Managing Privacy: Dynamic Update and Resulting Internet Communication

Applies To: Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 8

In this section

Benefits and purposes of Dynamic Update

Overview: Using Dynamic Update in a managed environment

How Dynamic Update communicates with sites on the Internet

Controlling Dynamic Update to limit the flow of information to and from the Internet

This section explains how Dynamic Update communicates across the Internet, and it explains steps to limit, control, or prevent that communication in an organization with many users.

Benefits and purposes of Dynamic Update

With Dynamic Update, if you start a computer from an existing operating system (for example, Windows 8), and then run Setup from that operating system, Setup can check for new Setup files, including drivers and other files.

Note

If you perform a network boot, for example, from a Pre-Boot Execution Environment (PXE)-enabled computer, and then run Setup, Dynamic Update does not occur. Similarly, if you start a computer with the Windows Preinstallation Environment (Windows PE), even if media is used, Dynamic Update does not occur.

In an interactive installation, the person installing is prompted to choose whether to allow Dynamic Update to occur. In an unattended installation that uses an answer file, an entry in the answer file can control whether Dynamic Update occurs.

Using Dynamic Update reduces the need to apply patches to recently installed systems, and it makes it easier to run Setup with hardware that would otherwise prevent Setup from being completed successfully.

Note

Additional drivers that were recently added or updated that would not prevent Setup from completing successfully are downloaded to the system the first time the user runs Windows Update.

Dynamic Update performs the same type of check for software updates as can be performed through the existing, earlier operating system. However, Dynamic Update runs during Setup, and only a limited set of software updates can be downloaded through Dynamic Update. All files that are made available through Dynamic Update are very carefully tested and fall into three categories:

  • Setup software updates: These updates help Setup run correctly. Dynamic Update handles only limited, important Setup updates.

  • New or changed drivers: These are drivers that are known to be necessary for success with Setup. They include only network, video, audio, and mass storage drivers. Dynamic Update downloads only the files that are required for a particular computer, which means that the Dynamic Update software briefly examines the computer hardware. The information that is collected is not saved. The only purpose for examining the hardware is to select appropriate drivers for it. This keeps the download time as short as possible, and it ensures that only necessary drivers are downloaded to the hard disk drive.

    Note

    Another alternative for installing drivers during Setup is to use interactive Setup, and press F6 when prompted. Or you can make use of a deployment technology (such as unattended setup), which enables you to create operating system images and control the drivers that are included in a specific image.

  • Updates to operating system features: These are high-priority updates that can help make operating system features more resistant to attack immediately after installation, and updates that resolve blocking issues that prevent Setup from completing. These updates help increase the security of a newly installed operating system when it first connects to a network, before you begin your standard software update process (whether you use the Windows Update Web servers, Windows Server Update Services, or a system management solution).

Dynamic Update checks for the new files in the same location that the existing operating system used for software updates. (This is the same location from which Setup was run.) This location could be any of the following:

  • The Windows Update Web servers: On a computer that has been receiving software updates from the Internet, Dynamic Update continues to go to the Internet, that is, to the Windows Update Web servers.

  • A Windows Server Update Services server: On a computer that previously used Windows Server Update Services (WSUS), Dynamic Update continues to go to a WSUS server.

    For information about WSUS, see Windows Server Update Services.

  • A system management server: On a computer that previously used system management servers (for example, servers running System Center Configuration Manager), Dynamic Update continues to use a management server.

    For more information, see Microsoft System Center Configuration Manager.

Overview: Using Dynamic Update in a managed environment

In a managed environment where you are installing Windows on many computers, you might want to prevent Dynamic Update from connecting to the Windows Update Web servers. To do this, you can use Windows Server Update Services or a system management solution, or you can perform an unattended installation with an answer file entry that prevents Dynamic Update. For more information, see Controlling Dynamic Update to limit the flow of information to and from the Internet later in this section.

How Dynamic Update communicates with sites on the Internet

This subsection focuses on the communication that occurs between Dynamic Update and the Windows Update Web servers during an interactive installation or a preinstallation compatibility check when the computer has access to the Internet. This subsection also provides a description of the default behavior of Dynamic Update with an unattended setup.

Note

This subsection describes how Dynamic Update works if a computer runs an earlier operating system, the computer is currently configured to go to the Windows Update Web servers for software updates, and you run Setup from the operating system already running on the computer. You can adjust the description to fit other scenarios, for example, when you are upgrading from Windows 8, or where WSUS is being used.

For a description of how you can control the behavior of Dynamic Update during unattended installations, see Controlling Dynamic Update to limit the flow of information to and from the Internet later in this section.

Specific information sent or received: When Dynamic Update contacts the Windows Update Web servers, it sends only the exact operating system version and the information that is necessary to select appropriate drivers (for example, network, video, audio, or mass storage drivers).

The files that Dynamic Update downloads are only those that are important to:

  • Ensure that Setup runs successfully.

  • Help protect operating system features immediately after installation (until the normal software-update process can begin).

Files with minor updates that have little impact on the preceding items are not made available through Dynamic Update. Some of the updated files will be replacements (for example, an updated Setup file) and some will be additions (for example, a driver that was not available at the time the Setup CD was created).

Default behavior and triggers: During a conventional interactive installation, Dynamic Update occurs automatically.

During an unattended installation with an answer file, if the answer file does not contain any entries that are related to Dynamic Update, Dynamic Update will occur.

Note

If the computer is not connected to the Internet during installation, Dynamic Update cannot occur during a conventional interactive setup or during an unattended installation with an answer file.

User notification: During an interactive installation, a progress indicator appears that enables the person to track the status of the update process. During an unattended installation, there is no notification. (By definition, an unattended installation means that no user interaction is required.)

Logging: By default, the progress of Setup is logged in systemroot\Sources\Panther\setupact.log in the installation folders for the operating system that is being upgraded. After the upgrade is complete, the information about the new installation is stored in systemroot\Panther\setupact.log. You can view this log if you have questions about Dynamic Update, for example, if you want to know whether Dynamic Update occurred or which files were successfully downloaded during Dynamic Update.

Encryption: Dynamic Update uses the same encryption methods as Windows Update. This means that the initial data is transferred by using HTTPS (that is, Secure Sockets Layer (SSL) or Transport Layer Security (TLS) with HTTP) and updates are transferred by using HTTP.

Access and privacy: No information about the hardware devices on a particular computer is saved or stored by Dynamic Update, so no one can access this information. The information is used only to select appropriate drivers.

Transmission protocol and port: Dynamic Update uses the same transmission protocols and ports as Windows Update: HTTP with port 80 and HTTPS with port 443.

Ability to disable: During interactive Setup, Dynamic Update cannot be disabled. During an unattended installation with an answer file, Dynamic Update is disabled if the answer file includes the following lines:

<DynamicUpdate>
    <Enable>false</Enable>
</DynamicUpdate>

Controlling Dynamic Update to limit the flow of information to and from the Internet

If you do not want Dynamic Update to connect to the Windows Update Web servers during the installation, you have several options:

  • Use Windows Server Update Services or a system management solution: You can use Windows Server Update Services or a system management solution to cause Dynamic Update to use a server that you configure instead of the Windows Update Web servers.

    For more information, see the following websites:

    Windows Server Update Services

    Microsoft System Center 2012 Configuration Manager

  • Avoid Dynamic Update: You can avoid using Dynamic Update, which means that Setup will use only the files and drivers that are provided on the installation media. The method to avoid using Dynamic Update depends on how you are performing the installation. Options include:

    • Interactive installation: During an interactive installation, when prompted, you can choose not to use Dynamic Update. As an alternative, you can ensure that the computer does not have Internet access.

    • Unattended setup: During an unattended installation with an answer file, Dynamic Update does not occur if the answer file includes the following lines:

      <DynamicUpdate>
          <Enable>false</Enable>
      </DynamicUpdate>

      For more information, see Windows Deployment with the Windows ADK.

      For additional information about performing automated installations, see Appendix A: Resources for Learning About Automated Installation and Deployment.
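As an added example (not code from this page or from Microsoft), the following Python check applies the rule stated in the "Ability to disable" and "Unattended setup" items above to an answer file before deployment: Dynamic Update is reported as disabled only when the DynamicUpdate/Enable lines are present and set to false, and an answer file with no DynamicUpdate entry at all is reported as one where Dynamic Update will occur. The unattend namespace, the windowsPE pass and the Microsoft-Windows-Setup component attributes in the constructed sample files are assumptions about a typical answer file, not details taken from this page.

```python
import xml.etree.ElementTree as ET


def _local_name(tag: str) -> str:
    """Strip a namespace prefix such as '{urn:...}' from an element tag."""
    return tag.rsplit("}", 1)[-1]


def dynamic_update_enabled(unattend_xml: str) -> bool:
    """Return True if this answer file would let Dynamic Update run during Setup.

    Mirrors the behaviour described on this page: Dynamic Update is disabled only
    when the file contains <DynamicUpdate><Enable>false</Enable></DynamicUpdate>;
    an answer file with no DynamicUpdate entry leaves it enabled.
    """
    root = ET.fromstring(unattend_xml)
    for element in root.iter():            # works with or without a namespace
        if _local_name(element.tag) != "DynamicUpdate":
            continue
        for child in element:
            if _local_name(child.tag) == "Enable":
                if (child.text or "").strip().lower() == "false":
                    return False
    return True


def audit_answer_files(files: dict) -> dict:
    """Map each answer-file name to True if Dynamic Update would run from it."""
    return {name: dynamic_update_enabled(xml) for name, xml in files.items()}


# Constructed sample answer files. The namespace, pass and component attributes
# are assumptions about a typical unattend.xml; this page only shows the
# DynamicUpdate/Enable lines themselves.
_HEADER = (
    '<unattend xmlns="urn:schemas-microsoft-com:unattend">\n'
    '  <settings pass="windowsPE">\n'
    '    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64"\n'
    '               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">\n'
)
_FOOTER = "    </component>\n  </settings>\n</unattend>\n"
_ENTRY = "      <DynamicUpdate>\n        <Enable>{}</Enable>\n      </DynamicUpdate>\n"

DISABLED_UNATTEND = _HEADER + _ENTRY.format("false") + _FOOTER
ENABLED_UNATTEND = _HEADER + _ENTRY.format("true") + _FOOTER
NO_ENTRY_UNATTEND = _HEADER + _FOOTER          # no entry at all: Dynamic Update occurs

if __name__ == "__main__":
    samples = {"disabled": DISABLED_UNATTEND, "enabled": ENABLED_UNATTEND,
               "no-entry": NO_ENTRY_UNATTEND}
    for name, enabled in audit_answer_files(samples).items():
        print(f"{name}: Dynamic Update {'will' if enabled else 'will not'} occur")
```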