Whenever I have to deal with Microsoft's update services, I get confused about the different terms. When I configured the security health validator (SHV) policy of NAP (Network Access Protection) in Windows Server 2008, I was puzzled again by the difference between the terms "Automatic Updates", "Windows Update" and "Microsoft Update".
There are two different kinds of SHV policies with respect to updates. One is called "Automatic Updates" and the other one "Security Update Protection". The latter offers two other options: "Windows Update" and "Windows Server Update Services". And below that you will find this: "Note: Clients may always get their updates from Microsoft Update". What the hell is the difference between Automatic Updates and Security Update Protection using Windows Update? And what about Microsoft Update? Isn't that another update service? If you are confused now, then you should read on. If not, then you are released for today. 😉
The most important difference is the one between Windows Update and Microsoft Update. Windows Update allows you to patch Windows, whereas Microsoft Update patches Windows and some other Microsoft applications (Microsoft Office, SQL Server, Exchange). In Windows XP/2003, you can only use Microsoft Update if you have the latest Windows Update Agent installed. You can do this through the Windows Update configuration, which you can find in the Help and Support Center. Microsoft Update is then enabled by default, but you can disable it by clicking on "Change settings". In Vista, you can change this setting in the Control Panel under System. Okay, that's easy, so far.
But what is "Automatic Updates" then? Windows Update and Microsoft Update are also Web sites where you can download updates manually. "Automatic Updates" is not another service; it just means that the Windows Update Agent schedules the download of updates automatically, regardless of whether you are using Windows Update or Microsoft Update.
However, "Automatic Updates" can sometimes mean something else. In Windows XP/2003, it is the name of the service of the Windows Update Agent. Now guess what this service is called in Windows Vista and Windows Server 2008? Its name is "Windows Update". Note that this Windows Update service downloads not only from Windows Update but also from Microsoft Update. So sometimes "Windows Update" and "Automatic Updates" just refer to the same thing, i.e. to the Windows Update Agent service.
To come back to my starting point, why does NAP distinguish between Automatic Updates and Windows Update?
If you enable Security Update Protection, it just means that the NAP client is compliant if it has the latest security updates installed, regardless of whether they were downloaded from a WSUS server (Microsoft's patch management solution), from Windows Update or from Microsoft Update. However, you can also restrict the possible download source to Windows Update or WSUS.
If you check Automatic Updates in the NAP configuration, it only means that the Windows Update Agent is set to download updates automatically, no matter whether the download source is Windows Update, Microsoft Update or your local WSUS server. Note that even if Automatic Updates is activated, the client might not have the latest updates installed, for example if it wasn't online for some time.
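To see the same distinctions on a client, the following read-only PowerShell script is an added example (not part of the original post and not how the NAP SHV itself is implemented). It assumes the Windows Update Agent COM API is available, and it approximates "missing security updates" as missing updates that carry an MSRC severity rating.

```powershell
# Added illustration (not from the original post). Read-only: it changes no settings.
# Assumes Windows PowerShell on a client with the Windows Update Agent COM API.

# 1) The agent service. Its service name is wuauserv; the display name is
#    "Automatic Updates" on XP/2003 and "Windows Update" on Vista/2008.
$svc = Get-Service -Name wuauserv
"Agent service : {0} ({1})" -f $svc.DisplayName, $svc.Status

# 2) "Automatic Updates" in the SHV sense: is the agent set to fetch updates itself?
$levels = @{ 0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download'
             3 = 'Notify before installation'; 4 = 'Scheduled installation' }
$au = New-Object -ComObject Microsoft.Update.AutoUpdate
$level = [int]$au.Settings.NotificationLevel
"Automatic mode: {0}" -f $levels[$level]

# 3) Which update sources the agent knows about (well-known WUA service IDs).
$known = @{
    '9482f4b4-e343-43b6-b170-9a65bc822c77' = 'Windows Update'
    '7971f918-a847-4430-9279-4a52d1efe18d' = 'Microsoft Update'
    '3da21691-e39d-4da6-8a4b-b43877bcb1b7' = 'WSUS'
}
$mgr = New-Object -ComObject Microsoft.Update.ServiceManager
foreach ($s in $mgr.Services) {
    $label = $known[$s.ServiceID.ToLower()]
    if (-not $label) { $label = 'Other' }
    "Source        : {0,-16} name='{1}' usedByAgent={2}" -f $label, $s.Name, $s.IsRegisteredWithAU
}

# 4) "Security Update Protection" in the SHV sense: are rated updates still missing?
#    Assumption: an update with an MSRC severity rating counts as a security update.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$missing = @($searcher.Search("IsInstalled=0 and Type='Software'").Updates |
             Where-Object { $_.MsrcSeverity })
"Missing rated : {0}" -f $missing.Count
$missing | ForEach-Object { "  [{0}] {1}" -f $_.MsrcSeverity, $_.Title }

# The point made above: check (2) can pass while check (4) fails.
if ($level -ge 2 -and $missing.Count -gt 0) {
    "Automatic updating is on, but security-rated updates are still missing."
}
```

The search in step 4 uses whichever source the agent is currently configured for, so on a WSUS-managed client it reflects only the updates approved there.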
In my view, Microsoft's terminology is quite confusing. Why not just one Update service and one term for it? Well, I hope that after blogging about it, I won't get confused again about this.