Before the Internet, updates such as service packs and "patches" were impossibly hard to come by. You ordered upgrade "media" or maybe bought a magazine with a CD in it. Of course, the Internet changed all that. In fact, when ftp.microsoft.com was first set up, among the first services was the ability to get updates for MS-DOS and Windows. With the introduction of Windows Update, we invested heavily in building not just a software delivery service, but a commitment to delivering high quality updates in a timely manner. It took some time to get to the point where customers trust these automatic updates, and we're proud of how far we've come. Today Windows Update is one of the largest services on the Internet by several measures, and of course we're using Windows 8 development as a chance to improve the experience of product updates too. This post was authored by Farzana Rahman, the group program manager of our Windows Update group.
When it comes to Windows Update, one of the most discussed topics is the disruptiveness of restarts in the course of automatic updating. And for good reason—restarts can interrupt you right in the middle of something important.
The obvious question to ask first is why does the installation of updates even require a restart at all? Ideally, we would like all update installations to happen seamlessly in the background without a restart. But, in reality, there are situations where the installer is not able to update files because they are in use. In these cases, we need to restart your machine to complete the installation. The automatic updating experience thus needs to be able to handle cases where restarts are required.
We know this architectural challenge is one that frustrates administrators and end-users alike, but it does represent the state of the art for Windows. It is important to understand that for many updates, even if you could continue running the existing code that is already in memory, it is that very code that is a security vulnerability (for example), so the risk to the security (or reliability) of the machine would remain until you restart your machine. We'll keep working on this one. In the meantime, applications that support the Windows Restart Manager (introduced in Windows Vista) can return you to precisely where you left off after a restart.
In this blog, I want to talk about some of the improvements we are making to the automatic updating experience in Windows 8, which will make restarts a little less annoying.
First, some facts about Windows Update
Windows Update (or WU, as we like to say within the team) currently updates over 350 million PCs running Windows 7 and over 800 million PCs across all the supported Windows platforms. There are actually many more PCs updated by WU indirectly if you account for our Windows Software Update Server, and for those machines (or customers) that do all updates manually for any number of reasons.
Since its genesis over a decade ago, the Windows Update experience has evolved quite a bit to adapt to a changing ecosystem, especially the changing requirements around security. And Windows Update has been quite successful in updating PCs in time to stay ahead of large-scale exploits against Windows.
Since the introduction of automatic updating, we have constantly worked to tighten the time it takes to distribute new updates to everyone who uses WU. The chart below (figure 1) shows us how fast downloads and installations occur on Windows 7, from the time of release of an update. The speed of each download is primarily determined by the internet connectivity of the PC, something that WU has no control over, so it is interesting to see below that the majority of update activity occurs in the first three days after release. This three-day number is a key one that I will come back to when we talk about improvements in Windows 8.
In one week, 90% of users worldwide who need the update have successfully completed installation, including the restart, with the number of installations pretty much flattening out after that.
Figure 1 – Completed download and installation of updates from time of release of update
The balance of how broadly and how quickly we can update has proven beneficial to our users to the point where updating is mainly viewed as a background maintenance task (and justly so!) with nearly 90% of users choosing to update automatically on Windows 7. That’s 90% of the total user base telling us to automatically install updates without showing any notifications, or asking for confirmation.
Automatically install updates
Notify me before install
Notify me before download
Never check for updates
Figure 2 – Usage of various modes of automatic updating
Automatic updating and restarts on Windows 7
The next logical question to ask is what is the install experience for people who have chosen to automatically install updates? Below, data collected anonymously from WU gives an insight into the various modes of installation for those who have chosen to install automatically.
As you see above, there are 3 main categories of automatic update installations. Here is what we learned from analyzing each category.
Install-at-shutdown – The majority of automatic update users (39%) are updating when they shut down their systems. For these users, there is no automatic restart because the system can complete all steps of the installation during shutdown. This is the least disruptive experience for users, and so we do want to “hitch a ride” whenever we can on user-initiated shutdowns instead of inconveniencing users with a separate restart.
Install-at-scheduled-time - For the 30% who are scheduling automatic updates, their installations start at a scheduled time (the default is 3 AM in the time-zone where the PC is located) or the next time the user logs in (if we miss the 3 AM window). WU automatically completes any restarts necessary to finish the installation. To ensure that you get the chance to save any important files and data before the restart, we show you a 15-minute countdown timer before the restart.
A fifteen-minute countdown timer warns you of the restart
Allowing restarts to occur without user interaction has helped us to rapidly update a major portion of the Windows ecosystem with critical updates. On average, within a week of releasing a critical update, 90% of PCs have installed the update (see Figure1). On the other hand, this behavior of automatic restarts has some unintended consequences for the user. Restarts can occur without notice, and might occur monthly or even more often if there is an out-of-band update. This unpredictability can potentially result in loss of user data. Most of our automatic installs and the subsequent restarts happen at 3 AM, when users are not around to save any important work. We have heard a lot of painful stories of users coming back to their PCs in the morning to find that a restart occurred, and that some important data was lost. In other cases, the user doesn’t lose data, but needs to restart a job that they were in the middle of (for example, a long copy job).
Interactive install - We were surprised to see 31% of users interactively installing updates; of these 31%, approximately 20% have selected to automatically install, but they manually intervene anyway. WU provides a pop-up notification telling you when updates are available if you have selected to automatically install. The notifications are clearly capturing people’s attention, so they click on the notification and interactively install the updates. But this is actually reinforcing an unintended behavior. If you signed up to get automatic updates, you really shouldn’t need to bother interactively installing an update every time one is available. Most installs should occur silently in the background, and WU should notify you only for critical actions (for example, a pending restart). This also matches feedback from customers, who tell us they find the constant notifications to be distracting. Their expectation when they choose automatic updating is that updating will occur automatically. This seems to be a case where making sure people are in control of their PC experience actually resulted in too much information, and ultimately the price of being in control was a feeling of a loss of control.
With these lessons learned, we set about defining a better automatic updating and restart experience for Windows 8.
Solving the challenge around updating and restarts
The question for us on the WU team is always “What is the best way to quickly update the PC while not being intrusive to the user?” Turns out, this is a hard question to answer, and there is no one simple answer.
The challenge we faced was to find the balance between updating with speed and giving notice to the user for upcoming restarts. Clearly, updating and securing the PC before vulnerabilities can be exploited is just as important as it ever was. However, we also want to deliver a better experience around handling restarts and avoiding data loss without compromising our goal of timely updating.
To this end, the guiding principles we used to design the experience were
- The automatic updating experience is not intrusive to users but keeps them aware of critical actions
- Minimize restarts and make them more predictable
- Continue to keep the PC and the ecosystem up-to-date and secure in a timely manner
Windows Update and handling restarts on Windows 8
Based on these principles, we made the following improvements to the Windows 8 updating experience.
WU will consolidate all the restarts in a month, synchronizing with the monthly security release. This means that your PC will only restart when security updates are installed and require a restart. With this improvement, it does not matter when updates that require restarts are released in a month, since these restarts will wait till the security release. Since security updates are released in a single batch on the second Tuesday of every month, you are then getting essentially one restart a month. This simplification helps in three ways: it keeps the system secure in a timely manner, reduces restarts, and makes restarts more predictable.
There is one exception to the rule to wait for the monthly security release, and that is in the case of critical security update to fix a worm-like vulnerability (for example, a Blaster worm). In that case, WU will not wait, but will go ahead and download, install, and restart automatically. But this will happen only when the security threat is dire enough.
WU notifies you of any upcoming automatic restart. Let’s assume that WU has already detected, downloaded, and installed security updates, and now requires a restart. Windows Update will notify you of an upcoming automatic restart through a message on the login screen that will persist for 3 days. Because the majority of update activity occurs in the first three days of the release of each update [see Figure1], we wanted to give you 3 days to allow you to restart at your own convenience. You would restart by selecting “Update and shutdown” or “Update and restart” on the login screen, or by going to Windows Update in the Control Panel. You will no longer see any pop-up notifications or dialogs about pending restarts. Instead, the message appears in a more visible and appropriate place (the log-in screen). The use of the login screen has become ubiquitous even in home environments, as more and more machines become portable.
Here is a timeline view of that experience:
1. A message about the upcoming restart is shown in the login screen for three days or until the PC is restarted (whichever is sooner). This means you now have three days to restart the PC at your convenience. All you need to do is see the login screen once in 3 days to see the message about the upcoming restart and by default the lock screen will appear after 15-minute idle timeout.
2. In addition to the restart notification on the login screen, the Power options on the lock screen will change to “Update and restart” immediately after the update occurs, and will include “Update and shutdown” on days two and three, to make the message even more apparent to you. This allows you to restart your PC at your own convenience.
3. If after three days, the restart still has not occurred, then WU will automatically restart your PC for you. In this case, the automatic restart will happen either at the end of the three-day grace period, or, to prevent data loss if WU detects that there are critical applications open at the end of the three-day grace period, it will wait to automatically restart the next time you login. I’ll address this behavior in more depth in the next section.
4. After the restart has occurred, the message on the login screen will go away and the power options will revert to the original choices. We know people would like Windows to automatically log in after the restart, but we strongly advise against doing so, given the potential security issues with this configuration.
Delay the automatic restart if there is potential of losing user data. If the PC has hit the three-day deadline and still needs an automatic restart, WU will only automatically restart the machine if there is no chance of losing the user’s data. That means, if you are not at your PC (i.e. it is locked), if you have applications running in the background, or if there is potentially unsaved work, WU delays the automatic restart until the next time you come back to your machine and log in. At log-in, you will be asked to save your work, and you’ll see a warning that the machine will be restarted within 15 minutes.
Ensure minimal interruption to user activity. Having a restart notification or dialog pop up in the middle of an important presentation, a game or a movie is not a pleasant situation, to say the least. When attempting to automatically restart the PC, if you are in presentation mode, playing a game, or watching a movie full-screen, WU detects this state, and delays the automatic restart until the next available opportune moment or the next time you log back in to the PC.
The experience for business users. For PCs in an enterprise setting, if no policy has been set by the IT administrator, the updating experience is exactly the same as it is for home users. However, an IT administrator can set a policy to prevent auto-restart after automatic installs (just as in Windows 7). If they set this policy, there will be no three-day countdown and no automatic restart. Instead, users will see a message on the login screen indicating that the PC needs to be restarted, and the message persists until the restart occurs. This informs users that a restart is required while keeping them in control of when to restart.
The experience for users in “notify mode.” I also want to address the experience for users who have chosen to be notified before downloading or installing updates (5.82% of the WU user base from Figure2). For a user in this “notify mode,” a message will be shown on the login screen. If you choose to be notified before downloading updates, you will see the login screen message saying “Important updates are ready to be installed” when updates are ready to be downloaded. If you choose to be notified before install, you will see the same login screen message after updates are downloaded, but before they are installed. In either case, you won’t see the message about a pending restart on the login screen since installation is not automatic.
Cumulatively, these improvements help us achieve the balance we are striving for with Windows Update - keeping the PC (and PC ecosystem) up-to-date, without an intrusive experience.
What about updating 3rd party applications?
Lastly but not the least, I want to address the feedback from users who would like WU to update their 3rd-party applications. People clearly find the experience with multiple updaters on the system less than optimal (and we agree!) Each application updater gives you a different experience, you have to remember to go visit each updater to install updates, you never know when or how updaters will run and what they might do, and so on. People would like one updater for the entire system. On the other hand, users have also told us that they trust the quality of updates distributed by WU and hence are comfortable with choosing to automatically update their systems. We would not want to do anything that might reduce trust in the system by encouraging people to take on this management task manually and exposing their PCs to potential vulnerabilities for even short times.
Through WU and the “Microsoft Update” option (opt-in) we also offer updates for Microsoft products and for 3rd-party device drivers, with a common set of setup tools for each. All of these updates are carefully screened, and must adhere to the Windows conventions for updates regarding rollback and recovery, and overall system impact. As an example, drivers we publish through Windows Update go through tests run by the Windows Logo Program for Hardware, which after validating the updates, signs them for authentication. And, we are continuously working to improve the validation system, to deliver better and higher quality drivers. The wide variety of delivery mechanisms, installation tools, and overall approaches to updates across the full breadth of applications makes it impossible to push all updates through this mechanism. As frustrating as this might be, it is also an important part of the ecosystem that we cannot just revisit for the installed base of software.
However, as we discussed at the //build/ conference, the new Windows Store will provide a one-stop shop for (free and paid-for) Metro style apps, with an integrated update service to help ensure apps are maintained in a consistent manner. Because of the vetting process for these apps and the commitment from developers to deliver value to customers, we’re able to bring you this improvement as well. We’ll have more on this topic in future posts as soon as the Store becomes available to you for public testing.
Looking forward to your feedback.