Security updates in answer file breaks pass 2 offline servicing


  1. Posts : 4,188
    Windows 11 Pro, 22H2
       #11

    dpengel3 said:
    Interesting, @hsehestedt! Have you thought about writing a book?

    I do, indeed, have a few immediate questions, if I could pick your wisdom. Keep in mind my context, here. These OS images will be separately, specially created for clients, and will become part of an embedded software environment where (in expected circumstances), there will typically never be a desktop logon once it leaves the factory.

    The end game (for a given client/project) is to have an image that can be installed (either via Clonezilla or dism) on many identical devices, and easily (as hands-free/automated as possible) configured so that the device becomes a kiosk running product-specific application software.

    I'm not sure whether this affects answers to any of my questions, but it's good to have context up front.

    OK, so here are the questions I have:

    1. These devices will NEVER go through a Windows recovery event. If there would ever be a need to do so, the device would be returned to the factory for re-imaging. Given that, is there any reason at all to worry about updating the WinRE image?

    2. The installation itself will only ever be performed by me (the developer), and then only by way of getting to a final image that can be sysprep'ed then backed up with Clonezilla or dism /Capture-Ffu. As long as the install.wim is updated, is there any reason at all for the WinPE image (boot.wim) to get updated?

    Note: I say "by me." What I mean is by a developer at my company. It could be a different developer for each project. My plan, here, is to have a baseline image with a lot of setup (including Windows updates) complete. The developer just goes through the steps of install, customize, sysprep, and then capture. We'll never send an installation ISO/WinPE-based process to a client's manufacturing team, which is why I'm asking the question above.

    3. Does Microsoft create a new KB number for each version of the same kind of update? For example, the SSU/LCU KB number today is 5022282. Will the one coming out on Tuesday be different?

    4. Right now, the only way I know, for figuring out which update files I need, is to do the following:

    - Install
    - Perform updates
    - Look at update history, and write down the KB #'s
    - Go to the MS update catalog and search those numbers, downloading the appropriately-designated versions of the files

    Is there a better way? Something standardized?

    5. I notice that some of the KB updates from the catalog are .msu (I know what to do with those) while others are just .exe files. Can the .exe files also be applied with dism /Add-Package? Is there some other way to apply those offline? What about mpam-fe.exe - is there a way to apply that offline while I'm doing the other updates?

    Thanks, again, for all of your help and for your willingness to share the benefit of a long process of learning!

    (And I apologize if any of these would have been answered by reading your batch file - I skimmed it but did not read it in detail.)
    1 - The whole WinRE vulnerability is only an issue if someone has physical access to the system and can get to the recovery partition. Otherwise, no, there's really no need to deal with this.

    2 - Personally, I like to update the boot.wim (WinPE) only because that is the component used to install Windows. However, you can probably get along just fine without updating this.

    3 - For the monthly patch updates, yes, it is a new KB article each month. But that is because what is contained in the monthly updates is different and varied parts and pieces of Windows each time. There are some things for which they use the same KB number but with a version number. As an example, the "Windows Malicious Software Removal Tool" is always KB890830.

    4 - You can see what updates have been added to an image by using this command (with the appropriate paths and image file name):

    dism /Get-WimInfo /WimFile:"E:\Sources\install.wim"

    5 - Good question. I'm not aware of any .EXE files being applied by DISM. All of my updates are just .msu or .cab files. Ironically, the "mpam-fe" is one I have been wondering about for a little while now. I guess that your question is now the perfect reason for me to test this. It's easy for me to test because I have this all automated already. I likely won't have time to try it until this weekend but as soon as I do I will let you know if that works out. However, I suspect that it would need to be installed AFTER Windows setup. It's possible that it could be installed using Windows unattended setup right at the end of installation before the user gets to the desktop the first time, but I have doubts about simply injecting that into a Windows image (other than a sysprep image).
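Added example, not part of the thread and not code from hsehestedt's batch file or WIM Tools: one way to service an offline image with .msu/.cab updates and then list the update packages it contains, using the DISM PowerShell cmdlets. The image index, mount folder and update folder are assumptions; the WIM path is the one quoted in the post above.

```powershell
#Requires -RunAsAdministrator
# Added example. Every default below except $WimFile is an assumed value.
param(
    [string]$WimFile   = 'E:\Sources\install.wim',  # path quoted in the post above
    [int]   $Index     = 1,                         # assumed edition index
    [string]$MountDir  = 'C:\Mount',                # assumed empty working folder
    [string]$UpdateDir = 'C:\Updates'               # assumed folder of .msu/.cab files
)
$ErrorActionPreference = 'Stop'

# Show the editions inside the WIM so the right index can be confirmed.
Get-WindowsImage -ImagePath $WimFile |
    Format-Table ImageIndex, ImageName -AutoSize | Out-Host

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $WimFile -Index $Index -Path $MountDir | Out-Null

$save = $false
try {
    # Only .msu and .cab packages can be added offline; skip anything else
    # (for example .exe downloads) that happens to be in the folder.
    $updates = Get-ChildItem -Path $UpdateDir -File |
        Where-Object { $_.Extension -in '.msu', '.cab' } |
        Sort-Object Name

    foreach ($u in $updates) {
        Write-Host "Adding $($u.Name)"
        Add-WindowsPackage -Path $MountDir -PackagePath $u.FullName | Out-Null
    }

    # List the update-type packages now recorded in the image's package store.
    Get-WindowsPackage -Path $MountDir |
        Where-Object { $_.ReleaseType -match 'Update' } |
        Sort-Object InstallTime |
        Format-Table PackageName, PackageState, ReleaseType, InstallTime -AutoSize |
        Out-Host

    $save = $true
}
finally {
    # Commit only if every package was added; otherwise leave the WIM untouched.
    if ($save) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
    else       { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}
```

Packages listed with a state of `InstallPending` are completed when the image first boots.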


  2. Posts : 38
    Windows
    Thread Starter
       #12

    Thank you, again, @hsehestedt. I have more questions, but I need to do some of my own diligence first!

    (I'm finding Windows OS image preparation to be as much an experimental science as it is a matter of reading and researching - who knew?)


  3. Posts : 4,188
    Windows 11 Pro, 22H2
       #13

    dpengel3 said:
    Thank you, again, @hsehestedt. I have more questions, but I need to do some of my own diligence first!

    (I'm finding Windows OS image preparation to be as much an experimental science as it is a matter of reading and researching - who knew?)
    Like I noted, it took me a long time to get this all figured out.

    For your amusement, I've attached my document that includes all the details regarding this topic. Note that this document covers both unattended installation of Windows and Windows image management. You will be interested in section 2 which is specifically about maintaining Windows images.

    You noted that you have more questions. By all means, feel free to ask! If I can do anything to save you time and grief, I would be happy to do so. There were times that I really wish someone could have answered some of my questions, but because I could find no one at times, I had to spend weeks, sometimes months, doing lots of testing and detective work to get the answers I was looking for.


  4. Posts : 38
    Windows
    Thread Starter
       #14

    Thanks for that, @hsehestedt. I've downloaded your document and will take a look.

    Here's one thing you could probably answer (/should/ be a short answer): These different "versions" of Windows 10 (1809, 1094, 21H1, 21H2, etc.)...what do those refer to? Does it represent some part of the original installation (like the Windows kernel, say) that will NEVER get updated to the next version?

    So, if I have 1809, then it means, presumably, that no matter how many cumulative updates I apply, I will never have 1904 (for example)?

    I know that for medical devices, we want that kind of stability - like "security updates only" or something. But I've never quite understood what the version is referring to.

    - - - Updated - - -

    Never mind - I found the answer in the distinction between feature updates and quality updates. The cumulative updates are quality updates, and since (for medical) we're always using the LTS versions, we will typically not run out of support for those for our given version within the life of the equipment.


  5. Posts : 5
    Windows 10
       #15

    hsehestedt said:
    If you want some GREATLY enhanced functionality, including the ability to do almost anything you could imagine with the management and updating of Windows images, please do let me know and I will show you where to get my program.
    Hi @hsehestedt. I’m interested.


  6. Posts : 4,188
    Windows 11 Pro, 22H2
       #16

    FredV said:
    Hi @hsehestedt. I’m interested.
    Welcome to TenForums!

    I'll get this to you tonight when I am back in front of my primary computer. For now, I just wanted to acknowledge that I saw your message. Thanks for your interest!


  7. Posts : 4,188
    Windows 11 Pro, 22H2
       #17

    You can normally find the latest version of my WIM Tools program up on GitHub at hsehestedt · GitHub. However, I'm in the process of making some changes and have not yet updated GitHub with those changes. As a result, I'll just provide a copy of the program to you here directly. However, in the future, I suggest looking for updates on GitHub. Note that because of the changes I am making, the program will become "Wim Tools MK 2, version 1.0.0.x", a completely different version than you see now. This is because I am removing all support for x86 versions of Windows. Starting with Windows 11 there is no longer an x86 version (32-bit). Only x64 (64-bit) versions of Windows exist. Also, I'm finding it more difficult to even come across systems with 32-bit drivers for Windows 10 now, making testing of the x86-specific features difficult.

    Let me make a few comments before you download the program...

    First, this is not a signed piece of software. As a result, I find that it often gets flagged as potentially containing a virus. To prevent this, do this:

    Create a folder for the program. As an example, I usually put it in documents\WIM. Create an exception for that folder in your antivirus software.

    Next, many of the functions in the program need the Microsoft ADK to be installed. You can install the Microsoft ADK from here:

    https://learn.microsoft.com/en-us/wi...ed/adk-install

    When you install the ADK, you will be presented with a list of options that you can choose to install. We only need the Deployment Tools. You can deselect everything else if you wish.

    When you run the program, if you choose an item from the menu that requires the ADK, the program will inform you if the ADK is not yet installed. Also, the first time that you run the program, I would suggest selecting option # 18, "Program help", then option # 19, "Get general help on the use of this program". After that, you may also wish to view the help for any specific items that you want to run to familiarize yourself with these.

    If you have any questions at all, please do let me know!


  8. Posts : 5
    Windows 10
       #18

    Thanks. I’ll check it out and will add a watch for new releases on GitHub. I knew BASIC existed (80’s vibes) but never heard of QB64 before. I don’t know if it would have been simpler or harder, but I guess it could have been written in PowerShell. The link to
    Code:
    https://qb64.com
    in your readme is wrong (www. needs to be removed).

    About the batch script you provide in the first page of this thread here, is it different in functionality from the PowerShell script given in this article by MS: Update Windows installation media with Dynamic Update?

    In your GitHub project, what about activating the discussion tab?


  9. Posts : 5
    Windows 10
       #19

    hsehestedt said:
    2) Inject the security updates into your Windows image

    This is the method that I use. With the release updates on Patch Tuesday, I inject both the security and non-security updates into my Windows image. That way, there is no need to install any updates after unattended setup of Windows.

    Let me know if you have any questions.
    When taking the install.wim from the reference system after applying all updates, will it apply the KB5034441 that updates WinRE in a fresh install?


  10. Posts : 4,188
    Windows 11 Pro, 22H2
       #20

    FredV said:
    Thanks. I’ll check it out and will add a watch for new releases on GitHub. I knew BASIC existed (80’s vibes) but never heard of QB64 before. I don’t know if it would have been simpler or harder, but I guess it could have been written in PowerShell. The link to
    Code:
    https://qb64.com
    in your readme is wrong (www. needs to be removed).

    About the batch script you provide in the first page of this thread here, is it different in functionality from the PowerShell script given in this article by MS: Update Windows installation media with Dynamic Update?

    In your GitHub project, what about activating the discussion tab?
    Thanks for the information. I actually need to change several things in the readme. That QB64 reference is to a very old version. It is now the Phoenix edition of QB64 which has a whole new web site. There's an interesting story behind that, but that is for another time.

    As for the functionality of the batch file, it is based upon the link that you provided, but it incorporates a few things that I have learned that are not included in the PowerShell script. Also, bear in mind that I am not a "real" programmer. I'm especially weak on PowerShell so I make do with what I have. This whole thing started as an aid to myself, but I posted it because I thought that it might in some small way be of interest to others.

    I have some rather substantial updates that I need to put out, I've just been so extremely busy that I have not had the time to put the updates out there yet. I also had a bit of time where I was ill so I'm just catching up on things now.


 
