Whenever I have to deal with Microsoft's update services, I get confused about the different terms. When I configured the security health validator (SHV) policy of NAP (Network Access Protection) in Windows Server 2008, I was puzzled again by the difference between the terms "Automatic Updates", "Windows Update" and "Microsoft Update".

Latest posts by Michael Pietroforte (see all)

There are two different kinds of SHV policies with respect to updates. One is called "Automatic Updates" and the other one "Security Update Protection". The latter offers two other options: "Windows Update" and "Windows Server Update Services". And below that you will find this: "Note: Clients may always get their updates from Microsoft Update". What the hell is the difference between Automatic Updates and Security Update Protection using Windows Update? And what about Microsoft Update? Isn't that another update service? If you are confused now, then you should read on. If not, then you are released for today. 😉

The most important difference is the one between Windows Update and Microsoft Update. Windows Update patches Windows only, whereas Microsoft Update patches Windows and some other Microsoft applications (Microsoft Office, SQL Server, Exchange). In Windows XP/2003 you can only use Microsoft Update if you have the latest Windows Update Agent installed. You can do this through the Windows Update configuration, which you can find in the Help and Support Center. Microsoft Update is then enabled by default, but you can disable it by clicking on "Change settings". In Vista, you can change this setting in the Control Panel under System. Okay, that's easy, so far.

But what is "Automatic Updates" then? Windows Update and Microsoft Update are also Web sites where you can download updates manually. "Automatic Updates" is not another service; it just means that the Windows Update Agent schedules the download of updates automatically, regardless of whether you are using Windows Update or Microsoft Update.

However, "Automatic Updates" can mean something else sometimes. In Windows XP/2003 it is the name of the service of the Windows Update Agent. Now guess what this service is called in Windows Vista and Windows Server 2008? Its name is "Windows Update". Note that this Windows Update service not only downloads from Windows Update but also from Microsoft Update. So sometimes "Windows Update" and "Automatic Updates" just refer to the same thing, i.e. to the Windows Update Agent service.

To come back to my starting point, why does NAP distinguish between Automatic Updates and Windows Update?

If you enable Security Update Protection, it just means that the NAP client is compliant if it has the latest security updates installed, regardless of whether they were downloaded from a WSUS server (Microsoft's patch management solution), from Windows Update or from Microsoft Update. However, you can also restrict the possible download source to Windows Update or WSUS.

If you check Automatic Updates in the NAP configuration, it only means that the Windows Update Agent is set to download updates automatically, no matter whether the download source is Windows Update, Microsoft Update or your local WSUS server. Note that even if Automatic Updates is activated, the client might not have the latest updates installed, for example if it wasn't online for some time.
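To see these three things separately on a client (the agent's service, the "Automatic Updates" setting, and the registered update sources), the following PowerShell sketch queries the Windows Update Agent COM API. It is an added example, not part of the original article; the variable names are chosen here, and it assumes a Windows client with PowerShell and the Windows Update Agent installed.

```powershell
# Added example: inspect the local Windows Update Agent (WUA) via its COM API.
# Well-known ServiceIDs of the update sources named in the article.
$knownSources = @{
    '9482f4b4-e343-43b6-b170-9a65bc822c77' = 'Windows Update'
    '7971f918-a847-4430-9279-4a52d1efe18d' = 'Microsoft Update'
    '3da21691-e39d-4da6-8a4b-b43877bcb1b7' = 'WSUS'
}
# Values of the AutomaticUpdatesNotificationLevel enumeration.
$auLevels = @{
    0 = 'Not configured'
    1 = 'Disabled'
    2 = 'Notify before download'
    3 = 'Notify before installation'
    4 = 'Scheduled installation'
}

# 1. The agent's Windows service. The service name is always wuauserv; only the
#    display name differs ("Automatic Updates" on XP/2003, "Windows Update" on
#    Vista/2008).
$svc = Get-Service -Name wuauserv
"Agent service  : {0} ({1}), status {2}" -f $svc.DisplayName, $svc.Name, $svc.Status

# 2. The "Automatic Updates" setting: whether the agent downloads on its own.
#    This is independent of where the updates come from.
$au    = New-Object -ComObject Microsoft.Update.AutoUpdate
$level = [int]$au.Settings.NotificationLevel
"Automatic mode : {0} ({1})" -f $level, $auLevels[$level]

# 3. The update sources registered with the agent.
$sm = New-Object -ComObject Microsoft.Update.ServiceManager
foreach ($s in $sm.Services) {
    $id    = $s.ServiceID.ToLower()
    $label = if ($knownSources.ContainsKey($id)) { $knownSources[$id] } else { 'Other' }
    # IsDefaultAUService needs a newer agent (WUA 7.x); it prints empty on older ones.
    "Source         : {0} [{1}] managed={2} defaultForAU={3}" -f `
        $s.Name, $label, $s.IsManaged, $s.IsDefaultAUService
}

# Microsoft Update only appears in the list if the machine has opted in to it.
$muId  = '7971f918-a847-4430-9279-4a52d1efe18d'
$optIn = @($sm.Services | Where-Object { $_.ServiceID -eq $muId }).Count -gt 0
"Microsoft Update opted in: $optIn"
```

A machine can report scheduled installation in step 2 and still be missing patches, which is why NAP checks the Automatic Updates setting and the installed security updates separately.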

In my view, Microsoft's terminology is quite confusing. Why not just one Update service and one term for it? Well, I hope that after blogging about it, I won't get confused again about this.

  1. Leonardo 16 years ago

    I think Microsoft should’ve just gone ahead and shot down the “Microsoft Update” client as an upgrade to “Windows Update” and kept the naming the same.
    An opt-in popup that takes you to the WU applet would suffice for the home/small-businesses that use “Windows Update” on XP and new Vista users…
    MS: KISS!

    PS: Thank you for your continued coverage, I’ve grown to look forward to your articles. Kudos on the new site layout.

  2.

    I think it is okay to rename a service if the new name fits the extended functionality better. However, “Microsoft Update” is a bit misleading because it only allows you to update a couple of Microsoft products. I wish MS had just one central update service and let me choose what products I want to update this way. And thanks for the compliments. 🙂



© 4sysops 2006 - 2023

