WDS revision update, expanded applicability rules, auto-approve revisions

Some customers have reported that the update package for KB917013 was being deployed to WSUS clients without the update having been approved for installation on their WSUS servers. The original update, released in February 2007 as an optional update, was only applicable on systems which had a version of Windows Desktop Search installed. The recent update, Revision 105, had its applicability logic expanded to apply to all systems regardless of whether a prior version of Windows Desktop Search was installed, IF, of course, it was approved in the WSUS Administrative UI or via Administrator-set auto-approval rules.

The initial update would only have been installed if it had been either automatically or manually approved, and if the applicability criteria were met on the client (that WDS was installed). For some customers, the original update was approved for install, but because the previous applicability rules applied only to clients which had WDS installed, the update was not actually installed.

So what happened with this revision, and why did it seemingly deploy itself to all systems in my environment? WSUS by default is set to auto-approve update revisions to minimize administrative overhead and make sure distribution “just works”. Keep in mind that revisions are only titled as such when the metadata or applicability rules of an update package change, never the binaries. Revisions are also, of course, only auto-approved via this setting if the original update is approved.

With the expanded applicability rules, and the WSUS default setting to auto-approve new revisions, it may have appeared as if this update was deployed without approval. For this revision to have also been approved and deployed, the initial version of the update would have had to have been approved, and the “auto-approve revisions” option would have had to be on (as it is by default).

To Recap:

  • The initial February 2007 release had to be purposely checked/approved by WSUS admins for distribution, because it was an Optional update.
  • All subsequent metadata-only revisions to that WSUS admin-approved February 2007 release would then also be automatically approved for distribution.
  • The initial February approval is retained throughout the life of the update, regardless of revision.
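The interaction between approval, applicability rules and the auto-approve-revisions setting can be modeled in a few lines. This is an added illustration, not WSUS code: the class names, the three-machine fleet and the placeholder number 100 for the original release are constructed, and it assumes clients are offered the newest approved revision.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

@dataclass
class Client:
    name: str
    has_wds: bool  # a prior Windows Desktop Search version is installed

@dataclass
class Revision:
    number: int
    applies_to: Callable[[Client], bool]  # applicability rule (metadata only)

@dataclass
class WsusServer:
    auto_approve_revisions: bool = True  # on by default, per the post
    revisions: Dict[int, Revision] = field(default_factory=dict)
    approved: Set[int] = field(default_factory=set)

    def publish(self, rev: Revision, admin_approves: bool = False) -> None:
        # A revision inherits approval only if an earlier revision was approved.
        inherited = self.auto_approve_revisions and bool(self.approved)
        self.revisions[rev.number] = rev
        if admin_approves or inherited:
            self.approved.add(rev.number)

    def served(self) -> Optional[Revision]:
        # Assumption: clients are offered the newest approved revision.
        return self.revisions[max(self.approved)] if self.approved else None

    def installs_on(self, fleet: List[Client]) -> List[str]:
        rev = self.served()
        return [c.name for c in fleet if rev and rev.applies_to(c)]

# Constructed fleet; 100 is a placeholder number for the original release.
FLEET = [Client("pc-01", True), Client("pc-02", False), Client("srv-01", False)]
ORIGINAL = Revision(100, lambda c: c.has_wds)
REV_105 = Revision(105, lambda c: True)  # expanded applicability

def simulate(auto_approve: bool, original_approved: bool) -> List[str]:
    server = WsusServer(auto_approve_revisions=auto_approve)
    server.publish(ORIGINAL, admin_approves=original_approved)
    server.publish(REV_105)
    return server.installs_on(FLEET)

if __name__ == "__main__":
    for auto, orig in [(True, True), (False, True), (True, False)]:
        print(f"auto_approve={auto} original_approved={orig} ->", simulate(auto, orig))
```

With the original approved and the default setting on, every machine in the model receives the update; turning the setting off, or never approving the original, keeps Revision 105 from reaching machines without WDS.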

That said, we will be tightening the criteria for revisions so that auto-approval behavior for revisions is more predictable and of similar scope to the original approved update, as we appreciate the confusion this behavior caused.

Thanks as always for your feedback to make our products and processes work for our customers.

Bobbie Harder