Default automatic approvals (in light of KB3001652) considered harmful

  • In case you didn't know, your WSUS server adds a "default automatic approval" rule that causes it to automatically approve critical and security updates. If you still have that enabled, you should remove it ASAP. It burned me.

    To remove the rule, go to Options in your WSUS console then "automatic Approvals", select the rule and Remove it.

    This month, Microsoft released the Critical update KB3001652 (to Visual Studio Tools for Microsoft Office 2010, a run-time library for third-party applications) which caused many systems to hang.

    Microsoft quickly revoked the update, but if your (i.e. my) WSUS server has the default automatic approval rule, the bad update (since it is "Critical") is automatically approved then downloaded to any workstation with an application that uses the library.

    When users go to shut their computers down when they leave work, the bad update starts and never stops, continuing all night. And leaving them frozen out when they come in in the morning.   The only recourse is to power off.

    Wednesday, February 11, 2015 1:47 PM

All replies

  • Well, the problem here is that Microsoft made a mistake. New revisions shall not contain new binaries.

    See this article:

    Managing changes from a WSUS Server

    "Auto-reapprove revisions. By default, when a new revision of an approved update is synchronized to the WSUS server we move the approval to the new revision. Normally this is what customers want, since new revisions never contain new binaries, just fixes to the metadata that describe how to automate the installation of the update."

    An even more serious  problem IMO is that MS revoked the update but they did not immediately distribute new metadata to expire the update. In fact they have not updated the metadata yet.

    Rolf Lidvall, Swedish Radio (Ltd)

    Wednesday, February 11, 2015 3:16 PM
  • But I have to wonder if I should allow WSUS to automatically approve anything ever again, regardless of what is promised.
    Wednesday, February 11, 2015 3:43 PM
    MS has now released another new version (rev. 204), but you will not get that unless you check the lower box labeled "Visual Studio 2010 Tools for Office Runtime" (on the other hand you didn't get the problematic rev. 202 either if you hadn't checked that box).

    I think MS really messed it up now by implementing two checkboxes for the same Product:

    Rolf Lidvall, Swedish Radio (Ltd)

    • Edited by Rolf Lidvall Thursday, February 12, 2015 2:15 PM
    Thursday, February 12, 2015 1:35 PM
  • Thanks, but...

    All this stuff about this month's Bad Patch is useful but doesn't address whether automatic approvals are ever a good idea.  I think you still have to remove the default rule.

    Friday, February 13, 2015 6:26 PM
  • automatic approvals are fine, if you apply the automatic approval to a small group of test/pilot machines.

    Using auto-approve targeted at your whole fleet, is madness, and, MSFT have never recommended that.

    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Saturday, February 14, 2015 7:35 AM
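    As an added example, not code from any post in this thread: the PowerShell below uses the WSUS administration API (Microsoft.UpdateServices.Administration) to audit every automatic approval rule, showing which classifications it approves and which computer groups it targets, and then either retargets the rule WSUS creates by default ("Default Automatic Approval Rule") to a small pilot group, as the reply above recommends, or disables it outright, as the original post recommends. It assumes it is run on the WSUS server (or a host with the WSUS console installed) by an account in the WSUS Administrators group, and that a computer target group named "Pilot" already exists; that group name is an assumption, change it to match your server.

```powershell
# Added example (not from the thread): audit WSUS automatic approval rules and
# either retarget the default rule to a pilot group or disable it.
# Assumptions: run locally on the WSUS server with the console installed;
# a computer target group named 'Pilot' (assumed name) already exists.

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# Connect to the local WSUS server (use GetUpdateServer($host, $useSsl, $port) for a remote one).
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

function Get-WsusApprovalRuleReport {
    # One row per rule: which classifications it approves, and which groups receive them.
    # A rule that targets 'All Computers' and approves Critical/Security updates is the
    # configuration this thread warns about.
    foreach ($rule in $wsus.GetInstallApprovalRules()) {
        [pscustomobject]@{
            Name            = $rule.Name
            Enabled         = $rule.Enabled
            TargetGroups    = ($rule.GetComputerTargetGroups() | ForEach-Object { $_.Name }) -join ', '
            Classifications = ($rule.GetUpdateClassifications() | ForEach-Object { $_.Title }) -join ', '
            HitsAllComputers = [bool]($rule.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'All Computers' })
        }
    }
    # Server-wide setting that moves an existing approval onto a new revision of the same
    # update (the "Auto-reapprove revisions" behaviour quoted earlier in this thread).
    $cfg = $wsus.GetConfiguration()
    [pscustomobject]@{
        Name            = '(server setting) AutoRefreshUpdateApprovals'
        Enabled         = $cfg.AutoRefreshUpdateApprovals
        TargetGroups    = ''
        Classifications = ''
        HitsAllComputers = $false
    }
}

function Set-WsusDefaultRuleTarget {
    # Retarget the default rule so automatic approvals only reach the pilot group.
    param(
        [string]$RuleName       = 'Default Automatic Approval Rule',
        [string]$PilotGroupName = 'Pilot'   # assumed group name
    )
    $rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $RuleName }
    if (-not $rule) { throw "Rule '$RuleName' not found on this server." }

    $pilot = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $PilotGroupName }
    if (-not $pilot) { throw "Computer target group '$PilotGroupName' does not exist; create it first." }

    $targets = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
    [void]$targets.Add($pilot)
    $rule.SetComputerTargetGroups($targets)   # replaces 'All Computers' with the pilot group only
    $rule.Save()
    return $rule
}

function Disable-WsusDefaultRule {
    # The stricter option from the original post: stop automatic approvals entirely,
    # so every update (and every revision) needs a human approval.
    param([string]$RuleName = 'Default Automatic Approval Rule')
    $rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $RuleName }
    if (-not $rule) { throw "Rule '$RuleName' not found on this server." }
    $rule.Enabled = $false
    $rule.Save()
    return $rule
}

# Usage: review first, then pick one of the two remediations.
Get-WsusApprovalRuleReport | Format-Table -AutoSize
# Set-WsusDefaultRuleTarget -PilotGroupName 'Pilot'
# Disable-WsusDefaultRule
```

    Run the report first: a rule whose TargetGroups column contains "All Computers" and whose Classifications include Critical Updates or Security Updates is the default configuration described at the top of this thread. Retargeting keeps the convenience of automatic approval for a pilot ring while leaving the rest of the fleet on manual approval; disabling the rule removes the automation altogether, which is what the original poster chose after KB3001652.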
  • Using auto-approve targeted at your whole fleet, is madness, and, MSFT have never recommended that.

    Which is peculiar, since that's exactly what I found set as the default auto-approval rule: Critical and Security updates were automatically approved for all machines on the server. I agree that's madness.

    Fortunately my "fleet" has only about 60 OSEs to manage.

    Sunday, February 15, 2015 5:44 AM
  • Rolf, great, thank you, I missed that "duplicated" product...
    Tuesday, April 7, 2015 3:53 PM
  • Rolf, great, thank you, I missed that "duplicated" product...
    No problem, I wonder if they're ever going to remove it...

    Rolf Lidvall, Swedish Radio (Ltd)

    Wednesday, April 8, 2015 7:51 AM