Newest Windows Update snafu puzzles Microsoft

Computerworld - For the second time in a month, Microsoft Corp. has had to defend Windows Update against charges that it upgraded machines without users' permission. So far, it has no explanation for the newest instance of unauthorized updating.

In a post published late Friday to a company blog, Nate Clinton, program manager for Microsoft Update, denied that Windows' update mechanism was to blame for reports of settings being changed without user interaction, updates downloading and installing, and systems rebooting.

"We have received some logs from customers and have so far been able to determine that their AU [Automatic Update] settings were not changed by any changes to the AU client itself and also not changed by any updates installed by AU," Clinton said.

Claims started to trickle in shortly after the rollout last Tuesday of multiple security patches that machines running Windows Vista had updated on their own, even though users had set Automatic Update to require their approval before downloading and/or installing patches. Some users also reported that machines had rebooted, which caused data loss in applications that had been left open.

The Windows enthusiast site AeroXperience was the first to notice the wildcat updates, and it collected accounts from users. "I had mine set to 'Check for updates but let me choose whether to download and install them,' it's now on 'Install Automatically'," said Jon Abbott on an AeroXperience forum last Wednesday.

Others noted that the mysteriously changed settings resulted in downloaded and installed patches with a reboot to finalize the installation. "Just now I had my computer reboot on me because Windows Update, without my permission, downloaded and installed updates for my computer and then rebooted," said a member identified as "Zeros and Ones."

According to other messages on the AeroXperience forum, users running Vista Service Pack 1 (SP1) were unaffected. Also, no reports originated from users running Windows XP or Windows Server 2003.

This incident follows the disclosure last month that, contrary to users' instructions, Automatic Update had updated itself. Microsoft tried to deflect the criticism by saying that the practice was necessary to keep Automatic Update up to date and thus keep users' computers safe. At that time, Clinton said Microsoft would consider changes to make the update process more transparent to customers. "We are now looking at the best way to clarify [Windows Update's] behavior to customers so that they can more clearly understand how WU works," he said in a post to the same company blog on Sept. 13.

Since then, neither Microsoft nor Clinton has made any additional announcements about changes being considered to Windows Update.

Even Microsoft seems unsure about what caused the Vista-powered systems to mutiny and install updates without orders. "We are still looking into this to see if another application is making this change during setup with user consent or if this issue is related to something else," Clinton said.

AeroXperience, which claimed to be working with Microsoft on tracking down the bug, hinted that it might be the fault of Windows Live OneCare, Microsoft's consumer-grade security suite. The site asked members who had experienced the forced update and who also had installed OneCare to forward the program's event logs to a designated e-mail address.