Add the ability to integrate Microsoft Defender CAB's into Windows 10 and 11 images

Exactly...
And I dare say (I hadn't thought that it could depend on an "isolated" version...), seeing the acquisition of other proposed updates (online updates), that every other update is not acquired either.

Let's see what nuhi says.

Thank you
Hi clarensio,

I have downloaded 19045.3636 from UUP, moved install.wim from it to be Isolated and loaded it.
Went to Updates - Add latest
Only prompt I got was:
Existing item: KB5031356 - Version: 19041.3570 <= 19045.3636, which is fine.

Integrated Defender updates. Reloading the image it shows integrated versions fine in Updates - Existing updates.

Am I missing a step?


On a similar topic, what did you mean by "every other update is not acquired either"?

Thanks.
 
Thanks Nuhi and I will try to explain myself better.
With NTLite 9466 this happened:
- I added the WD update (engine and definition) with that same error message that you also reported.
- I then installed the OS but then that engine update was not acquired in WD: it wanted the upgrade which I thought I had already done.

With NTLite 9472, however, the WD upgrade is acquired and present.

Regarding "every other update is not acquired either", I was referring to the acquisition of the Windows CU. I tried to integrate it (so as not to have it in Windows Update) but I couldn't, even though it was "missing".
[Attached screenshot: Snap1324.jpg]

But maybe I was wrong, as for the impossibility of carrying out DISM ResetBase in NTLite due to "the presence of ongoing update processes" (I think NTLite said).

But anyway, I too will investigate more carefully (for DISM I click OK anyway and move on).

Thank you
 
What's the point?
In fact, it's a bit ridiculous that you integrate Defender updates into your build, knowing that you keep it, even though Defender updates its definitions between 1-? times a day when you are online.
You can postpone Windows Update - but DF updates still run.
It would be better to remove the definitions before installation and minimize installation by approx. 100 mb with the pre-installed definitions which are outdated.
All users get the latest definitions as soon as they are online without having opened WU.
It is Windows (DF) per design!
A lot of OT/ICS environments rely on air-gapped configuration, and only receive pre-validated/tested update definition, periodically, through something like LANDESK / Ivanti.

Would you hook up your Windows SCADA for your plutonium enrichment centrifuges to the Internet? >:}
 
I'd bet that security issues in most closed environments are more caused by outdated software than Defender being updated with the latest definitions.
It also wouldn't surprise me if a centrifuge out there is still running XP whether it's in research or nuclear development!
 
Yes I agree.

But the perception from most OT Vendors (names omitted for their own protection) is that any changes done to a Windows OS image that improves cyber security could potentially impact performance and thus invalidates whatever limited warranty they provide about the reliability and performance of their software.

They're just desperately looking for excuses to refuse your customer service request.

When you dance with the Devil, you wait for the music to stop.

Obviously, the situation is not a dichotomy; a middle ground is sought.

Windows Defender needs regular engine/definition updates, but direct or proxy internet connections may never be authorized due to organizational/institutional cultural mores that consider air-gapping the crux of good security. Landesk/Ivanti is a good alternative.

Additionally, OS images are often updated, as reimaging is common practice when you have thin clients such as HMI PanelPCs.

So ensuring that the most recent OS image has relatively recent versions of SSUs, CUs, and Windows Defender Engine/Definition is a step in the right direction. If you're installing a fresh copy of v1607/Win10 EntIOT LTSB from 2016 today, because that's the only OS licensed to run on your HMI PanelPC sold by your OT vendor, and they categorically refuse to update their OS recovery image, then it becomes your responsibility to maintain deviations (at the risk of losing their customer service support).

One of those deviations? Windows Defender definitions from 2023, 7 years newer than those that shipped bundled with the Microsoft OEM v1607 R.T.M. ISOs.

Come work in O.T. ? Ideally Renewable Energy....
 
Some of us have worked in corporate or institutional settings, where there are mandated security policies which are enforced by another internal group. They don't allow much leeway in interpreting policy. One key principle is unless you have a policy exception, any new PC added to the internal network must be updated as much as possible when it's brought online.

While you can argue that device will eventually update itself, it's vulnerable for an unknown window of opportunity. Security policy says this is unacceptable risk, so you make every effort to bake updates into the image or install process.

People who don't like or agree to these restrictions don't get hired into these IT roles. This world is very real.
 
And they still wonder why they get hacked through outdated software, not to forget office employees sharing "sh*t" everywhere to get the like of the day from their workstation, even though their handbook says they are forbidden to do SoMe during working hours.
Come work in O.T. ? Ideally Renewable Energy....
Thanks for the offer - still driving a gasoline car and have no intention to change to an overpriced E-car with a short range to support bad food rests.
 
I know bseklecki_ge will enjoy this:

Where do we find the latest SecHealthUI Appx package, since it's not available on the Store?

Browse the Windows 11 / Microsoft Defender Anti-Malware/Platform Update Kit for Windows 11 discussion on MDL forum.
Work backwards from the final post, until you see someone sharing the most recent download URL for securityhealthsetup_*.exe

For example, Nov 2023 release (1.0.2311.17002):
Code:
http://download.windowsupdate.com/d/msdownload/update/software/defu/2023/11/securityhealthsetup_76fc0a39cf868048394de1fc7dbe55fe04a4f281.exe

1. Download this EXE file.
2. Download ResourceExtractor from GitHub. This command-line tool is less balky than Resource Hacker.

3. Extract the Microsoft.SecHealthUI_8WEKYB3D8BBWE.appx package. Only the source EXE file argument will change over time.
Code:
ResourceExtractor.exe extract securityhealthsetup_76fc0a39cf868048394de1fc7dbe55fe04a4f281.exe RT_RCDATA/MICROSOFT.SECHEALTHUI_8WEKYB3D8BBWE.APPX/1033 Microsoft.SecHealthUI_8WEKYB3D8BBWE.appx

4. Add this package file under Updates. The Defender UI app is separate from the Platform (Engine) and Definition updates.

Can this process be automated? Not really, MDL community is looking at the Insider release updates, and parsing out the WU links for Defender UI package downloads. It's presented here for reference, if you're interested in the solution.
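The four steps above as one PowerShell script, added here as an example and not part of the post or of NTLite: it downloads the installer quoted above, checks its Authenticode signature before unpacking, runs the same ResourceExtractor command, and reads the package version out of the resulting appx so you know exactly which build you are adding under Updates. It assumes ResourceExtractor.exe sits in the current directory and that you replace the URL with the current one from the MDL thread.

```powershell
# Added example (not from the forum post or NTLite). Assumes ResourceExtractor.exe is in
# the current directory; the URL is the Nov 2023 release quoted in the post.
$Url     = 'http://download.windowsupdate.com/d/msdownload/update/software/defu/2023/11/securityhealthsetup_76fc0a39cf868048394de1fc7dbe55fe04a4f281.exe'
$Exe     = Split-Path -Leaf $Url
$Appx    = 'Microsoft.SecHealthUI_8WEKYB3D8BBWE.appx'
$ResPath = 'RT_RCDATA/MICROSOFT.SECHEALTHUI_8WEKYB3D8BBWE.APPX/1033'

# 1. Download the installer.
Invoke-WebRequest -Uri $Url -OutFile $Exe

# Check before unpacking: the EXE must carry a valid Microsoft Authenticode signature.
# Anything else is refused rather than extracted into an image.
$sig = Get-AuthenticodeSignature -FilePath $Exe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Signature check failed for $Exe : $($sig.Status)"
}

# 2./3. Extract the embedded appx (same ResourceExtractor command as in the post).
& .\ResourceExtractor.exe extract $Exe $ResPath $Appx
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Appx)) { throw 'Extraction failed' }

# The appx is itself signed; verify it the same way before trusting its contents.
$appxSig = Get-AuthenticodeSignature -FilePath $Appx
if ($appxSig.Status -ne 'Valid') { throw "Appx signature status: $($appxSig.Status)" }

# 4. An .appx is a zip: read Package/Identity from AppxManifest.xml to record the
# exact name, version and architecture you are about to add under Updates.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $Appx).Path)
try {
    $entry = $zip.GetEntry('AppxManifest.xml')
    if (-not $entry) { throw 'AppxManifest.xml missing: not a valid appx' }
    $reader = New-Object System.IO.StreamReader($entry.Open())
    [xml]$manifest = $reader.ReadToEnd()
    $reader.Dispose()
    $id = $manifest.Package.Identity
    '{0} {1} ({2})' -f $id.Name, $id.Version, $id.ProcessorArchitecture
} finally {
    $zip.Dispose()
}
```

Keep the printed name/version next to the image's change log; NTLite's Existing updates view is where you confirm it landed after reloading the image.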
 