Windows Update, Automatic Updates, and Internet Communication
Applies To: Windows Server 2003 with SP1
This section provides information about the following:
The benefits of Windows Update and Automatic Updates
How Windows Update and Automatic Updates communicate with sites on the Internet
How to control Windows Update and Automatic Updates to limit the flow of information to and from the Internet
Important
This section describes methods for controlling the way the Automatic Updates component interacts with the Windows Update Web site. To control the way Automatic Updates interacts with Windows Update, also control the type of accounts that people log on with. If an account does not allow software to be installed (for example, if the account is a user account), only one option for Automatic Updates will function while that person is logged on. That option is the automatic download and installation of updates, which means that updates are installed on the computer at a regularly scheduled time, regardless of what type of account the person who uses the computer has, or whether that person is logged on at the time.
Benefits and Purposes of Windows Update and Automatic Updates
Windows Update
Windows Update is an online catalog that can be used to support computers running Microsoft Windows operating systems, including Windows Server 2003 with Service Pack 1 (SP1). The catalog contains items such as drivers, critical updates, Help files, and Internet products. Windows Update scans the computer and provides a tailored selection of updates that apply only to the software and hardware on that specific computer. Windows Update then enables you to choose updates for your computer's operating system and hardware. New content is added to the Windows Update Web site regularly, so you can always get the most recent and secure updates and solutions.
Windows Update contains two key components:
Web site control: The Windows Update Web site includes an ActiveX Web control program that downloads and installs updates. The Windows Update team receives feedback from their customers on how to improve their Web site, and responds by periodically updating the Web control. The newest version of the Web control program is downloaded automatically when you visit the Windows Update site or when any of the other Windows features calls on the Windows Update control. As with downloading any ActiveX control, you may receive a security dialog box stating that a Web control is attempting to install. You may not receive the dialog box if you have selected to always trust Microsoft as a content provider (using security settings in Microsoft Internet Explorer). If you do not click Yes on the security dialog box, the control will not be updated and you will not be able to access the Windows Update site.
Updates: As needed, you can access the Windows Update Web site and select component updates to download and install. You control the downloading and installation of the updates. The Windows Update Web site is located at:
Automatic Updates
Automatic Updates is not enabled by default. The person who installs the operating system is prompted to enable this option following setup. When Automatic Updates is configured so that updates automatically download and install, the person who uses the computer does not need to visit special Web pages or remember to periodically check for new updates. Automatic Updates can be configured to use one of the following options:
Automatic download and installation of updates: Windows Server 2003 downloads and installs updates automatically on a schedule specified by an administrator of the computer. Updates are installed regardless of what type of account the person who uses the computer has, or whether that person is logged on at the time.
Automatic download only: Windows Server 2003 automatically starts the download whenever it finds updates available for the computer. The updates are downloaded in the background, enabling you to continue working uninterrupted. After the download is complete, if you are logged on as an administrator, an icon in the notification area will prompt you that the updates are ready to be installed.
Notification only: Windows Server 2003 sends a notification after which an administrator of the computer can respond by downloading and installing any updates.
Turn off Automatic Updates: It is left to you to go to the Windows Update Web site and download updates from time to time.
An administrator can decline a specific update that has been downloaded. The administrator can download those declined files again by opening the Performance and Maintenance category in Control Panel, clicking the System tool, clicking the Automatic Updates tab, and then clicking Offer updates again that I’ve previously hidden. If any of the previously declined updates can still be applied to the computer, those updates will appear the next time that Windows Server 2003 notifies the administrator of available updates.
For more information about using Control Panel to configure Automatic Updates, see "Procedures for Controlling Windows Update and Automatic Updates," later in this section.
Alternatives to Windows Update and Automatic Updates
For managed environments, there are several alternatives to Windows Update:
Windows Update Catalog Web site
Microsoft Software Update Services (SUS)
Distribution software, such as Microsoft Systems Management Server, that can be used to distribute software updates
For more information, see the documentation for your distribution software, and see Appendix A: Resources for Learning About Automated Installation and Deployment, especially the "Related Documentation and Links" subsection in that appendix.
Windows Update Catalog Web Site
By using the Windows Update Catalog site, you can use your own software distribution tools to deploy updates to Windows in a managed environment without requiring users to connect to the Windows Update Web site. The Windows Update Catalog site provides a comprehensive catalog of updates that can be distributed over a managed network. It provides a single location for Windows Update content and drivers that display the Designed for Windows logo. Administrators can search the site using keywords or predefined search criteria to select the relevant downloads and then download the updates to a location on their internal network.
An enhancement in products in the Windows Server 2003 family enables you to select updates that you plan to deploy later, which means that you can control how and when the updates are deployed. For additional information, see information about Windows Update on the Microsoft Web site at:
https://windowsupdate.microsoft.com/
Microsoft Software Update Services (SUS)
Microsoft Software Update Services (SUS) is a version of Windows Update designed for installation inside the boundary defined by an organization's firewall. This feature is very useful for organizations that:
Do not want their systems or users connecting to an external Web site
Want to first test these updates before deploying them throughout their organizations
Microsoft Software Update Services enables administrators to quickly and reliably deploy critical updates to servers running Windows Server 2003 and Windows 2000 Server as well as desktop computers running Windows XP Professional and Windows 2000 Professional.
For more information about Software Update Services and updated versions of Software Update Services, see the Microsoft Web site at:
https://go.microsoft.com/fwlink/?LinkId=29906
Overview: Using Windows Update and Automatic Updates in a Managed Environment
As an administrator, you can use Group Policy to block the use of Windows Update or to specify an internal server for Automatic Updates to use when searching for updates. You can also disable Automatic Updates using Control Panel or using the Group Policy Administrative template, Wuau.adm. Details on the methods and procedures for controlling these features are described in the following subsections.
How Windows Update and Automatic Updates Communicate with Sites on the Internet
This subsection summarizes the communication process.
Specific information sent or received: Drivers and replacement files (critical updates, Help files, and Internet products) may be downloaded to the computer. The computer is uniquely identified and is logged in the download and installation success report, but the person using the computer is not uniquely identified.
Data storage and access: Windows Update tracks the total number of unique computers that visit the Windows Update Web site. The success or failure of downloading and installing updates is also recorded but no personal information, such as user name or e-mail address, is recorded as part of this. The information that is recorded is stored on servers at Microsoft with limited access that are located in controlled facilities.
For more information, see "Privacy," later in this list.
Note
If you want to block the use of the Windows Update Web site, you can apply Group Policy settings to specify an internal server for updates and for storing upload statistics. For more information, see "Procedures for Controlling Windows Update and Automatic Updates."
Default and recommended settings: By default, Windows Server 2003 allows access to the Windows Update Web site. Recommended settings are described in the next subsection, "Controlling Windows Update and Automatic Updates to Limit the Flow of Information to and from the Internet."
Triggers: You control whether to run Windows Update. If Automatic Updates is enabled following setup, it is triggered about once per day when there is an Internet connection.
User notification:
Windows Update Web site: You control whether to go to the Windows Update Web site to download files to your computers.
Automatic Updates: The way that Automatic Updates notifies you depends on how Automatic Updates is configured. For more information, see "Automatic Updates," earlier in this section.
Note
For information about configuring Automatic Updates, see "To Configure or Disable Automatic Updates Using Control Panel on a Computer Running Windows Server 2003 with SP1," later in this section.
Logging: Automatic Updates logs events to the event log.
Encryption: Initial data is transferred using HTTPS, and updates are transferred using HTTP. The data packages downloaded to the system by Microsoft are digitally signed.
Privacy: To view the privacy statement for Windows Update, see the Windows Update Web site, and click Windows Update Privacy Statement. The Windows Update Web site is located at:
https://windowsupdate.microsoft.com/
Automatic Updates is covered by the same privacy statement that covers Windows Update.
Transmission protocols and ports: The transmission protocols and ports used are HTTP 80 and HTTPS 443.
Ability to disable: You can use Group Policy to prevent the operating system from being updated through Windows Update, to prevent access to Windows Update commands, or both. You can use Group Policy to specify an internal server to use for Automatic Updates. You can disable Automatic Updates using Control Panel tools or Group Policy. Procedures for these methods are given at the end of this section.
Controlling Windows Update and Automatic Updates to Limit the Flow of Information to and from the Internet
The recommended methods for controlling Windows Update, Automatic Updates, or both are as follows.
Important
When using these methods, also control the type of accounts that people log on with. If an account does not allow software to be installed (for example, if the account is a user account), only one option for Automatic Updates will function while that person is logged on. That option is the automatic download and installation of updates, which means that updates are installed on the computer at a regularly scheduled time, regardless of what type of account the person who uses the computer has, or whether that person is logged on at the time.
You can use Group Policy settings to disable both Windows Update and Automatic Updates.
To disable Windows Update and Automatic Updates by preventing the operating system from being updated through Windows Update, configure Turn off access to all Windows Update features in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings.
To disable Windows Update and Automatic Updates by preventing access to Windows Update commands, configure Remove links and access to Windows Update in User Configuration\Administrative Templates\Start Menu and Taskbar.
You can use Group Policy to configure Automatic Updates so that instead of searching the Windows Update Web site, Automatic Updates searches your internal server for updates.
To do this, configure Specify intranet Microsoft update service location in Computer Configuration\Administrative Templates\Windows Components\Windows Update. The server you specify in this setting must be one on which you are running Software Update Services or an updated version of Software Update Services.
You can use Group Policy settings in the Administrative template Wuau.adm to selectively disable Automatic Updates.
To do this, disable Configure Automatic Updates in Computer Configuration\Administrative Templates\Windows Components\Windows Update.
You can also configure Automatic Updates on individual computers by using Control Panel. For a description of the options available through Control Panel, see "Automatic Updates," earlier in this section.
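Added example (not part of the original Microsoft documentation): one way to confirm that these controls are taking effect is to audit outbound proxy logs for clients that still contact the Windows Update Web site on HTTP 80 or HTTPS 443 instead of the internal update server. The log format, client addresses, request paths, and the internal server name sus01.corp.example are assumptions constructed for this illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

WINDOWS_UPDATE_HOST = "windowsupdate.microsoft.com"  # site named in this section
UPDATE_PORTS = {80, 443}                             # HTTP 80 and HTTPS 443
INTERNAL_UPDATE_HOST = "sus01.corp.example"          # hypothetical internal SUS server

# Constructed sample lines: "<timestamp> <client> <method> <target> <status>"
SAMPLE_LOG = """\
2005-06-01T02:00:11 10.0.0.21 CONNECT windowsupdate.microsoft.com:443 200
2005-06-01T02:00:15 10.0.0.21 GET http://windowsupdate.microsoft.com/constructed/update.cab 200
2005-06-01T02:03:40 10.0.0.22 GET http://sus01.corp.example/constructed/update.cab 200
2005-06-01T02:05:02 10.0.0.23 CONNECT WindowsUpdate.Microsoft.com.:443 403
2005-06-01T02:06:19 10.0.0.24 GET http://www.example.org/ 200
this line is truncated
"""

def parse_target(method, target):
    """Return (host, port) for a proxy request target, or None if unparseable."""
    if method == "CONNECT":  # HTTPS tunnel: the target is host:port, no scheme
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            return None
        return host.lower().rstrip("."), int(port)
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:       # non-numeric or out-of-range port
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.hostname.rstrip("."), port

def audit(log_text):
    """Count, per client, direct Windows Update requests and internal-server requests."""
    report = {"direct_allowed": Counter(), "direct_blocked": Counter(),
              "internal": Counter(), "malformed": 0}
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        parsed = parse_target(fields[2], fields[3]) if len(fields) == 5 else None
        if parsed is None or not fields[4].isdigit():
            report["malformed"] += 1
            continue
        client, (host, port), status = fields[1], parsed, int(fields[4])
        if host == WINDOWS_UPDATE_HOST and port in UPDATE_PORTS:
            # A 4xx/5xx status means the proxy refused it, but the client still tried.
            key = "direct_allowed" if status < 400 else "direct_blocked"
            report[key][client] += 1
        elif host == INTERNAL_UPDATE_HOST:
            report["internal"][client] += 1
    return report

def noncompliant_clients(report):
    """Clients that attempted the public site, whether or not the proxy allowed it."""
    return sorted(set(report["direct_allowed"]) | set(report["direct_blocked"]))

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print(noncompliant_clients(result), "malformed lines:", result["malformed"])
```

A client that appears only under direct_blocked is being stopped at the proxy but has not yet received the Group Policy setting, so it is worth checking which GPO applies to it.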
How Disabling Windows Update and Automatic Updates Can Affect Users or Administrators and Applications
The following list shows the effects of two Group Policy settings, both of which prevent the use of Windows Update and Automatic Updates.
Turn off access to all Windows Update features: This Group Policy setting is located in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings.
When you enable this setting, the operating system cannot be updated through Windows Update, and Automatic Updates is disabled. Users or administrators can still perform actions such as clicking the Windows Update option on the Start menu, and the Windows Update Web site will appear in the browser. However, it will not be possible to update the operating system through Windows Update, regardless of the type of account being used to log on.
Remove links and access to Windows Update: This Group Policy setting is located in User Configuration\Administrative Templates\Start Menu and Taskbar. When you enable this setting, you will not be able to access the Windows Update Web site from any of the following locations:
The Windows Update option on the Start menu
The Tools menu in Microsoft Internet Explorer
The Windows Update button in Add New Programs (Add New Programs is in Control Panel under Add or Remove Programs)
Enabling this setting also disables Automatic Updates notifications—that is, the user for which this policy setting is enabled will neither be notified about nor receive critical updates from Windows Update.
Removing access to Windows Update also prevents Device Manager from automatically installing driver updates from the Windows Update Web site. For more information about controlling Device Manager, see the section of this white paper titled Device Manager, Hardware Wizards, and Internet Communication.
Blocking Windows Update and Automatic Updates will not block applications from running.
The Windows Update site is located at:
https://windowsupdate.microsoft.com/
Procedures for Controlling Windows Update and Automatic Updates
This subsection provides procedures for the following:
Configuring or disabling Automatic Updates by using Group Policy.
Preventing the operating system from being updated through Windows Update by using Group Policy. With this policy, commands for accessing Windows Update are visible and the Windows Update site can be viewed through the browser, although Windows Update cannot be used.
Turning off access to Windows Update commands and to Automatic Updates by using Group Policy.
Specifying an internal server for Windows Update by using Group Policy.
Configuring or disabling Automatic Updates using Control Panel on a computer running Windows Server 2003 SP1.
To Configure or Disable Automatic Updates Using Group Policy
See Appendix B: Resources for Learning About Group Policy, for information about using Group Policy. Ensure that your Administrative templates have been updated (specifically, Wuau.adm), and then edit an appropriate GPO.
Click Computer Configuration, click Administrative Templates, click Windows Components, and then click Windows Update.
In the details pane, double-click Configure Automatic Updates.
Select Not Configured, Enabled, or Disabled. If you choose Enabled, choose from the available settings, which are equivalent to the Control Panel settings described in "Automatic Updates," earlier in this section.
Note
Disabling this setting disables Automatic Updates but does not block access to Windows Update.
To Prevent the Operating System from Being Updated Through Windows Update by Using Group Policy
See Appendix B: Resources for Learning About Group Policy, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.
Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings.
In the details pane, double-click Turn off access to all Windows Update features.
Important
This policy also disables Automatic Updates. You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration\Administrative Templates\System\Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Key.
To Turn Off Access to Windows Update Commands by Using Group Policy
As needed, see Appendix B: Resources for Learning About Group Policy, and then edit an appropriate GPO.
Click User Configuration, click Administrative Templates, and then click Start Menu and Taskbar.
In the details pane, double-click Remove links and access to Windows Update.
Important
This policy also disables Automatic Updates.
To Specify an Internal Server for Windows Update Using Group Policy
As needed, see Appendix B: Resources for Learning About Group Policy, and then edit an appropriate GPO.
Click Computer Configuration, click Administrative Templates, click Windows Components, and then click Windows Update.
In the details pane, double-click Specify intranet Microsoft update service location and then click Enabled.
Specify the name of the internal server to function as the update server, and specify the name of the server to store upload statistics.
Important
You must specify an upgrade server and a server to store upload statistics, but they can be the same server. The server you specify as the upgrade server must be one on which you are running Software Update Services or an updated version of Software Update Services.
To Configure or Disable Automatic Updates Using Control Panel on a Computer Running Windows Server 2003 with SP1
Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.
Double-click Automatic Updates.
Choose from the available options, which are described in "Automatic Updates," earlier in this section.