Microsoft forces IE7 onto business customers

Been avoiding deploying IE7 in your business environment? Well if you’re a WSUS user Microsoft is about to force you into compliance.

On October 4th 2007 Microsoft released an Internet Explorer 7 installation packaged which contained no WGA (Windows Genuine Advantage) anti-piracy checks. Known as the “Windows Internet Explorer 7 Installation and Availability Update” at the time it was only made available via Microsoft Downloads but on February 12th it will be pushed out to corporate customers via Windows Server Update Services (WSUS).

Businesses customers who have enabled automatic approvals of Update Rollup packages within WSUS will find their distribution servers pumping out IE7 to all connected clients.

This particular version of IE7 has a number of features automatically enabled such as the menu bar and the “first run” experience where users are prompted to choose a search provider phishing options and so on.

While the first run experience is relatively harmless on a home PC I can testify that it’s an absolute pain in a corporate environment. Users often don’t know which options to select and if you’re running a proxy server or firewall with user restrictions or users have restricted rights to the machine it’s a whole world of pain. Additionally the IE7 installer requires user interaction makes any Windows XP machine run like an absolute dog (for a short period) takes up quite a lot of local bandwidth – especially when it’s distributing to multiple users and also requires even more security patches post installation.

If you want to update your users to IE7 either use a scripted installation package or build into an SOE – don’t use WSUS.

So what are the options for opting out of this update? Not much as it happens. WSUS admins who don’t want the update to be automatically approved simply have to disable automatic approvals (as detailed here). You can disable automatica approvals temporarily pick up and unapprove the update and then turn automatic approvals back on. However if there’s a future update to the package then there’s a good chance it will slip through the cracks.

Although it’s slightly time-consuming I make sure that automatic approval is disabled on my WSUS systems. Apart from having the luxury of checking what’s coming through you can also reject updates not appropriate for your environment such as those for Itanium platforms. This has the advantage of avoiding downloading unnecessary files and chewing up expensive bandwidth.

On a slightly friendlier note on January 22nd Microsoft will push out Silverlight – again via WSUS. This is presumably the 1.0 version of Silverlight and again WSUS admins will have to disabled automatic approvals to avoid picking up the update. At present it isn’t clear which WSUS product classification Silverlight will appear in although it’s probably not Update Rollup.