It seems like Microsoft just doesn’t learn. OK, I’ll grant you, it’s hard for a multi-billion dollar company with tens of thousands of employees to move quickly or respond nimbly to customer concerns, but I can only justify their actions so far. Here we are again, for the second time in as many months, talking about Microsoft pushing software to Windows machines when that software was unapproved or unwanted.
Last time something like this happened, Microsoft was updating their Windows Auto Update client, even when automatic updates were turned off. The explanation was something along the lines of “we needed to update the auto-update client so it would workâ€, failing to recognize that if it was turned off it didn’t really need to work, did it?
This time, we find Microsoft unexpectedly changing the applicability scope for an update delivered via Windows Server Update Services (WSUS) and delivering that update as a revision. Because most WSUS installations are set to auto-approve revisions—this helps reduce the administrative overhead of managing the update list—this update was pushed out to all systems. And because this update was a full installation, not just an update, then suddenly organizations find themselves with loads of machines running Windows Desktop Search (WDS). Oh, that includes the servers in the datacenter, too.
The WSUS team at Microsoft posted a blog entry trying to explain the behavior and, in my opinion, failing miserably. Since this was technically classified as a revision to an existing update, the WSUS team insists that this revision would only have been installed if prior WDS updates had also been approved. This is consistent with the automatic approval of revisions.
Unfortunately, it would appear that Microsoft made poor judgment calls in a number of areas:
- Listing this as a revision (which is supposed to be limited to changes in metadata or applicability rules, never changes in binaries) when in fact it appears to be an entirely new version of WDS
- Changing the applicability rules for this update to include all systems, including those that did not previously have WDS installed
- According to some customers, installing the update even when previous updates were not approved
In my opinion, this bodes poorly for Microsoft. Managing patches is already a huge task for many admins. Now administrators have to worry about “updates†getting installed that shouldn’t have been because there’s been an applicability change to the update, or it was listed as a revision when it’s really a new set of binaries.
If by chance you were hit with this, you can uninstall WDS with either of the following commands:
%windir%\$ntuninstallkb917013\spuninst\spuninst /quiet /norestart
MsiExec.exe /X{E72019B8-1287-4093-BE9B-1CFA7BA1A8D2} /quiet /norestart
Are there any readers out there who were actually affected by this issue?
8 comments
Comments feed for this article
Trackback link
http://blog.scottlowe.org/2007/11/06/microsoft-update-troubles-again/trackback/
Tuesday, November 6, 2007 at 5:52 am
Michel Zehnder
Hi
Yes, we were affected by this.
A User stated that WDS was installed by WSUS on his Laptop, and he asked that I unapprove the update because it keeps installing itself if he uninstalls WDS.
This got my attention and I found myself having WDS on all machines in our Organization (of course, including Servers) We’re lucky that we are only a small Organization (~35 Clients) and the damage can be controlled with little effort, but I don’t want to be the admin who controls like 1000 desktops, and I definitely don’t want to be at the helpdesk there
I hope we don’t have to be worried about on each patch day that something may go wrong, and we may end up having pushed out some Software on all Computers
Let’s hope Microsoft learns something out of this.
Regards
Michel
Tuesday, November 6, 2007 at 7:58 am
slowe
Michel,
Have you read the response by the WSUS team on their blog? I’m curious to see if you “fit” the criteria they laid out, i.e., had a previous WDS update approved and auto-approve revisions enabled. It would be interesting to see how many users really fall into the situation described by the WSUS team…or how many users just had WDS forced onto their systems.
Tuesday, November 6, 2007 at 11:19 am
Michel Zehnder
Scott,
Yes, we fit the criteria listed on the blog entry.
I’ve initially approved the update because some users have WDS installed and want to use it, so my interest is to keep it up to date (but of corse not force it to all machines).
/Michel
Tuesday, November 6, 2007 at 8:40 pm
Radar Detector
I find windows updates very annoying and it’s true that the updates are not necessary most of the time.
Thanks for the very useful tips.
Wednesday, November 7, 2007 at 12:07 am
Alex
Haven’t seen it yet, but I only automatically approve critical patches and security updates.
Wednesday, November 14, 2007 at 11:07 pm
Matt
The company I work for was affected by this issue. We have approximately 1200 desktops and it was pushed out to all of them. We fit the criteria as one of our administrators previously noticed that it didn’t affect anything, so he approved it. Combined with McAfee
Wednesday, November 14, 2007 at 11:09 pm
Matt
I apologize for two posts, I pressed the wrong button
Combined with McAfee’s resident virus protection, the search indexing was destroying performance. This was frustrating as about 95% of our users have absolutely no use for it at all. The uninstall command you have provided will come in incredibly useful. Thanks.
Monday, November 19, 2007 at 11:47 am
James
After some trouble like this we decided to get rid of wsus entirely. From some advice and good reccomendations we switched to a 3rd party solution - desktop authority. It works really good in our environment. This week we updated this solution to a new version 7.7 that has some useful enhancements including more powerful patching and updating. Now it supports multi-lingual patch distribution, different patch type filters and patch rollback. It’s pretty cool.