If you are running any recent version of Windows (including Windows RT), you have Windows Update available as part of the operating system. If you choose to, you can also install Microsoft Update, a superset of Windows Update that also delivers updates for Microsoft Office, Windows Live, the .NET Framework, Visual Studio, and SQL Server. This is something I always do on any workstation or server that I build (although I change some settings depending on whether it is a workstation or a server).

In Figure 1, you can see where it says “You receive updates: For Windows and other products from Microsoft Update”. This means that I have installed Microsoft Update on this machine, so it will look for updates for more Microsoft products besides just the operating system itself and Internet Explorer. If you are running any of these other common Microsoft applications on your machine, I think you should also be running Microsoft Update instead of just Windows Update.


Figure 1: Windows and Microsoft Update Applet in Control Panel

Depending on what type of machine you are dealing with, you will want to use different settings for Windows/Microsoft Update. If you are dealing with mission-critical production servers, you will want them to get their updates from a Windows Server Update Services (WSUS) server rather than pulling them down directly from Microsoft over the internet, so that you control which updates are approved and when they reach production. In an ideal world, your organization would have a dedicated team that reviews each update Microsoft releases on Patch Tuesday, installs it on some test machines, and runs a full suite of automated regression tests after each update before approving individual updates on the WSUS server for internal distribution. In real life, I don’t see this level of effort and attention very often.

What seems to happen quite often in real life is that people simply disable Windows Update on their servers and never install Microsoft Update. They also don’t do any manual updates on their servers. After the initial build and provisioning of the server, they never install any updates whatsoever, whether BIOS updates, firmware updates, driver updates, OS updates, or application updates. Personally, I think this is a mistake, something I would call “server neglect”. Of course there is some risk whenever you make any modification to a production server, but a combination of good judgment, planning, and testing can reduce that risk significantly.

If you are using Windows or Microsoft Update on a production server, you should change how Windows installs important updates to “Check for updates but let me choose whether to download and install them” (as you see in Figure 2) rather than the Microsoft recommended setting of “Install updates automatically (recommended)”. With the recommended setting, important updates are installed starting at 3:00AM by default, which means unplanned server restarts at roughly 3:15AM on the Wednesday morning following Microsoft Patch Tuesday each month. With the notify-only setting, you will still know when new updates are available, and you can start your planning and testing process.

On the average desktop machine, you should go ahead and use the “Install updates automatically (recommended)” setting; otherwise you will probably forget, and the machine will stay exposed longer to attacks on vulnerabilities that have already been patched.


Figure 2: Windows and Microsoft Update Settings

You should also make sure that the “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows” checkbox under Microsoft Update is checked.
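As an added example (not code from the original post), the following PowerShell script reports and sets the configuration discussed above: the Automatic Updates mode (notify-only for servers, scheduled install for desktops), whether the machine points at a WSUS server, and whether Microsoft Update is registered as the default update service. The function names are my own; the registry keys, the AUOptions encoding, the Microsoft Update service ID and the Microsoft.Update COM objects are Microsoft's documented interfaces for the Windows 7 / Server 2008 R2 generation the article describes. Run it from an elevated prompt.

```powershell
# Added example: inspect and set Windows/Microsoft Update settings.
# Function names are this example's own; registry values and COM objects are Microsoft's.

# AUOptions values as documented for the WindowsUpdate\AU policy key.
$AUOptionLabels = @{
    1 = 'Never check for updates'
    2 = 'Check for updates but let me choose whether to download and install them'
    3 = 'Download updates but let me choose whether to install them'
    4 = 'Install updates automatically (scheduled)'
    5 = 'Allow the local administrator to choose the setting'
}

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$PolicyAU  = "$PolicyKey\AU"
# Non-policy key the Control Panel applet writes to when no policy is in force.
$LocalAU   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
# Documented service ID of Microsoft Update (Office, SQL Server, .NET, ...).
$MicrosoftUpdateId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Get-AutoUpdateConfig {
    $policy = Get-ItemProperty -Path $PolicyAU  -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path $LocalAU   -ErrorAction SilentlyContinue
    $wsus   = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    # A policy value (GPO or local policy) overrides what the applet stored.
    if ($policy -and $policy.PSObject.Properties['AUOptions']) {
        $source = 'policy'; $mode = [int]$policy.AUOptions
    } elseif ($local -and $local.PSObject.Properties['AUOptions']) {
        $source = 'local';  $mode = [int]$local.AUOptions
    } else {
        $source = 'none';   $mode = $null
    }

    $sm = New-Object -ComObject Microsoft.Update.ServiceManager
    $mu = $sm.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateId }

    [pscustomobject]@{
        Mode                     = if ($null -ne $mode) { "$mode - $($AUOptionLabels[$mode])" } else { 'not configured' }
        ModeSource               = $source
        UsesWsus                 = [bool]($policy -and $policy.UseWUServer -eq 1 -and $wsus.WUServer)
        WsusServer               = $wsus.WUServer
        MicrosoftUpdateInstalled = [bool]$mu
        MicrosoftUpdateIsDefault = [bool]($mu -and $mu.IsDefaultAUService)
    }
}

function Enable-MicrosoftUpdate {
    # Flags 7 = AllowPendingRegistration | AllowOnlineRegistration | RegisterServiceWithAU,
    # so Automatic Updates itself starts scanning against Microsoft Update.
    $sm = New-Object -ComObject Microsoft.Update.ServiceManager
    $sm.AddService2($MicrosoftUpdateId, 7, '') | Out-Null
}

function Set-AutoUpdateMode {
    param([Parameter(Mandatory)][ValidateSet('Server','Desktop')][string]$Profile)
    # Writing the policy key greys out the Control Panel applet; on a domain member a
    # Windows Update GPO will overwrite these values at the next policy refresh.
    New-Item -Path $PolicyAU -Force | Out-Null
    Set-ItemProperty -Path $PolicyAU -Name NoAutoUpdate -Value 0 -Type DWord
    if ($Profile -eq 'Server') {
        # Notify only: no unattended download and no unplanned 3 AM restart.
        Set-ItemProperty -Path $PolicyAU -Name AUOptions -Value 2 -Type DWord
    } else {
        # Download and install on a schedule: every day (0) at 03:00.
        Set-ItemProperty -Path $PolicyAU -Name AUOptions            -Value 4 -Type DWord
        Set-ItemProperty -Path $PolicyAU -Name ScheduledInstallDay  -Value 0 -Type DWord
        Set-ItemProperty -Path $PolicyAU -Name ScheduledInstallTime -Value 3 -Type DWord
    }
    # Make the Automatic Updates client re-read its settings.
    Restart-Service -Name wuauserv -Force
}

function Get-PendingUpdates {
    # List what is available without downloading or installing anything,
    # which is the input to the planning and testing step for servers.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title      = $u.Title
            Severity   = $u.MsrcSeverity
            KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Downloaded = $u.IsDownloaded
        }
    }
}

Get-AutoUpdateConfig
# Enable-MicrosoftUpdate
# Set-AutoUpdateMode -Profile Server      # or -Profile Desktop
# Get-PendingUpdates | Format-Table -AutoSize
```

On a server, run `Get-AutoUpdateConfig` first: if `UsesWsus` is true, the mode and approval decisions belong on the WSUS server and the local AUOptions only controls when the client acts on approved updates. `Enable-MicrosoftUpdate` is the scripted equivalent of ticking the “Give me updates for Microsoft products” checkbox, and `Get-PendingUpdates` shows the same list the notify-only setting would flag, so it can be run from a scheduled task to feed your change planning.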