Windows Update and Resulting Internet Communication in Windows Server 2008
Applies To: Windows Server 2008
In This Section
Benefits and Purposes of Windows Update
Overview: Using Windows Update in a Managed Environment
How Automatic Updating Communicates Through the Internet
Controlling Automatic Updating and Access to Windows Update to Limit the Flow of Information to and from the Internet
Procedures for Controlling Automatic Updating and Access to Windows Update
Benefits and Purposes of Windows Update
The Windows Update Web Site
The Windows Update Web site is an online catalog that can be used to support computers running Microsoft Windows operating systems, including Windows Server 2008. The catalog contains items such as drivers, critical updates, Help files, Windows Defender definition files, and Internet products. The update software built into Windows Server 2008 can scan the user’s computer and, after communicating with the Windows Update Web site, create a tailored list of updates that apply only to the software and hardware on that specific computer. A person using Windows Update can then choose from the tailored list of updates. New content is added to the Windows Update Web site regularly so users can get the most recent and secure updates and solutions.
Automatic Updating
This option for updating a computer allows for updates without interrupting the user’s Internet experience. When automatic updating is enabled, the user does not need to visit special Web pages or remember to periodically check for new updates.
When the computer is first started after installation of Windows Server 2008, the Initial Configuration Tasks interface appears, displaying a variety of tasks including Enable automatic updating and feedback. In this task, you can choose to enable automatic updating or you can manually configure settings. If you enable automatic updating, the operating system will automatically install important and recommended updates for your computer as Microsoft releases them. Optional updates are not downloaded or installed automatically. (You can use Control Panel later to adjust your settings.) If you use Initial Configuration Tasks to manually configure settings, the same display appears as when you manually configure the settings through Control Panel. If you do not perform the Enable automatic updating and feedback task through Initial Configuration Tasks, automatic updating is not enabled.
If you install Windows Server 2008 and do not specify any choices for automatic updating, after a delay, a reminder will appear, with a choice between Have Windows install updates automatically and Let me choose. You also have the choice to be reminded again later.
Regardless of whether Initial Configuration Tasks is currently displayed on a computer running Windows Server 2008, automatic updating can be configured through Control Panel by an administrator of the computer. The available options are:
Install updates automatically: Windows Server 2008 downloads and installs updates automatically on a schedule specified by an administrator of the computer. Updates are installed regardless of what type of account you log on with or whether you are logged on at the time.
Download updates but let me choose whether to install them: Windows Server 2008 automatically starts the download whenever it finds updates available for the computer. The updates are downloaded in the background, enabling you to continue working uninterrupted. After the download is complete, an icon in the notification area will prompt a person logged on as an administrator that the updates are ready to be installed.
Check for updates but let me choose whether to download and install them: Windows Server 2008 sends a notification after which an administrator of the computer can respond by downloading and installing any updates.
Never check for updates: It is left to you to go to Windows Update and download updates from time to time.
An administrator can decline a specific update that has been downloaded. The administrator can download those declined files again by opening Windows Update and then clicking Restore hidden updates. If any of the previously declined updates can still be applied to the computer, those updates will appear the next time that Windows Server 2008 notifies you of available updates.
For more information about configuring automatic updating on an individual computer running Windows Server 2008, see Procedures for Controlling Automatic Updating and Access to Windows Update, later in this section.
Alternatives to Automatic Updating and the Windows Update Web Site
For managed environments, there are several alternatives to using automatic updating with the Windows Update Web site:
Windows Update Catalog Web site
Windows Server Update Services (WSUS)
Systems management software, such as that available from Microsoft, that allows you to distribute software updates
Windows Update Catalog Web Site
By using the Windows Update Catalog site, you can learn about updates that are available and then use your own software distribution tools to deploy updates. The Windows Update Catalog site provides a single location for Windows Update software updates and drivers that display the Designed for Windows logo. The Windows Update Catalog Web site is at:
https://go.microsoft.com/fwlink/?LinkId=75160
Windows Server Update Services (WSUS)
Windows Server Update Services (WSUS) is a version of Windows Update designed for installation inside the boundary defined by an organization's firewall. This feature is very useful for organizations that:
Do not want their systems or users connecting to an external Web site.
Want to first test software updates before deploying them throughout their organizations.
With WSUS, administrators can quickly and reliably deploy critical updates to computers running Windows Server 2008, Windows Server 2003, and other Windows operating systems.
For more information about WSUS, see the following pages on the Microsoft Web site:
Systems Management Software
You can use systems management software to distribute updates and manage multiple computers in an organization. For information about the systems management software available from Microsoft, see the Microsoft Web site at:
https://go.microsoft.com/fwlink/?LinkId=70683
Overview: Using Windows Update in a Managed Environment
As an administrator, you can use Group Policy to block access to the Windows Update Web site or to specify an internal server for automatic updating to use when it searches for updates. You can also disable automatic updating through the Windows interface or by using Group Policy. Details on the methods and procedures for controlling these features are described later in this section.
How Automatic Updating Communicates Through the Internet
This subsection summarizes the communication process.
Specific information sent or received: Windows Update collects basic information about the computer to identify which updates the computer needs and to improve the updating service. For more details, see the privacy statement on the Microsoft Web site at:
https://go.microsoft.com/fwlink/?LinkId=72162
Drivers and replacement files (critical updates, Help files, and Internet products) may be downloaded to the user’s computer.
Default settings: By default, Windows Server 2008 allows access to the Windows Update Web site. After setup of Windows Server 2008, the Initial Configuration Tasks interface encourages the enabling of automatic updating.
Triggers: The user controls whether to download updates from the Windows Update Web site. If automatic updating is enabled following setup, it is triggered about once per day (assuming there is an Internet connection).
User notification:
Windows Update Web site: Users control whether to go to Windows Update to download files to their computers.
Automatic updating: The way that automatic updating notifies the user depends on how automatic updating is configured. For more information, see “Automatic Updating,” earlier in this section.
Note
For information about configuring automatic updating, see “To Disable or Configure Automatic Updating on a Computer Running Windows Server 2008,” later in this section.
Logging: Automatic updating logs events to the event log.
Encryption: Initial data is transferred using HTTPS, that is, Secure Sockets Layer (SSL) or Transport Layer Security (TLS) with HTTP, and updates are transferred using HTTP. The data packages downloaded to the user’s system by Microsoft are digitally signed.
Privacy: Automatic updating is covered by the same privacy statement that covers Windows Update. The privacy statement is on the Microsoft Web site at:
Data storage and access: The Windows Update Web site tracks the total number of unique computers that visit, and records whether updates were needed and which updates were applied. The success or failure of downloading and installing updates is also recorded. This information is stored on servers with limited access that are located in Microsoft-controlled facilities. For more details, see the privacy statement on the Microsoft Web site at:
Note
If you want to block the use of the Windows Update Web site, you can apply Group Policy settings to specify an internal server for updates and for storing upload statistics. For more information, see Procedures for Controlling Automatic Updating and Access to Windows Update, later in this section.
Transmission protocols and ports: The transmission protocols and ports used are HTTP 80 and HTTPS 443.
Ability to disable: You can use Group Policy to prevent the operating system from being updated through the Windows Update Web site, to prevent access to Windows Update commands (on menus), or both. You can use Group Policy to specify an internal server to use for automatic updating. You can also disable automatic updating, by using the Windows interface or Group Policy. Procedures for these methods are explained at the end of this section.
Controlling Automatic Updating and Access to Windows Update to Limit the Flow of Information to and from the Internet
The recommended methods for controlling automatic updating, access to Windows Update, or both are as follows.
You can use Group Policy settings to disable automatic updating by preventing the operating system from being updated through the Windows Update Web site.
To disable automatic updating by preventing the operating system from being updated through the Windows Update Web site, configure Turn off access to all Windows Update features. This policy setting is located in Computer Configuration under Policies (if present), in Administrative Templates\System\Internet Communication Management\Internet Communication settings.
To prevent access to Windows Update commands (on menus), configure Remove links and access to Windows Update. This policy setting is located in User Configuration under Policies (if present), in Administrative Templates\Start Menu and Taskbar.
You can use Group Policy to configure automatic updating so that instead of searching the Windows Update Web site, automatic updating searches your internal server for updates.
To do this, configure Specify intranet Microsoft update service location. This policy setting is located in Computer Configuration under Policies (if present), in Administrative Templates\Windows Components\Windows Update. The server you specify in this setting must be one on which you are running Windows Server Update Services (WSUS).
You can use Group Policy to selectively disable automatic updating.
To do this, disable Configure Automatic Updates. This policy setting is located in Computer Configuration under Policies (if present), in Administrative Templates\Windows Components\Windows Update.
You can also configure automatic updating on an individual computer running Windows Server 2008 by using the Windows interface. For a description of the options available through the Windows interface, see “Automatic Updating,” earlier in this section.
How Disabling Automatic Updating or Preventing Access to Windows Update Can Affect Users and Applications
The following list explains two Group Policy settings that affect automatic updating, access to Windows Update, or both.
Turn off access to all Windows Update features: This Group Policy setting is located in Computer Configuration under Policies (if present), in Administrative Templates\System\Internet Communication Management\Internet Communication settings.
When you enable this setting, the operating system cannot be updated through the Windows Update Web site, and automatic updating is disabled. Users or administrators can still perform actions such as clicking the Windows Update option on the Start menu. However, it will not be possible to update the operating system through the Windows Update Web site, regardless of the type of account being used to log on.
Remove links and access to Windows Update: This Group Policy setting is located in User Configuration under Policies (if present), in Administrative Templates\Start Menu and Taskbar. When you enable this setting, users will not be able to access the Windows Update Web site when they click the Check for updates command that can be reached in the Windows Update tool (part of Control Panel). The Windows Update tool can be reached in a variety of ways, including:
In Microsoft Internet Explorer, through the Tools/Windows Update command.
Through the Windows Update option on the Start menu or on Start/All Programs.
Through Start/Control Panel/Windows Update (where the Check for updates command is on the left).
Enabling Remove links and access to Windows Update also disables automatic updating notifications; that is, the user for whom this policy setting is enabled will neither be notified about nor receive critical updates from the Windows Update Web site.
Preventing all access to the Windows Update Web site also prevents Device Manager from automatically installing driver updates from the Windows Update Web site. For more information about controlling Device Manager, see the section of this white paper titled Device Manager, Hardware Wizards, and Resulting Internet Communication in Windows Server 2008.
Blocking automatic updating and access to the Windows Update Web site will not block applications from running.
Procedures for Controlling Automatic Updating and Access to Windows Update
This subsection provides procedures for:
Configuring or disabling automatic updating by using Group Policy.
Preventing the operating system from being updated through Windows Update by using Group Policy.
Turning off access to Windows Update commands and to automatic updating by using Group Policy.
Specifying an internal server (instead of the Windows Update Web site) for software updates by using Group Policy.
Disabling or configuring automatic updating on an individual computer running Windows Server 2008.
To Disable or Configure Automatic Updating by Using Group Policy
As needed, see Appendix B: Resources for Learning About Group Policy for Windows Server 2008, and then edit an appropriate Group Policy object (GPO).
Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand Windows Components, and then click Windows Update.
In the details pane, double-click Configure Automatic Updates.
To disable automatic updating, select Disabled.
Note
Disabling this setting disables automatic updating but does not block access to Windows Update.
To configure automatic updating, select Enabled, and then select from the available settings, which are equivalent to the Control Panel settings as shown in the following table:
| Setting in Control Panel | Setting in Group Policy When Policy Is Enabled |
|---|---|
| Any setting, except that automatic updating cannot be turned off | 5 - Allow local admin to choose setting |
| Install updates automatically | 4 - Auto download and schedule the install |
| Download updates but let me choose whether to install them | 3 - Auto download and notify for install |
| Check for updates but let me choose whether to download and install them | 2 - Notify for download and notify for install |
The Control Panel settings are described in more detail in “Automatic Updating,” earlier in this section.
To Prevent the Operating System from Being Updated Through Windows Update by Using Group Policy
As needed, see Appendix B: Resources for Learning About Group Policy for Windows Server 2008, and then edit an appropriate GPO.
Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.
In the details pane, double-click Turn off access to all Windows Update features, and then click Enabled.
Important
This policy also disables automatic updating.
You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication policy setting, which is located in Computer Configuration under Policies (if present), in Administrative Templates\System\Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows Server 2008.
To Turn Off Access to Windows Update Commands by Using Group Policy
As needed, see Appendix B: Resources for Learning About Group Policy for Windows Server 2008, and then edit an appropriate GPO.
Expand User Configuration, expand Policies (if present), expand Administrative Templates, and then click Start Menu and Taskbar.
In the details pane, double-click Remove links and access to Windows Update, and then click Enabled.
Important
This policy also disables automatic updating.
To Specify an Internal Server for Software Updates by Using Group Policy
As needed, see Appendix B: Resources for Learning About Group Policy for Windows Server 2008, and then edit an appropriate GPO.
Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand Windows Components, and then click Windows Update.
In the details pane, double-click Specify intranet Microsoft update service location, and then click Enabled.
Specify the name of the internal server to function as the update server, and specify the name of the server to store upload statistics.
Important
You must specify an update server and a server to store upload statistics, but they can be the same server. The server you specify as the update server must be one on which you are running Windows Server Update Services (WSUS).
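To confirm on a server which of the Group Policy settings from the preceding procedures are actually in effect, you can read the policy values back with PowerShell. The following script is an added example, not part of the original Microsoft document. The registry paths, the value names (NoAutoUpdate, AUOptions, UseWUServer, WUServer, WUStatusServer, DisableWindowsUpdateAccess, NoWindowsUpdate) and the function names are assumptions that do not appear on this page.

```powershell
# Added example: report which Windows Update policies from this section are in effect.
# Assumption: these are the registry values the named Group Policy settings write;
# confirm them against the Windows Update administrative template in your environment.
$WU  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU  = "$WU\AU"
$EXP = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'  # current user only

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-WindowsUpdatePolicyState {
    # Group Policy option numbers from the table in this section.
    $auOptionText = @{
        2 = 'Notify for download and notify for install'
        3 = 'Auto download and notify for install'
        4 = 'Auto download and schedule the install'
        5 = 'Allow local admin to choose setting'
    }
    $noAuto    = Get-PolicyValue $AU  'NoAutoUpdate'                # Configure Automatic Updates = Disabled
    $auOptions = Get-PolicyValue $AU  'AUOptions'                   # Configure Automatic Updates = Enabled
    $useWu     = Get-PolicyValue $AU  'UseWUServer'
    $wuServer  = Get-PolicyValue $WU  'WUServer'                    # Specify intranet Microsoft update service location
    $wuStatus  = Get-PolicyValue $WU  'WUStatusServer'
    $blockAll  = Get-PolicyValue $WU  'DisableWindowsUpdateAccess'  # Turn off access to all Windows Update features
    $noLinks   = Get-PolicyValue $EXP 'NoWindowsUpdate'             # Remove links and access to Windows Update

    if ($noAuto -eq 1)            { $auState = 'Disabled by policy' }
    elseif ($null -ne $auOptions) { $auState = "$auOptions - $($auOptionText[[int]$auOptions])" }
    else                          { $auState = 'Not configured (local setting applies)' }

    # Combinations that leave the host in a state the administrator probably did not intend.
    $findings = @()
    if ($wuServer -and $useWu -ne 1) {
        $findings += 'Internal server is set but UseWUServer is not 1, so it is not used.'
    }
    if ($wuServer -and -not $wuStatus) {
        $findings += 'No statistics server set; the policy requires both values.'
    }
    if ($blockAll -eq 1) {
        $findings += 'All Windows Update access is off; automatic updating is disabled too.'
    }
    if ($noAuto -eq 1 -and $blockAll -ne 1) {
        $findings += 'Automatic updating is disabled but the Windows Update Web site is still reachable.'
    }

    New-Object PSObject -Property @{
        AutomaticUpdating    = $auState
        AllUpdateAccessOff   = ($blockAll -eq 1)
        UpdateLinksRemoved   = ($noLinks -eq 1)
        InternalUpdateServer = $wuServer
        StatisticsServer     = $wuStatus
        Findings             = $findings
    }
}

Get-WindowsUpdatePolicyState | Format-List
```

Run the script in the context of the user you want to audit, because the Remove links and access to Windows Update value is read from that user's registry hive.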
To Disable or Configure Automatic Updating on a Computer Running Windows Server 2008
While logged on with an administrator account, click Start, click All Programs, and then click Windows Update.
Click Change settings.
Choose from the available options, which are described in “Automatic Updating,” earlier in this section.