Thank you Microsoft, for once again bypassing my Windows update policies. I can now go explain to my managers why 500 workstations and 12 servers have ended up with Microsoft Desktop Search, without anyone's explicit approval. To illustrate how totally stupid this is, check out these screenshots out of our WSUS box:
As you can see above, our current update policy only allows Security Updates, Critical Updates and Security Rollup Packs to be automatically installed (“Approve for Installation”) on select computer groups (most of them test groups).
All other categories of updates are set to “detect only” for all computers. Meaning that all other update categories, including the “Update” category, are only detected, so I can see what systems are actually asking for a non-security update, and approve them when needed. Updates under these categories are not installed automatically.
Just to reiterate: updates of the “Update” category are only supposed to automatically be “Approve for Detection”, and not “Approve for Installation”.
So imagine my horror, when yesterday, after several frantic phone calls from my support teams, I found 5 particular updates as follows:
These 5 updates were pushed on the 23rd of October, together with a bunch of Internet Explorer Security Rollup pack updates not listed here.
The alarming thing about the above list is the Approval column.
It's set to Install.
I never approved these updates for installation.
These updates are supposed to be automatically set to “Approve for Detection” only. What is even worse is that not only are they set to “Install”, they are set to “Install” for “all computers”, which ignored any of my predefined computer groups. You can see that here:
These 5 updates totally and utterly ignored the settings of our WSUS server, and did their own thing, installing forcefully on every single system in WSUS, including servers such as SQL servers, file servers, and several domain controllers.
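One way to check a WSUS server for approvals like the ones described above, written as an added example that is not part of the original post: it lists every recent “Install” approval that either targets the built-in All Computers group or belongs to a classification outside the allowed list. It assumes PowerShell 3.0 or later run on the WSUS server with the administration console installed; the classification titles, the 30-day window and the output file name are assumptions to adjust locally.

```powershell
# Added example: audit WSUS for "Install" approvals that fall outside policy.
# Assumptions: runs locally on the WSUS server; the titles in
# $AllowedClassifications mirror the policy described in the post and may
# need to be changed to match the classification titles on your server.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$AllowedClassifications = @('Security Updates', 'Critical Updates', 'Update Rollups')
$Since = (Get-Date).ToUniversalTime().AddDays(-30)   # look-back window (assumption)

$wsus         = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$allComputers = [Microsoft.UpdateServices.Administration.ComputerTargetGroupId]::AllComputers
$install      = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

$findings = foreach ($update in $wsus.GetUpdates()) {
    foreach ($approval in $update.GetUpdateApprovals()) {
        # Only install approvals created inside the look-back window matter here.
        if ($approval.Action -ne $install)      { continue }
        if ($approval.CreationDate -lt $Since)  { continue }

        $outsidePolicy = $AllowedClassifications -notcontains $update.UpdateClassificationTitle
        $toEveryone    = $approval.ComputerTargetGroupId -eq $allComputers

        if ($outsidePolicy -or $toEveryone) {
            [pscustomobject]@{
                Title          = $update.Title
                Classification = $update.UpdateClassificationTitle
                TargetGroup    = $approval.GetComputerTargetGroup().Name
                ApprovedBy     = $approval.AdministratorName   # who or what created the approval
                CreatedUtc     = $approval.CreationDate
                OutsidePolicy  = $outsidePolicy
                AllComputers   = $toEveryone
            }
        }
    }
}

# Newest first, so a surprise approval shows up at the top of the report.
$findings | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path .\wsus-approval-audit.csv -NoTypeInformation
```

Run on a schedule and compared against the previous report, this surfaces an approval nobody on the team created before the next client detection cycle installs it.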
I didn't even think it was technically possible that these updates could override the WSUS server settings. This proves they can, and moreover, in the largest Microsoft update fuckup to date, that Microsoft has more control over what updates you receive in your enterprise than your own administrators.
The question now is how this could have happened. Was this a mistake on Microsoft's part? Perhaps, because it was also the .NET Framework 3.0 that was approved in this way. One can theorise about MS wanting to forcefully push MS Desktop Search as some kind of play against Google Desktop, sure, but .NET 3.0 too? And at the same time? Surely they would have known what kind of shitstorm this would cause!
So my money is on an honest-to-god mistake on Microsoft's part. We can probably expect some kind of enterprise Desktop Search de-installation tool in the next week or so... perhaps 😉
In the meantime, administrators and IT managers around the world are going to have to ask themselves whether they still trust Microsoft. Especially considering that whatever they push can apparently override server-specific settings.
Microsoft WSUS team have responded with a post here
I responded on that post with the following:
Copy-paste of my comment on the Microsoft Update product team blog