Dynamic Update and Resulting Internet Communication in Windows Server 2008

Applies To: Windows Server 2008

In This Section

Benefits and Purposes of Dynamic Update

Overview: Using Dynamic Update in a Managed Environment

How Dynamic Update Communicates with Sites on the Internet

Controlling Dynamic Update to Limit the Flow of Information to and from the Internet

Benefits and Purposes of Dynamic Update

With Dynamic Update, if you start a computer from an existing operating system (for example, Windows Server 2003 with Service Pack 2) and then run Setup for Windows Server 2008 from that operating system, Setup can check for new Setup files, including drivers and other files.

Note

If you perform a network boot, for example, from a Pre-Boot Execution Environment (PXE)-enabled computer, and then run Setup for Windows Server 2008, Dynamic Update does not occur. Similarly, if you start a computer with the Windows Preinstallation Environment (Windows PE), Dynamic Update does not occur.

In an interactive installation, the person installing Windows Server 2008 is prompted to choose whether to allow Dynamic Update to occur. In an unattended installation using an answer file, an entry in the answer file can control whether Dynamic Update occurs.

Using Dynamic Update reduces the need to apply patches to recently installed systems, and makes it easier to run Setup with hardware that requires a driver that was recently added or updated on the Windows Update Web site. For example, if a new video adapter requires a driver that was recently added to the Windows Update Web site, with Dynamic Update, the driver can be downloaded so that the video adapter is supported during Setup.

Dynamic Update performs the same kind of check for software updates as can be performed through the existing, installed operating system (for example, through Windows Server 2003 with Service Pack 2), except that Dynamic Update happens during Setup for Windows Server 2008, and a limited set of software updates can be downloaded through Dynamic Update. All files that are made available through Dynamic Update are very carefully tested and fall into three categories:

  • Setup software updates: These updates help Setup run correctly. Dynamic Update handles only limited, important Setup updates.

  • New or changed drivers: These are drivers that are known to be necessary for success with Setup. They include only network, video, audio, and mass storage drivers. Dynamic Update downloads only the files that are required for a particular computer, which means that the Dynamic Update software briefly examines the computer hardware. The information collected is not saved. The only purpose for examining the hardware is to select appropriate drivers for it. This keeps the download time as short as possible and ensures that only necessary drivers are downloaded to the hard disk.

    Note that another alternative for installing drivers during Setup is to use interactive Setup and press F6 when prompted. A third alternative is to make use of a deployment technology that allows you to create operating system images and control the drivers included in a specific image.

  • Updates to operating system features: These are high-priority updates that can help make operating system features more resistant to attack in the period immediately after installation. These updates help increase the security of a newly installed operating system when it first connects to a network, during the time before you begin your standard software update process (whether you use the Windows Update Web site, Windows Server Update Services, or a system management solution).

Dynamic Update checks for the new files in the same location that the existing operating system (the one from which Setup for Windows Server 2008 was run) was using for software updates:

  • The Windows Update Web site: On a computer that had been receiving software updates from the Internet, Dynamic Update continues to go to the Internet, that is, the Windows Update Web site.

  • A Windows Server Update Services (WSUS) server: On a computer that previously used WSUS, Dynamic Update continues to go to a WSUS server.

    For information about WSUS, see the following pages on the Microsoft Web site:

  • A system management server: On a computer that previously used system management servers, for example, servers running Microsoft Systems Management Server 2003 R2, Dynamic Update continues to go to a management server.

    For information about system management server software offered by Microsoft, see the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?LinkId=70683

Overview: Using Dynamic Update in a Managed Environment

In a managed environment where you are installing Windows Server 2008 on many computers, you might choose to prevent Dynamic Update from connecting to the Windows Update Web site. To do this, you can use Windows Server Update Services or a system management solution, or you can perform unattended installation with an answer file entry that prevents Dynamic Update. For more information, see Controlling Dynamic Update to Limit the Flow of Information to and from the Internet, later in this section.

How Dynamic Update Communicates with Sites on the Internet

This subsection focuses on the communication that occurs between Dynamic Update and the Windows Update Web site during an interactive installation (or a pre-installation compatibility check) when the computer has access to the Internet. This subsection also provides a description of the default behavior of Dynamic Update with unattended setup.

Note

This subsection describes how Dynamic Update works if a computer runs an existing operating system (for example, Windows Server 2003 with Service Pack 2), the computer is currently configured to go to the Windows Update Web site for software updates, and you run Setup for Windows Server 2008 from the operating system already running on the computer. Adjust the description to fit other scenarios, for example, where WSUS is being used.

For a description of how you can control the behavior of Dynamic Update during unattended installations, see Controlling Dynamic Update to Limit the Flow of Information to and from the Internet, later in this section.

  • Specific information sent or received: When Dynamic Update contacts the Windows Update Web site, it sends only the exact operating system version and the information necessary for appropriate drivers to be selected (network, video, audio, and mass storage drivers). The information it collects about the hardware devices on that particular computer is only what is needed to identify drivers needed for a successful completion of Setup.

    The files that Dynamic Update downloads are only those that are important to:

    • Ensure that Setup runs successfully.

    • Help protect operating system features in the period immediately after installation (until the normal software-update process can begin).

    Files with minor updates that have little impact on the preceding items are not made available through Dynamic Update. Some of the updated files will be replacements (for example, an updated Setup file) and some will be additions (for example, a driver not available at the time that the Setup CD was created).

  • Default behavior and triggers: During interactive installation, the person installing is offered the following options:

    • Go online to get the latest updates for installation

    • Do not get the latest updates for installation

    If the person installing chooses the first option, Dynamic Update occurs.

    During unattended installation with an answer file, if the answer file does not contain any entries related to Dynamic Update, Dynamic Update will occur.

    Note that for either interactive or unattended installation, if the computer is not connected to the Internet during installation, Dynamic Update cannot occur.

  • User notification: During an interactive installation, the person installing is notified when the choice of whether to run Dynamic Update is offered. During an unattended installation, there is no notification (unattended installation by definition means that no user interaction is required).

  • Logging: By default, the progress of Setup is logged in systemroot\Panther\setupact.log. You can view this log if you have questions about Dynamic Update, for example, if you want to know whether Dynamic Update occurred, or which files were successfully downloaded during Dynamic Update.

  • Encryption: Dynamic Update uses the same encryption methods as Windows Update. This means initial data is transferred using HTTPS, that is, Secure Sockets Layer (SSL) or Transport Layer Security (TLS) with HTTP, and updates are transferred using HTTP.

  • Access and privacy: No information about the hardware devices on a particular computer is saved or stored, so no one can access this information. The information is used only to select appropriate drivers.

    For information about access and privacy for a related feature, Windows Update, see Windows Update and Resulting Internet Communication in Windows Server 2008, later in this white paper.

  • Transmission protocol and port: Dynamic Update uses the same transmission protocols and ports as Windows Update: HTTP with port 80 and HTTPS with port 443.

  • Ability to disable: During interactive Setup, the prompt for Dynamic Update will always appear (it cannot be disabled), but the person installing can decline at the prompt. During unattended installation with an answer file, Dynamic Update is disabled if the answer file includes the following lines:

    <DynamicUpdate>
         <Enable>false</Enable>
    </DynamicUpdate>
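
The following check is an added example, not part of the original white paper and not Microsoft tooling. It classifies answer files by whether they carry the entry shown above, and reports a file with no Dynamic Update entry as one where Dynamic Update will occur. The sample files, their wrapper elements, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample answer files (not from the original page). The wrapper
# elements are illustrative; only DynamicUpdate/Enable comes from the page.
SAMPLES = {
    "disabled.xml": """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE"><component name="Microsoft-Windows-Setup">
    <DynamicUpdate><Enable>false</Enable></DynamicUpdate>
  </component></settings></unattend>""",
    "explicit-on.xml": """<unattend><DynamicUpdate>
    <Enable> TRUE </Enable></DynamicUpdate></unattend>""",
    "silent.xml": """<unattend><settings pass="windowsPE"/></unattend>""",
}


def _local(tag):
    """Drop an XML namespace prefix: '{urn:...}Enable' -> 'Enable'."""
    return tag.rsplit("}", 1)[-1]


def dynamic_update_state(answer_file_xml):
    """Classify one answer file as 'disabled', 'enabled' or 'default'."""
    root = ET.fromstring(answer_file_xml)
    values = [
        (child.text or "").strip().lower()
        for block in root.iter() if _local(block.tag) == "DynamicUpdate"
        for child in block if _local(child.tag) == "Enable"
    ]
    if not values:
        # No Dynamic Update entry: per the page, Dynamic Update will occur.
        return "default"
    # Audit assumption: only an explicit "false" in every entry counts as off.
    return "disabled" if all(v == "false" for v in values) else "enabled"


def files_allowing_dynamic_update(files):
    """Return the names of answer files that do not disable Dynamic Update."""
    return sorted(name for name, xml in files.items()
                  if dynamic_update_state(xml) != "disabled")


if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name}: {dynamic_update_state(xml)}")
    print("review:", files_allowing_dynamic_update(SAMPLES))
```

Matching on local element names lets the check work whether or not the answer file declares an XML namespace.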
    

Controlling Dynamic Update to Limit the Flow of Information to and from the Internet

As summarized in "Overview: Using Dynamic Update in a Managed Environment," earlier in this section, if you do not want Dynamic Update to connect to the Windows Update Web site during the installation of Windows Server 2008, you have several options: