Windows Update and Automatic Updates

(Note: This topic describes not just Windows XP Professional with Service Pack 2, but also Windows XP Professional with Service Pack 3.)

Important   This section describes methods for controlling the way the Automatic Updates component interacts with the Windows Update Web site. To control the way Automatic Updates interacts with Windows Update, also control the type of accounts that people log on with. If an account does not allow software to be installed (for example, if the account is a user account), only one option for Automatic Updates will function while that person is logged on. That option is the automatic download and installation of updates, which means that updates are installed on the user’s computer at a regularly scheduled time, regardless of what type of account the user has, or whether the user is logged on at the time.

Benefits and Purposes of Windows Update and Automatic Updates

Windows Update

Windows Update is an online catalog that can be used to support computers running Microsoft Windows operating systems, including Windows XP Professional with Service Pack 2 (SP2). The catalog contains items such as drivers, critical updates, Help files, and Internet products. Windows Update scans the user’s computer and provides a tailored selection of updates that apply only to the software and hardware on that specific computer. Windows Update then enables users to choose updates for their computer's operating system and hardware. New content is added to the Windows Update Web site regularly, so users can always get the most recent and secure updates and solutions.

Windows Update contains two key components:

  • Web site control: The Windows Update Web site includes an ActiveX Web control program that downloads and installs updates. The Windows Update team receives feedback from their customers on how to improve their Web site, and responds by periodically updating the Web control. The newest version of the Web control program is downloaded automatically when the user visits the Windows Update site or when any of the other Windows features calls on the Windows Update control. As with any ActiveX control download, the user may see a security dialog box stating that a Web control is attempting to install. Users may not see the dialog box if they have chosen to always trust Microsoft as a content provider (using their security settings in Microsoft Internet Explorer). If users do not click Yes on the security dialog box, the control will not be updated and they will not be able to access the Windows Update site.

  • Updates: As needed, the user can access the Windows Update Web site and select component updates to download and install. The user is fully aware of downloads to the computer. The Windows Update Web site is located at:

    https://windowsupdate.microsoft.com/

Automatic Updates

This option for updating a computer allows for updates without interrupting the user’s Internet experience. Automatic Updates is not enabled by default. The person who installs the operating system is prompted to enable this option following setup. When Automatic Updates is configured so that updates automatically download and install, users do not need to visit special Web pages or remember to periodically check for new updates. Automatic Updates can be configured to use one of the following options:

  • Automatic download and installation of updates: Windows XP downloads and installs updates automatically on a schedule specified by an administrator of the computer. Updates are installed regardless of what type of account the user has, or whether the user is logged on at the time.

  • Automatic download only: Windows XP automatically starts the download whenever it finds updates available for the computer. The updates are downloaded in the background, enabling the user to continue working uninterrupted. After the download is complete, an icon in the notification area will prompt a user logged on as an administrator that the updates are ready to be installed.

  • Notification only: Windows XP sends a notification after which an administrator of the computer can respond by downloading and installing any updates.

  • Turn off Automatic Updates: It is left to the user to go to the Windows Update Web site and download updates from time to time.

A user logged on as an administrator can decline a specific update that has been downloaded. The user can download those declined files again by opening the Performance and Maintenance category in Control Panel, clicking the System tool, clicking the Automatic Updates tab, and then clicking Offer updates again that I’ve previously hidden. (In Control Panel's Classic View, you can open the System tool directly from Control Panel.) If any of the previously declined updates can still be applied to the computer, those updates will appear the next time that Windows XP notifies the user of available updates.

For more information about using Control Panel to configure Automatic Updates, see “Procedures for Controlling Windows Update and Automatic Updates,” later in this section.

Alternatives to Windows Update and Automatic Updates

For managed environments, there are several alternatives to Windows Update:

  • Windows Update Catalog Web site

  • Microsoft Software Update Services (SUS)

  • Distribution software, such as Microsoft Systems Management Server, that can be used to distribute software updates

    For more information, see the documentation for your distribution software, and see Appendix A, "Resources for Learning About Automated Installation and Deployment," especially the "Related Documentation and Links" subsection in that appendix.

Windows Update Catalog Web Site

By using the Windows Update Catalog site, you can use your own software distribution tools to deploy updates to Windows in a managed environment without requiring users to connect to the Windows Update Web site. The Windows Update Catalog site provides a comprehensive catalog of updates that can be distributed over a managed network. It provides a single location for Windows Update content and drivers that display the Designed for Windows logo. Administrators can search the site using keywords or predefined search criteria to select the relevant downloads and then download the updates to a location on their internal network.

An enhancement in products in the Windows Server 2003 family enables you to select updates that you plan to deploy later, which means that you can control how and when the updates are deployed. For additional information, see information about Windows Update on the Microsoft Web site at:

https://windowsupdate.microsoft.com/

Microsoft Software Update Services (SUS)

Microsoft Software Update Services (SUS) is a version of Windows Update designed for installation inside the boundary defined by an organization's firewall. This feature is very useful for organizations that:

  • Do not want their systems or users connecting to an external Web site

  • Want to first test these updates before deploying them throughout their organizations

Microsoft Software Update Services enables administrators to quickly and reliably deploy critical updates to servers running Windows Server 2003 and Windows 2000 Server as well as desktop computers running Windows XP Professional and Windows 2000 Professional.

For more information about software update services, see the Microsoft Web site at:

https://go.microsoft.com/fwlink/?LinkId=29906

Overview: Using Windows Update and Automatic Updates in a Managed Environment

As an administrator, you can use Group Policy to block the use of Windows Update or to specify an internal server for Automatic Updates to use when searching for updates. You can also disable Automatic Updates using Control Panel or using the Group Policy Administrative template, Wuau.adm. Details on the methods and procedures for controlling these features are described in the following subsections.

How Windows Update and Automatic Updates Communicate with Sites on the Internet

This subsection summarizes the communication process.

  • Specific information sent or received: Drivers and replacement files (critical updates, Help files, and Internet products) may be downloaded to the user’s computer. The computer is uniquely identified and is logged in the download and installation success report, but the user is not uniquely identified.

  • Data storage and access: Windows Update tracks the total number of unique computers that visit the Windows Update Web site. The success or failure of downloading and installing updates is also recorded but no personally identifiable information is recorded as part of this. This information is stored on servers at Microsoft with limited access that are located in controlled facilities. No other information collected during a Windows Update session is retained past the end of the session.

    For more information, see "Privacy," later in this list.

    Note   If you want to block the use of the Windows Update Web site, you can apply Group Policy settings to specify an internal server for updates and for storing upload statistics. For more information, see "Procedures for Controlling Windows Update and Automatic Updates."

  • Default and recommended settings: By default, Windows XP allows access to the Windows Update Web site. Recommended settings are described in the next subsection, "Controlling Windows Update and Automatic Updates to Limit the Flow of Information to and from the Internet."

  • Triggers: The user controls whether to run Windows Update. If Automatic Updates is enabled following setup, it is triggered about once per day when there is an Internet connection.

  • User notification:

    • Windows Update Web site: Users control whether to go to the Windows Update Web site to download files to their computers.

    • Automatic Updates: The way that Automatic Updates notifies the user depends on how Automatic Updates is configured. For more information, see “Automatic Updates,” earlier in this section.

      Note   For information about configuring Automatic Updates, see “To Configure or Disable Automatic Updates Using Control Panel on a Computer Running Windows XP SP2,” later in this section.

  • Logging: Automatic Updates logs events to the event log.

  • Encryption: Initial data is transferred using HTTPS, and updates are transferred using HTTP. The data packages downloaded to the user’s system by Microsoft are digitally signed.

  • Privacy: To view the privacy statement for Windows Update, see the Windows Update Web site, and click Read our privacy statement. The Windows Update Web site is located at:

    https://windowsupdate.microsoft.com/

    Automatic Updates is covered by the same privacy statement that covers Windows Update.

  • Transmission protocols and ports: The transmission protocols and ports used are HTTP 80 and HTTPS 443.

  • Ability to disable: You can use Group Policy to prevent the operating system from being updated through Windows Update, to prevent access to Windows Update commands, or both. You can use Group Policy to specify an internal server to use for Automatic Updates. You can disable Automatic Updates using Control Panel tools or Group Policy. Procedures for these methods are given at the end of this section.

Controlling Windows Update and Automatic Updates to Limit the Flow of Information to and from the Internet

The recommended methods for controlling Windows Update, Automatic Updates, or both are as follows.

Important   When using these methods, also control the type of accounts that people log on with. If an account does not allow software to be installed (for example, if the account is a user account), only one option for Automatic Updates will function while that person is logged on. That option is to automatically download and install updates, which means that updates are installed on the user’s computer at a regularly scheduled time, regardless of what type of account the user has, or whether the user is logged on at the time.

  • You can use Group Policy settings to disable both Windows Update and Automatic Updates.

    • To disable Windows Update and Automatic Updates by preventing the operating system from being updated through Windows Update, configure Turn off access to all Windows Update features in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings.

    • To disable Windows Update and Automatic Updates by preventing access to Windows Update commands, configure Remove links and access to Windows Update in User Configuration\Administrative Templates\Start Menu and Taskbar.

  • You can use Group Policy to configure Automatic Updates so that instead of searching the Windows Update Web site, Automatic Updates searches your internal server for updates.

    To do this, configure Specify intranet Microsoft update service location in Computer Configuration\Administrative Templates\Windows Components\Windows Update. The server you specify in this setting must be one on which you are running Software Update Services.

  • You can use Group Policy settings in the Administrative template Wuau.adm to selectively disable Automatic Updates.

    To do this, disable Configure Automatic Updates in Computer Configuration\Administrative Templates\Windows Components\Windows Update.

You can also configure Automatic Updates on individual computers by using Control Panel. For a description of the options available through Control Panel, see “Automatic Updates,” earlier in this section.

How Disabling Windows Update and Automatic Updates Can Affect Users and Applications

The following list shows the effects of two Group Policy settings, both of which prevent the use of Windows Update and Automatic Updates.

  • Turn off access to all Windows Update features: This Group Policy setting is located in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings.

    When you enable this setting, the operating system cannot be updated through Windows Update, and Automatic Updates is disabled. Users or administrators can still perform actions such as clicking the Windows Update option on the Start menu, and the Windows Update Web site will appear in the browser. However, it will not be possible to update the operating system through Windows Update, regardless of the type of account being used to log on.

  • Remove links and access to Windows Update: This Group Policy setting is located in User Configuration\Administrative Templates\Start Menu and Taskbar. When you enable this setting, users will not be able to access the Windows Update Web site from any of the following locations:

    • The Windows Update option on the Start menu

    • The Tools menu in Microsoft Internet Explorer

    • The Windows Update button in Add New Programs (Add New Programs is in Control Panel under Add or Remove Programs)

    Enabling this setting also disables Automatic Updates notifications—that is, the user for which this policy setting is enabled will neither be notified about nor receive critical updates from Windows Update.

Removing end-user access to Windows Update also prevents Device Manager from automatically installing driver updates from the Windows Update Web site. For more information about controlling Device Manager, see the section of this white paper titled "Device Manager and Hardware Wizards."

Blocking Windows Update and Automatic Updates will not block applications from running.

The Windows Update site is located at:

https://windowsupdate.microsoft.com/

Procedures for Controlling Windows Update and Automatic Updates

This subsection provides procedures for the following:

  • Configuring or disabling Automatic Updates by using Group Policy.

  • Preventing the operating system from being updated through Windows Update by using Group Policy. With this policy, commands for accessing Windows Update are visible and the Windows Update site can be viewed through the browser, although Windows Update cannot be used.

  • Turning off access to Windows Update commands and to Automatic Updates by using Group Policy.

  • Specifying an internal server for Windows Update by using Group Policy.

  • Configuring or disabling Automatic Updates using Control Panel on a computer running Windows XP SP2.

To Configure or Disable Automatic Updates Using Group Policy

  1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates," for information about using Group Policy. Ensure that your Administrative templates have been updated (specifically, Wuau.adm), and then edit an appropriate GPO.

  2. Click Computer Configuration, click Administrative Templates, click Windows Components, and then click Windows Update.

  3. In the details pane, double-click Configure Automatic Updates.

  4. Select Not Configured, Enabled, or Disabled. If you choose Enabled, choose from the available settings, which are equivalent to the Control Panel settings described in “Automatic Updates,” earlier in this section.

    Note   Disabling this setting disables Automatic Updates but does not block access to Windows Update.

To Prevent the Operating System from Being Updated Through Windows Update by Using Group Policy

  1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates," for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.

  2. Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings.

  3. In the details pane, double-click Turn off access to all Windows Update features.

    Important   This policy also disables Automatic Updates.
    You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration\Administrative Templates\System\Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."

To Turn Off Access to Windows Update Commands by Using Group Policy

  1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO.

  2. Click User Configuration, click Administrative Templates, and then click Start Menu and Taskbar.

  3. In the details pane, double-click Remove links and access to Windows Update.

    Important   This policy also disables Automatic Updates.

To Specify an Internal Server for Windows Update Using Group Policy

  1. As needed, see Appendix B, "Learning About Group Policy and Updating Administrative Templates," and then edit an appropriate GPO.

  2. Click Computer Configuration, click Administrative Templates, click Windows Components, and then click Windows Update.

  3. In the details pane, double-click Specify intranet Microsoft update service location and then click Enabled.

  4. Specify the name of the internal server to function as the update server, and specify the name of the server to store upload statistics.

    Important   You must specify an upgrade server and a server to store upload statistics, but they can be the same server. The server you specify as the upgrade server must be one on which you are running Software Update Services.
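
A read-only check that the Group Policy settings from the procedures above have reached a computer, as an added example that is not part of the original white paper. The registry paths and value names (NoAutoUpdate, AUOptions, UseWUServer, WUServer, WUStatusServer, DisableWindowsUpdateAccess, NoWindowsUpdate) do not appear in this section; they are assumed to be where these policy settings are stored, and PowerShell is assumed to be installed on the computer.

```powershell
# Added example: read-only report of the Group Policy settings from this section.
# Assumption: the registry paths and value names below are where these policy
# settings are stored; none of them appear in the original text.
$wu       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au       = "$wu\AU"
# Per-user policy: run the script as the user whose settings you are checking.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (setting is Not Configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-EnabledText($Value) {
    if ($Value -eq 1) { 'Enabled' } else { 'Not enabled' }
}

# AUOptions values mapped to the option names used in "Automatic Updates".
$optionNames = @{
    2 = 'Notification only'
    3 = 'Automatic download only'
    4 = 'Automatic download and installation of updates'
}

$noAuto = Get-PolicyValue $au 'NoAutoUpdate'
$option = Get-PolicyValue $au 'AUOptions'
$useWU  = Get-PolicyValue $au 'UseWUServer'
$server = Get-PolicyValue $wu 'WUServer'
$status = Get-PolicyValue $wu 'WUStatusServer'

# Configure Automatic Updates: Not Configured, Disabled, or Enabled with an option.
if ($null -eq $noAuto) {
    $auState = 'Not Configured'
} elseif ($noAuto -eq 1) {
    $auState = 'Disabled'
} elseif ($null -ne $option -and $optionNames.ContainsKey([int]$option)) {
    $auState = 'Enabled: ' + $optionNames[[int]$option]
} else {
    $auState = "Enabled, but AUOptions is missing or unrecognized ($option)"
}

# Specify intranet Microsoft update service location: both servers are required.
if ($useWU -eq 1 -and $server -and $status) {
    $source = "Internal server $server (upload statistics: $status)"
} elseif ($useWU -eq 1 -or $server -or $status) {
    $source = 'Incomplete: UseWUServer, WUServer and WUStatusServer are not all set'
} else {
    $source = 'Not Configured (Automatic Updates searches the Windows Update Web site)'
}

$report = New-Object PSObject
$report | Add-Member NoteProperty 'Configure Automatic Updates' $auState
$report | Add-Member NoteProperty 'Intranet update service location' $source
$report | Add-Member NoteProperty 'Turn off access to all Windows Update features' `
    (Get-EnabledText (Get-PolicyValue $wu 'DisableWindowsUpdateAccess'))
$report | Add-Member NoteProperty 'Remove links and access to Windows Update' `
    (Get-EnabledText (Get-PolicyValue $explorer 'NoWindowsUpdate'))
$report | Format-List
```

Run it after Group Policy has refreshed on the computer; it changes nothing and only reads the policy values.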

To Configure or Disable Automatic Updates Using Control Panel on a Computer Running Windows XP SP2

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click Automatic Updates.

  3. Choose from the available options, which are described in “Automatic Updates,” earlier in this section.