Why WDS 3.01 (kb917013) install even if not approuved

The update revision setting has never been used to install a new product or
even automatically update a product in the past.

This was never the meaning or expectation of the setting. WHile I only
found the setting today because of Harry's posts, it plainly says revision to
an update. Not update to a product.

I get new updates to previously updated and previously installed products
all the time and I have to manually approve the updates. This is clearly a
re-interpretation by Microsoft in a market where they are loosing hugely to
Google - or should I say "another market where they are loosing hugely to
Google."

I am curious about what Google's take on this is.

Dale
--
Dale Preston
MCAD C#
MCSE, MCDBA


"kj [SBS MVP]" wrote:

> Jean-Pierre Paradis wrote:
> > I may have an explanation why we may think that kb917013 got
> > installed on system even if the update is not approve or even
> > declined.
> > Let me do a little explanation :
> >
> > o October 23th, 1h AM, my WSUS server synchronize with Microsoft and
> > recevied the update definition (metadata)
> > for kb917013 revision 105
> > o My server is configure to auto-approved revisions for an already
> > approved update (as many of you I'm sure).
> > So the revision for update kb917013 got approved
> > o October 24th, 9h AM, I plug my laptop in the network and boot. The
> > Windows Update Client reported to my
> > WSUS server and identified the kb917013 (revision 105) update as
> > needing to be download
> > o October 24th, 11h AM the download of update kb917013 was completed
> > on my laptop
> > o October 24th, 13h PM I read about the problem with kb917013 on the
> > Internet and declined
> > the update on my server.
> > o October 24th, 16h PM, as define by GPO the update kb917013 got
> > installed on my system
> >
> > My understanding is that once a computer identifies that a patch is
> > needed it will be installed. It doesn't matter if you declined the
> > approval afterwards, the computer never check again with WSUS to see
> > if the status of the update changed before installing it.
>
> I have the same understanding of that sequence of events, fwiw. However as I
> read it the update this time also applied to any applicaple system whether
> or not a previous version of WDS had been installed or not, unlike previous
> WDS updates that only applied to existing installations.
>
> Because many had not opted to install WDS before it then became a major
> issue, not just an update to an already installed product.
>
>
> --
> /kj
>
>
>
 >> Stay informed about: Why WDS 3.01 (kb917013) install even if not approuved 

"Jean-Pierre Paradis" wrote in message


>I may have an explanation why we may think that kb917013 got installed on
>system even if the update is not approve or even declined.
>
> Let me do a little explanation :
>
> o October 23th, 1h AM, my WSUS server synchronize with Microsoft and
> recevied the update definition (metadata)
> for kb917013 revision 105
> o My server is configure to auto-approved revisions for an already
> approved update (as many of you I'm sure).
> So the revision for update kb917013 got approved
> o October 24th, 9h AM, I plug my laptop in the network and boot. The
> Windows Update Client reported to my
> WSUS server and identified the kb917013 (revision 105) update as needing
> to be download
> o October 24th, 11h AM the download of update kb917013 was completed on my
> laptop
> o October 24th, 13h PM I read about the problem with kb917013 on the
> Internet and declined
> the update on my server.
> o October 24th, 16h PM, as define by GPO the update kb917013 got installed
> on my system
>
> My understanding is that once a computer identifies that a patch is needed
> it will be installed.

This is a somewhat incorrect understanding, Jean-Pierre.

Once an update is UNapproved/DECLINED on the WSUS server, the next time the
client system executes a detection, it will discover that the update is no
longer approved, and if the update has not yet been installed, it will be
dequeued for installation.

> t doesn't matter if you declined the approval afterwards, the computer
> never check again with WSUS to see if the status of the update changed
> before installing it.

It does, and it will -- but the client cannot possibly know that you've
changed the status of an update on the WSUS Server until the client executes
the detection to find out.

The "missing step" in most of these scenarios, I fear, is that while the
update may have been declined at the server, with the client only executing
detections every 22 hours, and the installation window likely less than 22
hours at the time of detection, unless a manual invocation of 'wuauclt
/detectnow' was executed -- or a GPO change to the detection frequency
(which would have triggered a policy update within 2 hours, immediately
followed by a detection -- thus discovering the approval change) -- merely
changing the approval status had minimal impact on those clients who had
already executed detections and discovered the approval.

--
Lawrence Garvin, M.S., MCTS, MCP
MVP - Software Distribution (2005-2007)
MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
 >> Stay informed about: Why WDS 3.01 (kb917013) install even if not approuved 

Dale wrote:

> The update revision setting has never been used to install a new product or
> even automatically update a product in the past.

Of course not; this isn't the intent of update revisions.

> [...] This is clearly a
> re-interpretation by Microsoft in a market where they are loosing hugely to
> Google - or should I say "another market where they are loosing hugely to
> Google."

It seems rather more likely that this was human error. At a guess, the original
update was intended to install the product rather than only update existing
installations - the name and description suggests as much. Somebody noticed
that it wasn't working the way it was supposed to, and fixed it without thinking
hard enough about the consequences.

Of course this is embarassing for Microsoft, particularly following so soon
after the fuss about the WUA client self-update. But in the absence of a
smoking gun I don't see any reason to subscribe to conspiracy theories.

Harry.
 >> Stay informed about: Why WDS 3.01 (kb917013) install even if not approuved 

"Harry Johnston [MVP]" wrote in message


> It seems rather more likely that this was human error. At a guess, the
> original update was intended to install the product rather than only
> update existing installations - the name and description suggests as much.
> Somebody noticed that it wasn't working the way it was supposed to, and
> fixed it without thinking hard enough about the consequences.

Seems like a very conveniant error. Don't Microsoft test their own products
these days?

> Of course this is embarassing for Microsoft, particularly following so
> soon after the fuss about the WUA client self-update. But in the absence
> of a smoking gun I don't see any reason to subscribe to conspiracy
> theories.
>
> Harry.
 >> Stay informed about: Why WDS 3.01 (kb917013) install even if not approuved