Some customers have reported that the update package for KB917013 was deployed to WSUS clients without their having approved the update for installation on their WSUS servers. The original update, released in February 2007 as an optional update, was applicable only to systems that had a version of Windows Desktop Search installed. The recent Revision 105 expanded the applicability logic so that the update applies to all systems, regardless of whether a prior version of Windows Desktop Search was installed, provided, of course, that it is approved in the WSUS Administrative UI or via administrator-set auto-approval rules.
The initial update would have been installed only if it had been approved, either automatically or manually, and if the applicability criteria were met on the client (that is, WDS was installed). For some customers, the original update was approved for install but, because the previous applicability rules limited it to clients that had WDS installed, it was never actually installed.
So what happened with this revision, and why did it seemingly deploy itself to all systems in my environment? By default, WSUS is set to auto-approve update revisions, to minimize administrative overhead and make sure distribution “just works”. Keep in mind that an update is titled a revision only when its metadata or applicability rules change, never the binaries. Revisions are also, of course, auto-approved via this setting only if the original update is approved.
With the expanded applicability rules and the WSUS default setting to auto-approve new revisions, it may have appeared as if this update was deployed without approval. The initial version of the update would have had to be approved, and the “auto-approve revisions” option on (the default), for this revision to also have been approved and deployed.
To Recap:
That said, we will be tightening the criteria for revisions so that auto-approval of revisions behaves more predictably and with a scope similar to that of the original approved update, as we appreciate the confusion this behavior caused.
Thanks, as always, for your feedback, which helps make our products and processes work for our customers.
Bobbie Harder
PM, WSUS
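The condition the post describes, an approved update that no client needs combined with automatic approval of revisions, can be checked on a WSUS server. The following read-only audit is an added example, not code from the WSUS team; it assumes the WSUS administration API (`Microsoft.UpdateServices.Administration`) is installed on the machine where it runs and that the session has WSUS administrator rights.

```powershell
# Added example: read-only audit, run locally on the WSUS server.
# Assumption: the WSUS administration API assembly is installed (it ships with the WSUS console).
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $wsus.GetConfiguration()

# 1. Is "automatically approve new revisions of approved updates" switched on?
"Auto-approve revisions of approved updates: $($config.AutoRefreshUpdateApprovals)"

# 2. Look only at updates whose latest revision currently carries an approval.
$updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$updateScope.ApprovedStates =
    [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
$allComputers = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

$dormant = foreach ($update in $wsus.GetUpdates($updateScope)) {
    # Keep only updates approved for Install (skip detect-only or removal approvals).
    $approvals = @($update.GetUpdateApprovals() | Where-Object { $_.Action -eq $install })
    if ($approvals.Count -eq 0) { continue }

    # Per-update status counts across every computer that reports to this server.
    $s = $update.GetSummary($allComputers)
    $needed = $s.NotInstalledCount + $s.DownloadedCount +
              $s.InstalledPendingRebootCount + $s.FailedCount

    # Approved for install, yet needed by nobody and installed nowhere: a change
    # to the applicability rules in a later revision would start deployment.
    if (($needed + $s.InstalledCount) -eq 0) {
        New-Object PSObject -Property @{
            Title          = $update.Title
            KB             = ($update.KnowledgebaseArticles -join ',')
            Revision       = $update.Id.RevisionNumber
            Classification = $update.UpdateClassificationTitle
            ApprovedGroups = $approvals.Count
        }
    }
}

$dormant | Sort-Object Title |
    Select-Object KB, Revision, Classification, ApprovedGroups, Title |
    Format-Table -AutoSize
```

Each row is an approval that currently has no effect and can be reviewed and set back to "Not Approved" in the console if it is not wanted. Setting `$config.AutoRefreshUpdateApprovals = $false` followed by `$config.Save()` turns off automatic approval of revisions, at the cost of approving each revision by hand.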
"If you have identified the problem, the next logical step would be to help people fix the problem. So far you've only discussed how to prevent it from happening in the future."
No. The customers identified the problem. This article simply explains to the stupid customers that it's not a bug, it's a feature.
If I managed to catch KB917013 before my WSUS server downloaded it, and I mark it "not approved", am I safe? Or do I need to disable auto-approval of "updates"?
Our updates are managed by an IT company. Needless to say you must have done this on all their clients. Thank you we will have to pay them now to remove it from all our systems, They claim it's not their fault. Thank you very much.
you people at MS should be shot and strung up to dry....
I checked the status of the Feb '07 release and it is (was) set to 'Not approved'. So if what Bobbie Harder said above is true, then how did this get approved on my systems?
Seven hours into clean-up. Passed the word to management: MS changed the rules, we should have known they changed the rules, so sorry, good luck.
I love being hourly!
This is ridiculous. As if anyone is under any illusions that this is anything other than simply MS realising that no one's installing this rubbish product because it's so bad, so they're just forcing it on as many people as possible.
I was out wed for my birthday.... Imagine my happiness at the gift of a phone burning up this morning when I arrived!
I did NOT approve any ANY variation of WDS and I should have had the ability to approve this before my users saw a 'mystery box' appear in their taskbar.
You smart IT guys at M$ do know that some of us that work in financial or data security oriented jobs would prefer that users not search their freakin PCS????
Thanks for the meeting I have tomorrow....
IMHO, MS shouldn't be blamed for all of this.
After some detective work I found this:
A restored backup of our WSUS server had the Feb 2007 WDS 3.01 approved for install for all computers but needed by none.
Automatically Approve previously approved updates was on.
It was never an issue because no computers needed it but it still should not have been approved for install!!!
It was patiently waiting for months to get a new detection algorithm.
My bad...
I do agree that we should have been told ahead of time that the detection behavior was changing.
It is in there under the revision notes:
"The applicability rules or prerequisites have changed. This type of change means that the set of machines on which the new revision is offered may be different from the set of machines on which the old revision is offered."
By the time I got to read it, it was too late. :-{
I do think they should have classified it differently (under Tools?).
Just my two cents...
Tom S
"revisions are only titled as such, when metadata or applicability rules of an update package change, never the binaries"
If that was true, then how is it that an ENTIRELY NEW VERSION of Windows Desktop Search was sent as a revision?
I hope this clears everything clear. For those still confused I will summarize it this way:
We own your system, if you do not want us to update it when we feel it is necessary you should disconnect from any networks or the internet!
http://fakesteveballmer.blogspot.com
Okay class let's review.... http://blogs.technet.com/wsus/archive/2007/10/25/wds-update-revision
I have over 130 servers this has been "Dumped on". Reading the Comments made by the WSUS team is a joke.
The fact it has been approved/not approved by us poor administrators, thinking we had done the right thing and what does MS do. It drops the application on to the servers and brings them to their knees. Cheers guys! So smart!