Now that we’ve had the service pack available for a couple of weeks, I wanted to post a quick note, for those of you who have not yet rolled out the service pack to your environment, on things you can do before installing Service Pack 1 that might alleviate some headaches during your installation/deployment.
As always, rant here if you need to.
Nothing like a good rant to express a bit of frustration. :-)
Firstly, it's a great summary, Joseph. Thanks. Points following are in line with your numbers.
1. In the WU description for language packs, add a warning that unnecessary language pack installations could complicate future Windows Update package installations, and that only *required* language packs should be installed.
2. Why can't the service pack *check* that the System Reserved Partition is set active at the start of installation, and warn the user if not? If an SRP set active is a prerequisite for successful service pack installation, and this is not being checked for, then the service pack installer has a bug that should be eliminated before SP1 goes on Windows Update.
3. Third party cleanup tools would not be as necessary if Microsoft provided a good one, preferably inbox. The Sysprep Cleanup Pass is a cleanup process, but too 'aggressive' for day-to-day use, however I'm sure it could be tweaked into something like a general purpose cleanup tool - one that would not corrupt the servicing stack!
4. Why doesn't the SP installer disable 3rd-party intrusion software when installation commences (informing the user via a balloon), and reenable it at the end, if it's likely to be a problem? Are there legal obstacles to this? From a user's point of view, it would be great to see people being told that their expensive AV software was being temporarily *disabled* to allow an update to occur without issue. That might put a small seed of doubt into people's minds about this sort of software. The public is absolutely fixated on the idea that security is all about anti-malware programs, and have little idea about the issues these programs can cause regarding compatibility, plus the enormous performance hit they incur. For most people, their AV package *is* their security. I try to explain to people the benefit of not running as an administrator in my best layman's language, and their eyes glaze over. Please start doing something with Windows that makes AV software look like a problem, and not just the security cure-all people believe it is.
5. If CBS ever gets an ACCESS DENIED, could this be flagged in the registry, then when a later update fails, inform the user that a previous servicing operation had a permissions error on a protected system file, folder or reg key, and that they should check their lock-down policies?
6. Does the SP installer remove previous versions of the SP, and if not, why not, and does it explain to the user how to do this?
7. Enumerate the number of network filters, and if it exceeds MaxNumFilters, halt installation and explain the problem to the user, with a pointer to a Microsoft Support article.
8. Logs like CBS.log are obviously very important when determining the state of a machine - at least as important, perhaps, as the traditional event logs. Does Windows need a Log Viewer, with appropriate highlighting and search facilities for specific logs?
I have downloaded the network installation package as I need to update many computers. My question is: can the full SP1 be installed directly on Windows 7 RTM with no updates installed or does SP1 have any prerequisite updates like Vista SP1 had? Are there any updates which MUST be installed on W7 RTM before SP1 network package will install? If so, where is this documented?
What happens if you have a dual boot between Win 7 64-bit and XP SP3. Does #2 still apply?
@Drew: Good feedback as always. Most of your feedback has good ideas here, some aren't practical though for large scale. I'll address a couple here, the rest I will look into as feedback items with the product group. For #1 and #2, I'll take those as feedback items. Not much I can answer there. For #3, what kind of tool would you like? I've never really understood the use of driver cleaner utilities on installations because they have caused problems as long as I have worked here. If you can give me a true need for something like this, I'll see what I can do. #4 is easy, we'd most likely be in court if we disabled other vendors' code. #5 is harder because the access denied could be coming from anywhere, holding the value in the registry might help in popping up the problem but not in solving it. #6. Answer: No, it doesn't. It supersedes the packages and leaves them there, we don't remove them in case you want to uninstall and rollback. #7 and #8 are feedback for me. I'm working on an idea for #8 but it's hard to implement on a large scale so I have to see what I can figure out for that.
@someone: No, if you have the standalone package you don't need anything else. The SSU update that ships prior to a service pack installation is already included in the standalone (that's the package you were talking about with Vista).
@Ed: No, this shouldn't be an issue but I have not specifically tested the scenario. We typically honor our own partition markers.
I have to second the request to disable IPS software during install. In particular, I know that McAfee states that their HIPS should be disabled during service pack installation. The whole issue in an enterprise deployment is timing. Since SCCM may be deploying the service pack via WU as the client machines are available, we can't easily time McAfee HIPS off/on for all of them.
I don't know how anyone in today's world can poo poo AV or IPS as just silly software. They are mandatory in an enterprise and the service packs have to figure out how to work with them.
@someone: I forgot about the two pre-reqs in Vista, that's what you were referring to before. My bad. We don't have those anymore :)
3. One example would be cleaning up non-plug and play drivers. A recent newsstand issue of APC (apcmag.com) found no less than 13 services remaining after the uninstall of a popular security suite. These monstrosities don't fully uninstall themselves, and there are pages with lists of links to vendors' complete uninstall programs:
These uninstallers should come with the *installers*, IMO, and run as part of a two-stage/reboot uninstall process, otherwise no premium logo for you. Well that is just one category of cleanup, there are others of course and yes, these are often no more than placebos. Presumably we could trust a MSFT placebo not to have unintended consequences, but that is a fairly weak answer - let me get back to you on this.
4. So let me tell you how to win those court battles. :-) The service pack updates the OS build (e.g. from 6.1.7600 to 6.1.7601). Now during the SP install, the OS build could be said to be indeterminate. If a program install is defined relative to the OS build it runs on, then during the SP installation, all program installations are also in an indeterminate state, and consequently what happens to them in this state is outside the boundaries of what is legally enforceable!
Seriously, the OS *has to* protect its own integrity, and 3rd-party vendors can't argue with this. To do so would be like arguing that the kernel can't stop if a 3rd-party driver performs an illegal operation, because that might cause me to lose important work, for which I might go ahead and sue MSFT. Alternatively, just let the 2nd-party set a system Group Policy: DisableAntimalwareDuringOperatingSystemBuildUpdate
8. An administrative tool for viewing logs with highlighting, search, error lookup, verbosity settings etc, would be cool. Yes, no doubt easier said than done.
@someone: I believe the SSU update is KB976902.
support.microsoft.com/.../976902. I think you will see reference to this at the start of the downloadable SP install, if you watch the progress dialog closely.
@ Dave: I do think AV software has value, however it also has serious problems. The detection rate on new malware is fairly poor, and declining:
www.informationweek.com/.../showArticle.jhtml
www.computer.org/.../MC.2010.187
AV software can degrade system performance enormously:
thepcspy.com/.../what_really_slows_windows_down
AV software *contributes* to system vulnerabilities:
www.sans.org/.../2007
At least Microsoft's offerings are reasonable on resources, and compatible with Sysprep:
theitbros.com/sysprep-windows-7-third-party-anti-virus
Maybe the detection rates are 1% below the big names - I'll take it.
For both #3 and #4 you're asking one software company for a way to make another software company write better code/uninstallers. While I 100% agree with the legal premise and the right of the OS to protect itself, the fact of the matter is, we really try and avoid touching others' code if we don't have to. It's not always done for litigious reasons either, but because it's up to that vendor to write better code. If you don't like their code, don't buy it. That's the free market at work <G>. Your kernel example is exactly how we attempt to protect ourselves though, the other stuff is a lot harder.
I appreciate the feedback, keep it coming.
Joseph, aren't you sort of assuming that users understand that the reason their SP update failed was due to 3rd-party code, and not, as they often perceive it, that unreliable monolith known as Windows? Furthermore that they then go buy a Mac from a company that is doing very well in the free market, but who takes a very different approach as to what code will run on their platforms? Who doesn't want Microsoft to use its position to improve the quality of 3rd-party code (and its own), by gently raising the standards bar occasionally? Anyway, isn't that the purpose of things like WHQL, UAC prompts and logo programs?
To be fair, you're referring also to the more specific case of interfering with online code. Ok, but for SP installs and antimalware that's half an hour every 18 months. Presumably these AV programs which I obviously enjoy criticizing have a reason for infiltrating systems so thoroughly that they can end up unintentionally interfering with servicing and only partially uninstall via the normal method. Surely this calls for a compromise solution, rather than just suggesting that people buy something else? You could say that about app compat and security - if your programs don't work with Standard User credentials, buy something that does! (And who hasn't thought that before?)
Yes, in a way you have to make that assumption. Obviously, we're not perfect either but I think many look at Microsoft code as being generally well tested. Sure, we hit other issues outside of our test passes once it gets into the "wild", that's just the nature of this business. We try and address those as quickly as possible and that's one of the reasons I wanted to get information out as quickly as I know about it here.
If Microsoft went the way of Apple and controlled the hardware and software platform, I don't know that it would be a better option quite honestly. I'll be the first to tell you that I think Apple hardware is amazing, I'm not a personal fan of everything they do in their OS, but I would imagine that's expected. However, going to the Apple model offers less consumer choice in the end and less competitive pricing overall. Does it potentially offer a better operating system experience? Perhaps. But less choice would not be my personal choice.
I know the numbers we've had downloaded to this point and when you consider our install base, the overall number of issues is actually pretty small.
Joseph, what I said about the public perception of Windows was badly worded. I didn't mean to suggest that people think that Windows is crap, it's just that when something goes wrong there is a tendency - almost cultural in nature - to blame Microsoft, deserved or not. Either that or it's the guy who last fixed their computer. :-) Oddly enough, that's one reason I like stuff like verbose system messages, or anything that hints at the underlying complexity of the OS, be it cryptic or not. As soon as people become even slightly aware of how much is happening "under the hood", their attitude seems to change. Ask people to run a chkdsk or full AV scan and they are often astonished at the number of files on their system, and then they seem to have more respect for the whole thing.
Specifically on AV uninstalls, if a vendor wanted to integrate a second-phase into their uninstall procedure, wouldn't that require something like an auto-Admin logon after the first reboot, so that the second phase could commence before the logon screen appeared? Could they even do this if they wanted to?
Re Apple - it's probably hard to determine the control/choice trade-off given the different market shares of APPL and MSFT, but no doubt the trade-off is there. Apple is probably one extreme, and I'm not suggesting you ban Flash. ;-) However, there has to be some stringency with regard to programs that want to make Kernel Mode level changes. For example, would it be going too far to suggest that any program that wants to install services has to get WHQL certification? If not, then your security model can be compromised by installing Tetris:
"One thing that I found particularly annoying though, is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges. So, when you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing e.g. to load kernel drivers! Why Tetris installer should be allowed to load kernel drivers?"
No offense at all. I've been used to that attitude for a long time now. ;)
I firmly agree that permissions and freedoms need some better management. The end home user throws his hands up in despair when these problems happen. MS should be more up front explaining legal versus technical permissions before the install. A second compromise of temp turning off the internet and fully installing the MS SP would help. This would eliminate many vulnerabilities as most home users' threats are 99 percent from internet. As for AV issues MS should recommend proper best practice and give them a "grade" if their software causes SP or update issues. Everyone should blow the whistle if the end user gets hurt. The pressure is needed to force better software code. This is "moral" arguments of best business practices, and who owns rights, permissions. Hi recommendations is usually the best practice.
Slipstreaming, or lack thereof. I just don't get it! Having to reverse image a system after installing a service pack to get it to merge with the install disc? What a pain.
I've never seen a SP also rots from Microsoft!
5 attempts to install on 5 different machines and 5 failures.
1 with an OEM installation (HP).
2 with complete facilities standards.
2 with customized preinstallation.
In neither case did the service pack install!