Using a custom NTLite ISO for upgrades, as well as installs

abufrejoval

I messed up.

After I had spent quite an effort in building a "perfect" custom image from the Windows 11 23H2 business editions ISO "updated to August 2024" from Microsoft, that resulted in something that didn't work ("cannot transfer start control to target" or similar appearing).

Never seen that before, so after trying to find out what I had done wrong, I eventually just went back to something that had worked before, which was the July ISO.

Carefully went through all the options again with what I thought was "updated to July 2024" ISO and happily installed two systems without any of the M$ cruft, including lots of applications on top (hours of work).

To my horror I then discovered that I had accidentally chosen a Windows 22H2 business editions "updated to July 2024" ISO as base, not 23H2 so I was now on the older Windows 11 release.

And that's when I noticed that these custom images that I create with NTlite won't support the "update and keep your apps and data" option, but will simply do a blank install

...and...

that using the original Windows 11 23H2 ISO image would add all the M$ cruft again, that I was so badly trying to avoid with NTlite...

So is there any way to either make an update-only variant or offer the choice within the custom NTlite images?
 
If an update adds stuff back in, just rerun your preset and remove once again. NTLite can also be used live, meaning when the operating system is running you can also remove to your heart's content.
 
22H2 images updated to the latest CU's are virtually identical to 23H2 images, except they're missing the KB5027397 23H2 Enablement Package.

Starting last year, new 23H2 features got hidden inside 22H2's CU's. The Enablement Package simply unlocks those features, and updates the version string from 22621 to 22631. Removing KB5027397 reverts 23H2 back to a 22H2 feature experience.

Download this KB, and apply it to your current ISO:
Code:
https://catalog.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/caa3ff4a-6420-4341-aeae-33b2d7f463be/public/windows11.0-kb5027397-x64_3a9c368e239bb928c32a790cf1663338d2cad472.msu

No new files or features will be installed, so it won't break your removals. But some Windows settings might be different.
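
One way to do this outside NTLite, as an added example (not from the original post and not NTLite's own method): check the download against the SHA-1 embedded in its catalog file name and against its Authenticode signature, then add it to one edition of an offline install.wim with the DISM PowerShell cmdlets. The working paths, mount folder and image index are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. All paths and the index below are assumptions, adjust them.
$Msu      = 'C:\Work\windows11.0-kb5027397-x64_3a9c368e239bb928c32a790cf1663338d2cad472.msu'
$Wim      = 'C:\Work\ISO\sources\install.wim'   # extracted ISO contents, writable copy
$MountDir = 'C:\Work\Mount'                      # empty folder
$Index    = 1                                    # edition to patch

function Test-CatalogPackage {
    param([Parameter(Mandatory)][string]$Path)

    # Update Catalog file names end in _<40 hex chars>, the SHA-1 of the file.
    # This only catches a corrupted or swapped download; trust comes from the
    # signature check further down.
    $name = [IO.Path]::GetFileNameWithoutExtension($Path)
    if ($name -notmatch '_([0-9a-fA-F]{40})$') {
        throw "No SHA-1 suffix in file name: $name"
    }
    $expected = $Matches[1]
    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    if ($actual -ne $expected) {          # -ne is case-insensitive for strings
        throw "SHA-1 mismatch: expected $expected, got $actual"
    }

    # The package must carry a valid Authenticode signature.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }
    return $sig.SignerCertificate.Subject
}

$signer = Test-CatalogPackage -Path $Msu
Write-Host "Package verified, signed by: $signer"

# Show the editions in the image so the right index can be chosen.
Get-WindowsImage -ImagePath $Wim | Format-Table ImageIndex, ImageName

Mount-WindowsImage -ImagePath $Wim -Index $Index -Path $MountDir | Out-Null
try {
    Add-WindowsPackage -Path $MountDir -PackagePath $Msu | Out-Null
    # List what DISM now records for this KB in the offline image.
    Get-WindowsPackage -Path $MountDir |
        Where-Object PackageName -like '*KB5027397*' |
        Format-Table PackageName, PackageState
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    # Leave the original image untouched if anything failed.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}
```

An install.wim with several editions needs the package added once per index you intend to deploy.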
 
Thank you both!

I'll try the work-arounds, which are bound to solve my immediate problem.

But it doesn't quite answer my question or solve the longer term issue of trying to avoid unwanted components and flags from being inserted on release updates by ensuring that the install/update images simply won't contain them.

So is there no flag one could set to make an image "update and keep all apps and data" vs. "overwrite everything"?

I don't mind creating separate images for primary installs and updates if it can't be made an interactive choice the way it's with the original Microsoft images. I was quite surprised when I noticed the previous install was all gone and I didn't even manage to revert the update (even with windows.old still present).

And quite honestly, I've bought NTlite primarily for the purpose of creating custom images, the ability to control existing systems was an unexpected windfall which so far is more confusing than useful to me.

That might change once I invest some time and get familiar with it, but so far image management isn't a primary occupation as the population I manage is still around a dozen or two, most of which are really VMs.

And I guess it will be on VMs where I'll do the testing for that now...
 
If you are not wanting to have Windows randomly updating and avoid unwanted components in release updates... you can always stop Windows updates for an extremely long time by using the delay.

That or completely remove the updates themselves and use Ntlite to do your windows updates when you see something you want.
 
The fundamental problem is how Windows Servicing works. When an install image is provided, all the components are already extracted to their target folders and can be carefully removed while preserving the ability to allow future Updates.

But when WU applies a new CU, the components are packaged inside a set of nested archives and protected by digital signatures. If you wanted to avoid breaking Windows, there is no choice but allow WU to extract whatever it needs to patch – even if that restores previously removed components.

NTLite's strategy is for you to wait until WU is done, and then run NTLite in Remove reinstalls mode which will repeat the previous removals.

Is this process annoying? Yes, it's either disabling Monthly Updates or not having component removals at all.
 
That's filling the essential information gap quite well and explains why NTlite is made the way it is: thanks a lot!

So I guess I'll have little choice but to adapt...

Now I just have to find out how to keep VBS off because it's killing my nested virtualization with VMware Workstation.

Evidently it gets pulled in when you have a discrete TPM chip, even if it's only used for biometrics.
 
There are many workarounds to disable VBS, but one easy trick is:
Code:
bcdedit /set hypervisorlaunchtype off

Since you're using VMware, it's unlikely you'll be using Hyper-V at the same time.
 
Keep at it...takes time and this program isn't a quick fix. Once you get the hang of it you will be zooming in no time and loving it.
 
That's a separate long sad story... Evidently if VBS has been enabled at one point or another, VMware workstation starts having issues...

I basically got two new laptops at the same time, which I wanted to provision with a clean Windows 11 23H2...
And an older one, which needed a fresh install (on a new SSD) after the NVMe drive developed "cancer".

#1 a Lenovo LOQ ARP9 with a Ryzen 7 7435HS, basically a Zen3 APU with the iGPU disabled and an Nvidia RTX 4060 in its place,
#2 is a Lenovo Thinkpad X13 G4 featuring a Ryzen 7 PRO 7840U or a Zen4 APU combined with a Radeon 780m iGPU.
#3 is a Lenovo Slim 7 13ACN05 featuring a Ryzen 7 5800U or a Zen 3 APU combined with a Radeon Vega 8 iGPU

And the three behave very differently with regards to disabling VBS or with getting VMware Workstation 17.5.2 to use its own hypervisor instead of Hyper-V.

Long story short on
  1. #1 was easy. Just deactivated "kernel isolation" (putting these in quotes, because I'm translating these terms from an OS localized in German and that is a bit of a hit and miss affair) and VBS was off.
  2. #2 VBS cannot be deactivated, no matter how or what. And I've pretty near tried everything except a complete re-install.
  3. On #3 VBS can be deactivated, but VMware won't run properly, even after a complete uninstall/reinstall cycle, as for some reason it assumes it's still running underneath Hyper-V: evidently it's being misled by some registry stuff or similar.

VMware QA has suffered greatly with the Broadcom takeover and it's one of the reasons I can't use VMware Workstation 17.6, because it fails on non-US systems trying to configure user/group permission settings on the host.

As to why VBS cannot be disabled by any of the usual methods, I can only speculate.

Generally the Hyper-V logic seems to take hints from the BIOS. If you enable AMD-V in the BIOS, msinfo will already report "Hyper-V enabled in BIOS".... which could just be a bad way of saying that virtualization is enabled.

But #2 has a "Pro" variant of Ryzen, which also selectively enables memory encryption even on an APU and it has both a Pluton service processor and a discrete TPM, all of which are enabled but not configured, mostly because I want to use biometric login, which requires some TPM for storage.

Since #2 and #3 only have 32 and 16GB of RAM respectively, I may just be able to make do without nested virtualization, but there are other smallish differences between VMware's type 2 hypervisor and Hyper-V as type 1. Again, I guess I'll just have to live with them or try to go with a Windows 10 install first to keep VBS off (tons of work and trouble) or an old Windows 11 edition.

#1 will have 64GB of RAM and I'm glad that one works just fine with nested VMs. It also has no biometric support, its pre-Pluton TPM is enabled but unused. So perhaps that's why disabling VBS was much less of an issue...

I keep Bitlocker deactivated and typically install without secure boot, too, because most of my machines are dual boot (and I believe NTlite ISOs won't work with secure boot, either).

My suspicions fall somewhere between bad VMware QA and Microsoft relentlessly pushing "features" nobody sane really wants: disabling the disabling of Hyper-V and VBS with hardware they judge "Enterprise" may just be one of those decisions they make on behalf of their customers without asking or even letting them decide.
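
To see which of the states discussed in the posts above a given machine is actually in, and which VBS-backed protections `bcdedit /set hypervisorlaunchtype off` would stop, the following read-only report can be run from an elevated PowerShell prompt. It is an added example, not part of any post in this thread; the function name `Get-VbsState` and the output field names are made up for illustration.

```powershell
# Added example: read-only report of VBS / hypervisor state. Changes nothing.
function Get-VbsState {
    # Value meanings for the Win32_DeviceGuard class.
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    $services  = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)'
                    3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop

    # Translate service ids to names; id 0 means "none" and is dropped.
    $toNames = {
        param($ids)
        @($ids | Where-Object { $_ } | ForEach-Object {
            if ($services.ContainsKey([int]$_)) { $services[[int]$_] } else { "Service id $_" }
        })
    }

    # Local DeviceGuard configuration. Locked = 1 means VBS was enabled with
    # UEFI lock, which a registry change alone does not undo.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' `
                            -ErrorAction SilentlyContinue
    # A policy key here means Group Policy or MDM is setting VBS options.
    $policy = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

    # Boot entry setting; the line is absent when the value was never set,
    # and bcdedit prints nothing useful when not elevated.
    $bcd = @(bcdedit /enum '{current}' 2>$null) -match 'hypervisorlaunchtype'
    $launch = if ($bcd) { ($bcd[0].Trim() -split '\s+')[-1] }
              else { '(not set, or not readable without elevation)' }

    [pscustomobject]@{
        VbsStatus            = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured   = (& $toNames $dg.SecurityServicesConfigured) -join ', '
        ServicesRunning      = (& $toNames $dg.SecurityServicesRunning) -join ', '
        RegistryEnableVbs    = $reg.EnableVirtualizationBasedSecurity
        RegistryUefiLock     = $reg.Locked
        PolicyKeyPresent     = $policy
        HypervisorLaunchType = $launch
        # True when Windows itself is running on top of a hypervisor.
        HypervisorPresent    = (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
    }
}

Get-VbsState | Format-List
```

Comparing the output before and after a change (and a reboot) shows whether the hypervisor really stopped loading or whether a policy or lock re-enabled it.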
 
Well, I just re-discovered why I was using NTlite as a custom ISO tool, only: licensing!

I have over twenty physical systems in my home lab, most of them actually running Linux, but then many of those Linux systems are then running Windows VMs again, sometimes with GPU pass-through for CUDA test work.

Most of that is for home-lab testing, nothing anywhere near "productive" running on them, but some of the CUDA GPUs also get to be used for gaming after-hours, so again many machines are dual (or triple) boot.

Add to that constantly changing hardware, components swapped and moved at will and you can imagine that 5 tracked activations could be gone in a few hours, which is why I only installed NTlite on a Windows 2022 server (in fact my main workstation, but also the main file server), because it's the most constant system in the bunch.

Now adding another license or even two might not totally explode my budget, but having to keep track of where I used what is simply not something I ever like to do: I use either open source software or software that uses Borland style "like a book" licensing, where a single concurrent user is covered with everything he does.

I guess I'll just have to look for another solution then, hopefully somebody else comes up with something sane and less restrictive.
 
I think you might be misunderstanding how to use NTLite and/or the license effectively. A license provides 5 activations in total, but it doesn't mean 5 installations of Windows. Install NTLite and activate it on 1 machine that isn't going to have a motherboard or network card change anytime soon, and you can use that first activation to literally make an infinite number of custom Windows images.

As an example, you could install NTLite on a single computer and use it to make 100 custom Windows iterations until you reach your perfect "golden image" and all of that is 1 license activation in total. Then simply copy your custom installation files to a USB and go install that image onto any other computer(s). You can install that custom Windows on a million computers without using anymore NTLite activations, because NTLite only needs to be installed and activated on whatever computer you use to make your custom image with.

If you need a portable NTLite to do live customizations on numerous computers, the business license does that. There are 3 NTLite license types that can be purchased, and they each target a different usage as explained below, which was taken from NTLite's Shop page (link).

LICENSE TYPES
Home: Purchase a Home license and get all the features, elevating your abilities to maintain and tweak your personal machines.

Professional: If you intend to use NTLite in a commercial environment, for example an admin configuring images from a workstation, this is the one for you.

Business: If you intend to use NTLite in a commercial environment, and be able to configure images and other machines live on the spot; having a portable license is the ideal choice.
 
There's no need to install NTLite on every system you own. The primary goal of NTLite is to create install images, which can be deployed to any PC without a NTLite license. Normal Windows licensing rules apply to the target PC's.

In a few specific cases, it might be useful to install NTLite on multiple PC's. Mostly to use the Host Refresh feature to perform a "repair reinstall" to restore a previously removed feature or component. But if you're really an expert admin, it's assumed you're doing extensive testing before unwittingly pushing out a broken image to multiple PC's.
 
That's how the whole thread started...

When I bought NTlite almost two years ago, it was mostly for the ability to create custom images. I used it a couple of times, noticed that it had this other mode whereby you could essentially create installers for clones of a running system, which was interesting but not really a use case I had in mind and it would require activations on those systems.

Since those would disappear in a heartbeat I concentrated on the custom image use case and put NTlite on the most stable system, which is also the file server and holds all ISO and VM image backups.

But then I noticed that I cannot use those NTlite custom ISOs to update systems made with a previous custom ISO: it will invariably result in a new install.

And then I was told that this is because of Windows installation mechanics, and that I'd have to use the profile of the custom ISO to remove components after using a standard Microsoft ISO to upgrade.

But since that approach eats activations, it's unfortunately impractical...
 
Last time I checked, Remove reinstalls don't require a licensed version of NTLite to run locally.
 
For someone with the label "staff member", that is a frustratingly imprecise statement.

My reading of the license terms implies that operation of NTlite is licensed per machine that it is installed on.

And to my technical understanding NTlite would need to be installed on each machine which was bootstrapped with a custom ISO and now needs some cleanup after M$ added Copilots and other nasties in a release update (or whenever they feel like going against a PC owner's wishes).

So if an "eval version" of NTlite can be used to remove packages according to a profile, that would be bypassing the license, or did I miss some clause which provides an exception there?

But then there is plenty of software out there which just brands installations with a licensee name and otherwise doesn't bother them with activations or similar management nightmares, that your company might want to adopt.
 
Did you see my previous reply? I mention making images, as well as using NTLite on live configurations. It sounds like the business license is what you needed all along, which I discuss in my last paragraph and spoiler. I don't have enough hands-on experience myself to comment on remove reinstalls and such, since I just don't use those features, because I pause Windows Update forever and make an updated image each year when Microsoft releases a new ISO, but I do agree with various sentiments I've seen repeated on the forum and Discord, which nuhi should consider.

NTLITE LICENSE/FORUM SUGGESTIONS
1) Remove the "Staff member" tag from posts, as well as from the Members pages (link1, link2), and leave "Moderator" or "Volunteer Moderator" only, because it isn't apparent to members that people like Garlin are unpaid volunteers that don't have a hand in NTLite's development, aside from providing feedback and managing the forum out of their own self-interest. This may also just be a XenForo issue that cannot be changed. On a related note, the "Most solutions" members box could be removed, since we don't use it on this forum anymore.

2) The licensing is objectively confusing, because not only do users get mixed up about the difference between NTLite activations and Windows activations, but there have been other problems at play, which I've posted (link3) about before. If you simply turn off your network adapter from the BIOS for example, it used to force you to activate NTLite again. There have been other quirks like that which confused things too.

3) Because NTLite is aimed at being portable by nature (configuring live installs), it does get confusing how to choose between Home/Pro/Business, and the entire documentation explaining how a license doesn't expire and you get 1 year of new upgrades confused me for the longest time too. It's not intuitive, unless you've specifically worked with licenses/tools of this nature before. The shop page is a lot of complex and technical information to digest, and it doesn't make sense to the masses until they've been using NTLite for a long time. Two examples here are that the words, "Host refresh" and "Remove reinstalls" don't appear on the shop/license page. The documentation needs to reflect how the tool is used and words things.
 
I'm a volunteer mod, "Staff member" is the generic title the NTLite forum's platform assigns to the handful of mods.

NTLite is the product of a single dev, so he's often busy working on new features, fixing bugs, or resolving billing and licensing issues. Since I don't have any formal association with the company, I can't read nuhi's mind on all matters. If I post an incorrect statement, he will eventually counter it or edit my posting.

You're allowed to use free NTLite on a system, and all the unlicensed features it provides. If "Remove reinstalls" is available on the free edition, then using it isn't implicitly bypassing the license. On the other hand, if "Remove reinstalls" wasn't supposed to be free, nuhi could easily change it if that was his express intention.

To use it in a commercial workplace, would imply you need to purchase the Pro (not Business) license anyway. The Business license may or may not be required for the other seats if you're only using the non-licensed features on them.

You can always e-mail [email protected] (which is the dev).
 