Microsoft rebuts rogue WSUS reports
26 October, 2007 08:21
Microsoft Thursday denied that its enterprise update service was forcing all Windows XP systems to install a new edition of Windows Desktop Search, and instead said that the new software hitting desktops had been previously approved by administrators.
Reports from users who claimed that Windows Desktop Search (WDS) was installing without permission began hitting Internet message forums, including Microsoft-hosted support newsgroups, early today.
"WDS 3.01 downloaded and 'approved itself' on WSUS, then start installing on clients," said a user identified as Rob S. "This occurred despite WSUS being set to only auto approve updates to patches. My company has not deployed any version of WDS (until today of course!) so the installation came as a complete surprise. Full versions, not updates have appeared on machines."
Another user was less politic. "What is going on?" asked someone tagged as VeryUnhappyCustomer. "The upgrade somehow got automatically approved for deployment in our WSUS server. This isn't a minor change to an existing patch, this is a major version upgrade! So far most of the PCs have installed it fine but some installations have failed silently but a few have cause profile corruption."
WDS -- desktop search functionality for Windows XP and Windows Server 2003 systems -- was updated to version 3.01 at the end of August, but was offered to machines managed by Windows Server Update Services (WSUS), Microsoft's enterprise-grade update manager, only this week.
A WSUS program manager denied that the WDS 3.01 update had gone out without users' authorization, but did admit that the situation had confused everyone. According to Bobbie Harder, who posted on a Microsoft company blog, WDS 3.01 was applied only to PCs for which administrators had approved the February 2007 install of WDS 3.0.
"The initial update [February] would have only been installed if the update had been either auto, or manually approved, and if the applicability criteria was met on the client that WDS was installed," said Harder. In cases where WDS was not installed, however -- yet the update was pre-approved earlier -- WSUS apparently "remembered" the update-approved setting.
Because the newest update, which Harder pegged as revision 105, had its applicability logic expanded, it was treated as applicable to all machines where the February update had been auto- or manually approved -- even PCs that had never had WDS dropped on their drives.
Harder tried to explain what happened. "WSUS by default is set to auto-approve update revisions to minimize administrative overhead and make sure distribution 'just works'," said Harder. "With the expanded applicability rules, and the WSUS default setting to auto-approve new revisions, it may have appeared as if this update was deployed without approval."
By Harder's explanation, PCs that had been pre-approved for the February update but had not had WDS installed would, in fact, have been instructed to add the desktop search tool to their drives. Thus, users who earlier reported that WDS had been installed on machines without it were, in fact, not seeing things.
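The interaction Harder describes can be reproduced in a simplified model, added here as an illustration and not Microsoft's or WSUS's own code. The class names, the three-PC fleet and the February revision number (1) are constructed; only revision 105 and the two applicability rules come from the account above.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Client:
    name: str
    has_wds: bool  # is some version of WDS already installed?

@dataclass(frozen=True)
class Revision:
    update_id: str
    number: int
    applies_to: Callable[[Client], bool]  # applicability rule shipped with this revision

class UpdateServer:
    """Toy update server: an approval is stored per update, pointing at one revision."""
    def __init__(self, auto_approve_revisions: bool = True):
        self.auto_approve_revisions = auto_approve_revisions
        self.revisions: Dict[Tuple[str, int], Revision] = {}
        self.approved: Dict[str, int] = {}  # update_id -> approved revision number

    def approve(self, update_id: str, number: int) -> None:
        self.approved[update_id] = number

    def publish(self, rev: Revision) -> None:
        self.revisions[(rev.update_id, rev.number)] = rev
        # The "remembered" approval: with auto-approval of revisions on, an
        # existing approval moves to the new revision and its new rule.
        if self.auto_approve_revisions and rev.update_id in self.approved:
            self.approved[rev.update_id] = rev.number

    def offered_to(self, fleet: List[Client]) -> List[str]:
        names = []
        for update_id, number in self.approved.items():
            rule = self.revisions[(update_id, number)].applies_to
            names += [c.name for c in fleet if rule(c)]
        return sorted(names)

def simulate(auto_approve_revisions: bool) -> Tuple[List[str], List[str]]:
    """Return (clients offered WDS after February, clients offered after revision 105)."""
    fleet = [Client("pc-01", True), Client("pc-02", False), Client("pc-03", False)]
    server = UpdateServer(auto_approve_revisions)
    # February update: applicable only where WDS is already installed.
    server.publish(Revision("WDS", 1, lambda c: c.has_wds))
    server.approve("WDS", 1)  # approved, but a no-op on PCs without WDS
    before = server.offered_to(fleet)
    # Revision 105: applicability expanded to every machine.
    server.publish(Revision("WDS", 105, lambda c: True))
    return before, server.offered_to(fleet)

if __name__ == "__main__":
    print("auto-approve revisions on: ", simulate(True))
    print("auto-approve revisions off:", simulate(False))
```

With auto-approval of revisions on, the two PCs that never had WDS are offered it after revision 105; with it off, the approval stays pinned to the February revision and its narrower rule.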
That said, Harder acknowledged that the update had caused confusion, if not consternation, among users. "We appreciate the confusion this behavior caused," he said, and noted that criteria for revision updates -- which this month's WDS offering was -- would be tightened "so that auto-approval of revision behaviors are more predictable and of similar scope as the original approved update." Harder did not spell out what that "tightening" might involve, however.