Some customers have reported that update package for KB917013 was being deployed to WSUS clients without having approved the update for installation on their WSUS servers.   The original update release, released February 2007 as an optional update, was only applicable on systems which had a version of Windows Desktop Search installed. The recent update Revision 105, had the applicability logic expanded to be applicable to all systems regardless if a prior version of Windows Desktop Search was installed,  IF of course, approved in the WSUS Administrative UI or via Administrator-set auto-approval rules.

The initial update would have only been installed  if the update had been either auto, or manually approved, and if the applicability criteria was met on the client (that WDS was installed).  For some customers,  because the original update was approved for install,  but because of the previous applicability rules to apply only to clients which had WDS installed, the update was not actually installed. 

So what happened with this revision and why did it seemingly deploy itself to all systems in my environment?  WSUS by default is set to auto-approve update revisions to minimize administrative overhead and make sure distribution “just works”.  Keeping  in mind,  revisions are only titled as such, when metadata or applicability rules of an update package change, never the binaries.  Revisions are also of course only auto-approved via this setting, if the original update is approved.

With the expanded applicability rules, and the WSUS default setting to auto-approve new revisions, it may have appeared as if this update was deployed without approval.   The initial version of the update would have had to have been approved, and the “auto-approve revisions” option on (by default) in order for this revision to have also been approved and deployed.

To Recap:

• The initial February 2007 release had to be purposely checked/approved by WSUS admin s sfor distribution, because it was an Optional update. 
•  All subsequent metadata-only revisions to that WSUS admin approved February 2007 release would then also be automatically approved for distribution. 
• The initial February approval is retained throughout the life of the update, regardless of revision.

That said,  We will be tightening the criterea for Revisions so that auto-approval  of revision behaivors are more predictable and of similar scope as the originial approved update, as we appreciate the confusion this behaivor caused. 

Thanks as always for your feedback to make our product s and processes work for our customers.

Bobbie Harder

PM, WSUS

Starting today, the WSUS administrator will notice that the IMF Filters now supersede each other instead of direct expiration of every update. A review of the process over the last couple of months allowed us to identify that the expiration release model just wasn't working. The new model allows a better control of ensuring that an IMF update will always be available even if the release window for the new update is missed.

The new release model will be as follows:

1. The new update (N) will supersede the previous update (N-1) when viewed by the WSUS administrator
2. N-3 updates and older will be expired.

Scott Roberts (Exchange SE)

Hi WSUS Admins - Just a reminder, the DST update made available to your WSUS servers today (KB931836) is classified as an update rollup so AU and SMS/ITMU pick it up too.  For WSUS that means, you'll want to make sure either to modify your auto approval rules (if you use them), or remember to approve this update manually. 

 Also, for any of you laggerts out there still using (let's see if i still remember how to spell it), ...... SUS, the update will be available since we were able for SUS, to classify it appropriately for pickup (critical).   

As I posted Friday, remember the 931836 update plays nicely with any previous DST updates released earlier you may have installed. 

Cheers-

thnks - Bobbie

WSUS Admins: 

I wanted to let you know about a new product category you will be able to see in your synch options product dialog.  The product is called Microsoft Codename Max  which is a new consumer beta offering from Microsoft.  While this product category will be added to the WSUS synch options product dialog, there will be no "Codename Max" software or updates synched from Microsoft Update to WSUS servers.  Codename Max is not applicable to the WSUS infrastructure.  The actual appearance of the product category in the WSUS UI is a glitch in our publishing logic which will be addressed in SP1.  We wanted you to be notified before you saw this new category and had any questions.  Again, this product category is not applicable to the WSUS infrastructure and no updates or software will be synched from MU for it.   For more information about Microsoft Codename Max see:  http://www.microsoft.com/max/.

- Bobbie

Bobbie Harder

Program Manager, WSUS

Microsoft