From 682bf3f67fb7995ed8be63b899adff8b332c12c3 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 22 Jan 2025 15:51:43 -0800
Subject: [PATCH 01/26] ccu-9693727
---
.../catalog-checkpoint-cumulative-updates.md | 66 +++++++++++++++++++
1 file changed, 66 insertions(+)
create mode 100644 windows/deployment/update/catalog-checkpoint-cumulative-updates.md
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
new file mode 100644
index 0000000000..66e7894d4f
--- /dev/null
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -0,0 +1,66 @@
+---
+title: Checkpoint cumulative updates and the Microsoft Update Catalog
+description: This article describes how to handle checkpoint cumulative updates when you use the Microsoft Update Catalog to update devices and images.
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: conceptual
+ms.author: mstewart
+author: mestew
+manager: aaroncz
+ms.collection:
+ - tier2
+ms.localizationpriority: medium
+appliesto:
+ - ✅ Windows 11, version 24H2 and later
+ms.date: 01/23/2025
+---
+
+# Checkpoint cumulative updates and Microsoft Update Catalog usage
+
+Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates may be preceded by a checkpoint cumulative update (CU). Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint CUs, so update processes involving WU and WSUS remain unchanged. This article covers how Catalog users can easily update their devices (or images) through checkpoint CUs.
+
+## Checkpoint CUs
+
+Windows 11 quality updates use servicing technology and are built cumulatively from the time when a new Windows OS was "released to manufacturing" (RTM). These monthly updates include all the changes since RTM in the form of binary differentials computed from the initial version of those binaries.
+
+With Windows 11, version 24H2, Microsoft introduced a new concept of checkpoint cumulative updates. This will allow you to get features and security enhancements via the latest cumulative update through smaller, incremental differentials containing only the changes since the previous checkpoint cumulative update. This means that you can save time, bandwidth, and hard drive space.
+
+Going forward, Microsoft might periodically release cumulative updates as checkpoints. The subsequent updates will then consist of:
+- The update package files associated with the checkpoints, and
+- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
+
+This process may be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device.
+
+If any checkpoint CUs precede a target update, a device or image needs to take all prior checkpoint CUs before it can take the target update. In other words, a post-checkpoint LCU can be applied to images/devices that are on that checkpoint or on a subsequent LCU. For updates sourced from WU and WSUS this happens seamlessly, and you can continue to use the same tools and processes that you currently use for approving and deploying updates.
+
+### Applicability
+
+A checkpoint CU is just another monthly security update that informs how subsequent updates are built. There is no policy change or new requirement around when users must take these updates, though it is best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive.
+
+This feature does not introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim).
+
+WinRE is serviced by applying the servicing stack update (SSU) from OnePackage (LCU does not apply) and SafeOS DU. This is how it has been for a while now, and there is no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying SSU then SafeOS DU is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
+
+### Current Checkpoint CUs
+
+For Windows 11, version 24H2 and above, for a given update the KB article will note all preceding checkpoint CUs under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint CU will position you to efficiently take future checkpoint CUs.
+
+## Updating from the Microsoft Update Catalog
+
+When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint CUs and apply these sequentially under certain situations or in one go using DISM.
+
+### Finding prior Checkpoint CUs
+
+For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint CU per [December 10, 2024—KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog):
+
+
+
+**Method 2: Install each MSU file individually, in order**
+
+Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:
+
+- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
+- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
+
+
+
From f2bfea529bb9735e71bebb35ce5b87005da5aff0 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 22 Jan 2025 15:56:20 -0800
Subject: [PATCH 02/26] ccu-9693727
---
.../catalog-checkpoint-cumulative-updates.md | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
index 66e7894d4f..c71bab2808 100644
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -55,12 +55,10 @@ For a given update, users can look up the KB article and find all preceding chec
-**Method 2: Install each MSU file individually, in order**
-
-Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:
-
-- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
-- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
-
-
+Method 2: Install each MSU file individually, in order
+
+Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:
+
+
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
+- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
From 1b7a8b67ffbf62f74038639b982cc760045a06c7 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 22 Jan 2025 16:08:51 -0800
Subject: [PATCH 03/26] ccu-9693727
---
.../update/catalog-checkpoint-cumulative-updates.md | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
index c71bab2808..dc46168501 100644
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -54,11 +54,8 @@ When installing a given monthly security or optional nonsecurity preview update,
For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint CU per [December 10, 2024—KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog):
-
-Method 2: Install each MSU file individually, in order
-
-Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:
-
-
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
-- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
+| |
+|---|
+|Method 2: Install each MSU file individually, in order Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
|
+> Method 2: Install each MSU file individually, in order Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
\ No newline at end of file
From ca009c6fd50474152576d128bfad6a55dfd7b928 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 23 Jan 2025 11:12:49 -0800
Subject: [PATCH 04/26] ccu-9693727
---
.../catalog-checkpoint-cumulative-updates.md | 44 ++++++++++++++++---
1 file changed, 38 insertions(+), 6 deletions(-)
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
index dc46168501..b6e802f722 100644
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -43,7 +43,7 @@ WinRE is serviced by applying the servicing stack update (SSU) from OnePackage (
### Current Checkpoint CUs
-For Windows 11, version 24H2 and above, for a given update the KB article will note all preceding checkpoint CUs under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint CU will position you to efficiently take future checkpoint CUs.
+For Windows 11, version 24H2 and above, for a given update the knowledge base (KB) article will note all preceding checkpoint CUs under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint CU will position you to efficiently take future checkpoint CUs.
## Updating from the Microsoft Update Catalog
@@ -51,11 +51,43 @@ When installing a given monthly security or optional nonsecurity preview update,
### Finding prior Checkpoint CUs
-For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint CU per [December 10, 2024—KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog):
+For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint CU per [December 10, 2024-KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog):
+ > Method 2: Install each MSU file individually, in order Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
-| |
-|---|
-|Method 2: Install each MSU file individually, in order Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
|
+Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all MSUs and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint CU, [KB5043080](https://support.microsoft.com/help/5043080).
-> Method 2: Install each MSU file individually, in order Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
\ No newline at end of file
+### Updating through Checkpoint CUs
+
+**Device has the latest checkpoint CU and doesn't need customization:**
+
+Devices or images that have the latest checkpoint CU installed and do not need Features on Demand (FoD) or language pack (LP) customization can be updated to the latest target CU with no change to your existing process. You can simply copy the target MSU from Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options).
+
+Examples of eligible devices:
+
+| Device is on | Needs to install|
+|---|---|
+|- The checkpoint CU, 2024-09 (KB5043080)
|- A subsequent monthly security update like 2024-11 (KB5046617), or
- A subsequent optional nonsecurity releaselike 2024-11 (KB5046740)
|
+|- A subsequent optional nonsecurity preview release like 2024-09 (KB5043178), or
- A subsequent monthly security update like 2024-10 (KB5044284)
|- A subsequent monthly security update like 2025-01 (KB5050009), or
- A subsequent optional nonsecurity release like 2024-11 (KB5046740)
|
+
+**Device needs FoD or LP customization:**
+
+Installing FoDs or LPs requires the full LCU payload, which now can be split across files associated with each preceding checkpoint CU. So, when customizing FoDs or LPs, all prior checkpoint CUs and the target CU need to be installed regardless of whether the device already had any of the prior checkpoints CU installed. This needs to be done using DISM.
+
+1. Copy the MSUs of the latest CU (the target) and all prior checkpoint CUs to a local folder. Make sure there are no other MSUs present.
+1. Mount the install.wim file.
+1. Run `DISM /add-package` with the latest MSU as the sole target.
+1. Run `/Cleanup-Image /StartComponentCleanup`.
+1. Unmount.
+1. Run `DISM /export-image` to optimize the image size, if that's important to you.
+
+**Device doesn't have the latest checkpoint CU and doesn't need customization:**
+
+Devices that are not on the latest checkpoint CU and do not need FoD/LP customization can either install all needed CUs one by one in the right sequence. Alternately they can be updated using DISM to install all CUs in one go, see above. If there are total 4 checkpoint CUs available and device already has the first one installed, DISM will apply the remaining 3 checkpoint CUs in the right order followed by the target CU, all in one go.
+
+## Related articles
+
+- [Servicing stack updates](/windows/deployment/update/servicing-stack-updates)
+- [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities)
+- [How to download updates that include drivers and hotfixes from the Windows Update Catalog](/troubleshoot/windows-client/installing-updates-features-roles/download-updates-drivers-hotfixes-windows-update-catalog)
+- [Update Windows installation media with Dynamic Update](media-dynamic-update.md)
From a5475acc005510c2faf96bdba9efd3f963337815 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 23 Jan 2025 11:31:55 -0800
Subject: [PATCH 05/26] ccu-9693727
---
windows/deployment/update/release-cycle.md | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index 2df0fe24ef..82e635558d 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -54,6 +54,14 @@ Monthly security update releases are available through the following channels:
Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment.
+Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of:
+- The update package files associated with the checkpoints, and
+- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
+
+Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, no change is needed to their update process. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference.
+
+
+
## Optional nonsecurity preview release
**Optional nonsecurity preview releases** provide IT admins an opportunity for early validation of that content prior to the **monthly security update release**. Admins can test and validate production-quality releases ahead of the planned monthly security update release for the following month. These updates are optional, cumulative, nonsecurity preview releases. New features might initially be deployed in the prior month's **optional nonsecurity preview release**, then ship in the following **monthly security update release**. **Optional nonsecurity preview releases** are typically released on the fourth Tuesday of the month at 10:00 AM Pacific Time (PST/PDT). These releases are only offered to the most recent, supported versions of Windows.
From 8c0f17456288528849486e3ee0fa7237f9365d7f Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 23 Jan 2025 11:35:56 -0800
Subject: [PATCH 06/26] ccu-9693727
---
windows/deployment/update/release-cycle.md | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index 82e635558d..c7c628ba1b 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -78,6 +78,12 @@ To access the optional nonsecurity preview release:
- Use [Windows Insider Program for Business](https://insider.windows.com/for-business)
- Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
+Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of:
+- The update package files associated with the checkpoints, and
+- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
+
+Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, no change is needed to their update process. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference.
+
## OOB releases
**Out-of-band (OOB) releases** might be provided to fix a recently identified issue or vulnerability. They're used in atypical cases when an issue is detected and can't wait for the next monthly release, because devices must be updated immediately to address security vulnerabilities or to resolve a quality issue impacting many devices. **Out-of-band (OOB) releases** are provided outside of the monthly schedule when there's an exceptional need.
From 618377a20d1cc9b6fa4c57cf58b841f0a4e7c536 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 23 Jan 2025 11:37:59 -0800
Subject: [PATCH 07/26] ccu-9693727
---
windows/deployment/update/release-cycle.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index c7c628ba1b..266d95bfcf 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/04/2024
+ms.date: 01/23/2025
---
# Update release cycle for Windows clients
@@ -74,7 +74,7 @@ Multiple checkpoints may be shipped during the lifecycle of a given Windows rele
- LCU preview
To access the optional nonsecurity preview release:
-- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**.
+- Navigate to **Settings** > **Update & Security** > **Windows Update** and select **Check for updates**.
- Use [Windows Insider Program for Business](https://insider.windows.com/for-business)
- Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
From 3c8cfb2a61edf741e908f9b38e27bb8ed3f854b6 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 23 Jan 2025 13:54:40 -0800
Subject: [PATCH 08/26] ccu-9693727
---
.../catalog-checkpoint-cumulative-updates.md | 40 +++++++++----------
windows/deployment/update/release-cycle.md | 2 +-
2 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
index b6e802f722..9c930c27e2 100644
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -17,9 +17,9 @@ ms.date: 01/23/2025
# Checkpoint cumulative updates and Microsoft Update Catalog usage
-Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates may be preceded by a checkpoint cumulative update (CU). Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint CUs, so update processes involving WU and WSUS remain unchanged. This article covers how Catalog users can easily update their devices (or images) through checkpoint CUs.
+Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates may be preceded by a checkpoint cumulative update. Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so update processes involving WU and WSUS remain unchanged. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates.
-## Checkpoint CUs
+## Checkpoint cumulative updates
Windows 11 quality updates use servicing technology and are built cumulatively from the time when a new Windows OS was "released to manufacturing" (RTM). These monthly updates include all the changes since RTM in the form of binary differentials computed from the initial version of those binaries.
@@ -31,63 +31,63 @@ Going forward, Microsoft might periodically release cumulative updates as checkp
This process may be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device.
-If any checkpoint CUs precede a target update, a device or image needs to take all prior checkpoint CUs before it can take the target update. In other words, a post-checkpoint LCU can be applied to images/devices that are on that checkpoint or on a subsequent LCU. For updates sourced from WU and WSUS this happens seamlessly, and you can continue to use the same tools and processes that you currently use for approving and deploying updates.
+If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this happens seamlessly, and you can continue to use the same tools and processes that you currently use for approving and deploying updates.
### Applicability
-A checkpoint CU is just another monthly security update that informs how subsequent updates are built. There is no policy change or new requirement around when users must take these updates, though it is best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive.
+A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There is no policy change or new requirement around when users must take these updates, though it is best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive.
This feature does not introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim).
-WinRE is serviced by applying the servicing stack update (SSU) from OnePackage (LCU does not apply) and SafeOS DU. This is how it has been for a while now, and there is no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying SSU then SafeOS DU is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
+WinRE is serviced by applying the servicing stack update from OnePackage (latest cumulative update does not apply) and SafeOS DU. This is how it has been for a while now, and there is no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS DU is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
-### Current Checkpoint CUs
+### Current checkpoint cumulative updates
-For Windows 11, version 24H2 and above, for a given update the knowledge base (KB) article will note all preceding checkpoint CUs under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint CU will position you to efficiently take future checkpoint CUs.
+For Windows 11, version 24H2 and above, for a given update the knowledge base (KB) article will note all preceding checkpoint cumulative updates under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates.
## Updating from the Microsoft Update Catalog
-When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint CUs and apply these sequentially under certain situations or in one go using DISM.
+When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply these sequentially under certain situations or in one go using DISM.
-### Finding prior Checkpoint CUs
+### Finding prior checkpoint cumulative updates
-For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint CU per [December 10, 2024-KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog):
+For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint cumulative update per [December 10, 2024-KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog):
> Method 2: Install each MSU file individually, in order Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
-Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all MSUs and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint CU, [KB5043080](https://support.microsoft.com/help/5043080).
+Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all MSUs and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint cumulative update, [KB5043080](https://support.microsoft.com/help/5043080).
-### Updating through Checkpoint CUs
+### Updating through checkpoint cumulative updates
-**Device has the latest checkpoint CU and doesn't need customization:**
+**Device has the latest checkpoint cumulative update and doesn't need customization:**
-Devices or images that have the latest checkpoint CU installed and do not need Features on Demand (FoD) or language pack (LP) customization can be updated to the latest target CU with no change to your existing process. You can simply copy the target MSU from Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options).
+Devices or images that have the latest checkpoint cumulative update installed and do not need Features on Demand (FoD) or language pack (LP) customization can be updated to the latest target cumulative update with no change to your existing process. You can simply copy the target MSU from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options).
Examples of eligible devices:
| Device is on | Needs to install|
|---|---|
-|- The checkpoint CU, 2024-09 (KB5043080)
|- A subsequent monthly security update like 2024-11 (KB5046617), or
- A subsequent optional nonsecurity releaselike 2024-11 (KB5046740)
|
+|- The checkpoint cumulative update, 2024-09 (KB5043080)
|- A subsequent monthly security update like 2024-11 (KB5046617), or
- A subsequent optional nonsecurity releaselike 2024-11 (KB5046740)
|
|- A subsequent optional nonsecurity preview release like 2024-09 (KB5043178), or
- A subsequent monthly security update like 2024-10 (KB5044284)
|- A subsequent monthly security update like 2025-01 (KB5050009), or
- A subsequent optional nonsecurity release like 2024-11 (KB5046740)
|
**Device needs FoD or LP customization:**
-Installing FoDs or LPs requires the full LCU payload, which now can be split across files associated with each preceding checkpoint CU. So, when customizing FoDs or LPs, all prior checkpoint CUs and the target CU need to be installed regardless of whether the device already had any of the prior checkpoints CU installed. This needs to be done using DISM.
+Installing FoDs or LPs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or LPs, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM.
-1. Copy the MSUs of the latest CU (the target) and all prior checkpoint CUs to a local folder. Make sure there are no other MSUs present.
+1. Copy the MSUs of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other MSUs present.
1. Mount the install.wim file.
1. Run `DISM /add-package` with the latest MSU as the sole target.
1. Run `/Cleanup-Image /StartComponentCleanup`.
1. Unmount.
1. Run `DISM /export-image` to optimize the image size, if that's important to you.
-**Device doesn't have the latest checkpoint CU and doesn't need customization:**
+**Device doesn't have the latest checkpoint cumulative update and doesn't need customization:**
-Devices that are not on the latest checkpoint CU and do not need FoD/LP customization can either install all needed CUs one by one in the right sequence. Alternately they can be updated using DISM to install all CUs in one go, see above. If there are total 4 checkpoint CUs available and device already has the first one installed, DISM will apply the remaining 3 checkpoint CUs in the right order followed by the target CU, all in one go.
+Devices that are not on the latest checkpoint cumulative update and do not need FoD/LP customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go, see above. If there are total 4 checkpoint cumulative updates available and device already has the first one installed, DISM will apply the remaining 3 checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go.
## Related articles
- [Servicing stack updates](/windows/deployment/update/servicing-stack-updates)
- [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities)
-- [How to download updates that include drivers and hotfixes from the Windows Update Catalog](/troubleshoot/windows-client/installing-updates-features-roles/download-updates-drivers-hotfixes-windows-update-catalog)
+- [How to download updates that include drivers and hotfixes from the Microsoft Update Catalog](/troubleshoot/windows-client/installing-updates-features-roles/download-updates-drivers-hotfixes-windows-update-catalog)
- [Update Windows installation media with Dynamic Update](media-dynamic-update.md)
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index 266d95bfcf..aa99ea62f3 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -1,6 +1,6 @@
---
title: Update release cycle for Windows clients
-description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
+description: Learn about the release cycle for updates so Windows clients in your organization stay productive and protected.
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
From 379b99618c5695f67b63011ea9ea42b1a940aa79 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 23 Jan 2025 14:04:17 -0800
Subject: [PATCH 09/26] ccu-9693727
---
.../catalog-checkpoint-cumulative-updates.md | 28 +++++++++----------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
index 9c930c27e2..acabef6211 100644
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -17,37 +17,37 @@ ms.date: 01/23/2025
# Checkpoint cumulative updates and Microsoft Update Catalog usage
-Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates may be preceded by a checkpoint cumulative update. Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so update processes involving WU and WSUS remain unchanged. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates.
+Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so update processes involving WU and WSUS remain unchanged. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates.
## Checkpoint cumulative updates
-Windows 11 quality updates use servicing technology and are built cumulatively from the time when a new Windows OS was "released to manufacturing" (RTM). These monthly updates include all the changes since RTM in the form of binary differentials computed from the initial version of those binaries.
+Windows 11 quality updates use servicing technology and are built cumulatively from the time when a new Windows OS was released to manufacturing (RTM). These monthly updates include all the changes since RTM in the form of binary differentials computed from the initial version of those binaries.
-With Windows 11, version 24H2, Microsoft introduced a new concept of checkpoint cumulative updates. This will allow you to get features and security enhancements via the latest cumulative update through smaller, incremental differentials containing only the changes since the previous checkpoint cumulative update. This means that you can save time, bandwidth, and hard drive space.
+With Windows 11, version 24H2, Microsoft introduced a new concept of checkpoint cumulative updates. This change allows you to get features and security enhancements via the latest cumulative update through smaller, incremental differentials containing only the changes since the previous checkpoint cumulative update. This change means that you can save time, bandwidth, and hard drive space.
Going forward, Microsoft might periodically release cumulative updates as checkpoints. The subsequent updates will then consist of:
- The update package files associated with the checkpoints, and
- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
-This process may be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device.
+This process might be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device.
-If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this happens seamlessly, and you can continue to use the same tools and processes that you currently use for approving and deploying updates.
+If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this process happens seamlessly. You can continue to use the same tools and processes that you currently use for approving and deploying updates.
### Applicability
-A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There is no policy change or new requirement around when users must take these updates, though it is best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive.
+A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There's no policy change or new requirement around when users must take these updates, though it's best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive.
-This feature does not introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim).
+This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim).
-WinRE is serviced by applying the servicing stack update from OnePackage (latest cumulative update does not apply) and SafeOS DU. This is how it has been for a while now, and there is no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS DU is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
+WinRE is serviced by applying the servicing stack update from OnePackage (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
### Current checkpoint cumulative updates
-For Windows 11, version 24H2 and above, for a given update the knowledge base (KB) article will note all preceding checkpoint cumulative updates under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates.
+For Windows 11, version 24H2 and later, for a given update the knowledge base (KB) article notes all preceding checkpoint cumulative updates under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates.
## Updating from the Microsoft Update Catalog
-When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply these sequentially under certain situations or in one go using DISM.
+When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply them sequentially under certain situations or in one go using DISM.
### Finding prior checkpoint cumulative updates
@@ -61,20 +61,20 @@ Alternately, users can search the KB number in the [Microsoft Update Catalog](ht
**Device has the latest checkpoint cumulative update and doesn't need customization:**
-Devices or images that have the latest checkpoint cumulative update installed and do not need Features on Demand (FoD) or language pack (LP) customization can be updated to the latest target cumulative update with no change to your existing process. You can simply copy the target MSU from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options).
+Devices or images that have the latest checkpoint cumulative update installed and don't need Features on Demand (FoD) or language pack (LP) customization can be updated to the latest target cumulative update with no change to your existing process. You can copy the target MSU from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options).
Examples of eligible devices:
| Device is on | Needs to install|
|---|---|
-|- The checkpoint cumulative update, 2024-09 (KB5043080)
|- A subsequent monthly security update like 2024-11 (KB5046617), or
- A subsequent optional nonsecurity releaselike 2024-11 (KB5046740)
|
+|- The checkpoint cumulative update, 2024-09 (KB5043080)
|- A subsequent monthly security update like 2024-11 (KB5046617), or
- A subsequent optional nonsecurity release like 2024-11 (KB5046740)
|
|- A subsequent optional nonsecurity preview release like 2024-09 (KB5043178), or
- A subsequent monthly security update like 2024-10 (KB5044284)
|- A subsequent monthly security update like 2025-01 (KB5050009), or
- A subsequent optional nonsecurity release like 2024-11 (KB5046740)
|
**Device needs FoD or LP customization:**
Installing FoDs or LPs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or LPs, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM.
-1. Copy the MSUs of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other MSUs present.
+1. Copy the .msu files of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other .msu files present.
1. Mount the install.wim file.
1. Run `DISM /add-package` with the latest MSU as the sole target.
1. Run `/Cleanup-Image /StartComponentCleanup`.
@@ -83,7 +83,7 @@ Installing FoDs or LPs requires the full latest cumulative update payload, which
**Device doesn't have the latest checkpoint cumulative update and doesn't need customization:**
-Devices that are not on the latest checkpoint cumulative update and do not need FoD/LP customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go, see above. If there are total 4 checkpoint cumulative updates available and device already has the first one installed, DISM will apply the remaining 3 checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go.
+Devices that aren't on the latest checkpoint cumulative update and don't need FoD/LP customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go, see above. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go.
## Related articles
From 39e1c81dd5a7b27f45798f36b3ba665d4ba077b6 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 23 Jan 2025 15:11:33 -0800
Subject: [PATCH 10/26] ccu-9693727
---
windows/deployment/TOC.yml | 2 ++
.../catalog-checkpoint-cumulative-updates.md | 16 ++++++++--------
2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index e816d252d7..db0c863b4a 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -294,6 +294,8 @@ items:
href: update/windows-update-logs.md
- name: Servicing stack updates
href: update/servicing-stack-updates.md
+ - name: Checkpoint cumulative updates and Microsoft Update Catalog usage
+ href: update/catalog-checkpoint-cumulative-updates.md
- name: Update CSP policies
href: /windows/client-management/mdm/policy-csp-update?context=/windows/deployment/context/context
- name: Update other Microsoft products
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
index acabef6211..c569bad856 100644
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -43,11 +43,11 @@ WinRE is serviced by applying the servicing stack update from OnePackage (latest
### Current checkpoint cumulative updates
-For Windows 11, version 24H2 and later, for a given update the knowledge base (KB) article notes all preceding checkpoint cumulative updates under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates.
+For Windows 11, version 24H2 and later, for a given update, the knowledge base (KB) article notes all preceding checkpoint cumulative updates under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates.
## Updating from the Microsoft Update Catalog
-When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply them sequentially under certain situations or in one go using DISM.
+When installing a given monthly security or optional nonsecurity preview update, [Microsoft Update Catalog](https://www.catalog.update.microsoft.com) users can determine and download the prior checkpoint cumulative updates and apply them sequentially under certain situations, or in one go using Deployment Image Servicing and Management (DISM).
### Finding prior checkpoint cumulative updates
@@ -55,13 +55,13 @@ For a given update, users can look up the KB article and find all preceding chec
> Method 2: Install each MSU file individually, in order Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
-Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all MSUs and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint cumulative update, [KB5043080](https://support.microsoft.com/help/5043080).
+Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all `.msu` files and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint cumulative update, [KB5043080](https://support.microsoft.com/help/5043080).
### Updating through checkpoint cumulative updates
**Device has the latest checkpoint cumulative update and doesn't need customization:**
-Devices or images that have the latest checkpoint cumulative update installed and don't need Features on Demand (FoD) or language pack (LP) customization can be updated to the latest target cumulative update with no change to your existing process. You can copy the target MSU from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options).
+Devices or images that have the latest checkpoint cumulative update installed and don't need Features on Demand (FoD) or language pack customization can be updated to the latest target cumulative update with no change to your existing process. You can copy the target `.msu` file from Microsoft Update Catalog and install it, for instance using [Add-WindowsPackage (DISM)](/powershell/module/dism/add-windowspackage) or [DISM operating system package (`.cab` or `.msu`) servicing command-line options](/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options).
Examples of eligible devices:
@@ -70,20 +70,20 @@ Examples of eligible devices:
|- The checkpoint cumulative update, 2024-09 (KB5043080)
|- A subsequent monthly security update like 2024-11 (KB5046617), or
- A subsequent optional nonsecurity release like 2024-11 (KB5046740)
|
|- A subsequent optional nonsecurity preview release like 2024-09 (KB5043178), or
- A subsequent monthly security update like 2024-10 (KB5044284)
|- A subsequent monthly security update like 2025-01 (KB5050009), or
- A subsequent optional nonsecurity release like 2024-11 (KB5046740)
|
-**Device needs FoD or LP customization:**
+**Device needs FoD or language pack customization:**
-Installing FoDs or LPs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or LPs, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM.
+Installing FoDs or language packs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or language packs, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM.
1. Copy the .msu files of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other .msu files present.
1. Mount the install.wim file.
-1. Run `DISM /add-package` with the latest MSU as the sole target.
+1. Run `DISM /add-package` with the latest `.msu` file as the sole target.
1. Run `/Cleanup-Image /StartComponentCleanup`.
1. Unmount.
1. Run `DISM /export-image` to optimize the image size, if that's important to you.
**Device doesn't have the latest checkpoint cumulative update and doesn't need customization:**
-Devices that aren't on the latest checkpoint cumulative update and don't need FoD/LP customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go, see above. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go.
+Devices that aren't on the latest checkpoint cumulative update and don't need FoD/language pack customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go. For more information, see the [Updating through checkpoint cumulative updates](#updating-through-checkpoint-cumulative-updates) section. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go.
## Related articles
From 871071ea651124af44c2acd42050d87bb17888ff Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 24 Jan 2025 11:10:40 -0800
Subject: [PATCH 11/26] edits from pm
---
.../update/catalog-checkpoint-cumulative-updates.md | 6 +++---
windows/deployment/update/release-cycle.md | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
index c569bad856..3d038d8a0a 100644
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -12,12 +12,12 @@ ms.collection:
ms.localizationpriority: medium
appliesto:
- ✅ Windows 11, version 24H2 and later
-ms.date: 01/23/2025
+ms.date: 01/27/2025
---
# Checkpoint cumulative updates and Microsoft Update Catalog usage
-Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so update processes involving WU and WSUS remain unchanged. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates.
+Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so **update processes involving WU and WSUS remain unchanged**. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates.
## Checkpoint cumulative updates
@@ -39,7 +39,7 @@ A checkpoint cumulative update is just another monthly security update that info
This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim).
-WinRE is serviced by applying the servicing stack update from OnePackage (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
+WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
### Current checkpoint cumulative updates
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index aa99ea62f3..7df3d99935 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 01/23/2025
+ms.date: 01/27/2025
---
# Update release cycle for Windows clients
@@ -58,7 +58,7 @@ Starting Windows 11, version 24H2, Microsoft may periodically release cumulative
- The update package files associated with the checkpoints, and
- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
-Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, no change is needed to their update process. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference.
+Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference.
@@ -82,7 +82,7 @@ Starting Windows 11, version 24H2, Microsoft may periodically release cumulative
- The update package files associated with the checkpoints, and
- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
-Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, no change is needed to their update process. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference.
+Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference.
## OOB releases
From 750aa34feffcb2209449d3d33aeee9db07573698 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 24 Jan 2025 11:41:49 -0800
Subject: [PATCH 12/26] edits from pm
---
.../deployment/update/catalog-checkpoint-cumulative-updates.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
index 3d038d8a0a..a537aea3fa 100644
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -12,6 +12,7 @@ ms.collection:
ms.localizationpriority: medium
appliesto:
- ✅ Windows 11, version 24H2 and later
+ - ✅ Windows Server 2025
ms.date: 01/27/2025
---
From 3a5da118ae2635ad17409b3a3c93f4f6c672dd29 Mon Sep 17 00:00:00 2001
From: "Steve DiAcetis (MSFT)"
<52939067+SteveDiAcetis@users.noreply.github.com>
Date: Mon, 27 Jan 2025 11:12:40 -0800
Subject: [PATCH 13/26] Update media-dynamic-update.md
Due to changes in how optional components are implemented, we are moving the installation of these before the final LCU install. This means cleanup may fail with a warning. Further, other changes include:
1) Moving some script comments into the main article, to improve readability. Most of this is related to the old approach where SSU was a separate update.
2) Adding Optional Components (or Legacy Features) to the script. This help ensure they are showcased before the LCU install.
3) Tweaked the main table of steps, to highlight SSU is coming from LCU, and the sequence change with main OS cleanup.
---
.../deployment/update/media-dynamic-update.md | 350 +++++++++---------
1 file changed, 171 insertions(+), 179 deletions(-)
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index e5b5cd4a0b..511f9384c1 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -13,7 +13,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Windows Server
-ms.date: 11/11/2024
+ms.date: 1/28/2024
---
# Update Windows installation media with Dynamic Update
@@ -124,27 +124,27 @@ Properly updating the installation media involves many actions operating on seve
This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding boot manager from WinPE to the new media (28).
-|Task |WinRE (winre.wim) |Operating system (install.wim) | WinPE (boot.wim) | New media |
-|-------------------------------------------|-------------------|--------------------------------|------------------|-----------|
-|Add servicing stack Dynamic Update | 1 | 9 | 17 | |
-|Add language pack | 2 | 10 | 18 | |
-|Add localized optional packages | 3 | | 19 | |
-|Add font support | 4 | | 20 | |
-|Add text-to-speech | 5 | | 21 | |
-|Update Lang.ini | | | 22 | |
-|Add Features on Demand | | 11 | | |
-|Add Safe OS Dynamic Update | 6 | | | |
-|Add Setup Dynamic Update | | | | 26 |
-|Add setup.exe and setuphost.exe from WinPE | | | | 27 |
-|Add boot manager from WinPE | | | | 28 |
-|Add latest cumulative update | | 12 | 23 | |
-|Clean up the image | 7 | 13 | 24 | |
-|Add Optional Components | | 14 | | |
-|Add .NET and .NET cumulative updates | | 15 | | |
-|Export image | 8 | 16 | 25 | |
+|Task |WinRE (winre.wim) |Operating system (install.wim) | WinPE (boot.wim) | New media |
+|--------------------------------------------------------|-------------------|--------------------------------|------------------|-----------|
+|Add servicing stack update via latest cumulative update | 1 | 9 | 17 | |
+|Add language pack | 2 | 10 | 18 | |
+|Add localized optional packages | 3 | | 19 | |
+|Add font support | 4 | | 20 | |
+|Add text-to-speech | 5 | | 21 | |
+|Update Lang.ini | | | 22 | |
+|Add Features on Demand | | 11 | | |
+|Add Optional Components | | 12 | | |
+|Add Safe OS Dynamic Update | 6 | | | |
+|Add Setup Dynamic Update | | | | 26 |
+|Add setup.exe and setuphost.exe from WinPE | | | | 27 |
+|Add boot manager from WinPE | | | | 28 |
+|Add latest cumulative update | | 13 | 23 | |
+|Clean up the image | 7 | 14 | 24 | |
+|Add .NET and .NET cumulative updates | | 15 | | |
+|Export image | 8 | 16 | 25 | |
> [!NOTE]
-> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
+> Starting in February 2021, the latest cumulative update and servicing stack update is combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 17 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
> [!NOTE]
> Microsoft will remove the Flash component from Windows through KB4577586, "Update for Removal of Adobe Flash Player". You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, "Update for Removal of Adobe Flash Player" will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
@@ -178,7 +178,8 @@ These examples are for illustration only, and therefore lack error handling. The
### Get started
-The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only.
+The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only. The script also showcases adding additional languages, Features on Demand, and Optional Components. These are not required, but added to highlight when in the sequence they should be addeed. Starting with Windows 11, version 21H2, the language pack (LANGPACK) ISO has been superseded by the FOD ISO. Language packs and the \Windows Preinstallation Environment packages are part of the LOF ISO. Further, the path for main OS language and optional features moved to \LanguagesAndOptionalFeatures instead of the root. If you are using this script for Windows 10, modify to mount and use the LANGPACK ISO.
+
```powershell
#Requires -RunAsAdministrator
@@ -187,40 +188,38 @@ function Get-TS { return "{0:HH:mm:ss}" -f [DateTime]::Now }
Write-Output "$(Get-TS): Starting media refresh"
-# Declare language for showcasing adding optional localized components
-$LANG = "ja-jp"
-$LANG_FONT_CAPABILITY = "jpan"
-
-# Declare media for FOD and LPs
-# Note: Starting with Windows 11, version 21H2, the language pack (LANGPACK) ISO has been superseded by the FOD ISO.
-# Language packs and the \Windows Preinstallation Environment packages are part of the LOF ISO.
-# If you are using this script for Windows 10, modify to mount and use the LANGPACK ISO.
-$FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
-
# Declare Dynamic Update packages. A dedicated folder is used for the latest cumulative update, and as needed
# checkpoint cumulative updates.
$LCU_PATH = "C:\mediaRefresh\packages\CU\LCU.msu"
-$SSU_PATH = "C:\mediaRefresh\packages\Other\SSU_DU.msu"
$SETUP_DU_PATH = "C:\mediaRefresh\packages\Other\Setup_DU.cab"
$SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\Other\SafeOS_DU.cab"
$DOTNET_CU_PATH = "C:\mediaRefresh\packages\Other\DotNet_CU.msu"
-# Declare folders for mounted images and temp files
-$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
-$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
-$WORKING_PATH = "C:\mediaRefresh\temp"
-$MAIN_OS_MOUNT = "C:\mediaRefresh\temp\MainOSMount"
-$WINRE_MOUNT = "C:\mediaRefresh\temp\WinREMount"
-$WINPE_MOUNT = "C:\mediaRefresh\temp\WinPEMount"
+# Declare media for FOD and LPs
+$FOD_ISO_PATH = "C:\mediaRefresh\packages\CLIENT_LOF_PACKAGES_OEM.iso"
+
+# Array of Features On Demand for main OS
+# This is optional to showcase where these are added
+$FOD = @(
+'XPS.Viewer~~~~0.0.1.0'
+)
+
+# Array of Legacy Features for main OS
+# This is optional to showcase where these are added
+$OC = @(
+'MediaPlayback'
+'WindowsMediaPlayer'
+)
# Mount the Features on Demand ISO
Write-Output "$(Get-TS): Mounting FOD ISO"
$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
-
-# Note: Starting with Windows 11, version 21H2, the correct path for main OS language and optional features
-# moved to \LanguagesAndOptionalFeatures instead of the root. For Windows 10, use $FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\LanguagesAndOptionalFeatures"
+# Declare language for showcasing adding optional localized components
+$LANG = "ja-jp"
+$LANG_FONT_CAPABILITY = "jpan"
+
# Declare language related cabs
$WINPE_OC_PATH = "$FOD_ISO_DRIVE_LETTER`:\Windows Preinstallation Environment\x64\WinPE_OCs"
$WINPE_OC_LANG_PATH = "$WINPE_OC_PATH\$LANG"
@@ -231,6 +230,14 @@ $WINPE_SPEECH_TTS_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS.cab"
$WINPE_SPEECH_TTS_LANG_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS-$LANG.cab"
$OS_LP_PATH = "$FOD_PATH\Microsoft-Windows-Client-Language-Pack_x64_$LANG.cab"
+# Declare folders for mounted images and temp files
+$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia\Ge\client_professional_en-us"
+$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
+$WORKING_PATH = "C:\mediaRefresh\temp"
+$MAIN_OS_MOUNT = "C:\mediaRefresh\temp\MainOSMount"
+$WINRE_MOUNT = "C:\mediaRefresh\temp\WinREMount"
+$WINPE_MOUNT = "C:\mediaRefresh\temp\WinPEMount"
+
# Create folders for mounting images and storing temporary files
New-Item -ItemType directory -Path $WORKING_PATH -ErrorAction Stop | Out-Null
New-Item -ItemType directory -Path $MAIN_OS_MOUNT -ErrorAction stop | Out-Null
@@ -241,15 +248,16 @@ New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
Write-Output "$(Get-TS): Copying original media to new media path"
Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
+
```
### Update WinRE and each main OS Windows edition
The script will update each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted.
-For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
+For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack servicing stack via the latest cumulative update, since its components are used for updating other components. Depending on the Windows release that you are updating, there are two different approaches for updating the servicing stack. The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined cumulative update format change, that requires a standalone servicing stack update to be published, and installed first before the combined cumulative update can be installed. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
-Next, for the mounted OS image, the script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image. You can install Optional Components, along with the .NET feature, offline, but that requires the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
+Next, for the mounted OS image, the script starts by applying the servicing stack via the latest cumulative update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then attempts to clean the image, then a final step to apply the latest cumulative update. It is important to apply the latest cumulative update last, to ensure Features on Demand, Optional Components and Languages are updated from their initial release state. The .NET feature is an exception, that is added along with its cumulative update next. Finally, the script exports the image.
This process is repeated for each edition of Windows within the main operating system file. To reduce size, the serviced Winre.wim file from the first image is saved, and used to update each subsequent Windows edition. This reduces the final size of install.wim.
@@ -262,13 +270,15 @@ This process is repeated for each edition of Windows within the main operating s
# Get the list of images contained within the main OS
$WINOS_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim"
-Foreach ($IMAGE in $WINOS_IMAGES) {
+Foreach ($IMAGE in $WINOS_IMAGES)
+{
# first mount the main OS image
Write-Output "$(Get-TS): Mounting main OS, image index $($IMAGE.ImageIndex)"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index $IMAGE.ImageIndex -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
- if ($IMAGE.ImageIndex -eq "1") {
+ if ($IMAGE.ImageIndex -eq "1")
+ {
#
# update Windows Recovery Environment (WinRE) within this OS image
@@ -278,29 +288,9 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update (Step 1 from the table)
-
- # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
- # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
- # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
- # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined
- # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
- # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
- # combined cumulative update can be installed.
-
- # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
- # Now, attempt the combined cumulative update.
- # There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should
- # be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct
- # packages installed.
-
-
Write-Output "$(Get-TS): Adding package $LCU_PATH to WinRE"
try
{
-
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null
}
Catch
@@ -308,38 +298,36 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
$theError = $_
Write-Output "$(Get-TS): $theError"
- if ($theError.Exception -like "*0x8007007e*") {
- Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
+ if ($theError.Exception -like "*0x8007007e*")
+ {
+ Write-Warning "$(Get-TS): Failed with error 0x8007007e. This failure is a known issue with combined cumulative update, we can ignore."
}
- else {
+ else
+ {
throw
}
}
- # The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
- # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
- # update. This second approach is commented out below.
-
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
#
# Optional: Add the language to recovery environment
#
+
# Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
$WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT
- Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
-
- if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
-
+ Foreach ($PACKAGE in $WINRE_INSTALLED_OC)
+ {
+ if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") )
+ {
$INDEX = $PACKAGE.PackageName.IndexOf("-Package")
- if ($INDEX -ge 0) {
+ if ($INDEX -ge 0)
+ {
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
- if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
+ if ($WINPE_OC_LANG_CABS.Contains($OC_CAB))
+ {
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
Write-Output "$(Get-TS): Adding package $OC_CAB_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
@@ -349,15 +337,17 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
}
# Add font support for the new language
- if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
+ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) )
+ {
Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
# Add TTS support for the new language
- if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
- if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-
+ if (Test-Path -Path $WINPE_SPEECH_TTS_PATH)
+ {
+ if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) )
+ {
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH to WinRE"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
@@ -373,6 +363,10 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
# Perform image cleanup
Write-Output "$(Get-TS): Performing image cleanup on WinRE"
DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ throw "Error: Failed to perform image cleanup on WinRE. Exit code: $LastExitCode"
+ }
# Dismount
Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
@@ -389,35 +383,15 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
# update Main OS
#
- # Add servicing stack update (Step 18 from the table)
-
- # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
- # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
- # includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
- # cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully
- # rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published,
- # and installed first before the combined cumulative update can be installed.
-
- # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
-
- # Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
+ # Add servicing stack update (Step 17 from the table). Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
Write-Output "$(Get-TS): Adding package $LCU_PATH to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null
- # The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
- # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
- # update. This second approach is commented out below.
- # Write-Output "$(Get-TS): Adding package $SSU_PATH to main OS, index $($IMAGE.ImageIndex)"
- # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
-
- # Optional: Add language to main OS
+ # Optional: Add language to main OS and corresponding language experience Features on Demand
Write-Output "$(Get-TS): Adding package $OS_LP_PATH to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null
- # Optional: Add a Features on Demand to the image
Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
@@ -436,22 +410,47 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
Write-Output "$(Get-TS): Adding language FOD: Language.Speech~~~$LANG~0.0.1.0 to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
- # Note: If I wanted to enable additional Features on Demand, I'd add these here.
+ # Optional: Add additional Features On Demand
+ For ( $index = 0; $index -lt $FOD.count; $index++)#
+ {
+ Write-Output "$(Get-TS): Adding $($FOD[$index]) to main OS, index $($IMAGE.ImageIndex)"
+ Add-WindowsCapability -Name $($FOD[$index]) -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+ }
+
+ # Optional: Add Legacy Features
+ For ( $index = 0; $index -lt $OC.count; $index++)
+ {
+ Write-Output "$(Get-TS): Adding $($OC[$index]) to main OS, index $($IMAGE.ImageIndex)"
+ DISM /Image:$MAIN_OS_MOUNT /Enable-Feature /FeatureName:$($OC[$index]) /All | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ throw "Error: Failed to add $($OC[$index]) to main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
+ }
+ }
# Add latest cumulative update
Write-Output "$(Get-TS): Adding package $LCU_PATH to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
- # Perform image cleanup
+ # Perform image cleanup. Some Optional Components might require the image to be booted, and thus
+ # image cleanup may fail. We'll catch and handle as a warning.
Write-Output "$(Get-TS): Performing image cleanup on main OS, index $($IMAGE.ImageIndex)"
DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ if ($LastExitCode -eq -2146498554)
+ {
+ # We hit 0x800F0806 CBS_E_PENDING. We will ignore this with a warning
+ # This is likely due to legacy components being added that require online operations.
+ Write-Warning "$(Get-TS): Failed to perform image cleanup on main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode. The operation cannot be performed until pending servicing operations are completed. The image must be booted to complete the pending servicing operation."
+ }
+ else
+ {
+ throw "Error: Failed to perform image cleanup on main OS, index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
+ }
+ }
- #
- # Note: If I wanted to enable additional Optional Components, I'd add these here.
- # In addition, we'll add .NET 3.5 here as well. Both .NET and Optional Components might require
- # the image to be booted, and thus if we tried to cleanup after installation, it would fail.
- #
-
+ # Finally, we'll add .NET 3.5 and the .NET cumulative update
Write-Output "$(Get-TS): Adding NetFX3~~~~ to main OS, index $($IMAGE.ImageIndex)"
Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
@@ -465,7 +464,6 @@ Foreach ($IMAGE in $WINOS_IMAGES) {
# Export
Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
-
}
Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
@@ -484,31 +482,14 @@ This script is similar to the one that updates WinRE, but instead it mounts Boot
# Get the list of images contained within WinPE
$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim"
-Foreach ($IMAGE in $WINPE_IMAGES) {
+Foreach ($IMAGE in $WINPE_IMAGES)
+{
# update WinPE
Write-Output "$(Get-TS): Mounting WinPE, image index $($IMAGE.ImageIndex)"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update (Step 9 from the table)
-
- # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
- # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
- # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
- # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published separately; the combined
- # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
- # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
- # combined cumulative update can be installed.
-
- # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
- # Now, attempt the combined cumulative update.
- # There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
- # This error should be caught and ignored, as the last step will be to apply the cumulative update
- # (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
-
try
{
Write-Output "$(Get-TS): Adding package $LCU_PATH to WinPE, image index $($IMAGE.ImageIndex)"
@@ -518,38 +499,34 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
{
$theError = $_
Write-Output "$(Get-TS): $theError"
-
- if ($theError.Exception -like "*0x8007007e*") {
- Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
+ if ($theError.Exception -like "*0x8007007e*")
+ {
+ Write-Warning "$(Get-TS): Failed with error 0x8007007e. This failure is a known issue with combined cumulative update, we can ignore."
}
- else {
+ else
+ {
throw
}
}
- # The second approach for Step 9 is for Windows releases that have not adopted the combined cumulative update
- # but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
- # update. This second approach is commented out below.
-
- # Write-Output "$(Get-TS): Adding package $SSU_PATH"
- # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
# Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
$WINPE_INSTALLED_OC = Get-WindowsPackage -Path $WINPE_MOUNT
- Foreach ($PACKAGE in $WINPE_INSTALLED_OC) {
-
- if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
-
+ Foreach ($PACKAGE in $WINPE_INSTALLED_OC)
+ {
+ if ( ($PACKAGE.PackageState -eq "Installed") -and ($PACKAGE.PackageName.startsWith("WinPE-")) -and ($PACKAGE.ReleaseType -eq "FeaturePack") )
+ {
$INDEX = $PACKAGE.PackageName.IndexOf("-Package")
- if ($INDEX -ge 0) {
-
+ if ($INDEX -ge 0)
+ {
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
- if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
+ if ($WINPE_OC_LANG_CABS.Contains($OC_CAB))
+ {
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
+
Write-Output "$(Get-TS): Adding package $OC_CAB_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
}
@@ -558,15 +535,17 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
}
# Add font support for the new language
- if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
+ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) )
+ {
Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
# Add TTS support for the new language
- if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
- if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-
+ if (Test-Path -Path $WINPE_SPEECH_TTS_PATH)
+ {
+ if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) )
+ {
Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH to WinPE, image index $($IMAGE.ImageIndex)"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
@@ -576,9 +555,14 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
}
# Generates a new Lang.ini file which is used to define the language packs inside the image
- if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") ) {
+ if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") )
+ {
Write-Output "$(Get-TS): Updating lang.ini"
DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ throw "Error: Failed to update lang.ini. Exit code: $LastExitCode"
+ }
}
# Add latest cumulative update
@@ -588,28 +572,31 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
# Perform image cleanup
Write-Output "$(Get-TS): Performing image cleanup on WinPE, image index $($IMAGE.ImageIndex)"
DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
+ if ($LastExitCode -ne 0)
+ {
+ throw "Error: Failed to perform image cleanup on WinPE, image index $($IMAGE.ImageIndex). Exit code: $LastExitCode"
+ }
- if ($IMAGE.ImageIndex -eq "2") {
-
+ if ($IMAGE.ImageIndex -eq "2")
+ {
# Save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder
Copy-Item -Path $WINPE_MOUNT"\sources\setup.exe" -Destination $WORKING_PATH"\setup.exe" -Force -ErrorAction stop | Out-Null
# Save setuphost.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder
# This is only required starting with Windows 11 version 24H2
$TEMP = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex
- if ([System.Version]$TEMP.Version -ge [System.Version]"10.0.26100") {
-
+ if ([System.Version]$TEMP.Version -ge [System.Version]"10.0.26100")
+ {
Copy-Item -Path $WINPE_MOUNT"\sources\setuphost.exe" -Destination $WORKING_PATH"\setuphost.exe" -Force -ErrorAction stop | Out-Null
}
- else {
-
+ else
+ {
Write-Output "$(Get-TS): Skipping copy of setuphost.exe; image version $($TEMP.Version)"
}
# Save serviced boot manager files later copy to the root media.
Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgfw.efi" -Destination $WORKING_PATH"\bootmgfw.efi" -Force -ErrorAction stop | Out-Null
Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgr.efi" -Destination $WORKING_PATH"\bootmgr.efi" -Force -ErrorAction stop | Out-Null
-
}
# Dismount
@@ -618,10 +605,10 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
#Export WinPE
Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
-
}
Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null
+
```
### Update remaining media files
@@ -636,14 +623,18 @@ This part of the script updates the Setup files. It simply copies the individual
# Add Setup DU by copy the files from the package into the newMedia
Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH"
cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null
+if ($LastExitCode -ne 0)
+{
+ throw "Error: Failed to expand $SETUP_DU_PATH. Exit code: $LastExitCode"
+}
# Copy setup.exe from boot.wim, saved earlier.
Write-Output "$(Get-TS): Copying $WORKING_PATH\setup.exe to $MEDIA_NEW_PATH\sources\setup.exe"
Copy-Item -Path $WORKING_PATH"\setup.exe" -Destination $MEDIA_NEW_PATH"\sources\setup.exe" -Force -ErrorAction stop | Out-Null
# Copy setuphost.exe from boot.wim, saved earlier.
-if (Test-Path -Path $WORKING_PATH"\setuphost.exe") {
-
+if (Test-Path -Path $WORKING_PATH"\setuphost.exe")
+{
Write-Output "$(Get-TS): Copying $WORKING_PATH\setuphost.exe to $MEDIA_NEW_PATH\sources\setuphost.exe"
Copy-Item -Path $WORKING_PATH"\setuphost.exe" -Destination $MEDIA_NEW_PATH"\sources\setuphost.exe" -Force -ErrorAction stop | Out-Null
}
@@ -651,28 +642,20 @@ if (Test-Path -Path $WORKING_PATH"\setuphost.exe") {
# Copy bootmgr files from boot.wim, saved earlier.
$MEDIA_NEW_FILES = Get-ChildItem $MEDIA_NEW_PATH -Force -Recurse -Filter b*.efi
-Foreach ($File in $MEDIA_NEW_FILES){
+Foreach ($File in $MEDIA_NEW_FILES)
+{
if (($File.Name -ieq "bootmgfw.efi") -or ($File.Name -ieq "bootx64.efi") -or ($File.Name -ieq "bootia32.efi") -or ($File.Name -ieq "bootaa64.efi"))
{
-
Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgfw.efi to $($File.FullName)"
Copy-Item -Path $WORKING_PATH"\bootmgfw.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null
}
elseif ($File.Name -ieq "bootmgr.efi")
{
-
Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgr.efi to $($File.FullName)"
Copy-Item -Path $WORKING_PATH"\bootmgr.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null
}
}
-```
-
-### Finish up
-
-As a last step, the script removes the working folder of temporary files, and unmounts our language pack and Features on Demand ISOs.
-
-```powershell
#
# Perform final cleanup
#
@@ -685,4 +668,13 @@ Write-Output "$(Get-TS): Dismounting ISO images"
Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
Write-Output "$(Get-TS): Media refresh completed!"
+
+```
+
+### Finish up
+
+As a last step, the script removes the working folder of temporary files, and unmounts our language pack and Features on Demand ISOs.
+
+```powershell
+TODO
```
From 094d415c7a865a6ecbc9d12bce15cf42a2847035 Mon Sep 17 00:00:00 2001
From: "Steve DiAcetis (MSFT)"
<52939067+SteveDiAcetis@users.noreply.github.com>
Date: Mon, 27 Jan 2025 11:27:28 -0800
Subject: [PATCH 14/26] Update media-dynamic-update.md
---
windows/deployment/update/media-dynamic-update.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 511f9384c1..1e669a15c7 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -178,7 +178,7 @@ These examples are for illustration only, and therefore lack error handling. The
### Get started
-The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only. The script also showcases adding additional languages, Features on Demand, and Optional Components. These are not required, but added to highlight when in the sequence they should be addeed. Starting with Windows 11, version 21H2, the language pack (LANGPACK) ISO has been superseded by the FOD ISO. Language packs and the \Windows Preinstallation Environment packages are part of the LOF ISO. Further, the path for main OS language and optional features moved to \LanguagesAndOptionalFeatures instead of the root. If you are using this script for Windows 10, modify to mount and use the LANGPACK ISO.
+The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only. The script also showcases adding additional languages, Features on Demand, and Optional Components. These are not required, but added to highlight when in the sequence they should be addeed. Starting with Windows 11, version 21H2, the language pack (LANGPACK) ISO has been superseded by the Features on Demand ISO. Language packs and the \Windows Preinstallation Environment packages are part of the Features on Demand ISO. Further, the path for main OS language and optional features moved to \LanguagesAndOptionalFeatures instead of the root. If you are using this script for Windows 10, modify to mount and use the language pack (LANGPACK) ISO.
```powershell
From 9bd82cce5f826a981939db7ae8c967548b50ea6c Mon Sep 17 00:00:00 2001
From: "Steve DiAcetis (MSFT)"
<52939067+SteveDiAcetis@users.noreply.github.com>
Date: Mon, 27 Jan 2025 13:36:06 -0800
Subject: [PATCH 15/26] Update media-dynamic-update.md
---
windows/deployment/update/media-dynamic-update.md | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 1e669a15c7..0ae148a631 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -656,6 +656,13 @@ Foreach ($File in $MEDIA_NEW_FILES)
}
}
+```
+
+### Finish up
+
+As a last step, the script removes the working folder of temporary files, and unmounts our language pack and Features on Demand ISOs.
+
+```powershell
#
# Perform final cleanup
#
@@ -670,11 +677,3 @@ Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
Write-Output "$(Get-TS): Media refresh completed!"
```
-
-### Finish up
-
-As a last step, the script removes the working folder of temporary files, and unmounts our language pack and Features on Demand ISOs.
-
-```powershell
-TODO
-```
From 1a4d132553d6a0547cd66007fb6f34ea04083423 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 30 Jan 2025 10:01:58 -0800
Subject: [PATCH 16/26] edits and use include file
---
.../catalog-checkpoint-cumulative-updates.md | 2 +-
.../includes/checkpoint-cumulative-updates.md | 17 ++++++++++++++++
windows/deployment/update/release-cycle.md | 20 ++++++++-----------
3 files changed, 26 insertions(+), 13 deletions(-)
create mode 100644 windows/deployment/update/includes/checkpoint-cumulative-updates.md
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
index a537aea3fa..cef752e648 100644
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11, version 24H2 and later
- ✅ Windows Server 2025
-ms.date: 01/27/2025
+ms.date: 01/30/2025
---
# Checkpoint cumulative updates and Microsoft Update Catalog usage
diff --git a/windows/deployment/update/includes/checkpoint-cumulative-updates.md b/windows/deployment/update/includes/checkpoint-cumulative-updates.md
new file mode 100644
index 0000000000..9e266ddb65
--- /dev/null
+++ b/windows/deployment/update/includes/checkpoint-cumulative-updates.md
@@ -0,0 +1,17 @@
+---
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+ms.subservice: itpro-updates
+ms.service: windows-client
+ms.topic: include
+ms.date: 01/30/2025
+ms.localizationpriority: medium
+---
+
+
+Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of:
+- The update package files associated with the checkpoints, and
+- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
+
+Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference.
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index 7df3d99935..449627bbbe 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 01/27/2025
+ms.date: 01/30/2025
---
# Update release cycle for Windows clients
@@ -54,13 +54,8 @@ Monthly security update releases are available through the following channels:
Many update management tools, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Intune](/mem/intune/), rely on these channels for update deployment.
-Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of:
-- The update package files associated with the checkpoints, and
-- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
-
-Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference.
-
-
+
+[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
## Optional nonsecurity preview release
@@ -78,11 +73,9 @@ To access the optional nonsecurity preview release:
- Use [Windows Insider Program for Business](https://insider.windows.com/for-business)
- Use the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
-Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of:
-- The update package files associated with the checkpoints, and
-- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
+
+[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
-Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference.
## OOB releases
@@ -97,6 +90,9 @@ Some key considerations about OOB releases include:
- Critical OOB releases are automatically available to WSUS and Windows Update for Business, just like the monthly security update releases.
- Some OOB releases are classified as noncritical.
- Noncritical releases only go to the Microsoft Update Catalog for users or organizations to voluntarily obtain the update.
+
+
+[!INCLUDE [Checkpoint cumulative updates](./includes/checkpoint-cumulative-updates.md)]
## Continuous innovation for Windows 11
From 453ad36bf40b41e29f18af5d1cc9621ab4184e93 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 30 Jan 2025 10:07:34 -0800
Subject: [PATCH 17/26] fix link
---
.../deployment/update/includes/checkpoint-cumulative-updates.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/includes/checkpoint-cumulative-updates.md b/windows/deployment/update/includes/checkpoint-cumulative-updates.md
index 9e266ddb65..c1be20d788 100644
--- a/windows/deployment/update/includes/checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/includes/checkpoint-cumulative-updates.md
@@ -14,4 +14,4 @@ Starting Windows 11, version 24H2, Microsoft may periodically release cumulative
- The update package files associated with the checkpoints, and
- New update package files that contain incremental binary differentials against the version of binaries in the last checkpoint.
-Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](catalog-checkpoint-cumulative-updates.md) for reference.
+Multiple checkpoints may be shipped during the lifecycle of a given Windows release. Devices updating from Windows Update and WSUS can continue to seamlessly install the latest monthly security update regardless of whether there are any preceding checkpoint cumulative updates, **no change is needed to their update process**. Catalog users can review [Checkpoint cumulative updates and Microsoft Update Catalog usage](../catalog-checkpoint-cumulative-updates.md) for reference.
From 746a55a558255fa98a24c552ec4e49a653707c65 Mon Sep 17 00:00:00 2001
From: Rick Munck <33725928+jmunck@users.noreply.github.com>
Date: Fri, 31 Jan 2025 07:47:26 -0600
Subject: [PATCH 18/26] Update security-compliance-toolkit-10.md
Removed reference to Server 2012 R2, Office 2016, Windows 10 20H2.
Added Server 2025
Updated Office baseline to v2412
---
.../security-compliance-toolkit-10.md | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
index ced5288d21..3556919a26 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -23,18 +23,16 @@ The Security Compliance Toolkit consists of:
- Windows 10 security baselines
- Windows 10, version 22H2
- Windows 10, version 21H2
- - Windows 10, version 20H2
- Windows 10, version 1809
- Windows 10, version 1607
- Windows 10, version 1507
- Windows Server security baselines
+ - Windows Server 2025
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- - Windows Server 2012 R2
- Microsoft Office security baseline
- - Office 2016
- - Microsoft 365 Apps for Enterprise Version 2206
+ - Microsoft 365 Apps for Enterprise Version 2412
- Microsoft Edge security baseline
- Microsoft Edge version 128
- Tools
From 56501a2715c401e2beb228aaa26e499e5d14c1e1 Mon Sep 17 00:00:00 2001
From: Rick Munck <33725928+jmunck@users.noreply.github.com>
Date: Fri, 31 Jan 2025 08:12:47 -0600
Subject: [PATCH 19/26] Update get-support-for-security-baselines.md
Updated versions and removed links to SCM
---
.../get-support-for-security-baselines.md | 15 +++------------
1 file changed, 3 insertions(+), 12 deletions(-)
diff --git a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
index 05f61ccf78..75939e36c9 100644
--- a/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -16,16 +16,7 @@ The Security Compliance Manager (SCM) is now retired and is no longer supported.
More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures).
-### Where can I get an older version of a Windows baseline?
-
-Any version of Windows baseline before Windows 10, version 1703, can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
-
-- [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10))
-- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
-- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
-- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
-
-### What file formats are supported by the new SCT?
+### What file formats are supported by the SCT?
The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' `.cab` files are no longer supported.
@@ -56,16 +47,16 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t
| Name | Build | Baseline Release Date | Security Tools |
|--|--|--|--|
+| Windows Server 2025 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-server-2025-security-baseline/4358733) | January 2025 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2022 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-server-2022-security-baseline/ba-p/2724685) | September 2021 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2019 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) | November 2018 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | October 2016 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows Server 2012 R2 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) | August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
### Microsoft products
| Name | Details | Security Tools |
|--|--|--|
-| Microsoft 365 Apps for enterprise, version 2306 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2306/ba-p/3858702) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Microsoft 365 Apps for enterprise, version 2412 | [SecGuide](https://techcommunity.microsoft.com/blog/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2412/4357320) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Microsoft Edge, version 128 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-128/ba-p/4237524) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
## Related articles
From ef635d68903f2bd699414a1e6de8db3fae68c075 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 31 Jan 2025 08:39:25 -0800
Subject: [PATCH 20/26] edit
---
.../update/catalog-checkpoint-cumulative-updates.md | 4 ++--
.../update/includes/checkpoint-cumulative-updates.md | 4 ++--
windows/deployment/update/release-cycle.md | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
index cef752e648..0c3fda339a 100644
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -13,11 +13,11 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11, version 24H2 and later
- ✅ Windows Server 2025
-ms.date: 01/30/2025
+ms.date: 01/31/2025
---
# Checkpoint cumulative updates and Microsoft Update Catalog usage
-
+
Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so **update processes involving WU and WSUS remain unchanged**. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates.
## Checkpoint cumulative updates
diff --git a/windows/deployment/update/includes/checkpoint-cumulative-updates.md b/windows/deployment/update/includes/checkpoint-cumulative-updates.md
index c1be20d788..dd9b0e1abd 100644
--- a/windows/deployment/update/includes/checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/includes/checkpoint-cumulative-updates.md
@@ -5,10 +5,10 @@ manager: aaroncz
ms.subservice: itpro-updates
ms.service: windows-client
ms.topic: include
-ms.date: 01/30/2025
+ms.date: 01/31/2025
ms.localizationpriority: medium
---
-
+
Starting Windows 11, version 24H2, Microsoft may periodically release cumulative updates as checkpoints. The subsequent updates will consist of:
- The update package files associated with the checkpoints, and
diff --git a/windows/deployment/update/release-cycle.md b/windows/deployment/update/release-cycle.md
index 449627bbbe..ef01bc96d7 100644
--- a/windows/deployment/update/release-cycle.md
+++ b/windows/deployment/update/release-cycle.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 01/30/2025
+ms.date: 01/31/2025
---
# Update release cycle for Windows clients
From 14751d75763c5009894ca7922c94a717cbd8761d Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 31 Jan 2025 09:50:46 -0800
Subject: [PATCH 21/26] edits
---
.../catalog-checkpoint-cumulative-updates.md | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
index 0c3fda339a..867e17a256 100644
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -12,13 +12,13 @@ ms.collection:
ms.localizationpriority: medium
appliesto:
- ✅ Windows 11, version 24H2 and later
- - ✅ Windows Server 2025
+ - ✅ Windows Server 2025 and later
ms.date: 01/31/2025
---
# Checkpoint cumulative updates and Microsoft Update Catalog usage
-Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices (and images) updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so **update processes involving WU and WSUS remain unchanged**. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates.
+Starting Windows 11, version 24H2, monthly security updates and optional nonsecurity preview release updates might be preceded by a checkpoint cumulative update. Devices updating from Windows Update (WU) and Windows Server Update Services (WSUS) release channels can continue to seamlessly install the latest monthly security update or the optional nonsecurity preview release regardless of whether there are any preceding checkpoint cumulative updates, so **update processes involving WU and WSUS remain unchanged**. This article covers how Microsoft Update Catalog users can easily update their devices (or images) through checkpoint cumulative updates.
## Checkpoint cumulative updates
@@ -32,7 +32,7 @@ Going forward, Microsoft might periodically release cumulative updates as checkp
This process might be repeated multiple times, thereby generating multiple checkpoints during the lifecycle of a given Windows release. The Windows 11, version 24H2 servicing stack can merge all the checkpoints and only download and install content that's missing on the device.
-If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this process happens seamlessly. You can continue to use the same tools and processes that you currently use for approving and deploying updates.
+If any checkpoint cumulative updates precede a target update, a device or image needs to take all prior checkpoint cumulative updates before it can take the target update. In other words, a post-checkpoint latest cumulative update can be applied to images/devices that are on that checkpoint or on a subsequent latest cumulative update. For updates sourced from WU and WSUS this process happens seamlessly. You can continue to use the same tools and processes that you currently use for approving and deploying updates. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates.
### Applicability
@@ -40,11 +40,10 @@ A checkpoint cumulative update is just another monthly security update that info
This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim).
+### Update Windows installation media
+
WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
-### Current checkpoint cumulative updates
-
-For Windows 11, version 24H2 and later, for a given update, the knowledge base (KB) article notes all preceding checkpoint cumulative updates under the **Catalog** release channel tab. We expect that your experience updating through a checkpoint cumulative update will position you to efficiently take future checkpoint cumulative updates.
## Updating from the Microsoft Update Catalog
@@ -54,7 +53,7 @@ When installing a given monthly security or optional nonsecurity preview update,
For a given update, users can look up the KB article and find all preceding checkpoints, if any, listed under the **Catalog** release channel. For instance, the 2024-12 monthly security update (KB5048667) has one preceding checkpoint cumulative update per [December 10, 2024-KB5048667 (OS Build 26100.2605)](https://support.microsoft.com/topic/708755a6-d809-4a8a-8d20-53c4108590e6#ID0ELBD=Catalog):
- > Method 2: Install each MSU file individually, in order Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
+ > Install each MSU file individually, in order Download and install each MSU file individually either using DISM or [Windows Update Standalone Installer](https://support.microsoft.com/topic/799ba3df-ec7e-b05e-ee13-1cdae8f23b19) in the following order:
- windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu
- windows11.0-kb5048667-x64_d4ad0ca69de9a02bc356757581e0e0d6960c9f93.msu
Alternately, users can search the KB number in the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) and select the **Download** button for the selected architecture. The download pop-up shows all prior checkpoints for the update so that users can conveniently download all `.msu` files and apply them to their image or device. For instance, Microsoft Update Catalog shows the [2024-12 cumulative update (KB5048667)](https://support.microsoft.com/help/5048667) has one preceding checkpoint cumulative update, [KB5043080](https://support.microsoft.com/help/5043080).
@@ -73,7 +72,7 @@ Examples of eligible devices:
**Device needs FoD or language pack customization:**
-Installing FoDs or language packs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or language packs, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM.
+Installing FoDs or language packs requires the full latest cumulative update payload, which now can be split across files associated with each preceding checkpoint cumulative update. So, when customizing FoDs or language packs for offline media, all prior checkpoint cumulative updates and the target cumulative update need to be installed regardless of whether the device already had any of the prior checkpoints cumulative update installed. This needs to be done using DISM.
1. Copy the .msu files of the latest cumulative update (the target) and all prior checkpoint cumulative updates to a local folder. Make sure there are no other .msu files present.
1. Mount the install.wim file.
From bc3239cafdcdd56555b9b42b7cd520fe8d0783ae Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 31 Jan 2025 10:39:10 -0800
Subject: [PATCH 22/26] Update catalog-checkpoint-cumulative-updates.md
commit
---
.../deployment/update/catalog-checkpoint-cumulative-updates.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
index 867e17a256..f92a84a8fa 100644
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -90,4 +90,4 @@ Devices that aren't on the latest checkpoint cumulative update and don't need Fo
- [Servicing stack updates](/windows/deployment/update/servicing-stack-updates)
- [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities)
- [How to download updates that include drivers and hotfixes from the Microsoft Update Catalog](/troubleshoot/windows-client/installing-updates-features-roles/download-updates-drivers-hotfixes-windows-update-catalog)
-- [Update Windows installation media with Dynamic Update](media-dynamic-update.md)
+- [Update Windows installation media with Dynamic Update](media-dynamic-update.md)
From 248eef82d97bfc706fc386fff79bdc22decbdeef Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 31 Jan 2025 11:01:47 -0800
Subject: [PATCH 23/26] edits
---
.../deployment/update/catalog-checkpoint-cumulative-updates.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
index 867e17a256..a4e7755200 100644
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -38,9 +38,10 @@ If any checkpoint cumulative updates precede a target update, a device or image
A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There's no policy change or new requirement around when users must take these updates, though it's best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive.
+### Update Windows installation media
+
This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim).
-### Update Windows installation media
WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
From dae02a5ae9b4f40a7084d58759f629ee5c5f3c0d Mon Sep 17 00:00:00 2001
From: Mukund Kher
Date: Fri, 31 Jan 2025 11:03:11 -0800
Subject: [PATCH 24/26] Update catalog-checkpoint-cumulative-updates.md
Commit
---
.../update/catalog-checkpoint-cumulative-updates.md | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
index 4778484089..c7ba0f378d 100644
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -38,10 +38,9 @@ If any checkpoint cumulative updates precede a target update, a device or image
A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There's no policy change or new requirement around when users must take these updates, though it's best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive.
-### Update Windows installation media
-
This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim).
+### Update Windows installation media
WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
@@ -84,7 +83,7 @@ Installing FoDs or language packs requires the full latest cumulative update pay
**Device doesn't have the latest checkpoint cumulative update and doesn't need customization:**
-Devices that aren't on the latest checkpoint cumulative update and don't need FoD/language pack customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go. For more information, see the [Updating through checkpoint cumulative updates](#updating-through-checkpoint-cumulative-updates) section. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go.
+Devices that aren't on the latest checkpoint cumulative update and don't need FoD/language pack customization can either install all needed cumulative updates one by one in the right sequence. Alternately they can be updated using DISM to install all cumulative updates in one go. For more information, see the [Updating through checkpoint cumulative updates](#updating-through-checkpoint-cumulative-updates) section. If there are total four checkpoint cumulative updates available and device already has the first one installed, DISM applies the remaining three checkpoint cumulative updates in the right order followed by the target cumulative update, all in one go.
## Related articles
From 53a7beeb303649515112b4542b9efc9494218f8b Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 31 Jan 2025 11:09:40 -0800
Subject: [PATCH 25/26] edits
---
.../update/catalog-checkpoint-cumulative-updates.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
index c7ba0f378d..ce4b36fd45 100644
--- a/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
+++ b/windows/deployment/update/catalog-checkpoint-cumulative-updates.md
@@ -38,10 +38,10 @@ If any checkpoint cumulative updates precede a target update, a device or image
A checkpoint cumulative update is just another monthly security update that informs how subsequent updates are built. There's no policy change or new requirement around when users must take these updates, though it's best practice to take monthly security updates at the earliest opportunity to keep your devices protected and productive.
-This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim).
-
### Update Windows installation media
+This feature doesn't introduce any change to the applicability of monthly security updates. As before, these updates apply to the main OS (install.wim) and to WinPE (boot.wim) but not to WinRE (winre.wim).
+
WinRE is serviced by applying the servicing stack update from a cumulative update (latest cumulative update doesn't apply) and SafeOS Dynamic Update. This is how it has been for a while now, and there's no recent change to WinRE servicing and certainly no change due to the checkpoint cumulative updates feature. We understand that not everybody may have had a shared understanding about this, but applying servicing stack update then SafeOS Dynamic Update is the only way to ensure WinRE is serviced. For more information, see [Update Windows installation media with Dynamic Update](media-dynamic-update.md).
From a01cdb5681bbf0da0da91ac69ec2dbaa420a4e1d Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 31 Jan 2025 14:09:44 -0800
Subject: [PATCH 26/26] edits
---
.../deployment/update/media-dynamic-update.md | 36 +++++++++----------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 0ae148a631..33f43d08f6 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -13,7 +13,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Windows Server
-ms.date: 1/28/2024
+ms.date: 1/31/2024
---
# Update Windows installation media with Dynamic Update
@@ -62,7 +62,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system version 23H2 |
### Azure Stack HCI, version 22H2 Dynamic Update packages
-**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|----------------------------------------------------------------------------------------|----------------------------------------------|------------------|
@@ -72,7 +72,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system, version 22H2 | | |
### Windows Server 2022 later Dynamic Update packages
-**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|----------------------------------------------------------------------------------------|----------------------------------------------|------------------|
@@ -81,8 +81,8 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Latest cumulative update | YYYY-MM Cumulative Update for Microsoft server operating system, version 21H2 | | |
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Microsoft server operating system, version 21H2 | | |
-### Windows 11, version 22H2 and later Dynamic Update packages
-**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. Titles below are for Windows 11, version 22H2. Windows 11, version 23H2 and 24H2 have a similar format.
+### Windows 11, version 22H2, and later Dynamic Update packages
+**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. The following titles are for Windows 11, version 22H2. Windows 11, version 23H2, and version 24H2 have a similar format:
| Update packages |Title |
|-----------------------------------|---------------------------------------------------------------|
@@ -92,7 +92,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Windows 11 Version 22H2 |
### Windows 11, version 21H2 Dynamic Update packages
-**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|---------------------------------------------------------------|----------------------------------------------|------------------|
@@ -102,7 +102,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|Servicing stack Dynamic Update | YYYY-MM Servicing Stack Update for Windows 11 Version 21H2 | | |
### Windows 10, version 22H2 Dynamic Update packages
-**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+**Title**, **Product**, and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
| Update packages |Title |Product |Description |
|-----------------------------------|---------------------------------------------------------------|----------------------------------------------|------------------|
@@ -136,7 +136,7 @@ This table shows the correct sequence for applying the various tasks to the file
|Add Optional Components | | 12 | | |
|Add Safe OS Dynamic Update | 6 | | | |
|Add Setup Dynamic Update | | | | 26 |
-|Add setup.exe and setuphost.exe from WinPE | | | | 27 |
+|Add Setup.exe and setuphost.exe from WinPE | | | | 27 |
|Add boot manager from WinPE | | | | 28 |
|Add latest cumulative update | | 13 | 23 | |
|Clean up the image | 7 | 14 | 24 | |
@@ -147,7 +147,7 @@ This table shows the correct sequence for applying the various tasks to the file
> Starting in February 2021, the latest cumulative update and servicing stack update is combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 17 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
> [!NOTE]
-> Microsoft will remove the Flash component from Windows through KB4577586, "Update for Removal of Adobe Flash Player". You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, "Update for Removal of Adobe Flash Player" will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
+> Microsoft removes the Flash component from Windows through [KB4577586: Update for Removal of Adobe Flash Player](https://support.microsoft.com/kb/4577586). You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, "Update for Removal of Adobe Flash Player" will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/).
### Multiple Windows editions
@@ -157,13 +157,13 @@ The main operating system file (install.wim) might contain multiple editions of
You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what's in your starting image. When you add more languages and features, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
-Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid the cleanup failure. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
+Optional Components, along with the .NET feature, can be installed offline. However, doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid the cleanup failure. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
### Checkpoint cumulative updates
-Starting with Windows 11, version 24H2, and Windows Server 2025, the latest cumulative update may have a prerequisite cumulative update that is required to be installed first. These are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates will be available from the download button. In addition, the knowledge base article for the cumulative update will provide additional information.
+Starting with Windows 11, version 24H2, and Windows Server 2025, the latest cumulative update might have a prerequisite cumulative update that is required to be installed first. These updates are known as checkpoint cumulative updates. In these cases, the cumulative update file level differentials are based on a previous cumulative update instead of the Windows RTM release. The benefit is a smaller update package and faster installation. When you obtain the latest cumulative update from the [Microsoft Update Catalog](https://catalog.update.microsoft.com), checkpoint cumulative updates are available from the download button. In addition, the knowledge base article for the cumulative update provides additional information.
-To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call `Add-WindowsPackage` with the target cumulative update. The folder from `-PackagePath` will be used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder. Cumulative update packages with a revision <= the target cumulative update will be processed. If you are not customizing the image with additional languages and/or optional features, then separate calls to `Add-WindowsPackage` (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls cannot be used for steps 12 and 23.
+To install the checkpoint(s) when servicing the Windows OS (steps 9 & 12) and WinPE (steps 17 & 23), call `Add-WindowsPackage` with the target cumulative update. The folder from `-PackagePath` is used to discover and install one or more checkpoints as needed. Only the target cumulative update and checkpoint cumulative updates should be in the `-PackagePath` folder. Cumulative update packages with a revision <= the target cumulative update are processed. If you aren't customizing the image with additional languages and/or optional features, then separate calls to `Add-WindowsPackage` (checkpoint cumulative updates first) can be used for steps 9 & 17 above. Separate calls can't be used for steps 12 and 23.
## Windows PowerShell scripts to apply Dynamic Updates to an existing image
@@ -178,7 +178,7 @@ These examples are for illustration only, and therefore lack error handling. The
### Get started
-The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only. The script also showcases adding additional languages, Features on Demand, and Optional Components. These are not required, but added to highlight when in the sequence they should be addeed. Starting with Windows 11, version 21H2, the language pack (LANGPACK) ISO has been superseded by the Features on Demand ISO. Language packs and the \Windows Preinstallation Environment packages are part of the Features on Demand ISO. Further, the path for main OS language and optional features moved to \LanguagesAndOptionalFeatures instead of the root. If you are using this script for Windows 10, modify to mount and use the language pack (LANGPACK) ISO.
+The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only. The script also showcases adding additional languages, Features on Demand, and Optional Components. These aren't required, but added to highlight when in the sequence they should be added. Starting with Windows 11, version 21H2, the language pack (LANGPACK) ISO is superseded by the Features on Demand ISO. Language packs and the \Windows Preinstallation Environment packages are part of the Features on Demand ISO. Further, the path for main OS language and optional features moved to \LanguagesAndOptionalFeatures instead of the root. If you're using this script for Windows 10, modify to mount and use the language pack (LANGPACK) ISO.
```powershell
@@ -253,11 +253,11 @@ Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContai
### Update WinRE and each main OS Windows edition
-The script will update each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted.
+The script updates each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted.
-For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack servicing stack via the latest cumulative update, since its components are used for updating other components. Depending on the Windows release that you are updating, there are two different approaches for updating the servicing stack. The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined cumulative update format change, that requires a standalone servicing stack update to be published, and installed first before the combined cumulative update can be installed. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
+For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack via the latest cumulative update, since its components are used for updating other components. Depending on the Windows release that you're updating, there are two different approaches for updating the servicing stack. The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that includes the servicing stack updates (that is, SSU + LCU are combined). Windows 11, version 21H2, and Windows 11, version 22H2 are examples. In these cases, the servicing stack update isn't published separately; the combined cumulative update should be used for this step. However, in rare cases, there might be a breaking change in the combined cumulative update format change, that requires a standalone servicing stack update to be published, and installed first before the combined cumulative update can be installed. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
-Next, for the mounted OS image, the script starts by applying the servicing stack via the latest cumulative update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then attempts to clean the image, then a final step to apply the latest cumulative update. It is important to apply the latest cumulative update last, to ensure Features on Demand, Optional Components and Languages are updated from their initial release state. The .NET feature is an exception, that is added along with its cumulative update next. Finally, the script exports the image.
+Next, for the mounted OS image, the script starts by applying the servicing stack via the latest cumulative update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then attempts to clean the image, then a final step to apply the latest cumulative update. It's important to apply the latest cumulative update last, to ensure Features on Demand, Optional Components, and Languages are updated from their initial release state. The .NET feature is an exception that's added along with its cumulative update next. Finally, the script exports the image.
This process is repeated for each edition of Windows within the main operating system file. To reduce size, the serviced Winre.wim file from the first image is saved, and used to update each subsequent Windows edition. This reduces the final size of install.wim.
@@ -472,7 +472,7 @@ Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sourc
### Update WinPE
-This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe and setuphost.exe for later use, to ensure these versions matches the \sources\setup.exe and \sources\setuphost.exe version from the installation media. If these binaries aren't identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
+This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we save setup.exe and setuphost.exe for later use, to ensure these versions matches the \sources\setup.exe and \sources\setuphost.exe version from the installation media. If these binaries aren't identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. Finally, the script cleans and exports Boot.wim, and copies it back to the new media.
```powershell
#
@@ -613,7 +613,7 @@ Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\
### Update remaining media files
-This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe, setuphost.exe and boot manager files using the previously saved versions from WinPE.
+This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe, setuphost.exe, and boot manager files using the previously saved versions from WinPE.
```powershell
#