I wanted to bring to your attention that on February 12, Microsoft will release the IE7 Installation and Availability update to WSUS marked as an Update Rollup package. What this means is that this update will automatically flow only to clients of WSUS servers that have been configured to auto-approve update rollups, which, as you know, is not the default or commonly used WSUS configuration. But for those few that do, the IE7 team has provided an excellent guide for planning this deployment at http://support.microsoft.com/kb/946202/en-us.
Cecilia Cole | WSUS Program Manager
FYI, last week this caused a general IT warning e-mail in my company (Fortune 500, more than 120 000 people) so that we all avoid deploying a potentially unwanted browser version.
I will remain anonymous, if you don't mind.
I would agree IE6 is outdated and *has to* be updated.
But we sysadmins won't decide if a #@! critical business application using IE the embedded way, dating from '98, has to be suppressed after tens of hours of unsuccessful testing under IE7.
So rolling it out in this authoritative way is to me pretty irresponsible. How many "admins" will not see the notice?
OK... there has been a very good communication on this so I think the ones who would be surprised on 2/12 are the real irresponsible guys. But I would not want to be on their desk at this date.
PS: hope you won't rollout some XP -> Vista rollup package... 'll you? :)
A French admin, working for a big US company.
Thank you for your feedback, I think it opens up the doors to understanding what concerns are out there and to clear up any doubts lingering in people's minds.
Based on the WSUS community feedback last year around this topic, the number of WSUS admins who have update rollups on auto-approve is minimal due to the same reason you provide... "control". The vast majority of SysAdmins want the ability to determine what goes into their machines and what doesn't; auto-approval of update rollups seems to defeat that purpose IMHO.
I would be interested to know if you do have it enabled and the reasons behind it for self edification.
This guidance was put out there in the open for the few people that do, and of course, to give them enough time to understand what is going to happen and what measures they should take when it happens before it happens.
Thanks again for your feedback.
Dear team, thanks for the answer.
I don't use this rollup auto-approve because I am lucky enough to be IT staffed in a way that matches essential needs, so I can give WSUS the time it deserves.
But some of my colleagues on other sites or divisions, under heavy under-staffing, actually have to find every way to find even some spare minutes per week, so they are actually auto-doing everything possible. ("Why would I bother with testing an already tested patch" or something).
There's a process to centralize and set a hierarchy on WSUS servers but things take a long time...
What can you do against this in the meantime... probably hire people and/or educate admins.
But the ones who will pay the guy are also the ones you should not say to "I need a guy for supporting centrally the weekly annoying yellow shield thing".
Good day WSUS Team,
I need your help. I am very new to WSUS 3 and I want to make sure that IE 7 is not deployed in our environment. We currently have applications that do not support IE 7.
To check I do the following:
Click on the server name and expand it. Click Options, then Automatic Approvals.
I see Default Automatic Approval Rule but the check box is not checked.
Does this mean IE 7 will not be pushed out in our environment?
Thanks in advance for your help.
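Added example (not part of the original thread and not a Microsoft-supplied script): the console check described in the comment above can also be run against the WSUS 3.0 administration API, listing every automatic approval rule and flagging enabled ones that would cover an Update Rollup. It assumes it is run on the WSUS server with the administration console installed, that classification titles are in English, and that a rule with no classification filter applies to every classification.

```powershell
# Audit WSUS 3.0 automatic approval rules for coverage of "Update Rollups".
# Read-only: nothing on the server is changed.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Assumption: English classification title; adjust on a localized server.
$target = 'Update Rollups'

$findings = foreach ($rule in $wsus.GetInstallApprovalRules()) {
    $classes = @($rule.GetUpdateClassifications() | ForEach-Object { $_.Title })
    $groups  = @($rule.GetComputerTargetGroups()  | ForEach-Object { $_.Name })

    # Assumption: an empty classification filter means "all classifications".
    $covers = ($classes.Count -eq 0) -or ($classes -contains $target)

    New-Object PSObject -Property @{
        Rule            = $rule.Name
        Enabled         = $rule.Enabled
        CoversRollups   = $covers
        Classifications = ($classes -join '; ')
        TargetGroups    = ($groups -join '; ')
    }
}

$findings | Format-Table Rule, Enabled, CoversRollups, Classifications, TargetGroups -AutoSize

# Only an enabled rule that covers rollups lets such an update flow unattended.
$atRisk = @($findings | Where-Object { $_.Enabled -and $_.CoversRollups })
if ($atRisk.Count -gt 0) {
    $names = ($atRisk | ForEach-Object { $_.Rule }) -join ', '
    Write-Warning "Enabled rules that auto-approve Update Rollups: $names"
} else {
    Write-Output 'No enabled automatic approval rule covers Update Rollups.'
}
```

Downstream (replica or autonomous) WSUS servers keep their own rules, so the script has to be run on each server that approves updates.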
I'm an understaffed IT manager who would love to use auto approve, but after last year's "mistake" involving desktop search, I can't use it b/c I have no faith in the WSUS team. Thanks for giving me more work to do.
I have followed the instructions in KB946202 in the section "Deploying Windows Internet Explorer 7 Using WSUS" as we've had problems with the October 2007 release and we wanted to roll it out now.
However even on a freshly RIS'ed machine IE7 is NOT being installed. WSUS reports the client has downloaded it, but it doesn't appear. The WindowsUpdate.log shows that it queued it for downloading, but it never gets installed and I cannot find the package in the SoftwareDistribution folder. I've even confirmed that the files are in the content folder on the WSUS?
Will it not get installed UNTIL February 12th or has something else gone wrong?
Okay, so my Administrator account was not in the Administrators group, so now I can see the downloaded package.
However, why does IE7 not automatically install in the scheduled update (i.e. 3am when no-one is logged on)????
Not sure what people are proposing as an alternative here.
If IE7 weren't released to WSUS at all, those of us who do want to deploy it would have no option to do so... I think the product team is doing the responsible thing by making it available and warning us all in advance...
I think putting IE7 in the same category as MSRT and the IMF for Exchange is a mistake.
Put it under service packs so that it's not in the same category of essential updates.
I think WSUS is one of the best things that Microsoft has done for the Small Business community in a long time.
I'm a consultant; my company actively supports over 300 small businesses. Very few have any IT staff at all. Some we visit on a regular basis, but for many of them, we don't make any scheduled visits. We wait until we are called.
I know that Microsoft doesn't make products/solutions or issue "Best Practices" with small businesses (i.e. no IT staff) in mind.
Testing each patch is simply out of the question. We have determined that it is better to patch, and risk compatibility issues, than not to patch at all and risk being exploited. So I've been automatically approving updates since SUS v1.
Early on it was next to impossible to get anyone to go to the Windows Update site. Thanks to SUS/WSUS, we can now automate the process. This isn't perfect, since we still have the problem of getting end users to reboot their PCs.
A few customers allow us to force a nightly reboot using WMI based scripts, but for most, we have to rely on the end user.
Any business with an in-house IT staff should be testing all patches before deployment. And therefore, not auto approving anything. But it just isn't practical in my situation.
We had already rolled out the IE7 Block registry hack everywhere it was needed. You would think that that would have been adequate; a manual one-time procedure that would permanently prevent IE7's installation. I guess it's the case of the left hand not telling the right hand what it's doing.
I happen to like IE7 and recommend upgrading to it for all my customers that could. Nobody refused to upgrade simply because they didn't want to. There was always a software compatibility issue.
Obviously, Microsoft has the technical ability to make the IE7 Block registry hack universal. So why not make this security rollup check for the registry value?
The only obvious answer is that they want to force the adoption of IE7, regardless of any problems it may cause.
There's no need to get into the argument about if you didn't force them, some people will still be using Windows 95. I agree. I have customers like that. But sometimes there are legitimate reasons for not upgrading.
Microsoft should not say they're going to do you this big favor by making patch deployment easy, and then use that very tool to force change on their customers.
Now this has caught us by surprise and GUESS what: IE 7 was upgraded on 63 of 280 PCs in our environment. The bad part: we have in-house applications that CANNOT use IE 7! So now we have to go and uninstall on the 63 and are now trying to figure out how to get rid of the DOWNLOADED but not installed updates!
We are currently doing trial deployment on a testgroup after testing all our web-related apps with IE7.
The strange thing that I am seeing is that IE7 installed on systems using WSUS 2.0SP1 is going to status "Not needed" instead of being on "Installed".
Is this a bug somewhere in WSUS 2.0SP1 or in the IE7 distribution of February 12?