Export (0) Print
Expand All

Part 6: Computer Maintenance

Published: August 09, 2004 | Updated: September 15, 2004
By Starr Andersen, Technical Writer; Vincent Abella, Technical Editor

This document is Part 6 of “Changes to Functionality in Microsoft® Windows® XP Service Pack 2,” and provides detailed information about the security technologies included in Windows XP Service Pack 2 that help to inform the user about security and ensure that computers have current security updates. These technologies are either designed to help provide security or have been improved to provide more security than before. You can obtain the other parts of the paper in the Microsoft Download Center, at http://go.microsoft.com/fwlink/?LinkId=28022.

This document applies to Microsoft Windows XP Service Pack 2 (SP2) for the 32-bit versions of Windows XP Professional and Windows XP Home Edition. It does not describe all of the changes that are included in the service pack, but instead highlights those changes that will have the most impact on your use of Windows XP SP2 and provides references to additional information.

Bb457154.3squares(en-us,TechNet.10).gif
On This Page

Filter for Add or Remove Programs
Microsoft Windows Update Services and Automatic Updates
Resultant Set of Policy
Security Center
Setup
Windows Installer 3.0
Windows Update

Filter for Add or Remove Programs

What does the filter for Add or Remove Programs do?

The filter for Add or Remove Programs provides a means for the user to select whether or not updates, such as security updates downloaded from the Microsoft Web site, are displayed in the Currently installed programs list.

Who does this feature apply to?

Add or Remove Programs can be used by any user with Administrator credentials on their local computer. Although some applications can be installed or removed by non-administrators, most do require administrative credentials.

What existing functionality is changing in Windows XP Service Pack 2?

Filtering out updates from the Change or Remove Programs list

Detailed description

The Change or Remove Programs list in Add or Remove Programs displays installed programs that the user can change or remove. This list also shows updates to Windows or other programs that have been installed.

In Windows XP Service Pack 2 (SP2), the user is able to choose whether to show or hide updates for Windows and other programs in this view. A new Show updates check box appears above the list, which enables the user to toggle between showing or hiding installed updates.

Why is this change important?

Software vendors are creating more software updates and releasing them more frequently than ever before. These frequent updates help to increase the reliability and security of user’s systems. However, by showing every update in the Change or Remove Programs list in Add or Remove Programs, the list of installed programs is overwhelmed by the list of installed updates. A new option to filter out the updates from the list and only show installed programs makes this list easier for users to read.

What works differently? Are there any dependencies?

By default, Change and Remove Programs will not show installed updates to Windows. To see the updates that have been installed, you can select the Show Updates check box at the top of the list.

Any program can take advantage of this feature by marking their updates so that they are hidden when appropriate. Windows programs that were written before the release of Windows XP Service Pack 2 will be shown regardless of the filter option selection.

How do I resolve these issues?

To turn off the filter feature on a single computer, use the following procedure:

  1. Open Registry Editor.

    To do this, click Start, click Run, type regedit, and then press ENTER.

  2. Navigate to the following registry key:

    \\HKEY_LOCAL_MACHINE\Software\
    Microsoft\Windows \CurrentVersion\Policies\Uninstall

  3. Select the DontGroupPatches key.

    By default, the DWORD value is equal to 0.

  4. Change the DWORD value to 1 to disable the filter feature.

Caution   Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

In an enterprise environment, you can create a Group Policy object to modify the registry setting that controls the filter feature to make the Add or Remove Programs icon in Control Panel work as it did in Service Pack 1 for Windows XP.

What settings are added or changed in Windows XP Service Pack 2?

Setting name

 

Location

 

Previous default value (if applicable)

Default value

Possible values

DontGroupPatches

HKEY_LOCAL_MACHINE
\Software

\Microsoft\Windows
\CurrentVersion

\Policies\Uninstall

 

REG_DWORD:0

REG_DWORD:1

Do I need to change my code to work with Windows XP Service Pack 2?

Programs do not need to change in order to continue to work with Add or Remove Programs in Windows XP Service Pack 2. If a program is not changed to use the new feature, it will continue working as it did in Service Pack 1.

A program can take advantage of the new filtering option by marking its updates so that they are not shown by default. Details on how to mark programs as updates will be made available on MSDN at a later time.

Microsoft Windows Update Services and Automatic Updates

What do Windows Update Services and Automatic Updates do?

Windows Update Services (formerly known as Software Update Services) enables administrators to streamline and automate the process of deploying critical updates and security updates to client computers running Microsoft Windows XP Professional or Microsoft Windows 2000 Professional, as well as to Windows 2000 Server and Windows Server 2003 computers.

Windows Update Services includes the following components:

  • Windows Update. The Microsoft Web site that includes all available Microsoft updates by product and update type. Changes to Windows Update are described later in this document.

  • Microsoft Windows Update Services. The Windows Update Services server component for management and distribution of updates. This component will be released at a future date. For more information, see the Windows Update Services page on the Microsoft Web site at http://go.microsoft.com/fwlink/?linkid=29906.

  • Automatic Updates. The client component which enables computers to connect either directly to Windows Update or to a server running Windows Update Services to receive updates. The Automatic Updates component is included in Windows 2000 Service Pack 3 and later, Windows XP and later, and Windows Server 2003. Windows XP Service Pack 2 and the new Automatic Updates client component can run in either the Software Update Services 1.0 environment or in the new Windows Update Services environment.

Note   The rest of this section describes Automatic Updates in Windows XP Service Pack 2.

Automatic Updates connects periodically to Windows Update on the Internet, or to a Windows Update Services server on your corporate network. Once it discovers new updates that apply to the computer, Automatic Updates can be configured to install all updates automatically (which is preferred) or to notify the computer’s administrator or users whose computers have been configured to receive notification. After an administrator selects which updates should be downloaded, Automatic Updates downloads and installs those updates.

Who does this feature apply to?

All users and administrators of computers running Windows XP and Windows 2000 Server and later.

What new functionality is added to this feature in Windows XP Service Pack 2?

Support for Applications and Hardware Drivers

Detailed description

The latest version of Automatic Updates offers expanded support for Microsoft products, including Microsoft Office, Microsoft SQL Server, and Microsoft Exchange. It also provides for distribution of updated hardware drivers.

What threats does it help mitigate?

In the past, Automatic Updates could only distribute critical updates for the Windows operating system. This version allows for updating applications and drivers in addition to the operating system. Keeping these applications and drivers up-to-date with the latest security fixes can result in reducing the attack surface and exposing fewer known security vulnerabilities.

What works differently?

Administrators will have more types of updates to choose from when reviewing Automatic Updates notifications.

Support for Additional Update Categories

Detailed description

Previous versions of Automatic Updates allowed only distributing and installing critical updates. This version includes support for the following categories:

  • Security updates

  • Critical updates

  • Update roll-ups

  • Service Packs

Additional types of updates may be available for customers using an Intranet-based Windows Update Services server. For more information about update categories, including critical updates, see “About Windows Update” on the Windows Update Web site at http://go.microsoft.com/fwlink/?linkid=17289.

Why is this change important?

By adding support for a wider range of updates, particularly security updates, Automatic Updates helps to make the process of keeping computers up-to-date and secure more reliable and easier to manage.

What threats does it help mitigate?

In the past, Microsoft released a number of recommended updates that were not considered critical and thus were not automatically installed. Users had to connect to the Windows Update site and install them manually. Because the process was manual, it was possible for users to not install updates in a timely manner and thus expose their computer to possible attacks. This change allows the new categories to be automatically installed similar to critical updates.

What works differently?

Administrators will have more types of updates to choose from when reviewing Automatic Updates notifications.

Automatic Prioritization and Download of Critical Updates

Detailed description

Automatic Updates now has the ability to prioritize the download of updates when updates of different priorities are being downloaded. For example, if a large service pack is being downloaded and a smaller security update is released to address an exploit, that security update will be downloaded before the service pack.

Why is this change important?

This allows for critical updates to be installed before other updates.

What threats does it help mitigate?

Because the scope of updates that are delivered through Automatic Updates has increased, this change is important to help mitigate the chances of high priority updates being delayed behind other updates.

What works differently?

Certain updates will be downloaded before others when they are determined to be a higher priority.

Client Side Targeting

Detailed description

When Automatic Updates is used in conjunction with a Windows Update Services server, administrators can automate the assignment of a client computer to a specific target group on a Windows Update Services server.

Why is this change important?

Assigning client computers to target groups used to be a manual process. Administrators now use target groups to automatically control which updates are installed on specified groups of client computers. Before an update is deployed, it has to be authorized for a specific target group.

What works differently?

Windows Update Services administrators can now use Group Policy to assign client computers to a specific target group. A server running Windows Update Services then uses these target groups to approve and install updates to that specific client group. For example, client and server computers can be identified by separate security groups in your Active Directory environment. An update can then be deployed to client computers without affecting server computers.

Scriptable APIs

Detailed description

There is now a set of application programming interfaces (APIs) that can be used to manage Automatic Updates programmatically or from scripts.

Why is this change important?

For the first time, administrators can automate the management of Automatic Updates using scripts, and software developers can create applications that interface with or manage Automatic Updates.

What works differently?

No existing behavior or functionality is changing. New functionality is being added.

Automatic Detection, Download, and Installation

Detailed description

Automatic Updates determines if a computer does not have required or critical updates installed and then initiates download and installation of those updates automatically.

In a managed environment, the client gets updates directly from Windows Update or from a Windows Update Services server. Administrators can now configure how often the client computer checks a Windows Update Services server for new updates.

Why is this change important?

The entire process of managing and distributing updates can now be automated and, because of this, client computers can have critical updates installed in a timely manner.

No Interruption During Update Installation

Detailed description

You can configure Automatic Updates so that updates that do not require the computer to be restarted or impose any kind of service interruption, can be installed at any time and not just when they are automatically scheduled. Also, Automatic Updates can consolidate updates that require the computer to restart so that it only has to be restarted once.

Automatic Updates also eliminates the need for users to interact with end user license agreements (EULAs) while in a Windows Update Services environment. In this environment, EULAs are accepted on the Windows Update Services server by administrators on behalf of clients.

Why is this change important?

This feature helps to minimize the computer downtime that is associated with installing updates.

Install Updates at Shutdown

Detailed description

A new Install updates and shutdown option to the Shut Down Windows and Turn Off Computer dialog boxes. When updates have been downloaded and are ready to install, Windows will show the new option as the default choice and mark it with the Windows Security shield that indicates that this is a security recommendation. You can control whether this installation option is the default or is shown by configuring the appropriate registry setting.

Why is this change important?

This feature simplifies the management of many clients running Automatic Updates. This provides an alternative to installing update in response to notification messages and provides a method to install updates at a time when the computer is not being used for other activities.

Extensible Management Capabilities

Detailed description

In an Active Directory environment, administrators can configure the behavior of Automatic Updates by using Group Policy. In other cases, administrators can remotely configure Automatic Updates using registry keys through the use of a logon script or similar mechanism.

In addition, administrators can use scripts to manage clients through the Component Object Model (COM)–based API.

Why is this change important?

This feature simplifies the management of many clients running Automatic Updates.

What existing functionality is changing in Windows XP Service Pack 2?

Background Intelligent Transfer Service (BITS)

Detailed description

The latest version of Background Intelligent Transfer Service (BITS), BITS 2.0, includes dramatically improved bandwidth efficiency. This means that, when Automatic Updates connects to the Windows Update site or a server running Windows Update Services, it has to transfer less data, and can transfers the data faster. This minimizes the impact Automatic Updates might have on your Internet connection or corporate network. BITS improvements include the following:

  • BITS 2.0 can be configured to download updates during a specified time, such as periods of less network use.

  • BITS 2.0 can be configured to use only a specific portion of available network bandwidth.

  • BITS 2.0 is optimized to download only the portions of files that have changed. For example if only one byte changed in an updated 1 megabyte (MB) file, BITS will transfer only a few bytes instead of transferring the entire 1 MB file.

  • BITS 2.0 can recover from network failures. BITS can resume a file transfer if a network fails or a connection is lost during download. It will not restart the download, but instead will start from where it stopped.

Why is this change important?

This change is particularly important for users still using slow dial-up connections to the Internet or enterprise customers using expensive wide area network (WAN) links.

What threats does it help mitigate?

None.

What works differently?

Administrators can use Group Policy or registry keys to configure how BITS uses network connections. This allows administrators to streamline their Windows Update Services and Automatic Update network usage and help ensure that updates do not affect other business operations.

Scheduling and Notification Options

Detailed description

You can configure scheduling and notification options for users using Group Policy.

Users with administrative rights can specify whether they want to be notified before automatic download or installation and set the installation schedule. In addition, users can retrieve previously declined or hidden updates.

When computers are configured for scheduled automatic installations, there is no notification. This is to avoid potential confusion that the user may have regarding the purpose of the notification. The user will receive a notification if the update requires the computer to be restarted.

Why is this change important?

These options give administrators complete control over when and how updates are downloaded and installed.

Self-updating for Client Computers

Detailed description

In a managed environment, client computers can update their Automatic Updates components automatically to newer versions without the need for an administrator to reconfigure the computer.

Why is this change important?

It minimizes the need for human intervention and allows any changes to the Windows Update Services and Automatic Updates infrastructure to be deployed quickly and reliably.

What threats does it help mitigate?

This feature helps ensure that computers are always up-to-date and secure.

Improved Update Applicability Rules

Detailed description

Automatic Updates can download and install specific updates that are truly applicable to the computer. Automatic Updates works with the Windows Update site or Windows Update Services server to evaluate which updates should be applied to a specific system. For example, on a Windows XP computer, it helps protect against installing an update that is intended for Windows 2000.

Why is this change important?

This feature helps to minimize the number of updates being downloaded to a computer by only downloading updates that are applicable to this platform and applications. Also, this helps to protect computers from the risk of having an update installed that is targeted for a different operating system. If this happens, the computer may not have the required protection.

What settings are added or changed in Windows XP Service Pack 2?

Setting name

Location

 

Previous default value (if applicable)

Default value

Possible values

WUServer

HKEY_LOCAL_MACHINE \Software\
Policies\ Microsoft\Windows
\WindowsUpdate

n/a

(none)

URL of the Windows Update Services server that will be used by Automatic Updates and (by default) by API callers.

Note   This policy is paired with WUStatusServer; both must be set in order for them to be valid.

AU\ UseWUServer

HKEY_LOCAL_MACHINE \Software\
Policies \Microsoft\Windows \WindowsUpdate\AU

 

(none)

Replaced by the key above.

WUStatusServer

HKEY_LOCAL_MACHINE \Software\
Policies \Microsoft\Windows
\WindowsUpdate

n/a

(none)

URL of the server to which reporting information will be sent for callers who use the Windows Update Services server configured by the WUServer key.

Note   This policy is paired with WUServer; both must be set in order for them to be valid.

ElevateNonAdmins

HKEY_LOCAL_MACHINE \Software\
Policies \Microsoft\Windows
\WindowsUpdate

n/a

0 (no elevation)

Boolean value indicating whether users in the Users security group are allowed to approve or not approve updates, and whether they can install or uninstall via the client API.

0 = false (normal users are not elevated)

1 = true (normal users are elevated)

TargetGroup

HKEY_LOCAL_MACHINE \Software\
Policies \Microsoft\Windows
\WindowsUpdate

 

(none)

Name of the target group to which the computer belongs, used to implement client-side targeting. For example, TestServers.

AUOptions

HKEY_LOCAL_MACHINE \Software\
Policies \Microsoft\Windows \WindowsUpdate\AU

 

(none)

Policy setting for Automatic Updates configuration. If set to a value other than 5, user is not allowed to configure anything in Control Panel (except the “minor updates” setting).

When set via Group Policy, only options 2-5 are valid.

(None or invalid) – Policy does not exist

0 – Not configured (invalid for policy)

1 – AU is disabled (invalid for policy)

2 – Notify before download

3 – Notify before install

4 – Scheduled install (valid only if legal values are also specified for ScheduledInstallDay and ScheduledInstallTime).

5 – Automatic Updates is required, but end users can choose how it is configured. This option is new for Windows Update Services

If an invalid option or combination of options is specified via policy, the effect is equivalent to not setting the policy: local administrators will be able to change the setting using Control Panel.

NoAutoUpdate

HKEY_LOCAL_MACHINE
\Software\
Policies \Microsoft\Windows \WindowsUpdate\AU

 

0 (Not disabled)

Boolean value indicating whether Automatic Updates should be disabled. The effect for the end-user is basically the same as setting AUOptions=1, except that users cannot change the setting, since it comes from Group Policy.

0 - False (Do not disable AutoUpdate)

1 - True (Disable AutoUpdate)

Scheduled
InstallDay

HKEY_LOCAL_MACHINE \Software\
Policies \Microsoft\Windows \WindowsUpdate\AU

 

(none)

Which day of the week Automatic Updates will auto-install updates, when AUOptions is set to 4 (scheduled) via Group Policy. Ignored if AUOptions is not set to 4.

(None) – Policy not set

0 – Every day

1 – Every Sunday

2 - Every Monday

3 - Every Tuesday

4 - Every Wednesday

5 - Every Thursday

6 - Every Friday

7 - Every Saturday

Scheduled
InstallTime

HKEY_LOCAL_MACHINE
\Software\
Policies\Microsoft
\Windows
\WindowsUpdate\AU

 

(none)

What time of day Automatic Updates will auto-install updates, when AUOptions is set to 4 (scheduled) via policy. Ignored if AUOptions is not set to 4

(None) - Policy not set

0 - Midnight

1 - 1:00 a.m. local time

and so on...

DetectionFrequency

HKEY_LOCAL_MACHINE \Software\
Policies \Microsoft\Windows \WindowsUpdate\AU

 

(none)

Time, in hours, between Automatic Updates detection cycles.

Min = 1 (1 hour)

Max = 22 (22 hours)

Reschedule
WaitTime

HKEY_LOCAL_MACHINE \Software\
Policies \Microsoft\Windows \WindowsUpdate\AU

 

(none)

Time, in minutes, that Automatic Updates should wait at startup before applying updates from a missed scheduled install time. If the policy is not specified, then Automatic Updates will wait until the next scheduled install time.

Note that this policy applies only to scheduled install, not deadlines. Updates whose deadlines have expired should always be installed as soon as possible.

Disabling the policy will set this registry key to 0 (zero), so a zero value should result in not installing the updates at system startup. Rather, the update should be rescheduled to the next scheduled time.

RebootWarning
Timeout

HKEY_LOCAL_MACHINE \Software\
Policies \Microsoft\Windows \WindowsUpdate\AU

 

5 (5 minutes)

Length, in minutes, of the reboot warning countdown after installing scheduled updates or updates with a deadline.

Min = 1 (1 minute)

Max = 30 (30 minutes)

NoAutoRebootWith
LoggedOnUsers

HKEY_LOCAL_MACHINE \Software\
Policies \Microsoft\Windows \WindowsUpdate\AU

 

0 (Auto-reboot when needed)

Boolean value indicating whether or not to reboot after installing scheduled updates or updates with a deadline.

0 = False (Allow auto-reboot)

1 = True (Disallow auto-reboot)

AutoInstall
MinorUpdates

HKEY_LOCAL_MACHINE \Software\
Policies \Microsoft\Windows \WindowsUpdate\AU

 

0

Boolean value indicating whether minor (“zero service interruption”) updates can be silently installed without prompting any user.

0 = False (Treat minor updates like other updates)

1 = True (Silently install minor updates)

Explorer\?
NoWindowsUpdate

HKEY_CURRENT_ USER
\Software\
Microsoft \Windows \CurrentVersion
\Policies

 

(none)

Blocks a user’s access to the Windows Update Web site. When set to 1, this blocks the following :

  • Windows Update link in the Start Menu is removed. (Explorer.exe must be restarted before this takes effect.)

  • The Windows Update link under the Internet Explorer Tools menu is removed. (Internet Explorer must be restarted before this takes effect.)

If Wupdmgr.exe is launched manually, it displays an error saying Windows Update is disabled.

If the user navigates to Windows Update manually, the WU site itself displays an Access Denied error.

WindowsUpdate
\DisableWindowsUpdate
Access

HKEY_CURRENT_USER
\Software\
Microsoft\Windows
\CurrentVersion
\Policies

 

(none)

Blocks all aspects of a user’s interaction with the Windows Update service, including Automatic Updates and API calls. In Software Update Services (SUS) 1.0, this blocks the following (when set to 1):

The WU site displays an Access Denied error. (User can still get to the site via any of the usual mechanisms.)

Device Manager doesn’t check Windows Update for driver updates, if launched in the current user context.

Automatic Updates doesn’t prompt the user, even if the user is an administrator. (Automatic Updates will continue to work, though, such as. in scheduled mode.)

In Windows Update Services, the following changes have been made:

Automatic Updates UI will be blocked only when it is related to the Windows Update site, not the Windows Update Services server.

All API calls will fail for this user if they attempt to go to the Windows Update service, as opposed to the Windows Update Services server.

If Wupdmgr.exe is launched manually, it displays a Windows Update disabled error.

Internally, the agent will never talk to Windows Update during any call made by a user who has this value set.

DisablePatch

HKEY_LOCAL_MACHINE
\Software\
Policies\Microsoft
\Windows
\Installer

 

(none)

Disables Windows Installer patching functionality. The Windows Update Services client will not attempt to install any MSP packages if this policy is set, but it will still detect them so that it can report them to the Windows Update Services server and to API callers (for example, MBSA).

DisableMSI

HKEY_LOCAL_MACHINE
\Software\
Policies\Microsoft
\Windows
\Installer

 

(none)

Disables Windows Installer functionality. The Windows Update Services client will not attempt to install any MSP or MSI packages if this policy is set, but it will still detect them so that it can report them to the Windows Update Services server and to API callers, such as, MBSA.

Do I need to change my code to work with Windows XP Service Pack 2?

Neither Software Update Services (SUS) 1.0 nor previous versions of Automatic Updates offered any APIs, so there is no need to modify your code to work with Automatic Updates.

Resultant Set of Policy

What does Resultant Set of Policy do?

Group Policy Resultant Set of Policy (RSoP) reports Group Policy settings that are applied to a user or computer. Group Policy Results in Group Policy Management Console (GPMC) requests RSoP data from a target computer and presents this in a report in HTML format. Group Policy Modeling requests the same type of information, but the data reported is from a service that simulates RSoP for a combination of computer and user. This simulation is performed on a domain controller running Windows Server 2003 and is then returned to the computer running GPMC for presentation. Finally, the RSoP Microsoft Management Console (MMC) provides an alternative way to display this information, although Group Policy Results is generally the preferred method.

Who does this feature apply to?

Group Policy administrators in an Active Directory domain environment. In addition, an IT professional who needs to plan or validate the application of Group Policy may be interested in RSoP.

What existing functionality is changing in Windows XP Service Pack 2?

RSoP Use with Windows Firewall Enabled

Detailed description

In Windows XP Service Pack 2, Windows Firewall is enabled by default. Incoming requests against unopened ports—as opposed to responses to requests originated from the computer—are blocked by Windows Firewall. This impacts the use of RSoP across the network.

For more information on Windows Firewall, see “Windows Firewall,” in this document.

Why is this change important? What threats does it help mitigate?

Prior to Windows XP Service Pack 2, Windows XP shipped with Windows Firewall disabled by default. The user either needed to run a wizard or navigate through the Network Connections folder to manually enable Windows Firewall. This experience proved too difficult for many users, and resulted in many computers not having any firewall protection.

By enabling Windows Firewall by default, the computer has more protection from many network-based attacks. For example, if Windows Firewall had been enabled by default, the recent MSBlaster attack would have been greatly reduced in impact, regardless of whether users were up-to-date with patches.

What works differently? Are there any dependencies?

There are two important changes to RSoP in Windows XP Service Pack 2.

  • Once Windows Firewall is installed on a computer running Windows XP Service Pack 2, remote access to RSoP data no longer works from that target computer.

  • If Windows Firewall is enabled, when GPMC is run for the purpose of using Group Policy Results or Group Policy Modeling to retrieve RSoP data on a computer running Windows XP Service Pack 2, it will be unable to retrieve this data.

How do I resolve these issues?

The following table summarizes the changes necessary to fully support remote RSoP tasks when running Windows XP Service Pack 2. Please see the sections below for further details.

Task

Target Computer

Administrative Computer

Generate Group Policy results

Enable Windows Firewall Allow remote administration exception Group Policy setting.

This Group Policy setting is located in Computer Configuration \Administrative Templates\Network \Network Connections\Windows Firewall\[Domain | Standard] Profile\

GPMC with SP1

  • No action required

RSoP snap-in

  • Enable Windows Firewall: Define program exceptions. Configure the program exception list with the full path to Unsecapp.exe so that the WMI messages can be transmitted. In a default installation unsecapp.exe is located in the C:\Windows\System32\Wbem folder.

Enable Windows Firewall: Define port exception policy to open Port 135

Delegate access to Group Policy results

Enable Windows Firewall: Allow remote administration exception Group Policy setting

Configure the following DCOM security settings:

  • DCOM: Machine access restrictions...

  • DCOM: Machine launch restrictions...

These policy settings are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

No changes necessary

Remotely edit a Local Group Policy object

Enable Windows Firewall: Allow file and printer sharing administration exception policy setting

This policy setting is located in Computer Configuration \Administrative Templates\Network \Network Connections\Windows Firewall\[Domain | Standard] Profile\

No changes necessary

Administering Remote RSoP with GPMC SP1

The initial release of GPMC used a callback mechanism when waiting for the results of a Group Policy Results or Modeling request. The administrative computer must be “listening” for this response. Because Windows Firewall is enabled, Windows XP Service Pack 2 blocks these responses. Although opening the appropriate ports can address this issue, using the updated GPMC (Group Policy Management Console (GPMC) with Service Pack 1) completely removes the use of the callback mechanism. We recommend that you install GPMC with Service Pack 1, because this allows Group Policy Results and Modeling to continue to work without opening up ports on the administrative computer. To install GPMC with Service Pack 1, see “Group Policy Management Console with Service Pack 1” on the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=23529.

In order to administer RSoP remotely, you must enable the Windows Firewall: Allow remote administration exception Group Policy setting on target computers.

Administering Remote RSoP with the RSoP MMC snap-in

In order to administer RSoP remotely using the RSoP MMC snap-in, the target computer must listen on the appropriate network ports to ensure that incoming RSoP requests can be serviced. This can be managed through Group Policy using the following policy settings:

  • Enable the Windows Firewall: Define program exceptions Group Policy setting to permit Unsecapp.exe. Make sure you enter the full path to Unsecapp.exe.

  • Enable the Windows Firewall: Define port exception Group Policy setting and open Port 135. Click Show and enter 135:TCP:*:Enabled:135.

    Note   Enabling this policy setting is not necessary if the Windows Firewall: Allow remote administration exception Group Policy setting is enabled on the administrative computer.

    Caution   Enabling the Windows Firewall: Define port exception Group Policy setting may also allow unwanted data to be accepted on this port. Be sure to fully review this Group Policy setting before enabling it in your environment.

Delegating access to Group Policy Results

By default, Group Policy Results and the RSoP snap-in can only be used remotely when the person originating the request is a local administrator on the target computer. Beginning in Windows Server 2003, a delegation model is available that allows this right to be delegated to users who are not Administrators on the target computer. This is a common scenario when help desk personnel require access to computers without being made Administrators on those computers.

In Windows XP Service Pack 2, the security model around DCOM authentication (on which RSoP relies) has been strengthened. Even if RSoP delegation has been configured correctly, this strengthening prevents local non-administrators from retrieving RSoP information from a target computer. Note that this issue does not impact Group Policy Modeling, since the request for simulated RSoP data is made against a domain controller running Windows Server 2003, which, by definition, is not running Windows XP.

Windows XP Service Pack 2 provides a method to manage the users and groups associated with DCOM authentication. This list can be managed through Group Policy. To allow continued use of delegated RSoP, users to whom you want to grant this right must also have access through the DCOM authentication model. For more information on the security changes to DCOM in Windows XP Service Pack 2, see “DCOM,” earlier in this document.

In order to delegate access to Group Policy Results, you need to complete the following steps:

  1. Enable the Windows Firewall: Allow remote administration exception Group Policy setting on target computers.

  2. Set the following DCOM security policy settings on target computers. (They are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.)

    DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL) syntax

    1. Right-click the Group Policy object, and then click Properties.

    2. Click Edit Security, and then Access Permission opens.

    3. Click Add, and then Select Users, Computers, or Groups opens.

    4. Enter the desired delegation targets.

    DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax  

    1. Right-click the Group Policy object, and then click Properties.

    2. Click Edit Security, and then Access Permission opens.

    3. Click Add, and Select Users, Computers, or Groups opens.

    4. Enter the desired delegation targets.

Remotely editing a local Group Policy object

In order to remotely edit a local Group Policy object, you need to enable the following policy setting on target computers: Windows Firewall: Allow file and printer sharing administration.

The policy setting is located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\[Domain|Standard] Profile\.

Security Center

Security Center is a new service in Windows XP Service Pack 2 which provides a central location for changing security settings, learning more about security, and helping to ensure that the user’s computer is up to date. You can use Security Center by double-clicking the Security Center icon in Control Panel.

What does Security Center do?

The Security Center service runs as a background process and checks the state of the following components on the user’s computer:

  • Firewall

    The Security Center checks whether Windows Firewall is on or off. It also checks for the presence of some other software firewalls by querying for specific WMI providers made available by participating vendors.

  • Virus protection

    The Security Center checks for the presence of antivirus software using queries for specific WMI providers that are made available by participating vendors. If the information is available, the Security Center service also determines whether the software is up-to-date and whether real-time scanning is turned on.

  • Automatic Updates

    The Security Center checks to make sure that Automatic Updates is set to the recommended setting, which automatically downloads and installs critical updates to the user’s computer. If Automatic Updates is turned off or is not set to the recommended settings, the Security Center provides appropriate recommendations.

If a component is found to be missing or out of compliance with your Security Policy, the Security Center places a red icon in the notification area of the user’s taskbar and also provides an Alert message at logon. This message contains links to open the Security Center user interface, which displays a message about the problem and provides recommendations for fixing it.

In cases where users are running firewall or antivirus software that is not detected by Security Center, the user has the option to set the Security Center to bypass alerting for that component.

In Control Panel, Security Center also serves as a starting point for Control Panel items related to security and security-related Web links.

Who does this feature apply to?

By default, this feature applies to all computers in workgroups, that is, computers that are not joined to a Windows domain.

Using a Group Policy setting, administrators can enable this feature for computers in a Windows domain.

Why is this change important?

This change provides a simple automated alert mechanism for assisting users in enhancing their computer security and helping to decrease their risk from network-based threats.

What threats does it help mitigate?

Users are often unsure about which security technologies and settings are best for protecting their computers from network-based threats. This problem is becoming more acute as viruses proliferate and more users connect via “always on” broadband connections. The Security Center provides users an easy way to help ensure that they are behind a firewall, that they are running up-to-date antivirus software, and that their computers are being automatically updated with the latest critical updates from Microsoft.

What works differently?

There is no change in behavior caused by the Security Center itself that would affect an application or service. However, the Security Center helps enforce the use of Microsoft and third-party security-related components that might raise compatibility or other issues. For example, see the Windows Firewall section of this document for issues that might arise due to compatibility with that component.

In Windows XP Service Pack 1, the service pack could be installed using the /quiet option to make the installation of the Service Pack transparent to the user. However, if Windows XP Service Pack 2 is installed using the /quiet or /q option, Security Center in Control Panel is displayed upon the first interactive logon after installation, so that users can review their security settings.

Note  When Windows XP Service Pack 2 is installed in a domain environment, the Security Center feature is controlled by a Group Policy setting that is not enabled by default.

How do I resolve these issues?

There is no change in behavior that would affect an application or service (except as noted above).

What existing functionality is changing in Windows XP Service Pack 2?

In earlier versions of Windows XP, there was no “Security Center” category in Control Panel. Instead, individual security-related Control Panel items were distributed throughout the Control Panel components.

What settings are added or changed in Windows XP Service Pack 2?

Registry settings

There are three registry settings for the Security Center. These settings determine whether or not the user receives alerts for a given feature. If a key has a value of 0 or is nonexistent, the notification icon and alert system for that feature are enabled. If a value exists and is not 0, the notification icon and alert system for the feature is disabled.

If the Security Center is enabled, the three settings that are described in the table below are also displayed in the Security Center user interface.

Setting name

 

Location

 

Previous default value (if applicable)

Default value

Possible values

AntiVirusDisableNotify (DWORD)

HKEY_LOCAL_MACHINE\SOFTWARE \Microsoft\Security Center

N/A

0

0,1

FirewallDisableNotify (DWORD)

HKEY_LOCAL_MACHINE\SOFTWARE \Microsoft\Security Center

N/A

0

0,1

UpdatesDisableNotify (DWORD)

HKEY_LOCAL_MACHINE\SOFTWARE \Microsoft\Security Center

N/A

0

0,1

Group Policy settings

There is one Group Policy setting for the Security Center. This setting determines whether or not the Security Center user interface and alert system are enabled or unavailable for users whose computers are joined to a Windows domain. When this setting is not enabled, is set to OFF or is not configured, the Security Center is not available on computers that are joined to a Windows domain. When the setting is set to ON, the Security Center is enabled on all computers, whether or not they are members of a Windows domain. Note that it is not possible to disable the Security Center for users that are not members of a Windows domain with Group Policy.

If an organization decides to use the Security Center on the computers in their organization, they must change the Group Policy setting to On. The first time a user logs on to a computer that has been updated with the Security Center as part of the Windows XP Service Pack 2 installation, Security Center opens in order to allow users to discover the new feature. It is recommended that you communicate this expected behavior to your users so that the experience does not cause unwarranted concern.

Setting name

 

Location

 

Previous default value (if applicable)

Default value

Possible values

Turn on SecurityCenter (computers in Windows domain only)

Administrative Templates \System\ SecurityCenter

N/A

Not configured

On, Off

Do I need to change my code to work with Windows XP Service Pack 2?

Your code does not need to change to work with Security Center.

Setup

What does Setup do?

Setup is the program that installs and configures the operating system on your computer. When you originally install Windows XP, Setup installs and configures the operating system to work properly with the computer.

Often, any program that is used to install and configure software programs is called Setup. However, in Windows XP, there are two different programs that install and configure programs once the operating system is operational. When Windows XP Service Pack 2 or any other software update is installed on Windows XP, the Service Pack Installer updates and changes the existing installation of Windows XP. If an application, such as Microsoft Office, is installed, configured, or upgraded, then the Windows Installer is the program that is responsible for that task.

Who does this feature apply to?

All users and administrators who install or deploy Windows XP Service Pack 2 should become familiar with the changes in this feature.

What new functionality is added to this feature in Windows XP Service Pack 2?

Package Installer for Windows

Detailed description

The Package Installer for Windows (Update.exe) installs Windows XP Service Pack 2. This is different installation technology from what is used to install the complete operating system. There are some minor differences in Package Installer from the versions in Service Pack 1 for Windows XP and Service Pack 2. For a complete discussion of the Package Installer, see “Inside Update.exe - The Package Installer for Windows and Windows Components” on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=26004.

Changes in Package Installer in Windows XP Service Pack 2 include.

  • Command line switches

    Microsoft has moved to a standard for Installer switches which will be available later this year. There are no new switches to replace the /D and /S switch functions; the old switches are still valid. The following table describes the former, new, and legacy switches for use with the package installer:

    Old Switch

    New Switch

    Description

    None

    /Uninstall

    Removes the update or service pack.

    /?

    /Help

    Displays help text.

    /D:FolderName

    No change

    For service pack installations, backs up files to the specified folder.

    None

    /ER

    Enables extended return codes (For more information on extended return codes, see Appendix F in the “Inside Update.exe, The Package Installer for Windows” white paper.

    /F

    /F

    Forces other applications to close when the computer restarts after the installation.

    None

    /Forcerestart

    Forces restart after installation finishes.

    /L

    /L

    Lists installed hotfixes (Windows updates only).

    /N

    /N

    Does not back up files for removing the service pack or hotfix. In Add or Remove Programs, there is no Remove button for the hotfix, so it cannot be uninstalled.

    /O

    /O

    Overwrites OEM files without prompting.

    /Q

    /Quiet

    Uses quiet mode, which is the same as unattended mode, except that the user interface is hidden. No prompts appear during the installation.

    /S:FolderName

    No change

    Combines the operating system image with Windows XP SP2 in a shared distribution folder for an integrated installation. When using this switch, type the name of the shared distribution folder after the colon. (Service pack feature only).

    /U

    /Passive

    Uses unattended setup mode. Only critical errors and a progress bar appear during setup.

    /Z

    /Norestart

    Does not restart the computer after the installation finishes.

  • /O command line switch

    The /O command line switch was added to the installer to prevent Update.exe from performing an exhaustive search for original equipment manufacturer (OEM) supplied files, such as video drivers. Only use this switch if you want to overwrite all files supplied by the OEM on your system. By default, OEM files are not overwritten.

  • Performance considerations

    Because of the considerable amount of changes that are included in Windows XP SP2, the service pack is quite large. Along with the additional features and functionality included in Windows XP SP2, there may be an increase in installation time. We recommend that you anticipate a minimum installation time of 30 minutes for installing Windows XP SP2 on standard desktop computer configurations. Actual installation time will vary depending upon the type and performance level of the computer and whether you are installing from a CD or express network installation.

  • Do not apply updates during SP2 installation

    If you are running in an environment that uses a utility to scan and apply updates or security updates automatically, the utility may conflict with the SP2 installation, leaving your machine in an unusable state. This can occur when SP2 is in the process of installation or un-installation and has not fully completed, including rebooting and running all the post-processes. If updates to the system are installed prior to SP2 completion, the machine may be left in an unusable state.

  • Laptop installation: AC power required during service pack installation

    Laptop or portable computers must use AC power during installation of the service pack. This is a new prerequisite for the service pack so that the computer does not run out of power and shut down during installation. If the machine shuts down during installation, it is not possible to resume the Service Pack installation at the point where it left off. This could lead to a corrupted installation of the operating system.

    If you attempt to install the service pack while not running on AC power, you will get the following message: This Service Pack requires the machine to be on AC Power before setup starts. In order to proceed with the service pack installation, the computer must run on AC power.

  • Laptop installation: Hibernation during service pack installation

    In order to ensure successful completion of the service pack, laptop and portable computers cannot enter hibernation and standby mode during installation. If the computer goes into hibernation during installation, you may not be able to resume the installation. In order to ensure successful installation of the service pack, hibernation and standby modes are blocked during installation.

  • Improved recovery following installation failure

    In the event that there is a failure to complete the service pack installation, in most cases, automatic recovery will occur. For example, if power failure occurs during the latter parts of installation, when you restart the computer, the service pack uninstall procedure automatically starts and rolls back all the changes that were made during the Service Pack installation.

  • Antivirus software

    While antivirus software is a critical factor in keeping a computer secure, it can affect the overall time required to install a service pack. Disabling your antivirus software during install of the service pack could reduce the installation time by up to 20%. If you decide to disable the antivirus software, be sure you are aware of the risks involved and be sure to enable it after the service pack is installed.

Windows Installer 3.0

What does Windows Installer 3.0 do?

The Windows Installer service defines and manages a standard format for application setup, installation, and upgrades. It tracks components such as groups of files, registry entries, and shortcuts. Windows Installer is a system-resident installation service that provides consistent deployment, enabling administrators and users to manage shared resources, customize installation processes, make decisions on application usage, and resolve configuration problems.

Windows Installer 3.0 is a new version of the service that is included in Windows XP Service Pack 2.

Who does this feature apply to?

This feature applies to:

  • Application developers

  • Application setup authors

  • System administrators who are involved in software distribution

What new functionality is added to this feature in Windows XP Service Pack 2?

Patch Management Support

Detailed description

Windows Installer 3.0 provides the underlying infrastructure for software distribution systems to target and install updates to Windows Installer-based applications. Enhanced inventory functions make it possible for administrators to detect products, features, components and patches across user and installation contexts. Three new functions are provided to determine if a patch is necessary prior to downloading the complete patch payload to the target computer. These new functions are:

  • The MsiEnumProductsEx function, which enumerates through one or all the instances of products that are currently advertised or installed in the specified contexts.

  • The MsiEnumPatchesEx function, which enumerates all patches in a particular context or across all contexts. Patches already applied to products are enumerated. Patches that have been registered but not yet applied to products are enumerated.

  • The MsiDetermineApplicablePatches function, which takes a set consisting of patch files, XML files, XML BLOBs and an .msi file and determines which patches apply to the Windows Installer package and in what sequence. The function can account for superseded or obsolete patches. This function does not account for products or patches that are installed on the system that are not specified in the set.

Why is this change important?

The patch management infrastructure is used by Software Update Services (SUS) 2.0 to detect and apply patches to Windows Installer-based products. This means that products installed with Windows Installer 3.0 can be more easily updated with SUS than in earlier versions.

What threats does it help mitigate?

Windows Installer 3.0 and Software Update Services 2.0 helps to make it easier to keep computers up to date with the latest patches for Windows Installer-based applications. Ensuring that current patches are applied to services and applications helps to prevent attacks against known vulnerabilities.

Smaller & Reliable Patches

Detailed description

Setup authors can use Windows Installer 3.0 to create patch packages (which have the .msp file name extension) that use Microsoft’s delta compression technology. Delta compression uses binary file differences instead of using the full file, which significantly reduces the patch payload. In previous releases of Windows Installer, the use of delta compression sometimes caused the installer to prompt the user for the application’s original installation media (for example, the application’s original CD), which was often unavailable. Windows Installer 3.0 caches the baseline version of files that are modified by a patch and retrieves the baseline as a target for subsequent delta compression patches. Setup authors should create patches that use baseline product versions. By doing this, users should no longer be required to supply the original installation media to successfully apply patches.

Why is this change important?

Users are more likely to keep their application patches current if patch packages are small, easy to download, and don’t require the user to perform difficult procedures to install.

What threats does it help mitigate?

By ensuring that current patches are applied to services and applications, you help to prevent attacks against known vulnerabilities.

Patch removal

Detailed description

Windows Installer 3.0 supports patch removal, although some application developers may create patches that cannot be removed, such as major upgrade patches. Most patches will have supporting documentation that will inform you as to whether or not they can be removed.

Patches for Windows Installer-based applications can be removed using Control Panel, the command prompt, or by directly calling the new Windows Installer 3.0 MsiRemovePatches function. (For more information on the MsiRemovePatches function, see the previous section.)

When you remove a patch, it leaves the computer in a state as though the patch was never installed. The state of the computer, which includes files, registry keys, and so on, when a patch is installed and removed is identical to its state before the patch was installed. Patches can be removed in any order.

Windows Installer 3.0 uses a specialized re-installation mode to remove a patch. In concept, patch removal is a product reinstallation of the entities that were affected by the patch. Only files that are altered when the patch is removed are considered; all other files in the product remain untouched. Files that were affected by the patch are restored to the version that was expected by the product before the patch was installed. If a patch explicitly removes an existing patch, then removing the second patch restores the first patch. When you remove patches that supersede existing patches, you restore the superseded patch.

In addition, patches that you don’t explicitly uninstall may also be removed if they are no longer applicable. For example, a small patch that targets a minor update will be implicitly removed when the minor update is removed.

Why is this change important?

Users and administrators are more likely to deploy and install patches if they have the confidence that the changes made by a patch can be reliably reversed when necessary.

What threats does it help mitigate?

This change removes a barrier to deploying patches. It provides users and administrators with a mechanism to remove patches in order to deal with potential application compatibility issues.

Source List support

Detailed description

With Windows Installer 3.0, administrators can better manage the list of sources for products and patches. New functions enable full static management of the product sources including network, URL, and media sources and enable access to read, edit, and replace the Microsoft Installer source lists from an external process. Windows Installer 3.0 includes three new functions to manage source lists:

  • The new MsiSourceListEnumSources function is used to enumerate current sources for a product. This function, in conjunction with existing capabilities, can be used to clear the last-used source and add new sources to proactively manage source for products and patches so users that are connected to the network don’t have to track down the source paths for installed products.

  • The new MsiSourceListAddMediaDisk function enables administrators to change the volume label and Disk ID for distribution of customized media for MSI based applications.

  • The new MsiSourceListSetInfo function enables administrators to change the media package path property so that customized media (CD or DVD) with multiple applications can be created for used by mobile users to repair their installations.

Why is this change important?

In order to support application resiliency, some patching scenarios, and install-on-demand, the Windows Installer may require access to the application’s installation source media. This change enables administrators to better manage the list of sources for products.

What threats does it help mitigate?

Administrators can manage product source lists to help ensure successful patch deployment and installation. Ensuring current patches are applied to services and applications helps to prevent attacks against known vulnerabilities.

Sequencing

Detailed description

The new Windows Installer 3.0 patch sequence table enables patch authors to provide explicit instructions for the order in which updates should be applied on target computers. Updates will be applied to target applications in a consistent and predictable order regardless of the order in which they are physically provided to the computer. Authors can reliably update unversioned files by using the patch sequence table. Patches without the sequence table will be applied in the order in which they are provided to Windows Installer.

Why is this change important?

Sequencing ensures that, when patches are applied, the results are consistent and predictable. This is especially important when multiple patches affect the same file or registry setting.

What threats does it help mitigate?

Administrators can use sequencing to help ensure successful patch deployment and installation. Ensuring current patches are applied to services and applications helps to prevent attacks against known vulnerabilities.

What existing functionality is changing in Windows XP Service Pack 2?

FTP and GOPHER is no longer supported

Detailed description

Windows Installer 3.0 uses WinHTTP exclusively for handling URL downloads. Prior versions of the Windows Installer relied on WinINet to access standard Internet protocols. However, WinHTTP does not support the same protocols that WinINet does. As a result, Windows Installer 3.0 no longer supports the FTP and GOPHER protocols. The HTTP, HTTPS, and FILE protocols are still supported.

For more information about WinHTTP security, see “About WinHTTP” at http://go.microsoft.com/fwlink/?LinkId=23097.

Why is this change important?

WinINet does not support server implementations and should not be used from a service. WinHTTP is more secure and robust than WinINet.

What threats does it help mitigate?

WinHTTP is designed for use in both system services and HTTP-based client applications. WinHTTP is more secure and robust than WinINet.

What works differently?

Package downloads over FTP and GOPHER protocols fail with Windows Installer 3.0.

How do I resolve these issues?

If your applications use GOPHER or FTP to download URL patches, you must change the application to use either the HTTP, HTTPS, or FILE protocol.

Windows Installer service is no longer interactive

Detailed description

The Windows Installer service runs in the security context of the Local System account. In previous versions of Windows, the service attribute of Windows Installer was set to SERVICE_INTERACTIVE_PROCESS. This made the Windows Installer service interactive. An interactive service can display its own user interface and receive user input and may be a security vulnerability.

Because of this, the Windows Installer 3.0 service is no longer interactive.

Why is this change important?

Interactive services running under the Local System context allow users to post messages to a program running in a different security context and may allow some types of attacks to occur.

What threats does it help mitigate?

Users will not be able to interact with the Windows Installer service.

Do I need to change my code to work with Windows XP Service Pack 2?

No. Installation packages and patches that were created for Windows Installer 2.0 can be installed using Windows Installer 3.0. Windows Installer version 3.0 ignores the new database tables introduced with version 3.0 when installing a package or patch authored for Windows Installer 2.0.

Windows Update

What does Windows Update do?

Windows Update helps users keep their computers up-to-date with patches and software updates for components of Microsoft Windows. With Windows Update, users can choose updates for their computer’s operating system, software, and hardware. New content is added to the site regularly, ensuring customers can always get the most recent updates and fixes to protect their computers and keep them running smoothly.

Windows Update is based on Windows Update Services, which provides IT administrators with the ability to synchronize updates from the Windows Update servers, prioritize these updates, and then distribute them throughout their enterprise environments.

Prior to Windows XP Service Pack 2, Windows Update only provided the service for those components that shipped with the Windows operating system, such as Internet Explorer, Windows Media Player, and Windows Messenger. With Windows XP Service Pack 2, Windows Update with Windows Update Services provides two services:

  • Windows Update. This service provides security patches and updates for Windows components. This service also will continue to deliver drivers.

  • Microsoft Update. This service provides security patches and updates for Windows components and other Microsoft product applications. The first applications in addition to Windows components that will be enabled as part of Microsoft Update include SQL, Exchange, and Office. Microsoft Update is a superset of Windows Update.

Windows users can interact with both services through the Web site or Automatic Updates. As of this writing, only the Windows Update service is available to customers; Microsoft Update will be made available at a later date.

Who does this feature apply to?

The Windows Update and Microsoft Update Web site features apply to all Windows Internet users who choose not to enable Automatic Updates, and wish to keep their Windows operating system and applications secure and up-to-date. The Windows Update site feature is also necessary for those Windows users interested in non-critical updates, which are not made available through Automatic Updates.

What new functionality is added to this feature in Windows XP Service Pack 2?

Updates for Microsoft Applications

Detailed description

The new Microsoft Update service provides security patches and updates for Microsoft applications, such as Office, SQL and Exchange. When users navigate to the Microsoft Update site or enable Automatic Updates, they will now receive all relevant updates consistently. Windows and all supported applications are kept secure automatically, and a user no longer has to navigate to multiple locations searching for updates.

Why is this change important?

Previously, a user had to navigate to multiple locations to keep Windows components and applications secure. Now, when a user enables Automatic Updates, Windows and associated applications are kept secure and up-to-date. Users choosing to go to the Microsoft Update Web site receive all high priority updates in one location.

What threats does it help mitigate?

This change helps mitigate situations where users neglect to install updates for other Windows applications. Users are kept secure against attacks that target known vulnerabilities in Windows or other Microsoft applications.

What works differently?

Users now consistently receive security updates and high priority patches for Windows content and other applications by either navigating to the Microsoft Update site and clicking Express, or turning on Automatic Updates. Users receive security updates and patches for Windows content and other applications through one mechanism and destination. Users that navigate to the Microsoft Update site and click the Custom option receive security updates and high priority patches, plus other optional updates, which are of lower priority.

Express and Custom Installation Options

Detailed description

Certain users go to the Windows Update Web site to search for just the most critical updates and to get their computers updated in the shortest amount of time. The Express and Custom installation paths help users quickly find the route through the site that best meets their needs — either to quickly get all the high priority updates or to spend more time browsing and choosing from the optional updates.

Why is this change important?

Updating a computer should be a simple, quick process. This change removes steps and options to make the update process faster and less error-prone. The change also allows greater flexibility and more choices for the user.

To improve on the user experience, the Windows Update home page now has two modes:

  • Express install offers preselected critical updates. You cannot edit the list of updates in this mode.

  • Custom install gives you full control of the preselected critical items so users can hide, remove, and select updates relevant for their computers.

What threats does it help mitigate?

This design helps to mitigate user confusion in locating critical security updates. In turn, this helps users to quickly install updates that protect them against known vulnerabilities.

What works differently?

The Windows Update page has changed, and the steps for navigation and selection of updates are different. The basic functionality of Windows Update has not changed.

Windows Update and Microsoft Update Home Page

Detailed description

The following enhancements have been added to the Windows Update and Microsoft Update home page and site experience in Windows XP Service Pack 2.

  • Revised visual design

    Users will notice a new header and footer that has become a standard across all of Microsoft.com. The layout and the links are simplified, making it easier to use.

  • Automatic Updates settings

    Many customers are not aware that they can use the Automatic Updates feature to stay secure and up-to-date. The Windows Update Web site reminds the user of their current Automatic Updates settings, suggests the optimal settings to ensure they are getting the latest security updates, and provides a way to modify the settings.

  • Update news

    When a critical issue arises that Microsoft thinks users should know about, the “News from Microsoft” section on the Windows Update home page displays this information. It may also include helpful tips to help users to keep their computers current.

  • Administrator information

    Many users are not aware that Windows Update offers a searchable catalog of published updates, called the “Windows Update Catalog”. While the Windows Update Web site uses a detection process to determine which updates users should install, the Windows Update Catalog does not; therefore, the catalog is not recommended for most users. However, advanced users who need to administer updates to other computers may want to use this feature. The Windows Update site Administration Information section also provides information about Windows Update Services, as discussed earlier.

Content Organization and Navigation

Detailed description

The content organization and navigation changes that have been made to the Windows Update and Microsoft Update site are:

  • Update categorization

    The update categories in the left navigation pane have been changed to better accommodate more updates over time from different product groups and providers. The naming has been standardized to provide for consistency and better usability.

  • Single installation updates

    Some updates must be installed separately from others. Microsoft is working to require fewer of these update types. When these are required, the selection and installation process has been optimized to provide better usability. If users are offered a "single installation" update, they can choose to either select it alone or select other updates that are applicable to their computer. By making this choice in the beginning of the selection and installation process, users will not have to back up at the end of the process to change their selection, as was previously required. Single installation update notifications, which bring a user’s attention to an update that can only be installed separately, are better communicated to users throughout the new Windows Update site.

  • Superseding updates

    Some updates replace, or supersede, previous update versions. For example, a service pack that includes Security Patch A would supersede Security Patch A by itself. Windows Update automatically offers users the latest applicable update, so they don't have to choose among the latest releases and previous versions. In earlier versions of Windows Update, users would see both the superseded and superseding updates listed together, which led to confusion.

  • Update details

    Windows Update users consistently request more detailed information concerning the updates that Windows Update provides. Examples include uninstall instructions, support information, and content provider details. To address this feedback, the Windows Update details page has been revised to provide a fixed set of information to make the update details more consistent and actionable. If an update is being provided by a non-Microsoft source, such as an original equipment manufacturer or independent hardware vendor, they may use a branded icon on the details pages to clearly mark that they provided a specific update.

  • Select all

    Many customers have requested a one-click option to select all updates. Although Windows Update will continue to automatically select the high priority updates your computer needs (using the Express Install path), if users truly want all available relevant updates, they can now select them with one click, using the Custom Install feature.

  • Hide and restore updates

    Users may occasionally be offered an update they choose not to install. Users can now hide updates they don't want to see. This keeps the list of available updates from being cluttered with unwanted updates. Users can go to the Restore Hidden Updates page to retrieve the update if they change their mind later.

  • Beta software

    Windows Update may carry beta (pre-release) software and updates to beta software from time to time. Microsoft realizes that beta software is not often recommended for or wanted by all customers. If users want to be offered beta software releases when they visit Windows Update, they can go to Advanced settings and select Show beta products and related updates.

  • Smart downloading

    If users lose their Internet connection while downloading updates, the download resumes where they left off the next time they try to download the update. Also, if a user chooses to use Automatic Updates, the Windows Update Web site will not duplicate any updates that Automatic Updates has already downloaded. Previously, if Automatic Updates downloaded an update, and the user had not installed it, the update would be downloaded again when the user accessed the Windows Update Web site and chose to install it.

  • Driver details

    Customers have requested more information about the drivers that Windows Update offers. Windows Update now provides information from Device Manager so users can learn why they are being offered a particular driver, and make a more informed decision on whether to install the driver or not. Possible options include:

    • PNP Status = Device disabled: Windows Update recommends installing this update because the DriverClass device on your computer to which this driver applies appears to be disabled.

    • PNP Status = Device problem: Windows Update recommends installing this update because the DriverClass device on your computer to which this driver applies appears to not be working properly.

    • PNP Status = Device no driver: Windows Update recommends installing this update because the DriverClass device on your computer to which the driver applies does not appear to have a driver installed.

Supportability

Detailed description

To provide more effective self-service and service/content troubleshooting, as well as provide product support engineers with better information in assisted service scenarios, the following supportability enhancements have been added to the Windows Update and Microsoft Update site experience:

  • Troubleshooter search

    More relevant, detailed troubleshooting procedures are now available for issues that users have encountered while using Windows Update. These issues might include problems when using the site, or when installing content offered by Windows Update. Windows Update troubleshooter search-and-filtering capabilities have been improved to make it easier for users to find and locate the relevant help content.

  • History

    The update history feature now includes more details about the updates users install and any errors that may be encountered during installation. Previously, when an update failed, users were not given any direction on next steps regarding how to potentially resolve an issue. When available, a more helpful error message is now provided for specific pieces of content that have failed installation by clicking the Failed indicator in the Status column. More intuitive update information paging, navigation and printing options are now also available.

  • Improved messages

    Should an error occur, Windows Update will automatically search Help and Support content for more information about the error and include a possible resolution. If information exists to help solve a specific problem, users will see it when the error message appears. This saves Windows Update users from having to search for information on their own in the Windows Update Troubleshooting section.

Why is this change important?

These newly-added features and changes help users to locate and install various types of updates offered through the Windows Update site. This, in turn, helps users to protect themselves against known vulnerabilities.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft