From 2369337dc227451195d2b0f7b2367817eb8c00d5 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 26 Jul 2023 18:00:45 -0400 Subject: [PATCH] Update Boot Image with CU Article 12 --- windows/deployment/update-boot-image.md | 58 ++++++++++++++++++++++++- 1 file changed, 56 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update-boot-image.md b/windows/deployment/update-boot-image.md index 2ede59d33e..f35ddfa10d 100644 --- a/windows/deployment/update-boot-image.md +++ b/windows/deployment/update-boot-image.md @@ -92,7 +92,7 @@ Note about Windows Server 2012 R2 - Create a new empty empty folder to mount the boot image to. For example, `C:\Mount`. -#### [**PowerShell**](#tab/powershell) +### [**PowerShell**](#tab/powershell) ```powershell Mount-WindowsImage -Path "" -ImagePath "\.wim" -Index 1 -Verbose @@ -100,7 +100,7 @@ Mount-WindowsImage -Path "" -ImagePath "\" /Index:1 /MountDir:"" @@ -114,10 +114,14 @@ For more information, see [Modify a Windows image using DISM: Mount an image](/w - If needed, add any drivers to the boot image. +### [**PowerShell**](#tab/powershell) + ```powershell Command to be determined ``` +### [**Command Line]**](#tab/command-line) + ```cmd DISM.exe/Image:"" /Add-Driver /Driver:"\.inf" @@ -126,6 +130,8 @@ DISM.exe /Image:"" /Add-Driver /Driver:" [!IMPORTANT] > > For Microsoft Configuration Manager boot images, don't manually add drivers to the boot image using the above steps. Instead, add drivers through Configuration Manager via the **Drivers** tab in the **Properties** of the boot image. This will ensure that the drivers in the boot image can be properly managed through Configuration Manager. Drivers are not affected by the cumulative update installed later in this walkthrough. 
@@ -135,32 +141,44 @@ For more information, see [Add and Remove Driver packages to an offline Windows - Add any desired optional components to the boot image. - The below examples assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly. +### [**PowerShell**](#tab/powershell) + ```powershell Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" -Path "" -Verbose ``` For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage). +### [**Command Line]**](#tab/command-line) + ```cmd DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\.cab" ``` +--- + You can add as many desired optional components as needed on a single DISM.exe command line. For more information, see [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#add-package). - Make sure that after adding the optional component to also add the language specific component for that optional component. 
For example, for English United States (en-us), add the following: +### [**PowerShell**](#tab/powershell) + ```powershell Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" -Path "" -Verbose ``` +### [**Command Line]**](#tab/command-line) + ```cmd DISM.exe /Image:"" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\_en-us.cab" ``` You can add as many desired optional components as needed on a single DISM.exe command line. +--- + > [!IMPORTANT] > > For Microsoft Configuration Manager boot images, make sure to add any desired optional components manually using the above command lines instead of adding them through Configuration Manager via the **Optional Components** tab in the **Properties** of the boot image. This is because the cumulative update being applied at the next step will also update any optional components as needed. If the optional components are instead added through Configuration Manager, then the optional components will not be updated with the cumulative update. This could lead to unexpected behaviors and problems. 
@@ -180,18 +198,24 @@ You can add as many desired optional components as needed on a single DISM.exe c - Apply the cumulative update (CU) downloaded earlier in the walkthrough to the boot image. +### [**PowerShell**](#tab/powershell) + ```powershell Add-WindowsPackage -PackagePath "" -Path "" -Verbose ``` For more information, see [Add-WindowsPackage](/powershell/module/dism/add-windowspackage) +### [**Command Line]**](#tab/command-line) + ```cmd DISM.exe /Image:"" /Add-Package /PackagePath:"" ``` For more information, see [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#add-package). +--- + > [!IMPORTANT] > > Make sure not to apply the cumulative update (CU) until all desired optional components have been installed. This will make sure that the optional components are also properly updated by the cumulative update. If in the future any additional optional components need to be added to the boot image, make sure to reapply the cumulative update. 
@@ -201,26 +225,36 @@ For more information, see [Add or Remove Packages Offline Using DISM](/windows-h - Copy the updated bootmgr files from the updated boot image to the ADK installation path. - This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr files are available to the ADK when creating bootable media. In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932). +### [**PowerShell**](#tab/powershell) + ```powershell Copy-Item "\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -Force Copy-Item "\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" -Force ``` +### [**Command Line]**](#tab/command-line) + ```cmd Command to be determined ``` +--- + ## Step 9: Perform component cleanup - Run DISM.exe commands that will clean up the mounted image and help reduce its size +### [**PowerShell**](#tab/powershell) + ```powershell Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase /Defer" -Wait -LoadUserProfile Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"" /Cleanup-image /StartComponentCleanup 
/Resetbase" -Wait -LoadUserProfile ``` +### [**Command Line]**](#tab/command-line) + ```cmd DISM.exe /Image:"" /Cleanup-image /StartComponentCleanup /Resetbase /Defer 
@@ -229,54 +263,74 @@ DISM.exe /Image:"" /Cleanup-image /StartComponentCleanup /Res For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image) and [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Cleanup-Image](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#cleanup-image). +--- + ## Step 10: Verify all desired packages have been added to boot image - After the optional components and the cumulative update (CU) have been applied to the boot image, verify that they are showing as installed. +### [**PowerShell**](#tab/powershell) + ```powershell Get-WindowsPackage -Path "" ``` For more information, see [Get-WindowsPackage](/powershell/module/dism/get-windowspackage). +### [**Command Line]**](#tab/command-line) + ```cmd DISM.exe /Image:"" /Get-Packages ``` For more information, see [DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Get-Packages](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options#get-packages). +--- + ## Step 11: Unmount boot image and save changes - Once drivers, optional components, and the cumulative update (CU) have been applied to the boot image, unmount the boot image and save changes. +### [**PowerShell**](#tab/powershell) + ```powershell Dismount-WindowsImage -Path "" -Save -Verbose ``` For more information, see [Dismount-WindowsImage](/powershell/module/dism/dismount-windowsimage). 
+### [**Command Line]**](#tab/command-line) + ```cmd DISM.exe /Unmount-Image /MountDir:"" /Commit ``` For more information, see [Modify a Windows image using DISM: Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image) and [DISM Image Management Command-Line Options: /Unmount-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#unmount-image). +--- + ## Step 12: Export boot image to reduce size - Once the boot image has been unmounted and saved, its size can be further reduced by exporting it. +### [**PowerShell**](#tab/powershell) + ```powershell Export-WindowsImage -SourceImagePath "\.wim" -SourceIndex 1 -DestinationImagePath "\-export.wim" -CompressionType max -Verbose ``` For more information, see [Export-WindowsImage](/powershell/module/dism/export-windowsimage). +### [**Command Line]**](#tab/command-line) + ```cmd DISM.exe /Export-Image /SourceImageFile:"\.wim" /SourceIndex:1 /DestinationImageFile:"\-export.wim" ``` For more information, see [Modify a Windows image using DISM: Reduce the size of an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#reduce-the-size-of-an-image) and [DISM Image Management Command-Line Options: /Export-Image](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14#export-image). +--- + - Once the export has completed, delete the original boot image and then rename the exported boot image with the name of the original boot image. ## Considerations for Microsoft Configuration Manager
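Review bot: The Command Line tab header added in the add-drivers hunk (`@@ -114,10 +114,14 @@`) has its closing bracket inside the bold markers, `### [**Command Line]**](#tab/command-line)`, so the link text is not well-formed markdown. Change it to `### [**Command Line**](#tab/command-line)`, matching the `[**PowerShell**](#tab/powershell)` header added beside it. The same misplaced `]` is repeated in every later Command Line header in this patch and needs the same fix.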
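Review bot: The closing `---` is placed inconsistently across the two tab groups in the optional-components hunk (`@@ -135,32 +141,44 @@`). In the first group it is added before "You can add as many desired optional components as needed on a single DISM.exe command line.", and in the language-component group it is added after the same sentence. The sentence is therefore outside the tabs in one place and inside the Command Line tab in the other. Since it only concerns DISM.exe, move the first `---` below that paragraph so the guidance stays in the Command Line tab in both groups.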
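Review bot: In the Step 8 hunk (`@@ -201,26 +225,36 @@`), the new Command Line tab wraps a block that still reads `Command to be determined`, so a reader on that tab has no way to copy the updated `bootmgr.efi` and `bootmgfw.efi`, which the step's own text ties to CVE-2023-24932. Supply the cmd equivalent of the two `Copy-Item` lines before merging, or drop the Command Line tab for this step and state that it is PowerShell-only. The PowerShell tab created in the add-drivers hunk (`@@ -114,10 +114,14 @@`) wraps the same placeholder and needs the same treatment.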
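Review bot: In the Step 12 part of the last hunk (`@@ -229,54 +263,74 @@`), the two commands now presented as interchangeable tabs are not equivalent: the PowerShell tab passes `-CompressionType max`, while the `DISM.exe /Export-Image` line in the Command Line tab has no `/Compress` option. Add `/Compress:max` to the cmd line so both tabs export with the same compression, or say in the text that the tabs differ.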