Microsoft has denied reports that its enterprise update service was forcing a new version of Windows Desktop Search on all Windows XP users.

The company claimed that the updates had been previously approved by administrators.

Reports from users who claimed that Windows Desktop Search (WDS) was installing without permission began hitting message forums, including Microsoft-hosted support newsgroups, yesterday.

"WDS 3.01 downloaded and 'approved itself' on WSUS, then start installing on clients," said a user identified as Rob S. "This occurred despite WSUS being set to only auto approve updates to patches. My company has not deployed any version of WDS (until today of course!) so the installation came as a complete surprise. Full versions, not updates have appeared on machines."

Another user was less politic. "What is going on?" asked someone tagged as VeryUnhappyCustomer. "The upgrade somehow got automatically approved for deployment in our WSUS server. This isn't a minor change to an existing patch, this is a major version upgrade! So far most of the PCs have installed it fine but some installations have failed silently but a few have cause profile corruption."

WDS was updated to version 3.01 at the end of August, but was offered to machines managed by Windows Server Update Services (WSUS), Microsoft's enterprise-grade update manager, only this week.

A WSUS program manager denied that the WDS 3.01 update was not authorised by users, but did admit that the situation had confused everyone. According to Bobbie Harder, who posted on a Microsoft company blog, WDS 3.01 was applied only to PCs for which administrators had approved the February 2007 install of WDS 3.0.

"The initial update [February] would have only been installed if the update had been either auto, or manually approved, and if the applicability criteria was met on the client that WDS was installed," said Harder. In cases where WDS was not installed yet the update was pre-approved, WSUS apparently "remembered" the update-approved setting.

Because the newest update, revision 105, had its applicability logic expanded, it thought it was to be installed on all machines where the February update had been auto- or manually-approved - even to PCs that had never had WDS dropped on their drives.

Harder tried to explain what happened. "WSUS by default is set to auto-approve update revisions to minimise administrative overhead and make sure distribution 'just works'," he said. "With the expanded applicability rules, and the WSUS default setting to auto-approve new revisions. it may have appeared as if this update was deployed without approval."

By Harder's explanation, PCs that had been pre-approved for the February update but had not had WDS installed would, in fact, have been instructed to add the desktop search tool to their drives. Thus, users who earlier reported that WDS had been installed on machines without it were, in fact, not seeing things.

That said, Harder acknowledged that the update had caused confusion, if not consternation, among users. "We appreciate the confusion this behaviour caused," he said, and noted that criteria for revision updates - which this month's WDS offering was - would be tightened "so that auto-approval of revision behaviours are more predictable and of similar scope as the original approved update." Harder did not spell out what that "tightening" might involve, however.