Prevent IE 8 from automatically downloading on Windows servers

While keeping systems up to date is important, there are plenty of valid reasons not to upgrade to IE 8 on Windows server systems. Rick Vanover shows how to prevent IE 8 from automatically showing up on your servers.

Internet Explorer (IE) version 8 will soon be a high-priority update within Automatic Updates for server systems, including Windows Server 2008 and Windows Server 2003 (SP2 or higher). Many organizations have supported browser version requirements that prohibit the rapid adoption of IE versions on server (or client) systems. This may sound uncannily familiar, as just last year IE 7 was placed as a high-priority update, and many systems woke up to a new version of the popular browser for Windows systems.

Microsoft has provided a tool that lets administrators block the acceptance of IE 8; the company has also provided a path for administrators to prevent the automatic download. The Internet Explorer 8 Blocker Toolkit prevents IE 8 from being offered as a high-priority update, although it will still be listed as an optional update. The Internet Explorer 8 Blocker Toolkit also provides a Group Policy template (an .ADM file) for the download.

If the Internet Explorer 8 Blocker Toolkit is rolled into Group Policy, it can only be applied as a computer setting and not as a user setting. Also, keep in mind that the Internet Explorer 8 Blocker Toolkit does not prohibit a user with appropriate permissions from downloading and installing IE 8 in a standalone fashion. While this tool addresses the need in most environments, many administrators may still have some issue with the classification of the browser as a high-priority update.

Arguments can be made either way on the scope of this practice. On one hand, it is very important to keep Windows servers up to date with the standard updates to the core Windows components, but changing the version of key parts of the server can cause issues. The same argument can be made for .NET Framework versions, which generally do not generate as much conversation as browser updates.

The Internet Explorer 8 Blocker Toolkit is generally indistinguishable from the Internet Explorer 7 Blocker Toolkit. Both Toolkits are available as free downloads from Microsoft.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

24 comments
xgenx

What about answering the question? Googling "wsus prevent IE updates" brings you to this thread. A: "Yeah you should always prevent this. Never on the server. Never. never. never." Very fruitless. Preaching to choir. I am running WSUS 2.0 (which is the best free solution as it allows more fine-grain control of installs) on our slow server so I would like to do least-touching method of applying changes. Search updates for "explorer 7" and "explorer 8" and set each to decline? Is that the fastest? Please post best method.

riveragabriel68

Interesting to read why administrators are blocking IE 8 from downloading on servers 2008, it would have been educational if you would elaborate on what issue it would have, if you did download IE 8, I would like to know?

jeff

I recognize the need to keep things updated but not all of my users can be reached effectively with SMS as they are out in the field. Many of our custom Apps are very sensitive to IE changes. Really wish this was pushed as a recommended update and not a critical one. J

blarman

I've been bitten too many times by bad Windows Updates to EVER allow that to run automatically - ESPECIALLY on a server. I always test them out somewhere else and let them run for a while before I even THINK about putting them on my server. I've had too many "critical" patches blow things up for me to trust an automatic process. Hmmm.... Funny. Come to think of it. Almost ALL of my update problems have been caused by installing new versions of Internet Exploder! IE 5 came out and totally blew up several applications. I had to FORMAT/RESTORE (with IE 4) to get them to work again. 5.5 was okay. Six caused compatibility issues with my DB. Seven caused my major app to issue a BSOD along with data corruption problems. Yeah - Not going to TOUCH 8 for a LONG, LONG time. I'll stick with FireFox, thanks.

dshaneyfelt

Never have had issues with unwanted updates using WSUS, it's free and effective when set up correctly. Gives you control over any Microsoft update.

Richard Noel

Thanks VERY much for making me aware of this option. RN

J3

WTF? Give it a few months if not a year before early bugs are worked out. Oh and the onslaught of new exploits. This is typical Microsoft, pushing what they want down our throats and making it an inconvenience for admins to block this ridiculous critical update.

b4real

Just last year we went through this with IE 7!

xgenx

The very first result is "Title: Update for Windows Server 2003 (KB904942) Description: Install this update to resolve HTTP authentication issues in Windows-based systems that do not appear until Microsoft Internet Explorer 7 is installed." But I have not found the actual IE7 install. Does anyone know the KB or something else I can search on in the WSUS updates? Or am I barking up the wrong tree?

Gh0stMaker

A web content filtering solution along with an intrusion prevention system can greatly minimize malware on the network. One of the main reasons IE typically has more security risks vs Mozilla Firefox (I use personally) is due to hackers wanting a feather in their cap. Giving problems to the 800 lb gorilla is far more satisfying than a much smaller browser competitor. It's the old argument of compatibility vs. security. More compatibility (java for example) means less security.

Gh0stMaker

GPOs can be set up to handle computers that remote into the network. Allowing computers to connect to the network without being able to control the updates is a security risk. Hopefully there is a security gateway they log into that monitors malware coming to and from.

yquintana

I have set up several computer groups in WSUS. When new patches are downloaded, I approve them for the testing group only (after reviewing the documentation) and run them for at least a few days before approving them for critical servers or workstations.

Gh0stMaker

Any Administrator worth his weight in gold, will not allow any product to auto update without some kind of testing environment. Client update example: pick 5 power users and update their computers using WSUS weeks before the general production computers etc.

AlexChiefTech

if your applications take it for granted that the IE version will remain the same forever?

Greg Mix

At one point IE7 was flagged as a critical update in WSUS. If you have critical and security updates on auto approval, it still may be an issue. You can either change your auto approval settings or catch it as it comes in (to decline it).

Gh0stMaker

I agree, great enterprise tool, and a must have to automate/control MS patches and updates.

just_do_it

Oh Wonderful and Mighty Microsoft... thanks for the job security.... when will it ever end

Gh0stMaker

Instead of whining about updates THAT DO make the environment more secure; use the tools MS or whoever provides to control the environment. Are we not professionals, take the hand given to you and 4 aces or a flush etc.

DaBigTrain

The problem is not IE changing, it's MSFT pushing it out automatically. Of course software must be constantly improved- but MSFT wants to force auto updates instead of making the updates available for testing by the individuals who have to clean up the mess when the application breaks due to an IE "improvement."

blarman

What is WSUS? Download site? Explanation of use/benefits?

rasilon

Add in the fact that you can have downstream servers that sync with the primary server. I have two sites connected via a T1. The remote site has its own WSUS server that syncs with the primary server (in our main site) every night. This means that users on the remote site get their updates from the local server, reducing the time it takes and restricting the bandwidth use to a minimum... Hank Arnold (MVP-DS)

sonicsteve

One main benefit for using WSUS is that your network will download the updates once to the server, at a time of your choosing, instead of having all workstations pulling the same updates. Saves a lot of internet bandwidth, and gives you control over what you install instead of the systems downloading whatever they're told to from Windows Update.

jmarkovic32

It's a free download from MS that you can install on a server to control and roll-out which updates are applied in your environment. It takes a fair bit of configuration to get it set up, but once you do it, you won't know how to live without it. It's so good that when I wanted to update to IE7, I actually had to look around to find out how to do it.
