Add the ability to integrate Microsoft Defender CABs into Windows 10 and 11 images

steven4554
Include the ability to integrate the defender-dism-x64.cab into both Windows 10 and 11. I make these CABs and provide them for download every Tuesday on the MDL Forum and MSFN, so members can integrate them into their offline images. These CABs cannot be installed on a live OS, only on offline images. I also make arm64 and x86 versions too.
 
Welcome steven4554, I recognized your name from all your great contributions on MSFN forum.

Correct me if I'm wrong -- DefenderUpdateWinImage.ps1 doesn't actually "integrate" updates; but mounts an image, applies file changes, and commits them. This script can't run unmodified as NTLite handles its own mounting, though it could be removed.

The one caveat is you can only update Defender in one image at a time. NTLite has a feature to apply the same set of update CABs to several images in parallel. It wouldn't work in that case since this isn't a real KB file.

I'll volunteer on working out the script changes.
 
Thanks for replying garlin.

Yes, I suppose it would be difficult to include, as you stated that NTLite does service all images in the same install.wim, but if you can figure out a way to include them for post-updates then that would be great. If it works, then it's definitely better than nothing.

Off topic - I still update and provide update lists for Windows Updates Downloader on both My Digital Life forum and as you know MSFN.
 
I managed a first rewrite, using Get-WindowsImage to report NTLite's current mount folder. The final version won't require parameters except for the package's filename.

Waiting for nuhi to explain how to run commands from a preset. Worst case, it can be run live on the mounted image.

Code:
PS C:\Users\GARLIN\Downloads> .\defender-update-kit-x64\DefenderUpdateWinImage.ps1 -Action AddUpdate -WorkingDirectory TEMP -Package .\defender-update-kit-x64\defender-dism-x64.cab
Os Image Path      : C:\Users\GARLIN\AppData\Local\Temp\NLTmpMnt01
Working Directory  : TEMP
Action             : AddUpdate
Microsoft (R) File Expansion Utility
Copyright (c) Microsoft Corporation. All rights reserved.

Adding TEMP\cab\package-defender.xml to Extraction Queue
Adding TEMP\cab\Definition Updates\Updates\mpasbase.vdm to Extraction Queue
Adding TEMP\cab\Definition Updates\Updates\mpasdlta.vdm to Extraction Queue
Adding TEMP\cab\Definition Updates\Updates\mpavbase.vdm to Extraction Queue
Adding TEMP\cab\Definition Updates\Updates\mpavdlta.vdm to Extraction Queue
Adding TEMP\cab\Definition Updates\Updates\mpengine.dll to Extraction Queue
Adding TEMP\cab\Platform\4.18.2205.7-0\com.microsoft.defender.be.chrome.json to Extraction Queue
Adding TEMP\cab\Platform\4.18.2205.7-0\ConfigSecurityPolicy.exe to Extraction Queue
Adding TEMP\cab\Platform\4.18.2205.7-0\DefenderCSP.dll to Extraction Queue
Adding TEMP\cab\Platform\4.18.2205.7-0\endpointdlp.dll to Extraction Queue
....
Adding TEMP\cab\Platform\4.18.2205.7-0\zh-TW\MpAsDesc.dll.mui to Extraction Queue
Adding TEMP\cab\Platform\4.18.2205.7-0\zh-TW\MpEvMsg.dll.mui to Extraction Queue
Adding TEMP\cab\Platform\4.18.2205.7-0\zh-TW\mpuxagent.dll.mui to Extraction Queue
Adding TEMP\cab\Platform\4.18.2205.7-0\zh-TW\ProtectionManagement.dll.mui to Extraction Queue

Expanding Files ....
Progress: 5 out of 226 files
Expanding Files Complete ...
226 files total.
0
Updating security intelligence and antimalware engine.
Updating platform.
Successfully updated Defender.
Details of Defender update applied to the image are:
    Defender package version: 20220802.1
    Security intelligence version: 1.371.1205.0
    Engine version: 1.1.19400.3
    Platform version: 4.18.2205.7
 
For comparison, in reading the change logs, I understand that there is native support for Windows Defender updates in the most recent versions?
 
It's a fantastic option (at the end of the test), considering that if there are already Defender updates in the ISO (as in the case of those from UUP Dump - not erasable...), adding the latest Defender updates via NTLite doesn't seem to be implemented in the processed ISO.
 
It's a fantastic option (at the end of the test), considering that if there are already Defender updates in the ISO (as in the case of those from UUP Dump - not erasable...), adding the latest Defender updates via NTLite doesn't seem to be implemented in the processed ISO.
UUP Dump does not provide Defender updates, it includes whatever version is present in the Windows build.

Like Edge, OneDrive, Teams, and UWP inbox Apps -- Defender is designed to be self-updated after install. Therefore the ISO always includes outdated base versions of those packages.

Platform updates and definitions are not released as components. They're self-extracting files or CABs which overwrite the previous versions found in the image. You apply the extracted files using a file copy.
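To make the two points above concrete (garlin's Get-WindowsImage approach to finding NTLite's mount folder, and the fact that a Defender CAB is just a file archive copied over the image), here is an added pre-flight script. It is not garlin's rewrite and not Microsoft's DefenderUpdateWinImage.ps1: it locates the mounted image, stages the CAB with expand.exe, refuses to proceed if any DLL/EXE in the payload lacks a valid Authenticode signature, and compares the staged engine version with the one in the image. The ProgramData\Microsoft\Windows Defender location for mpengine.dll inside the mount is an assumption.

```powershell
# Added example, not garlin's script or Microsoft's DefenderUpdateWinImage.ps1.
# Pre-flight before copying Defender CAB contents into a mounted image:
# find the mount, stage the CAB, verify Authenticode on the PE files,
# and compare engine versions so a stale or tampered package is caught early.
param(
    [Parameter(Mandatory)] [string] $Package,                  # e.g. .\defender-dism-x64.cab
    [string] $Staging = (Join-Path $env:TEMP 'defender-cab')   # scratch folder
)

# 1. Mount folder as reported by the DISM module (NTLite uses NLTmpMnt01 under %TEMP%).
$mounted = @(Get-WindowsImage -Mounted)
if ($mounted.Count -ne 1) { throw "Expected exactly one mounted image, found $($mounted.Count)." }
$mountPath = $mounted[0].Path

# 2. Stage the CAB with expand.exe, the same tool seen in the thread output.
if (Test-Path $Staging) { Remove-Item $Staging -Recurse -Force }
New-Item -ItemType Directory -Path $Staging | Out-Null
& expand.exe $Package -F:* $Staging | Out-Null
if ($LASTEXITCODE -ne 0) { throw "expand.exe failed with exit code $LASTEXITCODE" }

# 3. Every DLL/EXE in the payload must carry a valid Authenticode signature
#    before anything is copied into the image.
$unsigned = Get-ChildItem $Staging -Recurse -Include *.dll, *.exe |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' }
if ($unsigned) {
    $unsigned | Select-Object Path, Status | Format-Table -AutoSize | Out-String | Write-Warning
    throw 'Package contains binaries without a valid signature; not applying.'
}

# 4. Engine version in the package vs. the image. The image path is an assumption:
#    Defender keeps its engine under ProgramData\Microsoft\Windows Defender.
function Get-EngineVersion([string] $Root) {
    $dll = Get-ChildItem $Root -Recurse -Filter mpengine.dll -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($dll) { [version] $dll.VersionInfo.FileVersion } else { $null }
}
$new = Get-EngineVersion $Staging
$old = Get-EngineVersion (Join-Path $mountPath 'ProgramData\Microsoft\Windows Defender')
"Engine in package: $new"
"Engine in image  : $old"
if ($old -and $new -and $new -le $old) {
    Write-Warning 'Package engine is not newer than the image; nothing to gain by applying it.'
}
```

Run it against the mounted image before the copy step; if it throws, the CAB should not be applied.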
 
Just select them from the Updates Downloader. It's magic.
Testing it now.
Thanks again and have wonderful weekend.

For the purposes of documentation, a question on usage:

Should we add both of these?

1) Latest MPAM-FE (microsoft.com)
2) The updateplatform.{amd64fre|arm64fre}_######.msi/msu? (catalog.update.microsoft.com)

Update for Microsoft Defender Antivirus antimalware platform - KB4052623 -- https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623

 
UUP Dump does not provide Defender updates, it includes whatever version is present in the Windows build.
I understand more about the ISO from UUP Dump, and this prevents you from acquiring any new updates with NTLite.
Then I can always be wrong...
 
There's some confusion on what UUP Dump is trying to provide, and the Windows servicing model.

Windows starts with a base release (ISO), and you apply different CUs or Enablement packages to update the build version. If you study their customized build script, it first builds a base ISO from all the UUP files. Unless you have opted out, the next step is applying all the KB updates it downloaded to bring the base image up to the selected Windows build.

What is missing from this servicing model? Features like Edge, Defender and Windows Apps are not updated on the base ISO. You get a default (and very old) version of those packages. If one of the CUs includes a replacement package, it might get refreshed. But usually it doesn't.

Edge, Defender and Windows Apps (Store apps) are intended to be updated after installation by Edge Updater or WU. Those sources are separate from the UUP files used to create images. UUP Dump won't update these packages for you.

NTLite can easily replace the old versions in the image. Since Defender updates are released very often, it's not component-based but actually a file archive which is trivial to work with. The only hard part is fixing the installed Updates data to reflect the new files.
 
NTLite can easily replace the old versions in the image. Since Defender updates are released very often, it's not component-based but actually a file archive which is trivial to work with. The only hard part is fixing the installed Updates data to reflect the new files.
I can't do it with NTLite since even though I select the new versions I get the message that the Upgrades are already present.

I haven't found any other ways to replace existing files with updated ones...
 
This is what I see after adding Defender updates to 22H2 (May 2023):


Do you have a specific integration example?
 
The problem is precisely this. Here's what happens.
1) I prepare the ISO from UUP Dump.
2) I extract the version (isolated) from the ISO and upload it.
3) I load the preset onto this.
4) I add Defender updates.
5) I get the "Error..." message with one of the Defender updates.
6) I apply the adjustments to install.wim (clearly without the Defender updates that cause the error).
Subsequently:
7) I reload install.wim.
8) I add Defender updates (the same ones) without getting error messages.
9) I apply the adjustments to install.wim (only the added Defender updates).
10) Everything goes well.
Conclusion:
Editing install.wim and simultaneously integrating Defender (later) updates fails.
Doing the same thing in 2 steps is successful.
This is what I can't explain.
 
I think what you've reported is that applying Defender updates to an isolated install.wim fails. But a normal ISO works for everyone else.
+nuhi
Exactly...
And I dare say (I hadn't thought that it could depend on an "isolated" version...), seeing the acquisition of other proposed updates (online updates), that every other update is not acquired either.

Let's see what nuhi says.

Thank you
 
What's the point?
In fact, it's a bit ridiculous that you integrate Defender updates into your build, knowing that you keep it, even though Defender updates its definitions between 1-? times a day when you are online.
You can postpone Windows Update - but DF updates still run.
It would be better to remove the definitions before installation and minimize the installation by approx. 100 MB, since the pre-installed definitions are outdated.
All users get the latest definitions as soon as they are online without having opened WU.
It is Windows (DF) per design!
 
What's the point?
In fact, it's a bit ridiculous that you integrate Defender updates into your build, knowing that you keep it, even though Defender updates its definitions between 1-? times a day when you are online.
You can postpone Windows Update - but DF updates still run.
It would be better to remove the definitions before installation and minimize the installation by approx. 100 MB, since the pre-installed definitions are outdated.
All users get the latest definitions as soon as they are online without having opened WU.
It is Windows (DF) per design!
I agree about the "definition", less so about the "engine".

And then I don't chase dimensional savings.

What I have verified, perhaps also for each type of update - an inserted CU which was then carried out after installation of the OS - I believe, with the "isolated" versions, is still present (bug?) and should be verified.
 