Windows Update, Automatic Updates, and Internet Communication (Windows Server 2003)

Applies To: Windows Server 2003 with SP1

This section provides information about:

  • The benefits of Windows Update and Automatic Updates

  • How Windows Update and Automatic Updates communicate with sites on the Internet

  • How to control Windows Update and Automatic Updates to limit the flow of information to and from the Internet

Important

This section describes methods for controlling the way the Automatic Updates component interacts with the Windows Update Web site. One basic way, however, of controlling whether a particular person can install software (including software updates) on a particular computer is to control the type of account that the person has. If the account does not allow the person to install software (for example, if the account is a user account), the person will not be able to use Automatic Updates to install software while logged on with that account.

Benefits and Purposes of Windows Update and Automatic Updates

Windows Update

Windows Update is an online catalog customized for computers running a product in the Microsoft Windows Server 2003 family that consists of items such as drivers, critical updates, Help files, and Internet products. Windows Update scans the user’s computer and provides a tailored selection of updates that apply only to the software and hardware on that specific computer. Windows Update then enables users to choose updates for their computer's operating system and hardware. New content is added to the Windows Update Web site regularly, so users can always get the most recent and secure updates and solutions.

Windows Update contains two key components:

  • Content update: Content updates occur when the user accesses the Windows Update Web site and selects component updates to download and install. The user is fully aware of downloads to the computer. The Windows Update Web site is located at:

    https://windowsupdate.microsoft.com/

  • Web service control update: The Windows Update Web service includes an ActiveX Web control program that downloads and installs the content updates. The Windows Update team receives feedback from customers on how to improve the Web service, and the Windows Update service control is changed to reflect that feedback. To give customers access to the new content and services they need, the Web controls are updated periodically. This service automatically downloads a new version of the Web control program when the user visits the Windows Update site or when any other Windows feature calls on the Windows Update control. As with downloading any ActiveX control, the user may see a security dialog box stating that a Web control is attempting to install. Users may not see the dialog box if they have chosen to always trust Microsoft as a content provider (using their security settings in Microsoft Internet Explorer). If users do not click Yes in the security dialog box, the control will not be updated and they will not be able to access the Windows Update site.

Automatic Updates

This option for updating a computer allows for updates without interrupting the user’s Web experience. Automatic Updates is not enabled by default; users are prompted to enable this option following setup. When Automatic Updates is enabled, users do not need to visit special Web pages or remember to periodically check for new updates. An icon appears in the notification area each time new updates are available. Updates can be downloaded in the background with minimal impact on the user’s network connections. Once the update is downloaded, operating systems in the Windows Server 2003 family prompt the user to install it. Users can set Automatic Updates options in one of three ways to control how and when they want the operating system to update their computers. They can:

  • Choose to have the operating system send a notification before downloading and installing any updates.

  • Choose to have the operating system download and install updates automatically on a schedule that they specify.

  • Choose to have the operating system send a notification whenever it finds updates available for their computers; the operating system will then download the updates in the background, enabling users to continue working uninterrupted. After the download is complete, an icon in the notification area will prompt users that the updates are ready to be installed.

Users can choose not to install a specific update that has been downloaded; in that case, the operating system will delete those files from the computer. Users can download those deleted files again by opening System in Control Panel, clicking the Automatic Updates tab, and then clicking Declined Updates. If any of the updates users previously declined can still be applied to their computers, they will appear the next time an operating system in the Windows Server 2003 family notifies those users of available updates.

Alternatives to Windows Update and Automatic Updates

For managed environments, there are several alternatives to Windows Update:

Windows Update Catalog Web Site

You can deploy updates to Windows in a managed environment without requiring users to connect to the Windows Update Web site by using the Windows Update Catalog site. This site provides a comprehensive catalog of updates that can be distributed over a managed network. It provides a single location for Windows Update content and drivers that display the Designed for Windows logo. Administrators can search the site using keywords or predefined search criteria to select the relevant downloads and then to download the updates to a location on their internal network.

An enhancement in products in the Windows Server 2003 family enables you to select updates that you plan to deploy later, which means you can control how and when the updates are deployed. For additional information, see information about Windows Update on the Microsoft Web site at:

https://windowsupdate.microsoft.com/

Microsoft Windows Server Update Services (WSUS)

Microsoft Windows Server Update Services (WSUS) is a version of Windows Update designed for installation inside an organization's firewall. This feature is very useful for organizations that:

  • Do not want their systems or users connecting to an external Web site

  • Want to first test these updates before deploying them throughout their organization

Microsoft Windows Server Update Services enables administrators to quickly and reliably deploy critical updates to their computers running Windows Server 2003 operating systems.

For more information about Windows Server Update Services and updated versions of Windows Server Update Services, see the Microsoft Web site at:

https://go.microsoft.com/fwlink/?LinkId=29906

Overview: Using Windows Update and Automatic Updates in a Managed Environment

Users have control over whether to enable Automatic Updates following setup and they also have direct control over accepting downloaded files from Windows Update. In a managed environment, however, it is unlikely that users will be allowed unlimited access to install updated drivers and other updated files; this function would normally be controlled in some fashion by the IT department. You can use Group Policy to block users from accessing Windows Update in the user interface or to specify an internal server for Windows Update to use when searching for updates. You can also disable Automatic Updates using Control Panel or Group Policy. Details on the methods and procedures for controlling these features are described in the following subsections.

How Windows Update and Automatic Updates Communicate with Sites on the Internet

This subsection summarizes the communication process:

  • Specific information sent or received: Drivers and replacement files (critical updates, Help files, and Internet products) may be downloaded to the user’s computer. The computer is uniquely identified and is logged in the download and installation success report, but the user is not uniquely identified.

  • Data storage and access: Windows Update tracks the total number of unique computers that visit the Windows Update Web site. The success or failure of downloading and installing updates is also recorded but no personally identifiable information is recorded as part of this. This information is stored on servers at Microsoft with limited access that are located in controlled facilities. No other information collected during a Windows Update session is retained past the end of the session.

    For more information, see "Privacy statement," later in this list.

    Note

    If you want to block the use of the Windows Update Web site, you can apply Group Policy settings to specify an internal server for updates and for storing upload statistics. For more information, see "Procedures for Disabling Windows Update and Automatic Updates."

  • Default and recommended settings: By default, operating systems in the Windows Server 2003 family provide access to the Windows Update Web site. Recommended settings are described in the next subsection, "Controlling Windows Update and Automatic Updates to Limit the Flow of Information to and from the Internet."

  • Triggers: The user controls whether to run Windows Update. If Automatic Updates is enabled following setup, it is triggered about once per day when there is an Internet connection.

  • User notification:

    • Windows Update: Users are notified when Windows Update downloads files to their computer, and they have control over whether to install those downloads.

    • Automatic Updates: Administrators can specify one of two notification settings for Automatic Updates:

      Notify users before downloading and installing any updates.

      Download the updates automatically and notify users when they are ready to be installed.

      Note

      Administrators can also specify that updates be automatically downloaded and installed following a set schedule without user notification. For more information about these settings, click the Learn more about automatic updating link on the Automatic Updates dialog box.

  • Logging: Automatic Updates logs events to the event log.

  • Encryption: The data is transferred using HTTPS. The data packages downloaded to the user’s system by Microsoft are digitally signed.

  • Privacy statement: To view the privacy statement for Windows Update, see the Windows Update Web site, and click Microsoft Update Privacy Statement. The Windows Update Web site is located at:

    https://windowsupdate.microsoft.com/

    Automatic Updates is covered by the same privacy statement that covers Windows Update.

  • Transmission protocols and ports: The transmission protocols and ports used are HTTP 80 and HTTPS 443.

  • Ability to disable: You can use Group Policy to remove user access to Windows Update in the user interface. You can use Group Policy to specify an internal server to use for Windows Update and block it from searching the Windows Update Web site. You can disable Automatic Updates using Control Panel tools or Group Policy. Procedures for these methods are given at the end of this section.

Controlling Windows Update and Automatic Updates to Limit the Flow of Information to and from the Internet

The recommended methods for controlling Windows Update, Automatic Updates, or both are as follows:

  • You can use Group Policy settings to control Windows Update and Automatic Updates by removing end user access to Windows Update.

  • You can block Windows Update from searching the Windows Update Web site by using Group Policy settings to specify an internal server for updates.

  • You can use Control Panel or Group Policy settings to selectively disable Automatic Updates.

  • You can control both Windows Update and Automatic Updates by blocking HTTP port 80 or HTTPS port 443 or both at the firewall.

See the following table for more information about the configuration options.

Configuration settings for Windows Update and Automatic Updates

Automatic Updates

| Configuration tool | Setting | Result |
|---|---|---|
| Control Panel (Automatic Updates tool) | In the Automatic Updates dialog box, clear Keep my computer up to date. | Disables Automatic Updates. |
| Group Policy | Disable the Configure Automatic Updates policy setting in the Wuau.adm Group Policy template. For more information, see "Procedures for Disabling Windows Update and Automatic Updates," later in this section. | Disables Automatic Updates. |

Windows Update and Automatic Updates

| Configuration tool | Setting | Result |
|---|---|---|
| Firewall | Block HTTP port 80 or HTTPS port 443 or both. | Blocks Windows Update and Automatic Updates. |
| Group Policy | Enable the Remove access to use all Windows Update features policy setting in the Wuau.adm Group Policy template. For more information, see "Procedures for Disabling Windows Update and Automatic Updates," later in this section. | Blocks the user from accessing Windows Update in the user interface of operating systems in the Windows Server 2003 family. Also blocks Automatic Updates. |
| Group Policy | Enable the Specify intranet Microsoft update service location policy setting in the Wuau.adm Group Policy template. For more information, see "Procedures for Disabling Windows Update and Automatic Updates," later in this section. | Blocks Windows Update from searching for updates on the https://windowsupdate.microsoft.com Web site. Instead, Windows Update searches for updates on a specified internal server. |

How controlling Windows Update and Automatic Updates can affect users and applications

When you remove user access to Windows Update, Windows will still search for and download updates to the local computer. Users will not, however, be prompted to install downloaded updates, nor will they be able to access the Windows Update Web site from any of the following locations:

  • The Windows Update option on the Start menu

  • The Tools menu in Microsoft Internet Explorer

  • The Windows Update button in Add New Programs (Add New Programs is in Control Panel under Add or Remove Programs)

Removing user access to Windows Update also disables Automatic Updates; that is, the user for whom this policy setting is enabled will neither be notified about nor receive critical updates from Windows Update. Removing user access to Windows Update is a user-based, not system-based, policy; other users on the same computer will still receive critical updates unless this policy setting is also enabled for those users individually.

Removing end user access to Windows Update also prevents Device Manager from automatically installing driver updates from the Windows Update Web site. For more information about controlling Device Manager, see the section of this white paper titled "Device Manager."

Blocking Windows Update and Automatic Updates will not block applications from running.

The Windows Update site is located at:

https://windowsupdate.microsoft.com/

Procedures for Disabling Windows Update and Automatic Updates

This subsection provides procedures for the following configurations:

  • Specifying that Windows Update search an internal server, rather than the Windows Update Web site, for updates.

  • Removing user access to Windows Update by using Group Policy, which will also block Automatic Updates.

  • Disabling and configuring Automatic Updates by using Group Policy.

  • Disabling Automatic Updates by using Control Panel tools.

To specify an internal server for Windows Update using Group Policy

  1. Use the resources described in Appendix B: Resources for Learning About Group Policy (Windows Server 2003) to learn about Group Policy and the Group Policy Management Console. Apply Group Policy objects (GPOs) to an organizational unit, a domain, or a site, as appropriate for your situation.

  2. Click Computer Configuration, click Administrative Templates, click Windows Components, and then click Windows Update.

  3. In the details pane, double-click Specify intranet Microsoft update service location, supply the name of the internal server to function as the update server, and supply the name of the server to store upload statistics.

  4. Click Enabled.

Important

The upgrade server and the server you specify to store upload statistics can be the same server.

To remove user access to Windows Update using Group Policy

  1. Use the resources described in Appendix B: Resources for Learning About Group Policy (Windows Server 2003) to learn about Group Policy and the Group Policy Management Console. Apply Group Policy objects (GPOs) to an organizational unit, a domain, or a site, as appropriate for your situation.

  2. Click User Configuration, click Administrative Templates, click Windows Components, and then click Windows Update.

  3. In the details pane, double-click Remove access to use all Windows Update features, and then click Enabled.

Important

Removing user access to Windows Update also disables Automatic Updates.

To disable Automatic Updates using Group Policy

  1. Use the resources described in Appendix B: Resources for Learning About Group Policy (Windows Server 2003) to learn about Group Policy and the Group Policy Management Console. Apply Group Policy objects (GPOs) to an organizational unit, a domain, or a site, as appropriate for your situation.

  2. Click Computer Configuration, click Administrative Templates, click Windows Components, and then click Windows Update.

  3. In the details pane, double-click Configure Automatic Updates, and then click Disabled.
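
After applying the three Group Policy procedures above, a read-only check of what actually landed on a computer is useful, particularly because the access-removal setting is per user. The following is an added example, not part of the original Microsoft documentation; the registry paths and value names are assumptions about where these Wuau.adm policies are stored and do not appear on this page.

```powershell
# Added example: read-only audit of the Windows Update policy state on this computer.
# Assumption: these registry paths and value names are where the Wuau.adm policies
# are stored; they do not appear on this page.
$wuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey   = "$wuKey\AU"
$userKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is Not Configured.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

function Get-WindowsUpdatePolicyReport {
    $wuServer     = Get-PolicyValue $wuKey   'WUServer'
    $statusServer = Get-PolicyValue $wuKey   'WUStatusServer'
    $useWuServer  = Get-PolicyValue $auKey   'UseWUServer'
    $noAutoUpdate = Get-PolicyValue $auKey   'NoAutoUpdate'
    $noAccess     = Get-PolicyValue $userKey 'DisableWindowsUpdateAccess'

    # "Specify intranet Microsoft update service location"
    if ($wuServer -and $useWuServer -eq 1) {
        "Intranet update server: $wuServer (upload statistics: $statusServer)"
    } elseif ($wuServer) {
        # Half-applied state, e.g. after a manual registry edit instead of the GPO.
        "WARNING: WUServer=$wuServer but UseWUServer is not 1, so it is not used"
    } else {
        'Intranet update server: not configured'
    }

    # "Configure Automatic Updates" set to Disabled
    if ($noAutoUpdate -eq 1) {
        'Automatic Updates: disabled by computer policy'
    } else {
        'Automatic Updates: not disabled by computer policy'
    }

    # "Remove access to use all Windows Update features" is a user policy, so this
    # result describes only the account running the script.
    if ($noAccess -eq 1) {
        "Windows Update access: removed for $env:USERNAME"
    } else {
        "Windows Update access: not removed for $env:USERNAME"
    }
}

Get-WindowsUpdatePolicyReport
```

Run it once per account of interest: the first two results are computer-wide, while the last reflects only the logged-on user's policy.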

To disable Automatic Updates using Control Panel tools

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Click System, and then click the Automatic Updates tab.

  3. In the Automatic Updates dialog box, clear the Keep my computer up to date check box.