Windows Update and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2
Applies To: Windows 7, Windows Server 2008 R2
In this section
Benefits and purposes of Windows Update
Overview: Using Windows Update in a managed environment
How automatic updating communicates through the Internet
Controlling automatic updating and access to Windows Update to limit the flow of information to and from the Internet
Procedures for controlling automatic updating and access to Windows Update
This section describes how the Windows® Update service in Windows 7 and Windows Server® 2008 R2 communicates across the Internet, and it explains steps to take to limit, control, or prevent that communication in an organization with many users.
Benefits and purposes of Windows Update
Windows Update is a service that can be used to support computers running Windows operating systems, including Windows 7 and Windows Server 2008 R2. The service identifies items such as drivers, critical updates, Windows Defender definition files, and other optional updates that can enhance the use of Windows operating systems. If the user consents to turning it on, the Windows Update service, which is built into Windows 7 and Windows Server 2008 R2, scans the user’s computer, communicates with the Windows Update servers over the Internet, and then creates a custom list of updates that apply only to the software and hardware on that specific computer. New content is made available through the Windows Update service regularly, so users have access to the most recent and secure updates and solutions.
Windows Update is not enabled when Windows 7 or Windows Server 2008 R2 are first installed. After the installation of Windows 7 or Windows Server 2008 R2is complete and the first user logs on, the Initial Configuration Tasks interface displays a variety of tasks including Enable automatic updating and feedback. In this task, you can choose to enable automatic updating or configure manual update settings. If you enable automatic updating, the operating system will automatically install important and recommended updates to the computer when Microsoft® releases them. When automatic updating is enabled, the user does not need to visit special Web pages or remember to periodically check for updates. Even if automatic updates are enabled, updates that are listed as optional are not downloaded or installed automatically.
Important
The first time that a user contacts a Windows Update Web server, the user receives a message that prompts the user to validate their copy of Windows. To complete the validation process, called Windows Genuine Advantage, the user is prompted to download an ActiveX® control that checks the authenticity of the Windows software. This ActiveX control is downloaded the first time the user’s copy of Windows is validated and any time a new version of the ActiveX control is available from Microsoft®. If the validation is successful, a special license file is stored on the computer for future verification. The Windows Genuine Advantage validation process does not collect any information that can be used by Microsoft to identify or contact the user. If the computer fails the Windows Genuine Advantage validation process, some updates (including Windows Defender updates) are not downloaded or installed during the Windows Update process. Other security updates are not part of Windows Genuine Advantage, and they are available for download and installation even if this validation fails. For more information, see Genuine Windows in the Enterprise on the Microsoft Web site.
Windows Update options
If you do not perform the Enable automatic updating and feedback task through Initial Configuration Tasks, automatic updating is not enabled. Instead, a reminder will appear periodically with a choice between Have Windows install updates automatically and Let me choose. You also have the choice to be reminded again later.
At any time, however, an administrator of a computer running Windows 7 or Windows Server 2008 R2 can configure automatic updating through Control Panel. The available options are:
Install updates automatically: Windows 7 and Windows Server 2008 R2 download and install updates automatically on a schedule that is specified by an administrator. Updates are installed regardless of what type of account the user logs on with or whether a user is logged on at the time the update occurs.
Download updates but let me choose whether to install them: Windows 7 and Windows Server 2008 R2 automatically start the download whenever they find updates available for the computer. The updates are downloaded in the background, enabling the user to continue working uninterrupted. After the download is complete, an icon in the notification area prompts a person who is logged on as an administrator that the updates are ready to be installed.
Check for updates but let me choose whether to download and install them: Windows 7 and Windows Server 2008 R2 send a notification to which an administrator can respond by downloading and installing the updates.
Never check for updates: An administrator must occasionally run the Windows Update service to check for and download updates.
Note
Even when the administrator selects one of the options that requires user or administrator intervention, the Windows Update service checks for and automatically install updates for the Windows Update service itself so that it can function properly.
An administrator can decline and optionally hide a specific update that has been automatically downloaded. The administrator can download those hidden files later by opening Windows Update and then clicking Restore hidden updates. If any of the declined updates can be applied to the computer, those updates appear the next time that Windows 7 and Windows Server 2008 R2 notify you about available updates.
For more information about configuring automatic updating on an individual computer running Windows 7 or Windows Server 2008 R2, see Procedures for controlling automatic updating and access to Windows Update later in this section.
Alternatives to automatic updating and the Windows Update Web servers
For managed environments, the Windows Update Web servers offers the following alternatives to using automatic updating:
Windows Server Update Services (WSUS)
Systems management software that allows you to distribute software updates
Windows Server Update Services
Windows Server Update Services (WSUS) is a version of Windows Update that is designed for installation inside the boundary defined by an organization's firewall. This feature is very useful for organizations that:
Do not want their systems or users connecting to an update server on an external Web site.
Want to test software updates before deploying them throughout their organizations.
With WSUS, administrators can quickly and reliably deploy critical updates to computers running Windows 7, Windows Server 2008 R2, and other Windows operating systems.
For more information, see the following Microsoft Web sites:
Systems management software
You can use systems management software such as Microsoft Systems Management Server to distribute updates and manage multiple computers in an organization.
For more information, see Microsoft Systems Management Server.
Overview: Using Windows Update in a managed environment
As an administrator, you can use Group Policy settings to block access to the Windows Update server or to specify an internal server to use for automatic updating. You can also disable automatic updating through the Windows interface or by using Group Policy settings. Details about these methods and procedures for controlling these features are described later in this section.
How automatic updating communicates through the Internet
This subsection summarizes the communication process.
Specific information sent or received: Windows Update collects basic information about the computer to identify which updates the computer needs and to improve the updating service. Drivers and replacement files (such as critical updates, definition files, and optional components) can be downloaded to the user’s computer.
For more details, see Update Services Privacy Statement
Triggers: The user controls whether to download updates by using Windows Update. If automatic updating is enabled, it checks for updates on a defined basis (assuming that there is an Internet connection).
User notification:
Windows Update: Users control whether to download files from Windows Update to their computers.
Automatic updating: The way that automatic updating notifies the user depends on how automatic updating is configured. For more information, see Windows Update options earlier in this section.
Note
For information about configuring automatic updating, see To disable or configure automatic updating on a computer running Windows 7 or Windows Server 2008 R2 later in this section.
Logging: Automatic updating logs events to the event log and to Microsoft.
The Windows Update servers track the total number of unique computers that visit, whether updates were needed, and which updates were applied. The success or failure of downloading and installing updates is also recorded. This information is stored on servers with limited access that are located in Microsoft-controlled facilities.
For more details, see Update Services Privacy Statement.
Warning
If you want to block the Windows Update service, you can apply Group Policy settings to specify an internal server to download updates and store logging data. For more information, see Procedures for controlling automatic updating and access to Windows Update later in this section.
Encryption: Initial data is transferred using HTTPS, that is, Secure Sockets Layer (SSL) or Transport Layer Security (TLS) with HTTP, and updates are transferred using HTTP. The data packages downloaded to the user’s system by Microsoft are digitally signed and encrypted using SHA-1 hash functions.
Privacy: Automatic updating is covered by the same privacy statement that covers Windows Update. For more information, see Update Services Privacy Statement.
Transmission protocols and ports: The transmission protocols and ports used are HTTP 80 and HTTPS 443.
Ability to disable: You can use Group Policy settings to prevent updates to the operating system through the Windows Update service and to prevent access to Windows Update commands (on menus). You can use Group Policy settings to specify an internal server to use for automatic updating. You can also disable automatic updating by using the Windows interface or Group Policy. Procedures for these methods are explained at the end of this section.
Controlling automatic updating and access to Windows Update to limit the flow of information to and from the Internet
The recommended methods for controlling automatic updating and access to Windows Update are as follows:
You can use Group Policy settings to selectively disable automatic updating.
To do this, disable Configure Automatic Updates. This policy setting is located in Computer Configuration under Policies (if present), in Administrative Templates\Windows Components\Windows Update.
You can use Group Policy settings to configure automatic updating so that instead of searching Windows Update on external servers, automatic updating searches your internal server for updates.
To do this, configure Specify intranet Microsoft update service location. This policy setting is located in Computer Configuration under Policies (if present), in Administrative Templates\Windows Components\Windows Update. The server that you specify in this setting must be running Windows Server Update Services (WSUS).
You can use Group Policy settings to disable automatic updates from the Windows Update servers.
To prevent the operating system from being updated through the Windows Update service, configure Turn off access to all Windows Update features. This policy setting is located in Computer Configuration under Policies (if present), in Administrative Templates\System\Internet Communication Management\Internet Communication settings.
To prevent access to Windows Update commands (on menus), configure Remove links and access to Windows Update. This policy setting is located in User Configuration under Policies (if present), in Administrative Templates\Start Menu and Taskbar.
You can also configure automatic updating on an individual computer running Windows 7 or Windows Server 2008 R2 by using the Windows interface. For a description of the options available through the Windows interface, see Windows Update options earlier in this section.
How disabling automatic updating or preventing access to Windows Update can affect users and applications
The following Group Policy settings affect automatic updating and access to Windows Update:
Turn off access to all Windows Update features: This Group Policy setting is located in Computer Configuration under Policies (if present), in Administrative Templates\System\Internet Communication Management\Internet Communication settings.
When you enable this setting, the operating system cannot be updated through the Windows Update servers. Users or administrators can still perform actions such as clicking the Windows Update option on the Start menu. However, it is not possible to update the operating system through the Windows Update servers, regardless of the type of account being used to log on.
Remove links and access to Windows Update: This Group Policy setting is located in User Configuration under Policies (if present), in Administrative Templates\Start Menu and Taskbar. When you enable this setting, users cannot access the Windows Update servers when they click Check for updates in the Windows Update Control Panel.
The Windows Update tool can be reached in the following ways:
In Microsoft Internet Explorer®:
Click Tools, and then click Windows Update.
In Windows 7 and Windows Server 2008 R2:
Click Start or click Start, then click All Programs. Then click Windows Update.
Click Start, click Control Panel, and then click Windows Update.
Check for updates is on the left.
Enabling Remove links and access to Windows Update also disables automatic updating notifications. The user will not be notified about or receive critical updates from the Windows Update servicers.
Preventing all access to the Windows Update servers also prevents Device Manager from automatically installing driver updates from the Windows Update servers. For more information about controlling Device Manager, see the section of this document titled Device Manager, Hardware Wizards, and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2.
Blocking automatic updating and access to the Windows Update Web site does not block applications from running.
Procedures for controlling automatic updating and access to Windows Update
This subsection provides procedures for the following tasks:
Configuring or disabling automatic updating by using Group Policy.
Preventing the operating system from being updated through Windows Update by using Group Policy.
Turning off access to Windows Update commands and to automatic updating by using Group Policy.
Specifying an internal server (instead of the Windows Update servers) for software updates by using Group Policy.
Disabling or configuring automatic updating on an individual computer that is running Windows 7 or Windows Server 2008 R2.
To disable or configure automatic updating by using Group Policy
As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate Group Policy object (GPO).
Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand Windows Components, and then click Windows Update.
In the details pane, double-click Configure Automatic Updates.
To disable automatic updating, select Disabled.
Note
Disabling this setting disables automatic updating, but it does not block access to Windows Update.
- To configure automatic updating, select Enabled, and then select from the available settings, which are equivalent to the Control Panel settings as shown in the following table:
Setting in Control Panel | Setting in Group Policy When Policy Is Enabled |
---|---|
Any setting (except when automatic updating cannot be turned off) |
5 - Allow local administrator to choose the setting |
Install updates automatically |
4 - Automatically schedule and download the update |
Download updates but let me choose whether to install them |
3 - Automatically download the update and notify the user that the update is ready to install |
Check for updates but let me choose whether to download and install them |
2 - Notify for the user that the update is ready to download and then notify the user that the update is ready to install |
To use Group Policy to prevent the operating system from being updated through Windows Update
As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate GPO.
Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.
In the details pane, double-click Turn off access to all Windows Update features, and then click Enabled.
Important
This policy also disables automatic updating.
You can also restrict Internet access for this and a number of other features by applying the **Restrict Internet communication** Group Policy setting, which is located in **Computer Configuration** under **Policies** (if present), in **Administrative Templates\\System\\Internet Communication Management**. For more information about this Group Policy setting and the policies that it controls, see [Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows 7 and Windows Server 2008 R2](ee126168\(v=ws.10\).md).
To turn off access to Windows Update commands by using Group Policy
As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate GPO.
Expand User Configuration, expand Policies (if present), expand Administrative Templates, and then click Start Menu and Taskbar.
In the details pane, double-click Remove links and access to Windows Update, and then click Enabled.
Important
This policy also disables automatic updating.
To specify an internal server for software updates by using Group Policy
As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate GPO.
Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand Windows Components, and then click Windows Update.
In the details pane, double-click Specify intranet Microsoft update service location, and then click Enabled.
Specify the name of the internal server to function as the update server, and specify the name of the server to store upload statistics.
Important
You must specify an upgrade server and a server to store upload statistics, but they can be the same server. The server that you specify as the upgrade server must be one on which you are running Windows Server Update Services (WSUS).
To disable or configure automatic updating on a computer running Windows 7 or Windows Server 2008 R2
While logged on with an administrator account, click Start, click All Programs, and then click Windows Update.
Click Change settings.
Choose from the available options (which are described in Windows Update options earlier in this section).