1. First, be sure that the date and time of your system is accurately set. If you do not have a continuous Internet connection through a cable modem or DSL modem, the automatic synchronization might not always occur. In that case, you can force an immediate synchronization by clicking the Update Now button, which is not available unless the Automatically synchronize with an Internet time server check box is selected.
a. Connect to the Internet, and then open Date and Time in the Control panel.
b. Click the Internet Time tab and click Update Now, which should synchronized the computer clock immediately.
c. If Synchronization should fail, it may be for one of the following reasons:
? The computer is not connected to the Internet. Establish an Internet connection before attempting to synchronize the clock.
? A personal or network firewall is preventing the clock synchronization.
Warning: Most corporate and organizational firewalls will block time synchronization, as do some personal firewalls. Home users should read your firewall documentation for information about unblocking network time protocol (NTP). You should be able to synchronize your clock if you switch to the Microsoft Internet Connection Firewall.
? The Internet time server is too busy or not available for some reason. If this is the case, try synchronizing the clock later, or update it manually by double-clicking the clock on the taskbar or using a different time server.
? The date set on the computer is inaccurate. Internet time servers will not synchronize the clock if the date is incorrect. Ensure that the date is set correctly in the Control Panel, Date and Time Properties.
2. The article [Q306525] explains how to configure the Automatic Updates features to include how to download updates and drivers from the Windows Update Catalog.
3. The article [Q327838] explains the Automatic Updates feature that you can use to specify the schedule that Windows follows to install updates on your computer.
Note: Also be advised that if you disable the AutoUpdate service by accessing the AutoUpdate properties page and set the computer for manual updates, the AutoUpdate icon disappears from the notification area but the by design automatic update service is not deactivated, [Q283151].
4. The article [Q555027] explains that when you try to connect to web site by using Internet Explorer 6 or Internet Explorer 6 with Service Pack 1 - it may open with blank page, instead of web site, and the problem could be that some dll's didn't register themselves. Check the registering process in this article as well as downloading and following the instructions for "IEFix" - a general purpose fix for Internet Explorer (Win 98/ME/2000/XP). Problems generally experienced when attempting to access the Microsoft Windows Update site:
? Blank Web page
? Scripting error message(s)
a. The article [Q217116] warns that an Internet Explorer Script Error may occur when accessing Windows Update if your Internet Service Provider (ISP) uses auto-configuration servers and discusses the potential fix.
b. The article [Q308260] states that a Web page may not display or work correctly and you may receive a Script Error because the HTML source code for the Web page does not work correctly with client-side scripts such as Microsoft JScript or Visual Basic and suggest several troubleshooting tips as well as updates to fix the issue(s).
c. The article [Q814458] describes the by design condition that occurs after you install the February, 2003, Cumulative Patch (MS03-004) for Internet Explorer (prevents malicious Web sites from accessing information in another Internet domain, or on your local computer) when scripts in an HTML dialog window (that is opened by using the showModalDialog or showModelessDialog method) tries to set the security domain of the document to a different value.
d. Please read the article, "How to strengthen the security settings for the Local Machine zone in Internet Explorer (Q833633)."
? Error message(s) similar to:
a. Error Installing Dependency.
b. An unknown error occurred.
? You chose not to download the software controls or there was a problem with downloading the controls, in which case much of the Windows Update site will be unavailable to you. If you would like to download the controls now, please click Try Again below.
? Your Internet Explorer security settings are set to High. In order to use the Windows Update site, you need to set your security settings at medium. To change your security settings: From the View menu on the toolbar, choose Internet Options. Click the Security tab, and then select Internet zone in the drop-down box. Click Medium.
? Internet Explorer cannot open the Internet site < address > . A connection to the server could not be established.
? The computer stops responding (hangs) when attempting a download.
5. The article [Q811269] states that when you download a Microsoft Windows Update, the installation process may stop -- and the issue can occur if using the AOL Web browser interface but should this issue occur otherwise, is to clear your Internet Explorer temporary files and cookies and then remove the Windows Update temporary files.
6. If a password to an account that is joined to a workgroup is reset, access to any or all of the following may be lost and can occur if the password was forcefully reset by an administrator or owner instead of being changed by the user, [Q290260]:
? Web page credentials
? File share credentials
? EFS-encrypted files
? Certificates with private keys (SIGNED/ENCRYPTed e-mail)
7. The article [Q822798] explains that when you install a service pack, an error addressing the Cryptographic service may be received. If the service is active, use the information in the article [Q822798] to re-register the DLL files associated with the Chryptographic Services.
8. Are there perhaps problems with the features concerning, "Internet Connection Sharing"?
9. The article [Q883821] discusses the error codes you may receive when connecting to the Update site and provides proceures for troubleshooting the issues. Other "error codes" may be searched by accessing this link, entering the code in the Search for box in the upper left side, and then pressing enter.
10. The Update Information Tool (Qfecheck.exe) is a command-line tool which can be used to confirm, track, and verify installed hotfixes by reading the information stored in the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates". It confirms two things: files not current and/or file current but not considred valid. This tool does not however verify hotfix integrity, [Q282784]. It can also be used to track and verify the installation of hotfixes, and:
? helps customers who thought they had properly installed an update, but had not, and are now experiencing a problem. This tool easily enumerates all of the installed fixes by Microsoft Knowledge Base article number and users can then confirm whether they have installed the appropriate set of fixes before using a valuable support incident and potentially experience problems.
? identifies a common set of fixes that are required for all servers to help ensure that hotfixes are applied in a consistent manner across many servers. It allows you to create logs for each computer in an organization that show which fixes are installed. Once logs are created, you can easily scan them for consistency.
? may alert you to when on rare situations in which, because of a network problem, a problem with the update itself, or a subsequent update that improperly overwrites a previous fix, updates could be damaged or removed in error. This tool ensures that not only have the fixes been installed, but that they are current on the computer.
? when used regularly to audit hotfixes, it help achieve higher reliability and function.
11. Data store in the All Users folder and default program templates and settings stored in the Default User folder may be lost after reinstalling, repairing, or upgrading. Shortcuts may be missing from the Start menu, as well as items in the Startup group, and documents, pictures, or music files stored in the Shared Documents folder. This occurs if any of the following actions are used on a system preinstalled with Windows XP by a computer manufacturer (also known as an Original Equipment Manufacturer, or OEM) , by:
a. reinstalling in the same folder by clicking Upgrade (Recommended) after running Winnt32.exe, or by clicking the Install Windows XP link on the "Welcome to Microsoft Windows XP" screen that appears when inserting the Windows XP CD-ROM. This is also known as performing an in-place upgrade or an in-place installation.
b. repairing, when starting a system from the Windows XP CD-ROM, pressing ENTER to set up Windows XP, and then pressing R to repair.
c. upgrading the Windows XP Home Edition installation preinstalled on a system manufactured for the retail version of Windows XP Professional.
12. If you use a Windows XP-based computer to connect to the Microsoft Windows Update site through an authenticating Web proxy that uses integrated (NTLM) proxy authentication, the connection may not succeed since the Update site uses ActiveX controls to determine which updates are installed and these ActiveX controls do not properly use HTTP keep-alive headers when IE is configured to use HTTP 1.0, [Q312955].
13. The article [Q303215] describes and discusses the command-line tool Hfnetchk that can be used to centrally assess a computer or group of computers for the absence of security patches.
14. The article [Q320454] provides information about the Microsoft Baseline Security Analyzer (MBSA) tool that replaces the standalone HFNetChk tool and can be used from the graphical user interface (GUI) or the command-line interface to scan Windows-based computers for common security misconfigurations and generate individual security reports which are stored on the computer in the %userprofile%\SecurityScans folder. By default, a security update scan reports missing updates that Windows Update marks as critical security updates (also known as baseline critical security updates).
15. Security Settings:
a. Before modifying security settings, it is important to take into consideration the default settings. There are three fundamental levels of security granted to users besides "special groups". These are granted to end users through membership in the Users, Power Users, or Administrators GROUPS.
? Administrator - Adding users to this group is the most secure option, because the default permissions allotted do not allow members to modify operating system settings or other user's data. However, user level permissions often do not allow the user to successfully run legacy applications. The members of the Users group are only guaranteed to be able to run programs that have been certified for Windows.
? Power User - The Power Users group primarily provides backward compatibility for running non-certified applications. The default permissions allotted to this group allow this group's members to modify computerwide settings. If non-certified applications must be supported, then end users will need to be part of the Power Users group.
? User - The Users group is the most secure, because the default permissions allotted to this group do not allow members to modify operating system settings or other users' data. However, user level permissions often do not allow the user to successfully run legacy applications. The members of the Users group are only guaranteed to be able to run programs which have been certified for Windows. They can create local groups, can manage only the local groups that they created, and have Full Control over all of their own data files (%userprofile%) and their own portion of the registry -- HKEY_CURRENT_USER.
b. To view "security policy settings" (Click to see an example screenshot) on a computer running Windows XP Professional, click Control Panel, Performance and Management, Administrative Tools and then double-click Local Security Policy.
c. To view the Local Security Settings container from a command line, click Start, Run and then type secpol.msc and then press Enter.
d. To review security-related events using Event Viewer, open it and in the console tree, click Security.
e. Make the Administrators group the owner of all "resources" (Click to see an example screenshot). In Control Panel, Performance and Maintenance, Administrative Tools, double click Local Security Policy. Under Security Settings, double-click Local Policies, Security Options and then double click the policy System objects: Default owner for objects created by members of the administrators group. In the drop-down list box, select Administrators group, and then click OK.
Note: To see owners of objects in a share or folder, at the command line type dir /q, and then press Enter.
16. When using the Windows Update site an error message similar to the following may be received and can occur if a computer used is behind a firewall, connected to the Internet through a proxy server, or can also be caused by incorrect restriction settings in certain registry keys regardless of whether you're the Administrator, [Q316524]:
Administrators Only (-2146828218)
? To install items from Windows Update, you must be logged on as an administrator or a member of the Administrators group. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure.
17. Security and Certificates:
a. Valid only for the period of time specified within -- every certificate contains Valid From and Valid To dates that set the boundaries of the validity period. Once a certificate's validity period has passed, a new certificate must be requested by the subject of the "now-expired certificate" (Click to see screenshot - Autoenrollment Settings Properties).
b. One of the main benefits of certificates is that hosts no longer have to maintain a set of passwords for individual subjects who need to be authenticated as a prerequisite to access and use. Computers must be able to exchange information with a high degree of confidence in the identity of the other device, service, or person involved in the transaction.
c. Certificates can also be used to verify the authenticity of software code download from the Internet, install from a company intranet, or purchased on CD-ROM and install on a computer. Unsigned software--software that does not have a valid software publisher's certificate--can pose a risk.
d. There are four basic sources for the certificates found in the "certificate stores" (click to see a screen shot):
? Certificates that come on the CD and included during the installation of Windows XP.
? Application such as an Internet browser to engage in a SSL session, during which certificates are stored on your computer after establishment of trust.
? Chosen certificates when installing software or receive an encrypted or digitally signed e-mail from others.
? Certificates requested from a certification authority, such as a certificate needed to access specific organizational resources.
e. Supplemental reading: "Internet Explorer Connectivity and Certificate Display Issues (Q811383)."
f. It is not always desirable to use one set of credentials which roam ? part of the user's profile and encrypted (%Userprofile%\Application Data\Microsoft\SystemCertificates\My\Certificates) ? for access to different resources ensuring that if one password is compromised it does not compromise all security. Group Policy allows you to limit use of the Stored User Names and Passwords. In the Group Policy MMC snap-in:
? Double-click the Security Options folder (Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options).
? Right-click Network access: Do not allow storage of credentials or .NET Passports for network authentication, click Enabled, and then click OK, [Troubleshooting Certificate Status and Revocation].
Note: The certificates are stored in a location known as a certificate store -- the machine store used by the computer and the user store or My store used by the currently logged on user.
g. "Behavior of Stored User Names and Passwords (Q281660)."
h. "HOW TO: Manage Stored User Names and Passwords on a Computer That Is Not in a Domain in Windows XP (Q306541)."
i. "HOW TO: Manage Stored User Names and Passwords on a Computer in a Domain in Windows XP (Q306992)."
j. "How to create and use a password reset disk for a computer that is not a domain member in Windows XP (Q305478)."
18. Privacy Preferences:
a. In Internet Explorer v6.x, the Internet Explorer Customization Wizard can be run where you can define the "privacy preferences" (Click to see an example screenshot) for disclosing personal information to Web sites and choose a privacy level that determines whether Web sites can store and retrieve cookies on your computer and to use them to access and track the personal information that you provide.
b. All security zones are set to Custom upgrading to Internet Explorer v6.x and as a result, the slider used to make changes might be missing. This behavior occurs because the default security settings have changed and all security zones are set to Custom to indicate the existing security settings do not match the new defaults. To reset security settings for each zone:
? In IE, Click Tools, Internet Options, Security tab, and the select the zone wanted.
? Click Default Level and if necessary reconfigure any custom settings.
? Do this for each of the "four zones" (Click to see an example screenshot); Local internet zone, Trusted sites zone, Internet zone, and Restricted sites zone.
c. A security level assigned to each zone defines the level of browser access to Web content. Choose to make each zone more or less secure - each zone can control access to a site based on the zone in which the site is located and the level of trust assigned (Enable, Disable and Prompt). Choosing the Custom level enables you to configure settings for ActiveX controls, downloading and installation, scripting, password authentication, cross-frame security, Java capabilities, and many others. It also enables you to assign administrator-approved control, which runs only approved ActiveX controls.
Note: Security zones enable you to choose whether active content (ActiveX Controls and scripts) can be run from inside HTML e-mail messages in OE. By default, Outlook Express 6 uses the Restricted Zone instead of the Internet Zone.
19. Install the SPCheck tool to determine the service pack level of installed components on a file-by-file basis, [Q279631]. SPCheck examines each component one file at a time. Because of this, it must run under a security context that is equivalent to the local administrator account. If it is not run in this security context, files may be reported as missing even though they are installed on the computer. SPCheck searches for files by using the "PATH" environmental variable. If files are reported as missing (although they can be found on the target computer), ensure that the folder or folders which the component is installed in are included in the PATH environmental variable.
20. The article [Q319109] explains that when you visit the Windows Update site, you may find that the list of updates includes items already installed and may occur if the updates already installed have not been registered correctly. If this generally applies, see the article [Q822798].
21. The Command-Line option for XPsp1.exe and Update.exe to list hotfixes that are currently installed, use:
Note: Please be advised, the article [Q328001] states that after you install Windows XP Service Pack 1 (SP1), you cannot use the Start Windows Using Last Known Good Configuration feature to undo the installation and to use the Add or Remove Programs tool in Control Panel.
22. Access and read the subject "Internet Explorer Add-on Management and Crash Detection" and use the information for troubleshooting purposes -- disable any found (one at a time) and determine the result.
23. The article [Q323166] discusses the procedure and explains that you can search the Windows Update Catalog to find updates for download and installation later.
24. Supplemental reading:
a. "Windows Update Troubleshooter."
b. "Description of the "Install on Demand" and "Automatically Check for Updates" Features (Q222639)" specifies whether to automatically download and install Web components that can be installed by Internet Explorer Active Setup.
c. "HOW TO: Configure Automatic Updates to Prompt You Before You Download Updates in Windows XP (Q283629)."
d. "A Description of the Credential Management Feature in Windows XP Professional (Q283677)."
e. "Description of the Automatic Update Feature in Windows XP (Q294871)."
f. "Windows XP Application Compatibility Update (December 17, 2001) (Q313484)."
g. "You Cannot Use Any Windows Update Features (Q326686)."
Note: This behavior occurs if the Windows Update feature has been turned off.
h. "Detecting Digital Signing Issues in Windows XP (Q813442)."
Note: Errors generally are: Software Update Incomplete; The page cannot be displayed; FileName will be installed (policy=ignore); and a host of others.
i. "You cannot install some updates or programs (Q822798)."
j. "Updates from the Windows Update Web site are not installed and an "Error 0x80070005: Access is denied" error message is logged to the Windows Update.log file (Q836926)."
k. "Appendix B - Troubleshooting Strategy for resolving problems in Internet Explorer v6.x" -- heavy concerning ActiveX
l. "Chapter 4 - Security Zones Internet Explorer v6.x" - TechNet article.
Several times now after I use windows update with XP Professional it freezes when loading & I have to reset then restore.I tried going in safe mode but couldn't find any problems.Anyone got a clue on what is occuring?