There's been a giant flap the last week or so about PCs having updates pushed down to them through WSUS and applied, even when the local policy indicated they needed to be approved first. I didn't run into this issue on any of my machines, and I'm not aware of any problems with the machines at NetPro, but enough people had the problem that it generated a lot of noise in the press.
My good friend Austin Osuide, The Coolest Man in the World™, pointed this post out to me on the WSUS product team blog. The outline of the problem is roughly this:
- In February MSFT released an update to Windows Desktop Search. Its scope (the systems to which it could be applied) was limited to machines that already had WDS installed.
- This week MSFT revised the update to increase its scope to include all XP SP2 and WS2003 SP1 machines that did not have WDS installed.
- By default, if you accept an update in WSUS, WSUS assumes you wish to automatically accept subsequent revisions to the update.
- WSUS then automatically pushed the revised update to the XP SP2 and WS2003 SP1 machines that were originally out of scope, but were now in the scope of the revised update.
An understandable error, but from the users' perspective one that is totally counterintuitive. How can an admin specifically indicate that he must approve updates before they get pushed out, and then have the system push them out with no approval?
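The sequence above can be reproduced with a small model. This is an added example, not WSUS code or anything from the product team's post; the class, field and machine names are hypothetical, and the machine list is constructed. It contrasts an approval that follows the update across revisions with one pinned to the revision the admin actually reviewed.

```python
# Simplified model of the approval flow described above; not WSUS code.
# All class, field, update and machine names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Revision:
    number: int
    applies_to: callable  # applicability rule: machine -> bool

@dataclass
class Server:
    auto_approve_revisions: bool                    # the post says this is the default
    revisions: dict = field(default_factory=dict)   # update_id -> [Revision, ...]
    approved: dict = field(default_factory=dict)    # update_id -> approved revision no.

    def publish(self, update_id, rev):
        self.revisions.setdefault(update_id, []).append(rev)
        # Here the approval follows the update, not the revision that was reviewed.
        if self.auto_approve_revisions and update_id in self.approved:
            self.approved[update_id] = rev.number

    def approve(self, update_id):
        self.approved[update_id] = self.revisions[update_id][-1].number

    def targets(self, update_id, machines):
        num = self.approved.get(update_id)
        rev = next((r for r in self.revisions.get(update_id, []) if r.number == num), None)
        return sorted(m["name"] for m in machines if rev and rev.applies_to(m))

    def pending_review(self):
        # Updates whose newest revision has not been approved by anyone.
        return sorted(u for u, revs in self.revisions.items()
                      if self.approved.get(u) != revs[-1].number)

MACHINES = [  # constructed sample fleet
    {"name": "xp-01", "os": "XP SP2", "wds": True},
    {"name": "xp-02", "os": "XP SP2", "wds": False},
    {"name": "srv-01", "os": "WS2003 SP1", "wds": False},
]

def run(auto):
    s = Server(auto_approve_revisions=auto)
    s.publish("wds-update", Revision(1, lambda m: m["wds"]))  # original scope: WDS installed
    s.approve("wds-update")                                   # admin reviews revision 1
    before = s.targets("wds-update", MACHINES)
    widened = lambda m: m["os"] in ("XP SP2", "WS2003 SP1")   # revised scope
    s.publish("wds-update", Revision(2, widened))
    return before, s.targets("wds-update", MACHINES), s.pending_review()

if __name__ == "__main__":
    print("auto-approve revisions:", run(True))
    print("pinned to revision:   ", run(False))
```

With revisions auto-approved, the target set grows from one machine to three without any new admin action; with the approval pinned, the target set is unchanged and the revised update shows up as awaiting review.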
I've got more to say about this from a software design perspective, but I'll get to that later.
WSUS Product Team Blog: WDS update revision follow-up