From c859eda3f21f4ec1855092681b44b4ba73445dbb Mon Sep 17 00:00:00 2001
From: "Steve DiAcetis (MSFT)"
<52939067+SteveDiAcetis@users.noreply.github.com>
Date: Mon, 3 Oct 2022 13:44:28 -0700
Subject: [PATCH 1/6] Update media-dynamic-update.md
Improving the script comments to cover releases where no standalone SSU is published and the combined cumulative update (SSU + LCU) must be used for the servicing-stack step instead.
---
.../deployment/update/media-dynamic-update.md | 88 ++++++++++++++-----
1 file changed, 68 insertions(+), 20 deletions(-)
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index acc9d2ff15..936f68a628 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -192,21 +192,28 @@ Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destinatio
Write-Output "$(Get-TS): Mounting WinRE"
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
-# Add servicing stack update
+# Add servicing stack update (Step 1 from the table)
-# Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required
-# This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update.
+# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
+# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
+# cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
+# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined
+# cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
+# cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
+# combined cumulative update can be installed.
-# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
-# There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
-# This error should be caught and ignored, as the last step will be to apply the cumulative update
-# (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
+# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
-Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Now, attempt the combined cumulative update.
+# There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should
+# be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct
+# packages installed.
try
{
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null
}
Catch
{
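Review bot: The progress line for this step was removed (`Write-Output "$(Get-TS): Adding package $SSU_PATH"`) and nothing replaces it, so the WinRE log no longer says that `$LCU_PATH` is being applied, and a 0x8007007e that the catch deliberately ignores is recorded without the package that produced it. Add `Write-Output "$(Get-TS): Adding package $LCU_PATH"` directly before `try`, matching the Main OS step which still announces its package. The catch body that decides whether to ignore or rethrow continues outside this hunk. The new comment text is copied verbatim into every administrator's script, so its typos are worth fixing: `seperately` should be `separately` and `there may breaking change` should be `there may be a breaking change`.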
@@ -221,6 +228,13 @@ Catch
}
}
+# The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
+# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+# update. This second approach is commented out below.
+
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
+
#
# Optional: Add the language to recovery environment
#
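Review bot: The "second approach" text does not say what to do with the combined-update try/catch above it, so a reader who uncomments these two lines on a release that still ships a standalone SSU ends up applying `$LCU_PATH` first and `$SSU_PATH` afterwards, the reverse of the order the same comment block says is required ("installed first before the combined cumulative update"). Add one sentence to the comment, e.g. `# If you use this approach, also comment out the combined cumulative update try/catch above; the SSU must be applied before any cumulative update.` Whether a separate LCU step follows for WinRE is not visible in this hunk, so the reader should also be told where that update lands in the second approach.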
@@ -301,27 +315,34 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
Write-Output "$(Get-TS): Mounting WinPE"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
- # Add SSU
+ # Add servicing stack update (Step 9 from the table)
- # Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required
- # This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update.
+ # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
+ # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
+ # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
+ # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined
+ # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
+ # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
+ # combined cumulative update can be installed.
- # Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
+ # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+ # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+ # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
+
+ # Now, attempt the combined cumulative update.
# There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
# This error should be caught and ignored, as the last step will be to apply the cumulative update
# (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
- Write-Output "$(Get-TS): Adding package $SSU_PATH"
-
try
{
- Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
+ Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH | Out-Null
}
Catch
{
$theError = $_
Write-Output "$(Get-TS): $theError"
-
+
if ($theError.Exception -like "*0x8007007e*") {
Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
}
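Review bot: The rewritten `Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH | Out-Null` inside the `try` has no `-ErrorAction stop`, unlike `Mount-WindowsImage` above it and the lp.cab install that follows, so if the cmdlet reports a failure as a non-terminating error the `Catch` never runs, the 0x8007007e test is never reached, and the loop moves on to the next step with a partially serviced boot.wim. Use `Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null` so every failure reaches the catch, which already separates the known-ignorable code from everything else. The removed `Write-Output "$(Get-TS): Adding package $SSU_PATH"` was not replaced either; a `Write-Output "$(Get-TS): Adding package $LCU_PATH"` before `try` keeps the per-image log complete. The enclosing `Foreach ($IMAGE in $WINPE_IMAGES)` loop starts and ends outside this hunk.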
@@ -330,6 +351,13 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
}
}
+ # The second approach for Step 9 is for Windows releases that have not adopted the combined cumulative update
+ # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+ # update. This second approach is commented out below.
+
+ # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+ # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
+
# Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
@@ -412,9 +440,29 @@ You can install Optional Components, along with the .NET feature, offline, but t
# update Main OS
#
-# Add servicing stack update
-Write-Output "$(Get-TS): Adding package $SSU_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+# Add servicing stack update (Step 18 from the table)
+
+# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
+# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
+# includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
+# cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully
+# rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published,
+# and installed first before the combined cumulative update can be installed.
+
+# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
+
+# Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
+Write-Output "$(Get-TS): Adding package $LCU_PATH"
+Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null
+
+# The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
+# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+# update. This second approach is commented out below.
+
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
# Optional: Add language to main OS
Write-Output "$(Get-TS): Adding package $OS_LP_PATH"
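Review bot: `-ErrorAction stop` was dropped when the SSU line became the `$LCU_PATH` line (compare the removed `Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null`), and this step has no try/catch, so a failed cumulative update on the main OS image prints an error and the script proceeds to language packs, optional components and the final export, producing media that looks serviced but is missing the security update. Restore it: `Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null`, and add `-ErrorAction stop` to the two commented-out `$SSU_PATH` fallback lines as well so the second approach inherits the same fail-fast behaviour. The comment's point that the 0x8007007e check is unnecessary here is a reason to omit the catch, not a reason to let the error pass silently.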
From 4a898da931443d825d1cab878e4534e79d3f3f28 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Wed, 5 Oct 2022 10:02:19 -0700
Subject: [PATCH 2/6] Removing NoRevalidationUponRefresh in XML
---
.../microsoft-recommended-driver-block-rules.md | 6 ------
1 file changed, 6 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index 6382926723..e206141c58 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -2169,12 +2169,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
10.0.25210.0
-
-
-
- true
-
-
{A244370E-44C9-4C06-B551-F6016E563076}
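Review bot: The removed lines lost their element tags during extraction, so only the bare `true` value survives here and I cannot confirm from the hunk that this is the setting named in the commit title; the published article should state, next to the XML, why the option was dropped so administrators who copied the earlier revision know whether to re-deploy. The `10.0.25210.0` context line directly above, which looks like the policy's VersionEx, is unchanged, so the old and new revisions of the blocklist are indistinguishable by version in the CodeIntegrity 3099 event after deployment; if that value is the policy version, bumping it (for example to `10.0.25210.1`) would let admins verify which revision is active.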
From 859785b8793b6088809f4dfa65cd600aa1c1d4e3 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Wed, 5 Oct 2022 12:49:31 -0700
Subject: [PATCH 3/6] Update microsoft-recommended-driver-block-rules.md
---
.../microsoft-recommended-driver-block-rules.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index e206141c58..a48576680f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -2169,6 +2169,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
10.0.25210.0
+
{A244370E-44C9-4C06-B551-F6016E563076}
From b1e7b0786dab133f73cacfab5452c6666fe85567 Mon Sep 17 00:00:00 2001
From: jsuther1974
Date: Fri, 7 Oct 2022 11:20:29 -0700
Subject: [PATCH 4/6] Update microsoft-recommended-driver-block-rules.md
---
.../microsoft-recommended-driver-block-rules.md | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index 56669890d4..675ca402e2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -2198,6 +2198,14 @@ If you prefer to apply the vulnerable driver blocklist exactly as shown above, f
4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity
5. Run the WDAC policy refresh tool you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer
+To check that the policy was successfully applied on your computer:
+
+1. Open Event Viewer
+2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational**
+3. Select **Filter Current Log...**
+4. Replace "<All Event IDs>" with "3099" and select OK
+5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present.
+
> [!NOTE]
> If any vulnerable drivers are already running that would be blocked by the policy, you must reboot your computer for those drivers to be blocked. Running processes aren't shutdown when activating a new WDAC policy without reboot.
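Review bot: Step 4 writes the placeholder as `"<All Event IDs>"`, which Markdown passes through as an HTML tag and the renderer drops, leaving the reader with `Replace "" with "3099"`; escape it as `"\<All Event IDs\>"` or wrap it in backticks. Step 5 confirms the policy was loaded by matching PolicyNameBuffer and PolicyIdBuffer, but not that it is enforcing — a blocklist left in audit mode blocks nothing — so if the 3099 event's options field distinguishes audit from enforce (hedged: verify against a test machine), tell the reader to check it in the same step.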
From 663d28e8e5d6902ca5a4f9321465790b06aed137 Mon Sep 17 00:00:00 2001
From: jsuther1974
Date: Fri, 7 Oct 2022 11:21:03 -0700
Subject: [PATCH 5/6] Update microsoft-recommended-driver-block-rules.md
---
.../microsoft-recommended-driver-block-rules.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index 675ca402e2..c482f8070f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -14,7 +14,7 @@ author: jgeurten
ms.reviewer: aaroncz
ms.author: dansimp
manager: dansimp
-ms.date: 10/06/2022
+ms.date: 10/07/2022
---
# Microsoft recommended driver block rules
From aaa1d437a90a1da4faa38a2c6cbff9ad532fef0b Mon Sep 17 00:00:00 2001
From: Leslie H Cole
Date: Tue, 11 Oct 2022 04:43:01 -0700
Subject: [PATCH 6/6] ms.collection: scotvorg additions
---
store-for-business/acquire-apps-microsoft-store-for-business.md | 2 ++
store-for-business/add-unsigned-app-to-code-integrity-policy.md | 2 ++
store-for-business/index.md | 2 ++
store-for-business/microsoft-store-for-business-overview.md | 2 ++
.../prerequisites-microsoft-store-for-business.md | 2 ++
.../roles-and-permissions-microsoft-store-for-business.md | 2 ++
.../sign-up-microsoft-store-for-business-overview.md | 2 ++
7 files changed, 14 insertions(+)
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index 9922255c06..cc1559b3db 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -11,6 +11,8 @@ manager: scotv
ms.reviewer:
ms.topic: conceptual
ms.localizationpriority: medium
+ms.collection:
+- scotvorg
ms.date: 07/21/2021
---
diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
index 58ca7bff3e..7336fbb295 100644
--- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md
+++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
@@ -12,6 +12,8 @@ author: cmcatee-MSFT
manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
+ms.collection:
+- scotvorg
ms.date: 07/21/2021
---
diff --git a/store-for-business/index.md b/store-for-business/index.md
index 03852f5eee..ae4d414d42 100644
--- a/store-for-business/index.md
+++ b/store-for-business/index.md
@@ -11,6 +11,8 @@ author: cmcatee-MSFT
manager: scotv
ms.topic: conceptual
ms.localizationpriority: high
+ms.collection:
+- scotvorg
ms.date: 07/21/2021
---
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index 06da85f98c..0607856c38 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -12,6 +12,8 @@ author: cmcatee-MSFT
manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
+ms.collection:
+- scotvorg
ms.date: 07/21/2021
---
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
index 99e6061d97..ea2f631f22 100644
--- a/store-for-business/prerequisites-microsoft-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md
@@ -12,6 +12,8 @@ author: cmcatee-MSFT
manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
+ms.collection:
+- scotvorg
ms.date: 07/21/2021
---
diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
index 83baa7d2d3..28a59d03e1 100644
--- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md
+++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
@@ -13,6 +13,8 @@ author: cmcatee-MSFT
manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
+ms.collection:
+- scotvorg
ms.date: 07/21/2021
---
diff --git a/store-for-business/sign-up-microsoft-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md
index 5303f4a421..d73ec0d752 100644
--- a/store-for-business/sign-up-microsoft-store-for-business-overview.md
+++ b/store-for-business/sign-up-microsoft-store-for-business-overview.md
@@ -12,6 +12,8 @@ author: cmcatee-MSFT
manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
+ms.collection:
+- scotvorg
ms.date: 07/21/2021
---