WSUS fubar – Microsoft Desktop Search

Thank you Microsoft, for once again bypassing my Windows update policies. I can now go explain to my managers why 500 workstations and 12 servers have ended up with Microsoft Desktop Search, without anyones explicit approval. To illustrate how totally stupid this is, check out these screenshots out of our WSUS box:

As you can see above, our current update policy only allows Security updates, Critical Updates and Security Roleup Packs to be automaticly installed (“Approve for Installation”) on select computer groups (most of them test groups)

All other catagory of updates are set to “detect only” for all computers. Meaning that all other update catagories, including the “update” categorie are only detected, so I can see what systems are actually asking for a non-security update, and approve them when needed. Updates under these catagories are not installed automaticly.

Just to re-itterate: Updates of the “Update” categorie, are only suppose to automaticly be “Approve for Detection”.  And not “Approve for Installation”

So imagine my horror, when yesterday, after several frantic phonecalls from my support teams, I found 5 particular updates as follows:

These 5 updates where pushed on the 23rd of October, together with a bunch of Internet Explorer Security Roleup pack updates not listed here. 

The alarming thing about the above list, is the Appoval column.

Its set to Install.

I never approved these updates for installation.

These updates are suppose to be automaticly set to “Approve for Detection” only. What is even worse, is that, not only are they set to “Install”, they are set to “Install” for “all computers.”, which ignored any of my predefined computer groups. You can see that here:


These 5 updates, totally and utterly ignored the settings if our WSUS server, and did its own thing, installing forcefully on every single system in WSUS, inluding servers such as SQL servers, file servers, and several domain controllers.

I didnt even think it was technicly possible that these updates could override the WSUS server settings. This proves they can, and moreover, in the largest Microsoft update fuckup to date,  that Microsoft has more control over what updates you recieve in your Enterprise, than your own administrators.

The question now is, how this could have happened. Was this a mistake on Microsofts part? Perhaps, because it was also the .net Framework 3.0 that was approved in this way. One can theorise about MS wanting to forcefuly push MS Desktop Search as some kind of play against Google desktop, sure, but .Net 3.0 too?  And at the same time?  Surely they would have known what kind of shitstorm this would cause!

So my money is on an honest-to-god mistake on Microsofts part. We can probably expect some kind of enterprise Desktop Search de-installation tool in the next week or so..  perhaps 😉

In the meantime, administators and IT managers around the world, are going to have to ask themselves weather they still trust Microsoft. Especially considdering that whatever they push can apparently override server-specific settings.



Microsoft WSUS team have responded with a post here
I responded on that post with the following:

I blogged about this happening to me here:

Now i I understand the above correctly…

There is a good chance I approved for installation, the update to Windows Desktop Search back in february.

I would have done that in the understanding that it would apply -only- to systems that already had the Windows Desktop Search tool installed.

That understanding has come from the behavior of Microsoft updates in general: -Updates- to components of Windows and other applications, only apply to systems that have that component or application installed.

Makes sense. After all: You cannot update software that isn’t installed in the first place… cause its not there yet.

Now what I understand from the post above, is that the update revision 105, released a few days ago, is not simply an update.  

It is in fact the entire Windows Desktop Search installer, with the ability to also replace/update previous installations.

And because of the WSUS feature to always aprove new revisions is also turned on on my WSUS server, 105 was also, automaticly approved. Cause its a -revision- of the feb update.

However..  you changed the scope of applicability of 105.

In my opinon, this is a very dangerous sequence of events, because the logic is not apparent to most admins I am guessing (based on what I have read so far).

The combination of both a revision, -and- a scope change at the same time, seems an inherently bad choice.

For all intense and purpose, the effect of the scope change for clients that did not have the WDS previously installed, does not constitute an -update-, and it should not be presented as such.

That means it should have been presented as a completely seperate item in WSUS, and should not have included the wording “update” anywhere in the discription.

I have read on the thread here:

that exactly the same thing happened with “Client Update for Microsoft Forefront Client Security (1.0.1703.0)”, which similarly was extended in scope.

The term “update”  should mean just that. You should not be using the term so generically, and wrapping up “new” installation functionality into one and the same package.  

Keep it separate. Keep the language clear to us admins who have probably very little time to devote to patch management already.


Update 2

Copy-paste of my comment on the Microsoft Update product team blog

After reading this:

I have a better understanding of what might have happened. And it seems like the behavior is by design.

However, I believe the way this update was packaged and presented, undermines the logic we have come to expect from WSUS updates.

The problem is that the package is presented internally as a revision -update-, which are by default -always- automatically approved (your other approval settings don’t override this), but it was combined with a scope change, that allowed the package to also install WDS on systems that did not have it previously.

It is the second behavior that causes the problem. Installation on systems that did not have it previously, is NOT an -update-, they should not behave as such.

Revision 105 was called “Windows Desktop Search 3.01 for Windows XP (KB917013)”.  Classification: Update

Now from the name alone, it looks like its not an update, but a complete installation (which it was). I never got to see the name before the fact of course, because it auto-approved and installed itself.

The classification is “Update”, and this is what troubles me. Surely, if this “update” can install itself on systems without previous revisions, it does not belong in the “update” classification?

This should have been split into 2 packages.

1. An -update- with new revision number 105, possibly with a slighty differnet name including the word “update”. This would have been automatically approved if the default option for revisions auto-approving was not altered by the admin. The scope would be only install on systems with previous revisions of WDS

2. A new package, called “Windows Desktop Search 3.01 for Windows XP (KB917013)”, possibly a new revision number, but certainly a different classification. I don’t have a list of all the WSUS classifications here, but I am sure there is one that is suitable, wasn’t their something for new Windows features?


World of Warcraft: The Art of the Trading Card Game

Upper Deck and Blizzard Entertainment announced the January 2008 release of a new hardcover book titled World of Warcraft: The Art of the Trading Card Game, which will feature artwork created for the highly popular World of Warcraft Trading Card Game (TCG). Published by Chronicle Books, the 288-page, 11″x9″ book will include more than 300 full-color iconic pieces of art featured during the first year of release of the World of Warcraft TCG. Artists include Todd McFarlane (Spawn), Greg Staples (Judge Dredd), Zoltan Boros and Gabor Szikszai (InQuest Gamer magazine’s “Artists of the Year” recipients), Marcelo Vignali (Disney Animation), and Todd Lockwood (Forgotten Realms), among others.

Read the entire press release here.

— Delivered by Feed43 service

Cake: The Weighted Companion Cube Cake

cubecake.jpgEver since the release of The Orange Box, gamers have gone Companion Cube crazy. There have been wallpapers, a papercraft, myriad fan-art and even a home made plushie dedicated to the little heart adorned box. I suppose it was just a matter of time before someone made a Companion Cube cake and it looks like that time is now. Half-Life forum poster f1r3b4ll and his significant other baked this tasty treat after completing Portal n honor of the game that has spawned numerous internet memes within it’s first couple weeks of existence. Bon appetit!

[Thanks, animstar]


This is today’s comic, which represents an authentic conversation between my son and I.  There really should be some kind of licensing requirement for procreation. 

Today’s post is from Joel DeYoung, who worked on The Simpsons: Road Rage and The Simpsons: Hit and Run.  He’s on over at Hothead now, working on our shit, but this post isn’t about his contributions to the regular industry:  it’s about his incredible work on SquawkBox.  What is that?  Well, you’ll find out soon enough.  I couldn’t believe I’d never heard of it before. 

SquawkBox is a free plug-in for Microsoft Flight Simulator. It lets virtual pilots connect to a network where they can communicate with real people performing virtual air traffic control. I first came across it in 2001 while searching for add-ons to the latest version of Flight Simulator. The description I read online made it sound like a big MMO for pilots and air traffic controllers, a concept I could scarcely believe until I logged on and tried it for myself. My inexperience meant that on my first try I flew my small Cessna right into the approach path of a major international airport. The controller who called on the radio and suggested I do a quick 180 before I get smashed by an incoming 747 was ever so nice.

Some of you are probably scratching your head at this description, so let me be explicit. There are a bunch of people in their basements playing Flight Simulator, and a bunch of people in their basements pretending to be air traffic controllers, running an application that simulates a radarscope. All wearing USB headsets, they are connected to a big network called VATSIM where they talk to each other and simulate realistic air traffic procedures as accurately as possible. And some of them are drinking.

Aside from the immediate appeal of having a mini-fridge in your cockpit, adding this type of online experience to flight simulation makes it qualitatively different. Not only do you see other planes out your cockpit window, and talk to air traffic controllers while flying, but you don’t even take off without at least a half hour of preparation. Just like in real-life, you have to check the weather, prepare your flight plan, file it with the appropriate authorities and contact a controller to get the proper clearances. All of this happens before you even turn on your plane’s engines! Out of the box, Flight Simulator starts you on the end of the runway: you just push the throttle and take off. So while on the surface this may seem like a much more tedious proposition, SquawkBox users take the additional realism quite seriously.

Shortly after trying it all out, I was so hooked that I contacted the author and eventually took over the freeware project. I spent the next three years working on a new version in my spare time, and have worked on updates and patches since then. What started out as a fun side project ended up exposing me to a world where the obsession to create an authentic experience is completely unmatched by anything I had ever seen. LARPers may spend an entire weekend in the forest, but this crowd reads thick FAA manuals for fun.

The depth to which the virtual aviation enthusiast pursues this hobby depends entirely on how far down the rabbit hole they want to go. You could get a headset and fly short flights using your mouse and keyboard (a fact you should probably not tell your fellow pilots lest you be ridiculed for such unrealistic input devices). Or maybe you get a yoke and some pedals and build a little cockpit at your desk. Maybe you decide to make the leap into air traffic control and join one of VATSIM ís controller training regimens, hoping to pass the test and get certified. Perhaps you join a virtual airline flying long-hauls across the ocean, building your hours until you achieve the coveted rank of Captain. Or maybe you spend years searching for surplus Boeing parts to build a 737 cockpit in your garage, or elsewhere if the hydraulic motion platform requires a larger venue.

Safe, efficient air travel relies on a mountain of rules, procedures, international treaties and regulatory schemes. On VATSIM, they try to simulate them all. It may just look like a bunch of people flying and directing air traffic. But to make sure the whole operation runs smoothly, there are a ton of regulations, organizational hierarchy, committees, agreements and other schemes which effectively add up to a government bureaucracy sim. Maybe this sounds stale, but if you’re trying to be authentic you may as well go all the way.

The amazing thing about VATSIM is that it works at all, since it is a completely non-commercial operation. From administration of the servers, to writing the software, to running the various virtual air traffic control authorities around the world, the entire thing is operated by volunteer effort. I think the secret to its success lies in both the dedication and friendliness of the participants. The community consists of people from all ages and walks of life, brought together by a shared passion for aviation. Overall, they’re a really friendly bunch, making it easy for a complete noob to get started. In other words, it has all the ingredients for a successful online community.

If you haven’t seen this…

There’s a lot of self help stuff out there, motivating people to slough through their natural indulgences and lethargy to achieve the most out of life.  But I haven’t seen much more inspiring than this talk.   It’s by Randy Pausch, a Carnegie Mellon University computer-science professor, who has led an amazing life, and at age 47, faces terminal cancer, with 3-5 months to live.  It’s a LONG talk, almost 2 hours, but really worth it to see the whole thing if you have the time.  A Wall Street Journal article on Randy and his lecture can be read here, with a 5 minute abbreviated video of the lecture, if you don’t want to watch the whole 2 hours.

It’s surreal to watch a man who is dying be so inspiring, all with such a wonderful sense of humor.  What is so inspiring about it?  Well, it’s basically a story of his life framed around his childhood goals, and how he tried to achieve them in his life.   What really struck me while I was watching it was that I don’t think I’ve ever really written down what I want to achieve before I die.  Seems silly that I haven’t, I mean, this is my only life, but how many of us are that focused and driven?  I’ve always had a vague direction I’ve pointed myself in, but concrete, written down goals that I want to see checked off before I die?  No.  But after watching this, I definitely will be drafting something.  Because as Randy has found, life can take unexpected turns at any moment.

I also loved a few quotes from his lecture.  First, that “experience is what you get when you didn’t get what you wanted.”  And, “…brick walls are here for a reason. The brick walls are not there to keep us out. The brick walls are there to give us  chance to show how badly we want something. Because the brick walls are there to stop the people who don’t want it badly enough. They’re there to stop the other people.”

A full written transcript can be found here.

Share This