#11
1 - The whole WinRE vulnerability is only an issue if someone has physical access to the system and can get to the recovery partition. Otherwise, no, there's really no need to deal with this.
2 - Personally, I like to update the boot.wim (WinPE) only because that is the component used to install Windows. However, you can probably get along just fine without updating this.
3 - For the monthly patch updates, yes, it is a new KB article each month. But that is because what is contained in the monthly updates is different and varied parts and pieces of Windows each time. There are some things for which they use the same KB number but with a version number. As an example, the "Windows Malicious Software Removal Tool" is always KB890830.
4 - You can see what updates have been added to an image by using this command (with the appropriate paths and image file name):
dism /Get-WimInfo /WimFile:"E:\Sources\install.wim"
5 - Good question. I'm not aware of any .EXE files being applied by DISM. All of my updates are just .msu or .cab files. Ironically, the "mpan-fe" is one I have been wondering about for a little while now. I guess that your question is now the perfect reason for me to test this. It's easy for me to test because I have this all automated already. I likely won't have time to try it until this weekend, but as soon as I do, I will let you know if that works out. However, I suspect that it would need to be installed AFTER Windows setup. It's possible that it could be installed using Windows unattended setup right at the end of installation before the user gets to the desktop the first time, but I have doubts about simply injecting that into a Windows image (other than a sysprep image).
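Worked example for points 4 and 5 above (added here; this is not the poster's script or anything from Microsoft's documentation beyond the cmdlets it calls). `dism /Get-WimInfo` prints the index, name and description of each image inside a WIM; the servicing packages (the KB updates) that have been applied to an index are only visible once that index is mounted. The script below uses the DISM PowerShell module to mount every index of an install.wim, list the KB packages it contains, and optionally inject one .msu or .cab package the way DISM does offline. The WIM path, mount directory and package path are assumed placeholders; adjust them to your layout.

```powershell
# Added example, not from the forum post: list the KB packages baked into each index
# of an install.wim, and optionally add an .msu/.cab, with the DISM PowerShell module.
# All paths below are assumed placeholders.
#Requires -RunAsAdministrator
param(
    [string]$WimPath  = 'E:\Sources\install.wim',   # assumed: WIM to inspect (same path as in the post)
    [string]$MountDir = 'C:\Mount',                 # assumed: empty scratch directory for mounting
    [string]$Package  = ''                          # optional: path to an .msu or .cab to inject
)

Import-Module Dism
if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }

# Equivalent of "dism /Get-WimInfo": one object per image index in the WIM.
$images = Get-WindowsImage -ImagePath $WimPath

foreach ($img in $images) {
    Write-Host ("== Index {0}: {1}" -f $img.ImageIndex, $img.ImageName)
    $mounted = $false
    try {
        # Packages are only enumerable on a mounted image. Mount read-only when we
        # are just auditing; mount read-write only if we intend to add a package.
        if ($Package) {
            Mount-WindowsImage -ImagePath $WimPath -Index $img.ImageIndex -Path $MountDir | Out-Null
        } else {
            Mount-WindowsImage -ImagePath $WimPath -Index $img.ImageIndex -Path $MountDir -ReadOnly | Out-Null
        }
        $mounted = $true

        # Servicing updates carry their KB number in PackageName; filter to those so
        # the listing answers "which monthly updates are already in this image?"
        Get-WindowsPackage -Path $MountDir |
            Where-Object { $_.PackageName -match 'KB\d+' } |
            Select-Object PackageName, PackageState, InstallTime |
            Format-Table -AutoSize

        if ($Package) {
            # DISM applies .msu/.cab servicing packages offline. An .exe installer is
            # not a servicing package and cannot be added this way; it needs a running
            # Windows (e.g. a post-setup step), which is the point raised in item 5.
            Add-WindowsPackage -Path $MountDir -PackagePath $Package | Out-Null
        }
    }
    finally {
        # Always unmount so the WIM is not left in a dirty state. Save changes only
        # when we actually injected something; otherwise discard the read-only mount.
        if ($mounted) {
            if ($Package) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
            else          { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
        }
    }
}
```

Run it from an elevated PowerShell prompt, e.g. `.\Audit-Wim.ps1 -WimPath E:\Sources\install.wim` to audit, or add `-Package C:\Updates\some-update.msu` (an assumed path) to inject a package into every index and save the result. The read-only mount for the audit case is deliberate: it means a failed or interrupted run cannot corrupt the source WIM, and the `finally` block guarantees the mount point is cleaned up either way.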