Windows Update and Resulting Internet Communication in Windows Vista

In This Section

Benefits and Purposes of Windows Update

Overview: Using Windows Update in a Managed Environment

How Automatic Updating Communicates Through the Internet

Controlling Automatic Updating and Access to Windows Update to Limit the Flow of Information to and from the Internet

Procedures for Controlling Automatic Updating and Access to Windows Update

Note

This section describes methods for controlling the way automatic updating interacts with the Windows Update Web site. As another way of controlling this, you can control the type of accounts that people log on with. If an account does not allow software to be installed (for example, if the account is a user account), only one option for automatic updating will function while that person is logged on. That option is the automatic download and installation of updates, which means that updates are installed on the user’s computer at a regularly scheduled time, regardless of what type of account the user has or whether the user is logged on at the time.

Benefits and Purposes of Windows Update

The Windows Update Web Site

The Windows Update Web site is an online catalog that can be used to support computers running Microsoft Windows operating systems, including Windows Vista. The catalog contains items such as drivers, critical updates, Help files, Windows Defender definition files, and Internet products. The update software built into Windows Vista can scan the user’s computer and, after communicating with the Windows Update Web site, create a tailored list of updates that apply only to the software and hardware on that specific computer. A person using Windows Update can then choose from the tailored list of updates. New content is added to the Windows Update Web site regularly so users can get the most recent and secure updates and solutions.

Windows Update and the Windows Genuine Advantage Program

Before a person can obtain non-critical software downloads for Windows Vista from the Microsoft Web site, that copy of Windows Vista must be validated as genuine. This includes downloads of non-critical software updates from the Windows Update Web site. When a person logged on as an administrator requests the first software download from the Microsoft Web site (whether downloading from Windows Update or another part of the Microsoft Web site), the person will see prompts for validating that copy of Windows Vista. After Windows Vista is validated as genuine, the download can be completed. The validation process is usually very short.

For details about the information sent and received during the validation process for genuine Windows, see the Microsoft Genuine Advantage privacy statement on the Microsoft Web site:

https://go.microsoft.com/fwlink/?LinkId=74328

For more information about genuine Windows, see the Genuine Windows page on the Microsoft Web site:

https://go.microsoft.com/fwlink/?LinkId=73073

Automatic Updating

This option for updating a computer allows for updates without interrupting the user’s Internet experience. When the computer is first started after installation of Windows Vista, prompts appear recommending steps that can help protect the computer, including enabling automatic updating settings that download and install updates automatically. With this configuration, the user does not need to visit special Web pages or remember to periodically check for new updates.

Automatic updating can be configured by an administrator of the computer. The available options are:

  • Install updates automatically: Windows Vista downloads and installs updates automatically on a schedule specified by an administrator of the computer. Updates are installed regardless of what type of account the user has or whether the user is logged on at the time.

  • Download updates but let me choose whether to install them: Windows Vista automatically starts the download whenever it finds updates available for the computer. The updates are downloaded in the background, enabling the user to continue working uninterrupted. After the download is complete, an icon in the notification area will prompt a user logged on as an administrator that the updates are ready to be installed.

  • Check for updates but let me choose whether to download and install them: Windows Vista sends a notification after which an administrator of the computer can respond by downloading and installing any updates.

  • Never check for updates: It is left to the user to go to Windows Update and download updates from time to time.

An administrator can decline a specific update that has been downloaded. The administrator can download those declined files again by opening Windows Update and then clicking Restore hidden updates. If any of the previously declined updates can still be applied to the computer, those updates will appear the next time that Windows Vista notifies the user of available updates.

For more information about configuring automatic updating on an individual computer running Windows Vista, see “Procedures for Controlling Automatic Updating and Access to Windows Update,” later in this section.

Alternatives to Automatic Updating and the Windows Update Web Site

For managed environments, there are several alternatives to using automatic updating with the Windows Update Web site:

  • Windows Update Catalog Web site

  • Windows Server Update Services (WSUS)

  • Systems management software, such as that available from Microsoft, that allows you to distribute software updates

Windows Update Catalog Web Site

By using the Windows Update Catalog site, you can learn about updates that are available and then use your own software distribution tools to deploy updates. The Windows Update Catalog site provides a single location for Windows Update software updates and drivers that display the Designed for Windows logo. The Windows Update Catalog Web site is at:

https://go.microsoft.com/fwlink/?LinkId=75160

Windows Server Update Services (WSUS)

Windows Server Update Services (WSUS) is a version of Windows Update designed for installation inside the boundary defined by an organization's firewall. This feature is very useful for organizations that:

  • Do not want their systems or users connecting to an external Web site.

  • Want to first test software updates before deploying them throughout their organizations.

With WSUS, administrators can quickly and reliably deploy critical updates to computers running Windows Vista, Windows Server 2003, Windows XP Professional, and other Windows operating systems.

For more information about WSUS, see the following pages on the Microsoft Web site:

Systems Management Software

You can use systems management software to distribute updates and manage multiple computers in an organization. For information about the systems management software available from Microsoft, see the Microsoft Web site at:

https://go.microsoft.com/fwlink/?LinkId=70683

Overview: Using Windows Update in a Managed Environment

As an administrator, you can use Group Policy to block access to the Windows Update Web site or to specify an internal server for automatic updating to use when it searches for updates. You can also disable automatic updating through the Windows interface or by using Group Policy. Details on the methods and procedures for controlling these features are described later in this section.

How Automatic Updating Communicates Through the Internet

This subsection summarizes the communication process.

  • Specific information sent or received: Windows Update collects basic information about the computer to identify which updates the computer needs and to improve the updating service. For more details, see the privacy statement on the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?LinkId=72162

    Drivers and replacement files (critical updates, Help files, and Internet products) may be downloaded to the user’s computer.

  • Data storage and access: The Windows Update Web site tracks the total number of unique computers that visit, and records whether updates were needed and which updates were applied. The success or failure of downloading and installing updates is also recorded. This information is stored on servers at Microsoft with limited access that are located in controlled facilities. For more details, see the privacy statement on the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?LinkId=72162

Note

If you want to block the use of the Windows Update Web site, you can apply Group Policy settings to specify an internal server for updates and for storing upload statistics. For more information, see "Procedures for Controlling Automatic Updating and Access to Windows Update," later in this section.

  • Default settings: By default, Windows Vista allows access to the Windows Update Web site. After setup of Windows Vista, prompts encourage the enabling of automatic updating.

  • Triggers: The user controls whether to download updates from the Windows Update Web site. If automatic updating is enabled following setup, it is triggered about once per day (assuming there is an Internet connection).

  • User notification:

    • Windows Update Web site: Users control whether to go to Windows Update to download files to their computers.

    • Automatic updating: The way that automatic updating notifies the user depends on how automatic updating is configured. For more information, see “Automatic Updating,” earlier in this section.

Note

For information about configuring automatic updating, see “To Disable or Configure Automatic Updating on a Computer Running Windows Vista,” later in this section.

  • Logging: Automatic updating logs events to the event log.

  • Encryption: Initial data is transferred using HTTPS, and updates are transferred using HTTP. The data packages downloaded to the user’s system by Microsoft are digitally signed.

  • Privacy: Automatic updating is covered by the same privacy statement that covers Windows Update. The privacy statement is on the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?LinkId=72162

  • Transmission protocols and ports: The transmission protocols and ports used are HTTP 80 and HTTPS 443.

  • Ability to disable: You can use Group Policy to prevent the operating system from being updated through the Windows Update Web site, to prevent access to Windows Update commands (on menus), or both. You can use Group Policy to specify an internal server to use for automatic updating. You can also disable automatic updating, by using the Windows interface or Group Policy. Procedures for these methods are explained at the end of this section.

Controlling Automatic Updating and Access to Windows Update to Limit the Flow of Information to and from the Internet

The recommended methods for controlling automatic updating, access to Windows Update, or both are as follows.

Important

When using these methods, you can also control the type of accounts that people log on with. If an account does not allow software to be installed (for example, if the account is a user account), only one option for automatic updating will function while that person is logged on. That option is to automatically download and install updates, which means that updates are installed on the user’s computer at a regularly scheduled time, regardless of what type of account the user has, or whether the user is logged on at the time.

  • You can use Group Policy settings to disable automatic updating by preventing the operating system from being updated through the Windows Update Web site.

    • To disable automatic updating by preventing the operating system from being updated through the Windows Update Web site, configure Turn off access to all Windows Update features in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings.

    • To prevent access to Windows Update commands (on menus), configure Remove links and access to Windows Update in User Configuration\Administrative Templates\Start Menu and Taskbar.

  • You can use Group Policy to configure automatic updating so that instead of searching the Windows Update Web site, automatic updating searches your internal server for updates.

    To do this, configure Specify intranet Microsoft update service location in Computer Configuration\Administrative Templates\Windows Components\Windows Update. The server you specify in this setting must be one on which you are running Windows Server Update Services (WSUS).

  • You can use Group Policy to selectively disable automatic updating.

    To do this, disable Configure Automatic Updates in Computer Configuration\Administrative Templates\Windows Components\Windows Update.

You can also configure automatic updating on an individual computer running Windows Vista by using the Windows interface. For a description of the options available through the Windows interface, see “Automatic Updating,” earlier in this section.

How Disabling Automatic Updating or Preventing Access to Windows Update Can Affect Users and Applications

The following list explains two Group Policy settings that affect automatic updating, access to Windows Update, or both.

  • Turn off access to all Windows Update features: This Group Policy setting is located in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings.

    When you enable this setting, the operating system cannot be updated through the Windows Update Web site, and automatic updating is disabled. Users or administrators can still perform actions such as clicking the Windows Update option on the Start menu. However, it will not be possible to update the operating system through the Windows Update Web site, regardless of the type of account being used to log on.

  • Remove links and access to Windows Update: This Group Policy setting is located in User Configuration\Administrative Templates\Start Menu and Taskbar. When you enable this setting, users will not be able to access the Windows Update Web site when they click the Check for updates command that can be reached in the Windows Update tool (part of Control Panel). The Windows Update tool can be reached in a variety of ways, including:

    • In Microsoft Internet Explorer, through the Tools/Windows Update command.

    • Through the Windows Update option on the Start menu or on Start/All Programs.

    • Through Start/Control Panel/Security/Windows Update.

    • Through Start/Control Panel/System and Maintenance/System (where the Windows Update command is on the left).

    Enabling Remove links and access to Windows Update also disables automatic updating notifications; that is, the user for which this policy setting is enabled will neither be notified about nor receive critical updates from the Windows Update Web site.

Preventing all access to the Windows Update Web site also prevents Device Manager from automatically installing driver updates from the Windows Update Web site. For more information about controlling Device Manager, see the section of this white paper titled Device Manager, Hardware Wizards, and Resulting Internet Communication in Windows Vista.

Blocking automatic updating and access to the Windows Update Web site will not block applications from running.

Procedures for Controlling Automatic Updating and Access to Windows Update

This subsection provides procedures for:

  • Configuring or disabling automatic updating by using Group Policy.

  • Preventing the operating system from being updated through Windows Update by using Group Policy.

  • Turning off access to Windows Update commands and to automatic updating by using Group Policy.

  • Specifying an internal server (instead of the Windows Update Web site) for software updates by using Group Policy.

  • Disabling or configuring automatic updating on an individual computer running Windows Vista.

To Disable or Configure Automatic Updating by Using Group Policy

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows Vista, and then edit an appropriate Group Policy object (GPO).

  2. Expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

  3. In the details pane, double-click Configure Automatic Updates.

  4. To disable automatic updating, select Disabled.

Note

Disabling this setting disables automatic updating but does not block access to Windows Update.

  5. To configure automatic updating, select Enabled, and then select from the available settings, which are equivalent to the Control Panel settings as shown in the following table:

| Setting in Control Panel | Setting in Group Policy When Policy Is Enabled |
|---|---|
| Any setting, except that automatic updating cannot be turned off | 5 - Allow local administrators to select |
| Install updates automatically | 4 - Auto download and schedule the install |
| Download updates but let me choose whether to install them | 3 - Auto download and notify for install |
| Check for updates but let me choose whether to download and install them | 2 - Notify for download and notify for install |

The Control Panel settings are described in more detail in “Automatic Updating,” earlier in this section.

To Prevent the Operating System from Being Updated Through Windows Update by Using Group Policy

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows Vista, and then edit an appropriate GPO.

  2. Expand Computer Configuration, expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.

  3. In the details pane, double-click Turn off access to all Windows Update features, and then click Enabled.

Important

This policy also disables automatic updating.

You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication policy setting, which is located in Computer Configuration\Administrative Templates\System\Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows Vista.

To Turn Off Access to Windows Update Commands by Using Group Policy

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows Vista, and then edit an appropriate GPO.

  2. Expand User Configuration, expand Administrative Templates, and then click Start Menu and Taskbar.

  3. In the details pane, double-click Remove links and access to Windows Update.

Important

This policy also disables automatic updating.

To Specify an Internal Server for Software Updates by Using Group Policy

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows Vista, and then edit an appropriate GPO.

  2. Expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

  3. In the details pane, double-click Specify intranet Microsoft update service location, and then click Enabled.

  4. Specify the name of the internal server to function as the update server, and specify the name of the server to store upload statistics.

Important

You must specify an upgrade server and a server to store upload statistics, but they can be the same server. The server you specify as the upgrade server must be one on which you are running Windows Server Update Services (WSUS).
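
To confirm on a client which of the Group Policy settings from the preceding procedures actually took effect, the following added example (not part of the original white paper) reads the policy values from the registry and reports them. The registry paths and value names are not stated on this page; they are the commonly documented locations these policies write to, and should be verified in your environment.

```powershell
# Added example: registry paths and value names are assumptions to verify locally.
$wu   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au   = "$wu\AU"
$user = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# Option numbers and labels from the Configure Automatic Updates table above.
$auLabels = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local administrators to select'
}

$noAuto   = Get-PolicyValue $au   'NoAutoUpdate'
$auOption = Get-PolicyValue $au   'AUOptions'
$useWsus  = Get-PolicyValue $au   'UseWUServer'
$wuServer = Get-PolicyValue $wu   'WUServer'
$wuStatus = Get-PolicyValue $wu   'WUStatusServer'
$blockAll = Get-PolicyValue $wu   'DisableWindowsUpdateAccess'
$noLinks  = Get-PolicyValue $user 'NoWindowsUpdate'   # per-user: current user only

$report = @()

if ($noAuto -eq 1) {
    $report += 'Configure Automatic Updates: Disabled (Windows Update itself is not blocked)'
} elseif ($null -ne $auOption -and $auLabels.ContainsKey([int]$auOption)) {
    $report += "Configure Automatic Updates: Enabled, $auOption - $($auLabels[[int]$auOption])"
} else {
    $report += 'Configure Automatic Updates: not configured'
}

# The policy requires both an update server and a statistics server.
if ($useWsus -eq 1 -and $wuServer -and $wuStatus) {
    $report += "Intranet update service: $wuServer (statistics: $wuStatus)"
} elseif ($useWsus -eq 1 -or $wuServer -or $wuStatus) {
    $report += 'Intranet update service: INCOMPLETE, update and statistics servers are both required'
} else {
    $report += 'Intranet update service: not configured'
}

$report += 'Turn off access to all Windows Update features: ' +
    $(if ($blockAll -eq 1) { 'Enabled' } else { 'not enabled' })
$report += 'Remove links and access to Windows Update (current user): ' +
    $(if ($noLinks -eq 1) { 'Enabled' } else { 'not enabled' })

# Each of these three settings also disables automatic updating, so flag it.
if ($noAuto -eq 1 -or $blockAll -eq 1 -or $noLinks -eq 1) {
    $report += 'REVIEW: automatic updating is off; confirm updates reach this computer another way'
}
$report
```

Run it in the context of the user being checked, because Remove links and access to Windows Update is a User Configuration setting and is read from that user's registry hive.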

To Disable or Configure Automatic Updating on a Computer Running Windows Vista

  1. While logged on with an administrator account, click Start, click All Programs, and then click Windows Update.

  2. Click Change settings.

  3. Choose from the available options, which are described in “Automatic Updating,” earlier in this section.