From c859eda3f21f4ec1855092681b44b4ba73445dbb Mon Sep 17 00:00:00 2001
From: "Steve DiAcetis (MSFT)"
<52939067+SteveDiAcetis@users.noreply.github.com>
Date: Mon, 3 Oct 2022 13:44:28 -0700
Subject: [PATCH 1/3] Update media-dynamic-update.md
Improving comments to handle cases where SSU is not available, and the combined cumulative update should be used instead.
---
.../deployment/update/media-dynamic-update.md | 88 ++++++++++++++-----
1 file changed, 68 insertions(+), 20 deletions(-)
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index acc9d2ff15..936f68a628 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -192,21 +192,28 @@ Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destinatio
Write-Output "$(Get-TS): Mounting WinRE"
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
-# Add servicing stack update
+# Add servicing stack update (Step 1 from the table)
-# Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required
-# This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update.
+# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
+# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
+# cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
+# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined
+# cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
+# cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
+# combined cumulative update can be installed.
-# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
-# There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
-# This error should be caught and ignored, as the last step will be to apply the cumulative update
-# (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
+# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
-Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Now, attempt the combined cumulative update.
+# There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should
+# be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct
+# packages installed.
try
{
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null
}
Catch
{
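Review bot: The new explanatory comment block carries wording defects that this patch then copies verbatim into the WinPE and main-OS sections: `seperately` should be `separately`, `seperate` in the second-approach comments should be `separate`, and `there may breaking change in the combined cumulative update format, that requires` reads as `there may be a breaking change in the combined cumulative update format that requires`. Fixing the text once here and re-pasting it into the other two copies would keep the three sections identical. A related point for the next hunk (and its WinPE and main-OS counterparts): the commented-out second approach is placed after the `try` block that applies `$LCU_PATH`, so a reader who uncomments it as written applies the SSU after the cumulative update; if those releases need the SSU installed first, as the comment above states for the standalone case, the second-approach lines belong before the `try` block or the comment should say where they go. The `Catch` block opened at the end of this hunk continues outside it.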
@@ -221,6 +228,13 @@ Catch
}
}
+# The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
+# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+# update. This second approach is commented out below.
+
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
+
#
# Optional: Add the language to recovery environment
#
@@ -301,27 +315,34 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
Write-Output "$(Get-TS): Mounting WinPE"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
- # Add SSU
+ # Add servicing stack update (Step 9 from the table)
- # Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required
- # This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update.
+ # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
+ # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
+ # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
+ # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined
+ # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
+ # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
+ # combined cumulative update can be installed.
- # Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
+ # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+ # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+ # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
+
+ # Now, attempt the combined cumulative update.
# There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
# This error should be caught and ignored, as the last step will be to apply the cumulative update
# (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
- Write-Output "$(Get-TS): Adding package $SSU_PATH"
-
try
{
- Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
+ Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH | Out-Null
}
Catch
{
$theError = $_
Write-Output "$(Get-TS): $theError"
-
+
if ($theError.Exception -like "*0x8007007e*") {
Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
}
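Review bot: The retained comment above the `try` still says the last step will be `to apply the cumulative update (or in this case the combined cumulative update)`, but the block it sits in now applies `$LCU_PATH` itself, and the parallel WinRE hunk rewrote the same sentence to say the last step is the Safe OS update; the two sections now describe different contracts. If the WinPE flow also ends with the Safe OS update, `# be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct packages installed.` matches the WinRE wording; if it ends differently, the comment should name that step instead. The enclosing `Foreach ($IMAGE in $WINPE_IMAGES)` loop and the `Catch` block both continue outside the hunk.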
@@ -330,6 +351,13 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
}
}
+ # The second approach for Step 9 is for Windows releases that have not adopted the combined cumulative update
+ # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+ # update. This second approach is commented out below.
+
+ # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+ # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
+
# Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
@@ -412,9 +440,29 @@ You can install Optional Components, along with the .NET feature, offline, but t
# update Main OS
#
-# Add servicing stack update
-Write-Output "$(Get-TS): Adding package $SSU_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+# Add servicing stack update (Step 18 from the table)
+
+# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
+# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
+# includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
+# cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully
+# rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published,
+# and installed first before the combined cumulative update can be installed.
+
+# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
+
+# Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
+Write-Output "$(Get-TS): Adding package $LCU_PATH"
+Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null
+
+# The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
+# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+# update. This second approach is commented out below.
+
+# Write-Output "$(Get-TS): Adding package $SSU_PATH"
+# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
# Optional: Add language to main OS
Write-Output "$(Get-TS): Adding package $OS_LP_PATH"
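Review bot: The new `Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null` drops the `-ErrorAction stop` that the replaced SSU line carried, and unlike the WinRE and WinPE sections it is not wrapped in `try`/`Catch`, so a failed cumulative update on the main OS image would be reported but the script would continue and commit an image that is missing the update (unless `$ErrorActionPreference` is set to Stop earlier in the script, which this hunk does not show). The comment directly above says no 0x8007007e handling is needed here, which is an argument for terminating on failure: `Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null`. The `# update Main OS` section continues outside the hunk.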
From 4a898da931443d825d1cab878e4534e79d3f3f28 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Wed, 5 Oct 2022 10:02:19 -0700
Subject: [PATCH 2/3] Removing NoRevalidationUponRefresh in XML
---
.../microsoft-recommended-driver-block-rules.md | 6 ------
1 file changed, 6 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index 6382926723..e206141c58 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -2169,12 +2169,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
10.0.25210.0
-
-
-
- true
-
-
{A244370E-44C9-4C06-B551-F6016E563076}
From 859785b8793b6088809f4dfa65cd600aa1c1d4e3 Mon Sep 17 00:00:00 2001
From: valemieux <98555474+valemieux@users.noreply.github.com>
Date: Wed, 5 Oct 2022 12:49:31 -0700
Subject: [PATCH 3/3] Update microsoft-recommended-driver-block-rules.md
---
.../microsoft-recommended-driver-block-rules.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index e206141c58..a48576680f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -2169,6 +2169,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
10.0.25210.0
+
{A244370E-44C9-4C06-B551-F6016E563076}