we have released Microsoft FixIt versions of the blocker toolkits that are user friendly wizard-driven versions of the scripts from the toolkits.

    Not sure how the FixIt versions would be of any use to us. Since our users don't have admin rights, we in IT have to run the blocker script for them, and we just use the command-line blocker script.


    Tuesday, March 06, 2012 6:44 PM
  • I'm not planning to spend any more of my time communicating with the first-level Microsoft rep.   Per Mark Feetham's post above, it seems that somebody higher up in Microsoft that is in a position to do something about the information provided about this policy change is now aware of the issue.

    David

    • Proposed as answer by Don_Miller Tuesday, March 27, 2012 5:50 PM
    • Unproposed as answer by Don_Miller Tuesday, March 27, 2012 5:50 PM
    Tuesday, March 06, 2012 6:47 PM
  • The only solution I have ever come up with to block unwanted updates (in this case IE8) is to run Windows Software Update Server (WSUS) internally.

    I use a GPO to point all my users' Automatic Updates at my WSUS.  On the WSUS I can individually approve updates.  Only the updates I approve are installed on my clients.

    Advantages: I have complete control and can block things like IE8 if I need to. Less bandwidth required.  WSUS downloads the updates once from the Internet; the clients all download from WSUS over the LAN.

    Disadvantages: I do need to monitor it.  Initial download of all available updates is huge.  Have to have a Windows Server available to run WSUS on.


    Don Miller Network Administrator Teton Machine Company

    Tuesday, March 27, 2012 5:54 PM