In August of 2007 the "Windows Update Catalog" site went live. Although not perfect, this site allows for the relatively easy download of all MSU update files required to patch a new Vista install against the most serious vulnerabilities.
"AutoPatcher" seemed a simpler approach to Vista patching, but its future is uncertain, so I am canning that app for now.
Here is the procedure I have been using to stream updates into BDD, such as it is:
- Go to http://catalog.update.microsoft.com.
- Perform these searches:
  - "Vista Critical"
  - "Vista Rollup"
  - "Vista Security"
- Add all "x86" platform updates to your download cart.
- Review the updates in the cart to ensure that they have not been superseded (some of them will be obsolete). I have been downloading these different classes of updates into separate "buckets" in the staging directory "e:\staging\packages\vista" (I have "critical_update", "security_update", "update_rollups", and "updates").
- N.B. DO NOT just download and import all "Vista Updates"... some of these have broken the LiteTouch install process for us in the past.
- Right-click the "OS packages" branch in BDD and select "new", point the wizard to the base vista packages staging directory... let 'er rip.
- The next time you perform a Vista install, review all updates that need to be applied after first boot. Return to the catalog site, search for these by KB number and add them to your BDD distribution share.
Note that we still are disabling Automatic Updates during the BDD process... some updates have created significant interference with application installers in the past, so we disable updates in unattend.xml, and we will add task sequencer items to each build to re-enable updates at the end of LiteTouch. See below for details...
There are several pages describing how to use PEIMG to inject Vista "MSU" updates into an offline Vista installation "install.wim" file. I found this one most helpful:
Note that since AutoPatcher for Vista is now up and running, it may ultimately be simpler to use that tool to patch Vista images between service packs.
It will be vital that automatic updates are disabled during deployment, so as not to interfere with AutoPatcher. We will then want them re-enabled at the completion of setup.
We prevent Windows Update from running automatically with the following unattend.xml setting:
Microsoft-Windows-Shell-Setup_neutral - 7 : ProtectYourPC=3
If we use this option, we will need to be absolutely sure that this setting gets altered back to default at the end of LiteTouch.
We are able to turn automatic updates back on by clearing the current Automatic Update registry settings, then importing the desired settings:
- First run:
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /f
- Then run reg import for a file containing the following:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
- Finally, we force Windows Update to do a detection:
    wuauclt /detectnow
Here is the quick run-through on injecting OS Packages into a Vista image, in case we still feel that we need to do this. As you can see, it is something of an unmaintainable PIA:
1. Obtain all the hotfixes required via http://support.microsoft.com (they'll be provided by MS in the .msu file format).
2. Expand/extract the .msu files to obtain the .cab file required for integration (peimg requires the .cab file to integrate the hotfix). To do so, type:
       expand -F:* e:\staging\packages-vista\Windows6.0-KB928089-x86.msu e:\staging\packages-vista\KB928089-x86
   After extracting the .msu, you'll notice 4 new files in the directory you extracted the .msu into: a txt file, an xml file and 2 cabs. The only file that's needed is the main .cab file, in this case Windows6.0-KB928089-x86.cab. The rest can be deleted, including the .msu. This process should be repeated for all the .msu hotfixes.
   Alternatively, you can use "7-Zip" to extract the MSU files, as they are packaged using standard compression tools.
3. Copy the desired Vista install.wim from the BDD distribution share to a temp working folder, such as "e:\staging\operating systems\Vista\". This will prevent end-users from getting locked out while the file is being serviced.
4. After expanding all the .msu updates, they then need to be imported into the install.wim. Each version of Vista included in the install.wim needs to be manually updated. So for example, if you wish to import the hotfixes into the Ultimate SKU in the 32-bit install DVD, use the following commands:
       imagex /mountrw "e:\staging\operating systems\Vista\sources\install.wim" 1 e:\mount
   (where e:\mount is the folder to mount the install image to and 1 is the image index number for Vista Enterprise. Note that this index number can vary if you are not working from VL media).
       peimg e:\mount\windows /import=e:\staging\packages-vista\KB928089-x86\Windows6.0-KB928089-x86.cab
   Import the rest of the updates by repeating the same peimg command and replacing the cab filename.
5. Now that all of the hotfixes have been imported, it's time to actually install the hotfixes into the Windows image. If you were to not install the hotfixes, Windows Update would still ask you to install the updates, although you would not be required to download them since you already have a local copy. Installing the hotfixes bypasses that issue and actually injects the hotfix into the install. Use the following command to do so:
       peimg /install=*Package* e:\mount\windows
   This command will iterate through all the packages/hotfixes that have Package in their name, so it's not necessary to repeat the command for all the hotfixes. To view all the updates and to check whether they have been installed, type:
       peimg /list /image=e:\mount\windows
6. Unmount the Vista image with the "commit" flag, or all of your modifications will be thrown out:
       imagex /commit /unmount e:\mount
7. Steps 4 and 5 need to be repeated for all the Vista editions on the distribution share if you wish to update every version. At this point, you may wish to rebuild a Vista ISO file for re-distribution. To simplify things, use a tool such as vLite to rebuild the ISO so you won't be required to go through the process of extracting the boot sector and using cdimage or oscdimg to rebuild the ISO.
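The injection procedure above (expand, mount, import, install, list, unmount) collected into one batch file; this is an added example, not part of the original notes. It assumes the staging paths and image index used above, a folder-per-update layout chosen here for illustration, and that expand, imagex and peimg return a non-zero exit code on failure. If any step fails, it unmounts without committing so a half-patched image never reaches the distribution share.

```bat
@echo off
rem Added example, not from the original notes. Paths and image index are the
rem ones used above. Assumes paths without spaces for peimg, an existing empty
rem mount folder, and that expand/imagex/peimg exit non-zero on failure.
setlocal
set "PKG=e:\staging\packages-vista"
set "WIM=e:\staging\operating systems\Vista\sources\install.wim"
set "MOUNT=e:\mount"
set "INDEX=1"
set "FAILED=0"

rem Step 2: expand each .msu into a folder named after it (layout assumed here).
for %%M in ("%PKG%\*.msu") do (
    if not exist "%PKG%\%%~nM" mkdir "%PKG%\%%~nM"
    expand -F:* "%%M" "%PKG%\%%~nM" >nul || set "FAILED=1"
    rem The main cab carries the same base name as the .msu.
    if not exist "%PKG%\%%~nM\%%~nM.cab" set "FAILED=1"
)
if "%FAILED%"=="1" (
    echo Extraction failed; image not touched.
    exit /b 1
)

rem Step 4: mount the image read/write and import every main cab.
imagex /mountrw "%WIM%" %INDEX% "%MOUNT%" || exit /b 1
for %%M in ("%PKG%\*.msu") do (
    peimg %MOUNT%\windows /import=%PKG%\%%~nM\%%~nM.cab || set "FAILED=1"
)

rem Step 5: install everything imported, then list package state for review.
peimg /install=*Package* %MOUNT%\windows || set "FAILED=1"
peimg /list /image=%MOUNT%\windows

rem Step 6: commit only a fully serviced image; otherwise discard the changes.
if "%FAILED%"=="1" (
    echo Servicing failed; unmounting without commit.
    imagex /unmount "%MOUNT%"
    exit /b 1
)
imagex /unmount /commit "%MOUNT%"
```

Run it once per image index (change INDEX) to cover each Vista edition in the install.wim, and keep the peimg /list output with the build record as evidence of which KBs the image contains.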