Windows 7 : Updating Software - Methods for Deploying Updates - Windows Server Update Services

Whether you download updates from Microsoft or use WSUS, the Windows Update client is responsible for downloading and installing updates on computers running Windows 7 and Windows Vista. The Windows Update client replaces the Automatic Updates client available in earlier versions of Windows. Both Windows Update in Windows 7 and Automatic Updates in earlier versions of Windows operate the same way: they download and install updates from Microsoft or an internal WSUS server. Both clients install updates at a scheduled time and automatically restart the computer if necessary. If the computer is turned off at that time, the updates can be installed as soon as the computer is turned on. Alternatively, Windows Update can wake a computer from sleep and install the updates at the specified time if the computer hardware supports it.

The Windows Update client provides for a great deal of control over its behavior. You can configure individual computers by using the Control Panel\System And Security\Windows Update\Change Settings page. Networks that use Active Directory Domain Services (AD DS) can specify the configuration of each Windows Update client by using Group Policy.

After the Windows Update client downloads updates, the client checks the digital signature and the Secure Hash Algorithm (SHA1) hash on the updates to verify that they have not been modified after they were signed by Microsoft. This helps mitigate the risk of an attacker either creating malware that impersonates an update or modifying an update to add malicious code.

WSUS is a version of the Microsoft Update service that you can host on your private network. WSUS connects to the Microsoft Update site, downloads information about available updates, and adds them to a list of updates that require administrative approval.

After an administrator approves and prioritizes these updates, WSUS automatically makes them available to any computer running Windows Update (or the Automatic Updates client on earlier versions of Windows). Windows Update (when properly configured) then checks the WSUS server and automatically downloads and installs updates as configured by the administrators. As shown in Figure 1 you can distribute WSUS across multiple servers and locations to scale to enterprise needs. WSUS meets the needs of medium-size organizations and many enterprises.

You must install WSUS on at least one infrastructure server, such as a computer running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. To deploy updates to computers running Windows 7, you must have WSUS 3.0 SP2 or later installed on your server.

Figure 1. WSUS can scale to support thousands of computers.