John O'L

The small program that's installed on your machine when you verify the authenticity of your Windows installation and arrange for automatic updates includes several things.

1. The "verifier" creates a unique encrypted "Key" number that is placed on your computer, or reads the key already on your machine, and checks the harware to make sure that nothing has changed. The key is generated by an examination of your computer, and tells who built your machine; the Product Number and Serial number of your Windows; and PnP identities, Serial numbers, and BIOS versions of the main hardware components present on the machine. The encrypted Key number describes the combination of machine and Microsoft software in fairly complete terms. It does not identify who owns and/or operates the machine, or where it's located; but it allows that specific hardware/software configuration to be identified whenever it communicates with Microsoft (or with an OEM builder who provides support for it). Once the key has been created and placed on the machine, its main use is simply to tell if the specific Windows product is still on the same machine for which it was purchased.

2. When the verifier has accepted your configuration, a "downloader" allows downloading updates, in bits and pieces if necessary.

3. An "installer" allows unattended installation of updates after a download is completed and all the new pieces are on your machine.

4. A "scheduler" sets up a time for your machine to check in again later to see if new updates are available.

You are probably getting the firewall notice each time the scheduler asks to see if new updates are available, since that's a new connection to Microsoft for each visit. When you just click ok to allow the connection, it's apparently a one-time-only permission, so you'll be asked again the next time a new connection is needed. You probably can put the connection into your firewall's setup to "always allow" that particular connection, which would eliminate the notices, but you'll have to talk to your firewall to see if that can be done.

Once you approve the connection, it's good until the communication is complete and any new updates are on your machine; but this doesn't necessarily happen in a single stream of bits. As long as the connection that was approved remains open, with your machine set to send or receive another packet, even if the machine is shut down and later restarted, it can still be the "same connection," and a download usually can resume where it left off. Some of the downloads have been very large¹, and most of them are at least a few MB. The downloader manages getting the files needed for an update, and closes the connection when the needed download(s) are finished.

When a download is complete, the installer pops up a notice that it's ready to install the update. There are minor variations in how you can tell the installer "how automatic" it should be, but in the most common "install automatically" setup, if the machine is in use the installer will wait until you click on the notice and tell it to proceed, or will wait until the machine is "idle" and then proceed automatically. I believe you can still set it up to always require you to manually approve each update installation, if you're really paranoid.

For an update that requires a reboot, a popup will warn that a reboot is about to occur, and you can defer the reboot if you wish. If you don't tell it to wait, after a pause of a few minutes the reboot should proceed automatically.

The next time the scheduler initiates a new connection, all of these components run again. If the verifier finds no changes to the machine or to Microsoft programs, it will proceed to look for and download updates. Some minor hardware changes are accepted and a new "Key" is set on your machine without your participation. If a significant change, especially to machine hardware, is found, the verifier may notify you and ask you to re-verify.

Note that the verification happens every time you connect to Microsoft for downloads. You participate in the verification only when you first set it up, or when there's a question about changes in your setup, but it runs each time you connect to the download site.

¹ Microsoft's estimate of time required to download the SP1 update to my machine, after it checked my connection speed, was something over 200 hours. My experience has been that I need to add about 50% to their estimates. I ordered the CD.

John