Microsoft Forces Desktop Search On Windows Update

An anonymous reader writes "The Register is reporting that the blogosphere is alight with accusations of Microsoft forcing Windows Desktop Search on networks via the 'automatic install' feature of Windows Update — even if they had configured their systems not to use the program. Once installed, the search program began diligently indexing C drives and entire networks slowed to a crawl."

Re:Addition to TFA

[alexburke]

This only happens on Windows XP, when you have either Office 2007 or Windows Live Photo gallery installed. I don't think this is the case. I watched it go on at least one machine yesterday with neither of those installed; it *might* have had Office 2000 SR-1 Professional, but probably not.

Conspiracy theory: MS is doing this to cause older or marginal boxes to become less responsive/snappy so as to further nudge the owners towards getting a new machine... and hence Vista.

Re:WTF?

[EvilNight]

Companies that can't afford to send a fleet of tech monkeys running around to all of the desktops (in other words, most of them).

I manage the WSUS at my company. No updates are EVER to be passed through without my direct approval, even new revisions of previously approved updates. We've had far too many updates go through and break things to allow any kind of auto approval. So, imagine my surprise when I sit down to a cup of coffee and my morning log review, and the first thing I see when I log in is the Windows Update icon telling me to install Windows Desktop Search - something I never approved.

It went straight through, completely ignoring all of our security policies in the process. I was a little irritated at the Windows Update self-update passing through but I let that one slide since it was a MUCH needed bugfix and MS got a suitable backlash from it (silly me, thinking it was a one-time thing). Now we have the same behavior again months later. This is not acceptable. Luckily I'm in a bit earlier than most people so I was able to recall it with a few ninja edits to our group policy, and a company wide email apologizing for allowing it to be published, and warning people to avoid installing it if it somehow still got through to their systems.

I made a few changes. Our WSUS servers now no longer have internet access and are not scheduled to download. I must manually turn on their internet access in our firewall and activate the pull interactively. That way I will see the updates as they arrive, and not have to put up with this stealth update bullshit in the future. I clearly cannot trust them to just sit there and acquire updates on their own any longer.

I'm now developing a security policy for our corporate security software that will forcibly kill any applications on a blacklist I am creating. I will be adding Google Desktop, Windows Desktop Search, Plaxo, AIM, and any other programs I find that have a habit of sending data back home to outside companies. I'll happily find people alternatives that don't phone home - it's not the apps that bother me, it's the potential for leakage of our corporate data to third parties. I don't particularly care if the feature can be turned off, since I'm not the one installing it. If a program has potential to phone home, it's banned.

Re:No Conspiracy Theories

[jvkjvk]

Further this will also raise the pain threshold of the users, once they get used to this level of pain, they will not see anything wrong with Vista. Now, there's some forward thinking. Keep pushing out updates to XP, slowly yet continually make the user experience worse and worse. After a year, it could be worse than Vista - if they work at it. They don't need to improve Vista, they just need to hobble XP!

Re:What's worse...

[Richard+Steiner]

Name me *one* popular OS that doesn't include the ability to watch vids and listen to music, much less browse the net and *gasp* Search.

There is only ONE popular OS. Windows. That's the problem... All other OSes have less than 10% of the market, so they're niche players at best.

Re:WTF?

[EvilNight]

I'm not sure. If I had to guess, I'd guess that it has something to do with the age of our WSUS servers. We started on 1.0 early on, upgraded to 2.0, then to 3.0 recently along with SP2 for 2003. The server itself started life as a Windows 2000 system so that upgrade process was run as well. The server has also had a complete hardware change three times over the last seven years. Microsoft's products are never so buggy on a fresh build as they are when part of a lengthy upgrade tree where the potential to fall down a rabbit hole of untested codepaths is much greater. Unfortunately we can't afford to just scrub every Microsoft service when we move to a new version. I also have a script running once a week to run the recommended cleanup using wsusutil on the WSUS database (and yes I've fixed it to run with the latest version). ;)

Other than this strange auto-approval, we've had no problems whatsoever with WSUS 3.0. It's been great actually. The improved reporting and granularity is a welcome addition that we have yet to truly take advantage of. WDS3 was successfully retracted from the approved list after I revoked it, and I've backed out the GPO changes without any trouble. It's no longer showing up on the clients. Also, BDD2007 and our repository of published software (both in a DFS root) resides on the same WSUS server. I've also grafted Linux PXE and Solaris Jumpstart into RIS/BDD2007 so it's something of a custom build. I don't really think those apps should be interacting with WSUS3 in any way though. Totally different services and disk partitions. There are some user home directories there as well.

As to some of the other posters, I don't know that WDS phones home, yet. I haven't taken the time to do a thorough analysis, but I tend to err on the side of paranoia (after all, security is part of my job). I get very suspicious of any programs collecting data about a computer or user activities in the name of making the user experience better. I also don't see the use of an indexing system that kills the performance of one's operating system. I don't trust MS as far as I can shot-put the planet either.

Our GPO already disables all file indexing, NTFS short filename creation, system restore, unnecessary services like UPnP and messenger, and sets sane, non-annoying defaults for apps like MSN messenger, the language toolbar, media center, etc. It even restores the XP search to the better, more basic 2000 version (it's amazing what you can do with a .reg push in a GPO). Essentially I took my 10+ years of experience un-fucking windows default configurations and turned it into a GPO so I didn't have to keep doing it the hard way. I've got custom MSI files assigned to workstations to install apps like the entire sysinternals suite, VLC media player (beats having users install real/quicktime/divx), and so forth. It's a rather mature, customized environment aimed at getting Windows out of the user's way so they can get work done. (And play - we don't ban games.)

And yes, my users have local admin on their desktops. Windows isn't really designed to operate any other way (and I don't have a Fortune 500 budget to fix it like some others do). Our solution to the constant risk of IE was to recommend people use firefox whenever possible (with noscript, adblock, etc) and to get IE, firefox, and other internet-touching apps to run under an unprivileged, local user account that was created to share the exact same desktop/docs/favorites etc as the real user. We also took some time to educate them on safe surfing habits.

What worries me is the trend lately for, say, apps like Sun's Java to ask (default is yes) to install apps like Google Desktop during their normal upgrade cycle. Frankly most users have better things on their minds than wondering if the apps they are clicking upgrade for are about to trojan their boxes with 3rd party bundled software. That's why I'm eyeing an app-killing security policy for the more egregious offenders.