Some customers have reported that the update package for KB917013 was deployed to WSUS clients without their having approved the update for installation on their WSUS servers. The original update, released in February 2007 as an optional update, was applicable only to systems that already had a version of Windows Desktop Search (WDS) installed. The recent update, Revision 105, expanded the applicability logic so that it applies to all systems regardless of whether a prior version of Windows Desktop Search was installed, provided, of course, that the update was approved in the WSUS Administrative UI or via administrator-set auto-approval rules.
The initial update would have been installed only if it had been approved, either automatically or manually, and if the applicability criteria were met on the client (that is, WDS was installed). For some customers the original update was approved for install, but because the earlier applicability rules limited it to clients that already had WDS installed, it was never actually installed on clients without WDS.
So what happened with this revision, and why did it seemingly deploy itself to all systems in your environment? WSUS by default is set to auto-approve update revisions, to minimize administrative overhead and make sure distribution "just works". Keep in mind that a package is called a revision only when the metadata or applicability rules of an update change, never the binaries. Revisions are also auto-approved via this setting only if the original update is approved.
With the expanded applicability rules and the WSUS default setting to auto-approve new revisions, it may have appeared as if this update was deployed without approval. For this revision to have been approved and deployed, the initial version of the update must have been approved and the "auto-approve revisions" option must have been on (which it is by default).
That said, we will be tightening the criteria for revisions so that auto-approval of revisions behaves more predictably and stays within a scope similar to that of the original approved update, as we appreciate the confusion this behavior caused.
Thanks as always for your feedback to make our products and processes work for our customers.
Is there any response for the mob of people who have had this latest WDS auto-installed even though their WSUS is explicitly set to *NOT* auto-approve anything?
If you have identified the problem, the next logical step would be to help people fix the problem. So far you've only discussed how to prevent it from happening in the future.
Can you please post some information about how to easily remove the software?
This is not the result of an auto-approval rule. This is the result of the server setting to automatically approve new revisions of updates that have already been approved.
I blogged about this happening to me here:
Now, if I understand the above correctly...
There is a good chance I approved the update to Windows Desktop Search for installation back in February.
I would have done that in the understanding that it would apply -only- to systems that already had the Windows Desktop Search tool installed.
That understanding has come from the behavior of Microsoft updates in general: -Updates- to components of Windows and other applications, only apply to systems that have that component or application installed.
Makes sense. After all, you cannot update software that isn't installed in the first place... because it's not there yet.
Now what I understand from the post above, is that the update revision 105, released a few days ago, is not simply an update.
It is in fact the entire Windows Desktop Search installer, with the ability to also replace/update previous installations.
And because the WSUS feature to always approve new revisions is also turned on on my WSUS server, 105 was also automatically approved, because it's a -revision- of the February update.
However, you changed the scope of applicability of 105.
In my opinion, this is a very dangerous sequence of events, because the logic is not apparent to most admins, I am guessing (based on what I have read so far).
The combination of both a revision, -and- a scope change at the same time, seems an inherently bad choice.
For all intents and purposes, the effect of the scope change for clients that did not have WDS previously installed does not constitute an -update-, and it should not be presented as such.
That means it should have been presented as a completely separate item in WSUS, and should not have included the word "update" anywhere in the description.
I have read on the thread here: http://episteme.arstechnica.com/eve/forums?a=tpc&s=50009562&f=12009443&m=796005818831&r=845007818831
that exactly the same thing happened with "Client Update for Microsoft Forefront Client Security (1.0.1703.0)", which similarly was extended in scope.
The term "update" should mean just that. You should not be using the term so generically, and wrapping up "new" installation functionality into one and the same package.
Keep it separate. Keep the language clear to us admins who have probably very little time to devote to patch management already.
Following are the ways to check if your WSUS server has been configured to auto-approve new revisions for already approved updates.
1. If you have a WSUS 2 server
Launch the WSUS 2 web administration tool.
Click Automatic Approvals options.
See the section "Revisions to updates".
If the button "Automatically approve the latest revision of the update" is selected, then the server will auto-approve new revisions of already approved updates.
2. If you have a WSUS 3 server
Open the WSUS 3 Administration tool.
Go to Update Services -> Options.
Select Automatic Approvals.
In the window that pops up, select the "Advanced" tab.
See the state of the checkbox "Automatically approve new revisions of updates that are already approved".
If that is selected, then the server will auto-approve new revisions of already approved updates.
In both WSUS 2 and WSUS 3, the above options are selected by default.
Hope this helps
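The same check, done against the WSUS administration API rather than by clicking through the console, as an added example (not code from the original post or any of the commenters). It covers both the post's explanation of revision auto-approval and the console walk-through above. Assumptions: it runs on a WSUS 3.x server as a WSUS administrator, the Microsoft.UpdateServices.Administration assembly that ships with the WSUS 3 console is present, and the two switches are this script's own names. The `AutoRefreshUpdateApprovals` configuration property is the API-side name for the "Automatically approve new revisions of updates that are already approved" checkbox.

```powershell
# Added example, not part of the original post: inspect (and optionally change)
# the revision auto-approval setting on a WSUS 3.x server and report the
# approval state of the current KB917013 revision.
# Assumes: run on the WSUS server as a WSUS administrator; the WSUS 3 console
# (which installs Microsoft.UpdateServices.Administration) is present.
param(
    [string]$KB = "917013",
    [switch]$DisableRevisionAutoApproval,   # assumed switch: turn the checkbox off
    [switch]$Decline                        # assumed switch: decline the update
)

[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$server = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $server.GetConfiguration()

# This is the server-wide setting, not one of the auto-approval rules: the
# "Automatically approve new revisions of updates that are already approved"
# checkbox under Options -> Automatic Approvals -> Advanced. On by default.
Write-Host ("Auto-approve new revisions of approved updates: {0}" -f $config.AutoRefreshUpdateApprovals)

if ($DisableRevisionAutoApproval -and $config.AutoRefreshUpdateApprovals) {
    $config.AutoRefreshUpdateApprovals = $false
    $config.Save()
    Write-Host "Revision auto-approval turned off; new revisions now need explicit approval"
}

# SearchUpdates matches on title/description text, so filter on the update's own
# KB article list to avoid pulling in unrelated updates that mention the number.
$updates = $server.SearchUpdates("KB$KB") |
    Where-Object { $_.KnowledgebaseArticles -contains $KB }

foreach ($u in $updates) {
    Write-Host ""
    Write-Host ("{0}  [revision {1}]" -f $u.Title, $u.Id.RevisionNumber)
    Write-Host ("  Classification: {0}" -f $u.UpdateClassificationTitle)
    Write-Host ("  Approved: {0}   Declined: {1}" -f $u.IsApproved, $u.IsDeclined)

    # Who approved it, for which target group, and when. An approval carried
    # forward onto a new revision shows the original administrator's name.
    foreach ($a in $u.GetUpdateApprovals()) {
        Write-Host ("  {0,-10} {1,-25} by {2} on {3}" -f `
            $a.Action, $a.GetComputerTargetGroup().Name, $a.AdministratorName, $a.CreationDate)
    }

    if ($Decline -and $u.IsApproved) {
        # Declining stops further installs; it does not remove WDS from clients
        # that already installed it.
        $u.Decline()
        Write-Host "  -> declined"
    }
}
```

Run it once without switches to see the setting and the approval history; the approval record is what tells you whether a revision inherited an approval from the February release rather than being approved by hand.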
Cross post from my comment on the WU Blog:
I believe the way this update was packaged and presented, undermines the logic we have come to expect from WSUS updates.
The problem is that the package is presented internally as a revision -update-, which are by default -always- automatically approved (your other approval settings don't override this), but it was combined with a scope change, that allowed the package to also install WDS on systems that did not have it previously.
It is the second behavior that causes the problem. Installation on systems that did not have it previously, is NOT an -update-, they should not behave as such.
Revision 105 was called "Windows Desktop Search 3.01 for Windows XP (KB917013)". Classification: Update
Now, from the name alone, it looks like it's not an update but a complete installation (which it was). I never got to see the name before the fact, of course, because it auto-approved and installed itself.
The classification is "Update", and this is what troubles me. Surely, if this "update" can install itself on systems without previous revisions, it does not belong in the "update" classification?
This should have been split into 2 packages.
1. An -update- with new revision number 105, possibly with a slightly different name including the word "update". This would have been automatically approved if the default option for auto-approving revisions was not altered by the admin. The scope would be to install only on systems with previous revisions of WDS.
2. A new package, called "Windows Desktop Search 3.01 for Windows XP (KB917013)", possibly with a new revision number, but certainly a different classification. I don't have a list of all the WSUS classifications here, but I am sure there is one that is suitable; wasn't there something for new Windows features?
Also, I am wondering, how do you determine the "scope of applicability" for updates in WSUS? I don't see anything clearly different in the update that indicates it will install itself onto computers that don't have it, instead of just updating the previous version.
So, what can be done for those of us who now have WDS installed on machines where we never wanted it?
The update is conveniently non-removable via WSUS...
microsoft might "appreciate the confusion this behaivor [sic] caused" but the rest of us certainly do not.
Kudos to Phil @ Princeton.edu for this one (hopefully he doesn't mind us reposting this)
1. Used a GPO to disable and stop the "Wsearch" (aka Windows Search) service on our managed machines. This stopped the "bleeding"
2. Since stopping the service just stops the client from indexing (doesn't remove the WDS GUI from machine), we plan on sending out the following command to machines (with SMS) early next week. This will completely uninstall WDS 3.0.1 silently :
%windir%\$NtUninstallKB917013$\spuninst\spuninst.exe /q /norestart
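The two client-side steps above (stop the Wsearch service, then run the package's own spuninst.exe silently) as one script, added here as an example and not code from the original post or from the Princeton commenter. Assumptions: it runs elevated on an affected Windows XP or Server 2003 client with PowerShell installed, the package left the standard $NtUninstallKB917013$ folder, and the `-Uninstall` switch is this script's own invention so that the default run is containment only.

```powershell
# Added example, not part of the original post or comment: contain and remove
# the WDS 3.01 package deployed by KB917013 on one client.
# Assumes: elevated PowerShell on an affected XP/2003 client; the package's
# uninstall folder exists under %windir%. The -Uninstall switch is assumed.
param(
    [switch]$Uninstall   # without it, only stop and disable the indexer
)

$kb = "KB917013"
# Same path as the comment's command, built from $env:windir.
$uninstaller = Join-Path $env:windir ('$NtUninstall{0}$\spuninst\spuninst.exe' -f $kb)

# Step 1: stop the bleeding. Stopping Wsearch halts indexing and disabling it
# keeps it from starting again at reboot, but the WDS binaries and UI remain.
$svc = Get-Service -Name Wsearch -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name Wsearch -Force }
    Set-Service -Name Wsearch -StartupType Disabled
    Write-Host "Wsearch service stopped and disabled"
} else {
    Write-Host "Wsearch service not present; WDS 3.x does not appear to be installed"
}

# Step 2: silent removal through the package's own uninstaller (the command the
# comment above distributes with SMS), only when the uninstall folder is there.
if (-not (Test-Path $uninstaller)) {
    Write-Host "No $kb uninstall folder found; nothing to remove"
    return
}
if (-not $Uninstall) {
    Write-Host "Found $uninstaller; rerun with -Uninstall to remove the package"
    return
}

$p = Start-Process -FilePath $uninstaller -ArgumentList '/q', '/norestart' -Wait -PassThru
# Report the exit code rather than interpret it; /norestart leaves any reboot
# the uninstaller wants to the administrator.
Write-Host ("spuninst.exe exit code: {0}" -f $p.ExitCode)
```

Push the containment-only run first across the fleet, then the `-Uninstall` run in a maintenance window, since removal may need a reboot to complete.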
Nice spin, but the fact remains that a so-called 'update' was released that installed on systems that did not have the product the update was targeted to. This so called 'update' was really a completely new version of a product. As a Microsoft customer, I don't really care which product team is at fault for screwing up the applicability rules or labeling a full product as an update. I want help dealing with the immediate issues this has caused and ensuring that this can't happen again.
After this fiasco, you may as well leave auto approval out of the next version of WSUS, because nobody should ever trust it again.
Explaining to your managers that you know how it happened does not matter a whole lot; I would much rather explain what my plan is for fixing this and removing this awful malware.
Yes, this is very lame. MS should be on its knees apologizing for this mess-up, not trying to spin it. But I guess Microsoft doesn't really care; what can us admins do? Stop using their software? Probably not, at least not yet, but stuff like this won't bode well for you in the future.
Although I have the 'automatically approve revisions of updates already *approved*' option on, I had previously *declined* Desktop Search 2.xx. However, I was hit with 3.01 installing on my PCs. Why should this have happened if I had declined the previous updates?
This is such weak BS! Wish I could just use something as lame for my clients.
Trust Microsoft, pay the price