WSUS independently installs Windows Desktop Search on client PCs
Under certain circumstances, PCs in enterprise networks may independently install Microsoft's Desktop Search engine from a WSUS server even if the administrator has not consented. Now, Microsoft has reacted to the complaints users have been posting on online forums since Wednesday. The problem only concerns enterprise PCs that get their updates from a WSUS server.
The update with knowledge base number 917013, which Microsoft originally published on February 7, is the culprit. Back then, the update was an optional package for Windows Desktop Search, not a security-relevant patch. WSUS administrators had to activate it intentionally for local PCs to be offered it for installation.
On October 23, Microsoft put "Revision 105" of this update on its servers. The software vendor says that it did not change any binary files, but merely the related configuration files. But the changes had an undesired side effect: WSUS is preconfigured to automatically approve revisions of previous updates. In cooperation with the WSUS server, client PCs then decide independently which of the packets approved by the administrator to install.
With the latest revision, Microsoft has quietly changed its installation policy for update 917013. Originally, only PCs that had already installed the desktop search also installed the update. But after the revision, PCs running XP and Server 2003 suddenly also installed desktop search automatically even though they had not had it before – provided, of course, that the administrator had already approved the February update for installation.
Microsoft says that it has temporarily stopped sending out the update via WSUS. The vendor says that it will not be supplying a new package as a "revision."