Windows Update Explained
Source as it is
How the Software Update Service Works and Why it Matters to You
Published: September 2008
For more information, please see http://www.microsoft.com/windows/downloads/windowsupdate/default.mspx
We’ve all heard about or even experienced the havoc that computer viruses and other malicious software can cause to PCs and computer networks. Computer hackers are constantly trying to find ways to attack networks and computers with the intent of committing fraud and other crimes. When they succeed, individuals and enterprises can lose a great deal of time and money. In spite of their high cost and the headaches they cause, many security breaches are easily avoidable. The security fixes are available, but users don’t get them installed quickly enough (or at all).
Have you ever wondered what Microsoft is doing to help? Or did you know that Microsoft® Windows® Update is an important part of the solution, but weren’t sure exactly what it does or how it works. If so, this paper is for you.
For individual PC users, this paper will help you understand how to use Windows Update to keep your PC up to date, not only to help protect it from malicious software, but to keep it functioning at its best. If you’re responsible for networked computers, this paper will help you understand how Windows Update and Windows Server® Update Services (WSUS) can help protect groups of computers.
With Internet usage increasing, it’s more important than ever to keep your PC protected from malicious code. Understanding this, the people at Microsoft have been hard at work to help ensure that your PC continues to function well and that your personal information is very safe. Special teams at Microsoft proactively search for security vulnerabilities in Microsoft software and provide security updates. One of those teams is the Microsoft Security Response Center (MSRC). The MSRC is on call 24 hours a day, 7 days a week and dedicated to identifying, monitoring, resolving, and responding to Microsoft software security vulnerabilities.
In addition to security updates, Microsoft provides other software updates that make your computer run better and give you a better Windows experience. For example, an update may fix an issue with a hardware device, improve the performance of your computer, or deliver improved Windows features.
Downloading and installing the latest software updates, particularly security updates, quickly and consistently on your PC is vital to maintain both its security and its proper functioning. For network administrators, applying updates on computers across your organization—small, medium, or large—is a crucial measure for keeping your systems secure and running properly. Yet doing this manually requires constant time and attention, which many people simply don’t have available for the task. There must be an easier way!
Fortunately, there is an easier way, thanks to Windows Update, a free, built-in service included with Windows. This service helps you keep your PC more secure and reliable as well as compatible with devices and applications. It provides a single location for getting updates and scheduling automatic updating.
Using Windows Update by itself, you get updates for Windows and new or updated hardware drivers. For the other Microsoft software installed on your computer, use Microsoft Update. By turning on Microsoft Update, you get all of the benefits of Windows Update, but you get security and non-security updates for your other Microsoft software, such as Microsoft Office and the Windows Live™ network of internet services. Turning on Microsoft Update is recommended for all Windows PCs. To turn on Microsoft Update, go to http://update.microsoft.com/microsoftupdate.
It is easy to improve the security and reliability of your PC, and take advantage of the continuous improvements Microsoft makes to Windows. Just use this four-step process:
1. Turn on Windows Update. You probably did this when you set up your new PC by selecting the option to “Help protect Windows automatically.”
2. Use the recommended settings. Windows Update is designed to work automatically and not interrupt you while you’re working on other things. Using the recommended settings, you get all of the benefits from the service, such as quick delivery of very important security updates, and you get them with fewer interruptions.
3. Turn on Microsoft Update. Microsoft Update includes updates for both Windows and other Microsoft products. This makes it easy to keep all your Microsoft software updated. To turn on Microsoft Update, go to http://update.microsoft.com/microsoftupdate.
4. Check Windows Update periodically. You will find a list of lower priority recommended and optional updates that you can choose to download and install. These include driver updates, new product features, and so forth. These updates will keep your PC functioning smoothly.
Windows Update has slightly different settings in the Windows Vista® and Microsoft Windows XP operating systems, as described in the following sections. For more information about Windows Update and its features, see http://www.microsoft.com/windows/downloads/windowsupdate/default.mspx.
In Windows Vista, you can configure Windows Update settings and view and install updates from Windows Update in your Control Panel. If you go to the Windows Update Web site (http://update.microsoft.com), Windows Update opens automatically.
Getting Help in Windows Vista
Figure 1: Windows Update control panel in Windows Vista
To configure or change settings, click the Change settings link in the left navigation pane. The Change settings screen displays.
Figure 2: Change settings screen in Vista
The most secure option is Install updates automatically (recommended). When you choose this option, you don't have to worry that critical fixes for Windows might be missing from your computer if you don’t have time to install them personally. Nor must you worry about Windows Update slowing down your PC’s Internet connection, while it downloads updates, because it operates in the background in a way that won’t interfere with your Internet usage. For more information about how Windows Update behaves during the download and installation process, see “How Updating Works,” later in this paper.
Updates in Windows Vista
Important updates offer significant benefits, such as improved security and reliability. Examples include security and critical reliability updates.
Recommended updates address non-critical problems and help enhance your computing experience. Examples include upgrades to Windows features and less important software updates.
Optional updates are not downloaded or installed automatically. Examples include less critical driver updates and new Windows or Microsoft software.
Even if your PC is configured for automatic updating, you should periodically check that important updates have been installed and also check for Optional updates. To do to this, click the Check for updates link in the left navigation pane of the Windows Update control panel. On the screen that displays, you can review any available updates and install them.
In Windows XP, check for updates from the Windows Update Web site http://update.microsoft.com, and configure automatic updating settings from the Automatic Updates program in Control Panel, shown in the following figure.
Getting Help in Windows XP
For general Windows Update help and support go to http://update.microsoft.com and click Get help and support in the left-hand navigation pane.
To get help for the Automatic Updates program in Control Panel, click How does Automatic Updates work?
Figure 3: Automatic Updates control panel in Windows XP
The most secure option is Automatic (recommended). When you choose this option, you don't have to worry that critical fixes for Windows might be missing from your computer.
Updates in Windows XP
High-priority updates offer significant benefits, such as improved security and reliability. Examples include security and critical reliability updates.
Optional updates are not downloaded or installed automatically. You need to manually view and install these updates from within Windows Update. Examples include less important software updates, drivers, updates to Windows features, and new Windows or Microsoft software.
You can choose to have updates downloaded automatically and then install them manually, or you can choose to both download and install updates manually. In either case, Windows Update still continuously checks for most updates automatically and notifies you when High-Priority updates are available. Still, the most convenient and secure option is to let Windows Update download and install updates automatically.
With Windows XP, you should check the Windows Update Web site regularly because many of the updates that improve your experience with Windows are not installed automatically. To view all of the available updates, first make sure you upgrade to Microsoft Update, and then click the Custom button, as shown in the following figure.
Figure 4: Windows Update Web site for Windows XP
Windows Update makes it easy to automatically update a home computer or small group of business computers. However, if you are managing a network of 10 or more computers, you may want to manage the update process for computers on your network. By managing the update process, you have more control over which updates are installed and when they are installed.
Windows Server Update Services (WSUS) is a free add-on for the Windows Server operating system to help network administrators manage updates for computers. By using WSUS with Active Directory® group policy, administrators can fully manage update settings and the distribution of updates for computers on their network. To find out more about using WSUS, go to the Windows Software Update Services (WSUS) Web site http://technet.microsoft.com/en-us/wsus/default.aspx.
Note: Microsoft also provides the System Center Family of business software for fully managing (including updates) desktop computers and servers in medium to large organizations. For more information, see http://www.microsoft.com/systemcenter/en/us/default.aspx.
Microsoft provides a complete, programmable, and scriptable API that network administrators and software developers can use to create custom updating behaviors for WSUS. System administrators can use the WSUS API to determine which updates apply to a computer or group of computers, download those updates, and install them with little or no user intervention. Independent software vendors and developers can integrate WSUS features into computer management or update management software to provide a seamless operating environment. For more information, see http://msdn.microsoft.com/en-us/library/bb905331.aspx.
During the updating process, the Windows Update client operates in the background to download and install updates. (The Windows Update client is the Windows Update component running on your PC.) It does this automatically, according to your settings, and in a “silent” manner that doesn’t disrupt your computer usage. This section describes how Windows Update behaves during the update process.
The Windows Update client on your PC checks the Windows Update server at Microsoft for the availability of new updates at random intervals, every 17 to 22 hours. The randomization ensures that the Windows Update server is not overloaded with requests for updates all at the same time. The client is very efficient in checking for new updates and searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently.
When checking for updates, the Windows Update client evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office.
If the computer is not online at the time you specified to check for updates, then the Windows Update client begins checking every five hours until it successfully finds updates. If more than 30 days have gone by without successfully finding updates, the client will notify you. If you should receive such a notification, you should connect your computer to the Internet, go to the Windows Update Web site, and check for updates.
Once the Windows Update client determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer.
To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Background Intelligent Transfer Service (BITS) technology which downloads updates using idle bandwidth. This technology ensures that Windows Update downloads only when no other active download is in progress on the computer. This allows you to smoothly carry on day-to-day activities even while updates are being downloaded in the background.
Windows Update also supports pausing and restarting downloads. You do not have to worry if you need to shut down your computer, or if you have lost your Internet connection while an update is downloading. Once the connection is reestablished, the download will continue where it left off.
When downloading is complete, depending on your Windows Update settings, the Windows Update client either installs the updates automatically, or else it notifies you of the download without performing the installation. You do not need to be logged in to your computer for Windows Update to automatically install updates.
When you install Microsoft software
When you install or reinstall a program, you must reinstall updates that came out after the installation CD or installer was created. For some programs there may be multiple updates available and some updates may require a previously released update to be installed.
If your computer is not turned on during the scheduled time for installing updates, the Windows Update client will try to wake up the PC (if the PC was asleep), or wait for the PC to be turned on again. As soon as the PC is running again, it will install the updates.
When the option to automatically install updates is configured, the Windows Update client, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. To reduce the number of computer restarts required, the client attempts to install as many updates as possible together. If you are using the computer, you may be given the option to postpone the restart.
Most updates can be installed automatically without any user intervention. Some updates, however, such as service packs require the user to provide explicit consent. These are not automatically installed. When you install updates manually, be sure to restart your PC if prompted to do so. Otherwise, the PC may not be updated until a restart is performed.
The Windows Update client reports back to Microsoft regarding which updates have installed successfully and which, if any, failed to install. This helps the Windows Update team verify the quality of the updates provided by Windows Update. No personally identifiable information (PII) is sent to Microsoft or stored by Microsoft with the report. For more information, read the Windows Update privacy statement online at http://update.microsoft.com/windowsupdate/v6/vistaprivacy.aspx?ln=en-us.
The Windows Update client keeps a log of all the different actions it performed on a particular computer at %windir%\windowsupdate.log. On Windows Vista, this log is available from the Windows Update control panel.
From time to time, Microsoft needs to update and enhance the Windows Update service, and that includes updating the Windows Update client software on your PC. If Windows Update is configured to check for updates, it installs a newer version of the Windows Update client automatically, so that it can continue to check for updates. If Windows Update is completely turned off, the client is not updated. If the client doesn’t update automatically then it may not be able to notify you about new updates. For this reason, Windows Update always updates the client automatically before checking for other updates. Given how important it is to maintain the quality of the update service, Windows Update always updates itself when it is turned on, regardless of whether you've chosen the option to have updates automatically installed or to be notified that they are available so that you can manually install them. If you have automatic updating turned off completely, the next time you manually check for updates, you will be prompted to update the Windows Update client before installing any updates.
Windows update implements many security checks and restrictions to ensure that the security of your computer is not compromised. The most critical checks validate the authenticity and quality of the software and updates that are installed on a machine. Some of the ways in which Windows Update maintains the integrity of the updates that get installed are as follows:
1. Windows Update uses the Secure Socket Layer (SSL) protocol to send and receive information. SSL is used to encrypt the information being transferred, prevents hackers from tampering with information being transferred, and verifies that the Windows Update agent is transferring data from an authorized Microsoft server.
2. Each update is individually signed using the Secure Hashing Algorithm (SHA-1). This technology allows Windows Update to confirm that the update has been downloaded correctly and hasn’t been changed by anyone. The update signature is also compared to information in the update metadata that was previously downloaded.
3. Windows Update also checks for the certificate associated with each update. This certificate provides a means for Windows Update to validate the source of each update. Currently Windows Update will only install updates that have certificates issued by Microsoft or other providers that are trusted by Microsoft.
Windows Update has many more internal security checks and controls. For example, Windows Update ensures that any action that can make your machine less secure (like turning off Windows Update) can only be performed by an authorized administrator.
To help keep your PC more secure and reliable, it's a good idea to install new updates as soon as they're available. The easiest way to install updates is to use the Windows Update service and make sure automatic updating is turned on. Now that you know how important—and easy—it is, be sure to check your Windows Update settings today.
For additional information about configuring and using Windows Update or to find a discussion group, see the Windows Update Home Page. http://www.microsoft.com/windows/downloads/windowsupdate/default.mspx
For help and support, including solutions for top issues with using Windows Update and explanations of error messages, see the Microsoft Update Solution Center. http://support.microsoft.com/ph/6527#tab3
For information about managing Windows Update on an enterprise network, see the Update Management Tech Center.
To learn how Microsoft monitors and responds to security issues, see the Microsoft Security Response Center Web site. It offers tools such as an alert service, monthly webcast, blog, and Really Simple Syndication (RSS) feeds to help you stay current with security-related updates and information for Windows. http://www.microsoft.com/security/msrc/default.mspx
To learn about new security updates, find how-to articles and security tips, and get answers to security-related questions, see the Microsoft Security at Home Web site for the free, monthly Security Newsletter for Home Users from Microsoft. http://www.microsoft.com/protect/default.mspx
For a clearinghouse of information and links about protecting your computer, see http://www.microsoft.com/protect/computer/updates/default.mspx.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, the Security Shield logo, Windows, Windows Live, Windows Vista, Windows Server, the Windows logo, and the Windows Update Icon are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.