Reports from users who claimed that WDS was installing without permission began hitting Internet message forums, including Microsoft-hosted support newsgroups, early today.
"WDS 3.01 downloaded and 'approved itself' on WSUS, then started installing on clients," said a user identified as Rob S. "This occurred despite [Windows Server Update Services] being set to only autoapprove updates to patches. My company has not deployed any version of WDS (until today, of course!) so the installation came as a complete surprise. Full versions, not updates have appeared on machines."
Another user was less politic. "What is going on?" asked someone tagged as VeryUnhappyCustomer. "The upgrade somehow got automatically approved for deployment in our WSUS server. This isn't a minor change to an existing patch, this is a major version upgrade! So far, most of the PCs have installed it fine, but some installations have failed silently [and] a few have cause profile corruption."
WDS -- desktop search functionality for Windows XP and Windows Server 2003 systems -- was updated to version 3.01 at the end of August, but was offered to machines managed by WSUS, Microsoft's enterprise-grade update manager, only this week.
Bobbie Harder, a WSUS program manager, denied that the WDS 3.01 update was unauthorized by users, but did admit that the situation had confused everyone. According to Harder, who posted on a Microsoft company blog, WDS 3.01 was applied only to PCs for which administrators had approved the February 2007 install of WDS 3.0.
"The initial update [February] would have only been installed if the update had been either [autoapprove] or manually approved, and if the applicability criteria was met on the client that WDS was installed," said Harder. In cases where WDS was not installed, however -- yet the update was preapproved earlier -- WSUS apparently "remembered" the update-approved setting.
Because the newest update, which Harder pegged as Revision 105, had its applicability logic expanded, it thought it was to be installed on all machines where the February update had been autoapproved or manually approved -- even to PCs that had never had WDS dropped onto their drives.
Harder tried to explain what happened. "WSUS by default is set to autoapprove update revisions to minimize administrative overhead and make sure distribution 'just works,'" said Harder. "With the expanded applicability rules, and the WSUS default setting to autoapprove new revisions. it may have appeared as if this update was deployed without approval."
By Harder's explanation, PCs that had been preapproved for the February update but had not had WDS installed would, in fact, have been instructed to add the desktop search tool to their drives. Thus, users who earlier reported that WDS had been installed on machines without it were, in fact, not seeing things.
That said, Harder acknowledged that the update had caused confusion, if not consternation, among users. "We appreciate the confusion this behavior caused," he said, and noted that criteria for revision updates -- which this month's WDS offering was -- would be tightened "so that autoapproval of revision behaviors are more predictable and of similar scope as the original approved update." Harder did not spell out what that "tightening" might involve, however.