Details From Microsoft Regarding Significant WGA Changes

Lauren (Weinstein) posted the following to the PFIR list. It is also available on his blog.

Date: Tue, 27 Jun 2006 09:56:39 -0700 (PDT)
From: snipped-for-privacy@pfir.org

Greetings. Microsoft officials contacted me yesterday to discuss changes in their Windows Genuine Advantage (WGA) program taking effect today, and to chat about a variety of other issues related to WGA now and in the future. There is a particularly significant change related to the "phone home" Internet activities of WGA that have been so controversial since my initial report on this topic (and multiple linked entries dated forward from that posting).

In particular, in response to the original controversy, MS has been widely quoted as saying that they'd reduce the frequency of WGA-initiated Internet connections from daily, to once every two weeks, then eventually to zero.

Officials now tell me that this schedule has been accelerated. A new update of WGA should be appearing in the Windows Update cycle starting this morning (if it's not there now it should be within a few hours). It reportedly will be tagged as an optional "high priority" (not security) update, with a new End User License Agreement (EULA) -- more on this below.

Here are some details on WGA behavior beginning with this new update, as explained to me by MS:

If a system has been previously validated (via a visit to the MS Windows Update or Download Center sites, for example), the new version (and future versions as now planned) of WGA will attempt some network activity to report to MS that the new WGA installation was successful (as per the new EULA). If this connection activity fails, MS says that for most users there will be no further connection attempts by WGA.

If a system has not been previously validated, the new version of WGA will retry as necessary in an attempt to validate, each time the user logs in (for most people, this means each time that they boot their system). Once validation has succeeded, these connection attempts would cease for most users.

There are some Windows license classes that do not have permanent validations, and that need to be revalidated at intervals. For those license classes, WGA would begin initiating connection attempts again when the current license validation period expires. Ordinary consumer licenses of the sort that most people get with their computers have permanent validations and do not fall into this category.

While recurring WGA-initiated connections will no longer be taking place for most users, WGA validation will still occur when users attempt to update at the Windows Update and Download Center sites.

Non-validated systems, or systems that have had their validations revoked, may be subject to restrictions previously noted including inability to download and/or install/execute various non-critical updates -- or some major packages (e.g. Internet Explorer 7, etc.). Officials told me that the most restrictions would be on the use of automatic updates and downloads, with fewer restrictions on actual update installation procedures, and the fewest restrictions of all related to program executions (as noted, execution restrictions would mainly be related to major program releases).

Microsoft considers WGA versions starting from today to no longer be "prerelease" -- but for now they are still optional. A new EULA is provided with a more explicit preamble where the user can decide to accept/reject or read more (a change of this sort was one of my original recommendations regarding the WGA EULA acceptance procedure). MS says that users can choose to reject installation of WGA even if it arrived through Windows Automatic Update.

For persons who wish to remove the prerelease WGA (the one with the boot/daily Internet connection activity for all users) without installing the new WGA, I'm told that a link and Knowledge Base article will be available giving the recommended step-by-step instructions for this process, and that users can call MS support for help with this procedure if necessary (without incurring a support charge).

That's the current situation as I understand it. Since it appears likely that I'll be having additional contacts with MS related to WGA issues, I'll continue to report on this topic as appropriate.

In other essays I'll discuss my specific opinions regarding the implications and other issues relating to these kinds of authentication environments.

--Lauren--
Lauren Weinstein
snipped-for-privacy@vortex.com or snipped-for-privacy@pfir.org
Tel: +1 (818) 225-2800
PFIR - People For Internet Responsibility
IOIC - International Open Internet Coalition
PRIVACY Forum
ACM Committee on Computers and Public Policy
Lauren's Blog

Monty Solomon