Not sure if this is a bug or by design (was suggested by MS person that is probably a bug) XP Pro/Home sp2 fully patched as of 04/24/2006. Visiting the Windows Update site and manually checking for updates (either Express of Custom" generates two keycontainer files at almost the same instant in the Machine keycontainer folder at: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys Each of these files I have confirmed contains two 512 bit keys (an Exchange and a Signature keypair). The file-generation happens at the instant the button(s) are clicked (before the local scan and any install recommendations are found). This is reproducible and several others have verified this behaviour. However, if Windows updates automatically, the files are not generated (or at least persisted). Q1: Are these machine keycontainer files supposed to be persisted by Windows Update? Q2: If so, what are they used for? Generally applications can create transient keycontainers but should definitely clean them up.