Jaa


Windows 7 refreshed media creation

The fastest way to patch a Windows 7/Server 2008 R2 machine is to take advantage of the Convenience Update Rollup from April 2016 (KB3125574). The Conv. UR updates a lot of components and to ensure that that happens without any servicing problems, it has as a prerequisite the Servicing Stack Update from April 2015 (KB3020369). To install most of the other patches in between April 2016 and October 2016 we will include the following updates:

  1. KB3020369 (April 2015 Servicing Stack Update)
  2. KB3125574 (April 2016 Convenience Update Rollup)
  3. KB3177467 (September 2016 SSU)
  4. KB3172605 (July 2016 Functional Update Rollup, 7C* package)
  5. KB3179573 (August 2016 FUR, 8C* package)
  6. KB2841134 (Internet Explorer 11, Optional)
  7. KB3185330 (October 2016 Monthly Quality Rollup, 10B' package [contains September 2016 FUR, 9C* package])

*3rd Tuesday package of that month.

Download all the packages from the Microsoft Update Catalog (now updated to work on all browsers) to a folder:

https://www.catalog.update.microsoft.com/Search.aspx?q=3020369 https://www.catalog.update.microsoft.com/Search.aspx?q=3125574 https://www.catalog.update.microsoft.com/Search.aspx?q=3177467 https://www.catalog.update.microsoft.com/Search.aspx?q=3172605 https://www.catalog.update.microsoft.com/Search.aspx?q=3179573 https://www.catalog.update.microsoft.com/Search.aspx?q=2841134 https://www.catalog.update.microsoft.com/Search.aspx?q=3185330

Expand the .MSU files to extract the .CAB file which will be used with DISM:

image1

Command used:
expand -f:*Windows*.cab C:\files\Window7MediaRefresh\*.msu C:\files\Window7MediaRefresh\CABs (thank you abbodi1406)

Afterwards we should have the following:

image2

For this guide we will use the install.wim file from a Windows 7 Enterprise x64 SP1 Media:

image3

Mount the image as described in the offline servicing article below:

Add or Remove Packages Offline Using DISM https://technet.microsoft.com/en-us/library/hh824838.aspx

Dism /Mount-Image /ImageFile:C:\test\images\install.wim /Name:"Windows 7 ENTERPRISE" /MountDir:C:\test\offline

And now we can start adding the first package, the KB3020369 SSU:

Dism /Image:C:\test\offline /Add-Package /PackagePath:C:\files\Window7MediaRefresh\CABs\Windows6.1-KB3020369-x64.cab

image4

We can check the installation state using the command below:
Dism /Image:C:\test\offline /Get-Packages

It is in a "Install Pending" state:
Package Identity : Package_for_KB3020369~31bf3856ad364e35~amd64~~6.1.1.1
State : Install Pending
Release Type : Update
Install Time : 11/4/2016 9:11 AM

The next update to install is the Convenience Update Rollup KB3125574:

Dism /Image:C:\test\offline /Add-Package /PackagePath:C:\files\Window7MediaRefresh\CABs\Windows6.1-KB3125574-v4-x64.cab

image5

Package Identity : Package_for_KB3125574~31bf3856ad364e35~amd64~~6.1.4.4
State : Install Pending
Release Type : Update
Install Time : 11/4/2016 10:33 AM

We cannot continue to install updates offline, because of the DISM limitation below:

Limitations

  • When you are installing a package in an offline image, the package state is “install pending” because of pending online actions. In other words, the package will be installed when the image is booted and the online actions are processed. If subsequent actions are requested, they cannot be processed until the previous pending online action is completed. You can use the /PreventPending option when you add a package with /AddPackage to skip the installation of a package when there are pending online actions.

https://technet.microsoft.com/en-us/library/hh825265.aspx

Commit the changes with the command below to seal the image:
Dism /Unmount-Image /MountDir:C:\test\offline /Commit

image6

Now we need to install a Windows 7 VM/PC with this image to finish the outstanding servicing actions and install the other updates. Do this either by hand or using your favorite deployment tool.

After the image is installed we should see the following (SP1 + KB3020369 + KB3125574 only):

C:\Windows\system32>Dism /Online /Get-Packages

Deployment Image Servicing and Management tool
Version: 6.1.7600.16385

Image Version: 6.1.7601.23403

Packages listing:
Package Identity : Package_for_KB3020369~31bf3856ad364e35~amd64~~6.1.1.1
State : Installed
Release Type : Update
Install Time : 11/4/2016 12:29 AM

Package Identity : Package_for_KB3125574~31bf3856ad364e35~amd64~~6.1.4.4
State : Installed
Release Type : Update
Install Time : 11/4/2016 12:29 AM

Package Identity : Package_for_KB976902~31bf3856ad364e35~amd64~~6.1.1.17514
State : Installed
Release Type : Update
Install Time : 11/21/2010 3:01 AM

Continue to install updates 3-5 using the DISM commands below:

Dism /Online /Add-Package /PackagePath:C:\temp\Windows6.1-KB3177467-x64.cab

image7

Dism /Online /Add-Package /PackagePath:C:\temp\Windows6.1-KB3172605-x64.cab

image8

Dism /Online /Add-Package /PackagePath:C:\temp\Windows6.1-KB3179573-x64.cab

image9

 

Step 6, which is installing IE11, is optional, in case you have business critical applications that are dependent on an older Internet Explorer version. The security-only, monthly rollup, and preview rollup will not install or upgrade to these versions of Internet Explorer if they are not already present, so we will install IE11 next, before we apply the monthly rollup.

This will be the IE version installed, if we do not upgrade it:

image10

The last update to install is KB3185330, at the moment of writing this guide, in the future just replace it with the latest monthly/preview rollup, found on the page below:

Windows 7 SP1 and Windows Server 2008 R2 SP1 update history https://support.microsoft.com/en-us/help/22801/windows-7-and-windows-server-2008-r2-update-history

Dism /Online /Add-Package /PackagePath:C:\temp\Windows6.1-KB3185330-x64.cab

image11

Now we can search online for the remainder of the updates or just capture the image after generalizing it, if we want to finish as fast as possible.

Online search results after the above updates (34/39 optional updates are language packs):

image12

TL;DR version:

Download the updates:
https://www.catalog.update.microsoft.com/Search.aspx?q=3020369 https://www.catalog.update.microsoft.com/Search.aspx?q=3125574 https://www.catalog.update.microsoft.com/Search.aspx?q=3177467 https://www.catalog.update.microsoft.com/Search.aspx?q=3172605 https://www.catalog.update.microsoft.com/Search.aspx?q=3179573 https://www.catalog.update.microsoft.com/Search.aspx?q=2841134 https://www.catalog.update.microsoft.com/Search.aspx?q=3185330

Extract CAB files from MSU:
expand -f:* C:\files\Window7MediaRefresh\AMD64-all-windows6.1-kb3020369-x64_5393066469758e619f21731fc31ff2d109595445.msu C:\files\Window7MediaRefresh\CABs
expand -f:* C:\files\Window7MediaRefresh\AMD64-all-windows6.1-kb3125574-v4-x64_2dafb1d203c8964239af3048b5dd4b1264cd93b9.msu C:\files\Window7MediaRefresh\CABs
expand -f:* C:\files\Window7MediaRefresh\AMD64-all-windows6.1-kb3177467-x64_42467e48b4cfeb44112d819f50b0557d4f9bbb2f.msu C:\files\Window7MediaRefresh\CABs
expand -f:* C:\files\Window7MediaRefresh\AMD64-all-windows6.1-kb3172605-x64_2bb9bc55f347eee34b1454b50c436eb6fd9301fc.msu C:\files\Window7MediaRefresh\CABs
expand -f:* C:\files\Window7MediaRefresh\AMD64-all-windows6.1-kb3179573-x64_0ec541490b3f7b02e41f26cb2c444cbd9e13df4d.msu C:\files\Window7MediaRefresh\CABs
expand -f:* C:\files\Window7MediaRefresh\AMD64-all-windows6.1-kb3185330-x64_8738d0ef3718b8b05659454cff898e8c4f0433d7.msu C:\files\Window7MediaRefresh\CABs

Mount the image:
Dism /Mount-Image /ImageFile:C:\test\images\install.wim /Name:"Windows 7 ENTERPRISE" /MountDir:C:\test\offline

Install the first two updates offline:
Dism /Image:C:\test\offline /Add-Package /PackagePath:C:\files\Window7MediaRefresh\CABs\Windows6.1-KB3020369-x64.cab
Dism /Image:C:\test\offline /Add-Package /PackagePath:C:\files\Window7MediaRefresh\CABs\Windows6.1-KB3125574-v4-x64.cab

Unmount and commit the changes to the install.wim file:
Dism /Unmount-Image /MountDir:C:\test\offline /Commit

Install a reference machine with the above install.wim file and continue to install the updates:
Dism /Online /Add-Package /PackagePath:C:\temp\Windows6.1-KB3177467-x64.cab
Dism /Online /Add-Package /PackagePath:C:\temp\Windows6.1-KB3172605-x64.cab
Dism /Online /Add-Package /PackagePath:C:\temp\Windows6.1-KB3179573-x64.cab
Dism /Online /Add-Package /PackagePath:C:\temp\Windows6.1-KB3185330-x64.cab

Search online to install the remainder of the updates.

Sysprep the newly patched machine and capture an updated wim file.

 

If you have any questions or feedback, please use the comment section.

Thank you and see you next time!

Andrei Stoica, Windows Deployment Engineer

Comments

  • Anonymous
    January 03, 2017
    Useless. How about you guys release a proper Service Pack 2 for Windows 7 or at least do all this work and re release ISO for Windows 7?
    • Anonymous
      January 03, 2017
      Hi Luka,thank you for the comment. As part of the new servicing model we have moved away from the traditional service pack model for a more simplified servicing experience. You can consider the KB3125574 update as a "SP2" and update your Windows 7 image only with it. In the future, specifically later this year, we will have a follow-up update to KB3125574, which will also be a fully cumulative update, and we will only need to update our image with one or two KBs to be fully patched. The current prerequisite for Windows 7 updates is only SP1, when this will change the media will also be refreshed officially, as it was done for Windows 8.1 and Windows Server 2012 R2 to include Update 3 KB3000850 November 2014 Update Rollup.
      • Anonymous
        January 04, 2017
        The comment has been removed
        • Anonymous
          January 04, 2017
          Not that I know of. As written in another comment, I will ask around. Regarding the follow-up update to KB3125574, the initial timeline was the summer of 2017. Thank you.
          • Anonymous
            September 22, 2017
            Got any ETA since then ? (been 8 month now)Andrei:No ETA, this is a complicated matter and we have to wait until something is posted on the Windows IT Pro blog.https://blogs.technet.microsoft.com/windowsitpro/
  • Anonymous
    January 04, 2017
    Good stuff, Andrei!
    • Anonymous
      January 04, 2017
      Thank you :).
  • Anonymous
    January 04, 2017
    Andrei - thanks for taking the time to post that response. Let me more charitably restate Luka's commment...The blog post provides a useable but very long and convoluted process for generating a really great updated Windows 7 WIM. Would it be possible for Microsoft to release an updated ISO which already has the pre-reqs, convenience update, and latest updates? Would it be possible to re-release that ISO once a quarter until Win 7 ends mainstream support in 3 years?We promise we'll keep upgrading systems to Windows 10 even if it isn't insanely painful to get updated Windows 7 media! I say that as someone who has this process pretty well automated through SCCM... There isn't a reason for ever organization to put so much effort into Win 7 media when the problem could be solved once for everyone - but only Microsoft can do that.Thanks for your help!
    • Anonymous
      January 04, 2017
      Thank you for your feedback. We don't have such an aggressive refresh schedule even for Windows 10 (see second to last paragraph). I will start a mail thread with the relevant peeps, no promises. This is unlikely if the prerequisites for installing Windows 7 updates haven't changed. Happy deployment!
      • Anonymous
        January 04, 2017
        As you probably know Andrei, Windows update for Windows 7 is horribly broken, Clean install 7 SP1 > Check for update > Never ending "Searching for updates" and never finds anyWhen is MS going to fix WU for 7? - It has been broken since GWX was released
        • Anonymous
          January 04, 2017
          KB3172605, the July update rollup contains the latest Windows Update Agent version for Windows 7, that fixes the following and is what you are looking for:This update contains some improvements to Windows Update Client in Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This includes the following:- An optimization that addresses long scan time for updates that's reported on some computers.- Fix for a Windows Update error 0x8007000E on some computers while they are updating.- Some reliability improvements.The general principle has been discussed in the blog post below:https://blogs.technet.microsoft.com/mniehaus/2016/02/12/build-windows-7-images-faster-by-patching-them-faster/
          • Anonymous
            January 04, 2017
            Yes thanks, I am aware of how to manually install certain updates to get it working again, but it used to work without doing that, with the exact same install of 7 SP1, why can't it be fixed at Microsoft's end so that we can install 7 SP1 > Check for updates > Install updates?Why does the end user have to apply fixes for something that is obviously wrong server side at Microsoft's end? Nothing changed inside the 7 SP1 ISO/DVD I use to install 7 with.
            • Anonymous
              January 04, 2017
              Since Windows 7 SP1 has been released, the number of available updates grew and grew with time (over 4000 updates). This is why I published this article, to help with avoiding this problem altogether by refreshing the Windows 7 media.
  • Anonymous
    January 04, 2017
    KB3020369 is not needed, because has been replaced by KB3177467.KB3185330 it not needed, because has been replaced by KB3207752.
    • Anonymous
      January 04, 2017
      The comment has been removed
      • Anonymous
        January 05, 2017
        "...and we wouldn’t be able to add KB3125574 offline, if we use KB3177467 instead of KB3020369..."I did a clean install of Windows 7offline and installed KB3177467 and then installed KB3125574 without troubles, so KB3020369 is not needed anymore.
        • Anonymous
          January 06, 2017
          I am referring to offline servicing:https://msdnshared.blob.core.windows.net/media/2017/01/image1310.png0x800f082f -2146498513 CBS_E_EXCLUSIVE_WOULD_MERGE The requested operation would merge exclusive and non-exclusive content
          • Anonymous
            January 06, 2017
            ah, I see... you were talking about DISM process offline, I've not tested that yet.
  • Anonymous
    January 05, 2017
    It would be really nice if Microsoft fixed Windows Update for previous versions of Windows... "aka" Windows Update getting "stuck" and not updating, I have experienced this on Windows 7 and Windows 8.1, this is also a wide spread problem, the issue is not caused by the users side.Or even better, I would like Microsoft to acknowledge they have made Windows Update function incorrectly for Windows 7 and Windows 8.1 on purpose for the sake of making people want to update to Windows 10.
    • Anonymous
      January 05, 2017
      KB3172605, the July update rollup contains the latest Windows Update Agent version for Windows 7, that fixes the following and is what you are looking for:This update contains some improvements to Windows Update Client in Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This includes the following:– An optimization that addresses long scan time for updates that’s reported on some computers.– Fix for a Windows Update error 0x8007000E on some computers while they are updating.– Some reliability improvements.For Windows 8.1 the equivalent update is:KB3172614
    • Anonymous
      January 05, 2017
      Exactly, we shouldn't be having to perform patching and workarounds to fix a problem on Microsoft's side, it's fairly transparent that this is a tactic to push people to Windows 10, break WU on previous Windows releases
  • Anonymous
    January 05, 2017
    The comment has been removed
    • Anonymous
      January 05, 2017
      I care :).
      • Anonymous
        January 05, 2017
        We know, and We really appreciate You are sharing this information with us.
  • Anonymous
    January 05, 2017
    will be good if Microsoft release an updated ISO of Windows 7 with all of this updates integrated, like they did with Windows 10 ISOs.
    • Anonymous
      January 06, 2017
      Will talk with some other peeps, to see if this is doable.
      • Anonymous
        January 06, 2017
        thank you ;)
  • Anonymous
    January 07, 2017
    The comment has been removed
    • Anonymous
      January 07, 2017
      Hi Cliff,thank you for the very detailed suggestions. The problem here is that this does not impact the majority of Win7 users, but it is a problem nonetheless. I also had some difficulties with KB2670838. The main point is, even in this guide, that we do not solely rely on KB3125574 to do everything, with this in mind, I will reach out again to Mike from the other blog and the other owners of KB3125574, to make sure that the entire team is aware of the list of issues from WUC and see what can be done, please don't expect any immediate changes.Thank you and Abbodii, PointZero, Komm for your dedication to this.
  • Anonymous
    January 07, 2017
    Thanks for the wonderful guide Andrei, and it's great to see you blogging these gory details :)
    • Anonymous
      January 08, 2017
      Thank you. :)
  • Anonymous
    January 08, 2017
    Nice but Microsoft should really just create an up to date Windows 7 Installation .iso with the Latest Serial ATA drivers, NVMe support and USB 3.0 support while they are at it they should remove the prompt to input the Windows 7 key on their website so people can Download the .iso.I created a .bat file to do this with written instructions and a tutorial video here:http://en.community.dell.com/support-forums/software-os/f/3524/t/19999620
    • Anonymous
      January 08, 2017
      Windows 7 and 8.1 are in the extended support period, i doubt they would get refreshed installation mediaBTW, CABs can be extracted together with one command :)expand -f:Windows.cab C:\files\Window7MediaRefresh*.msu C:\files\Window7MediaRefresh\CABs
      • Anonymous
        January 09, 2017
        Thank you for the suggestion, will test & write it in.
  • Anonymous
    January 09, 2017
    Really???? How about re-releasing the RU with the changes?
    • Anonymous
      January 13, 2017
      A new cumulative update rollup is expected sometime in the second half of 2017, as part of the new servicing model.
  • Anonymous
    January 10, 2017
    Wondering about KB2775511 "enterprise hotfix rollup", released March 2013? Wouldn't that (and any relevant post KB2775511 hotfixes) be good practice (install first before KB3020369) ? (don't see anywhere that KB3125574 supersedes KB2775511)
    • Anonymous
      January 11, 2017
      The comment has been removed
      • Anonymous
        January 13, 2017
        I have seen the same advice before, but it is reinforcing to see it coming from different expert, not necessary related people."KB2775511 is superseded by KB3125574 by default (not in the exception list documented in KB3125574)"https://blogs.technet.microsoft.com/windowsitpro/2016/05/17/simplifying-updates-for-windows-7-and-8-1/#comment-3016
        • Anonymous
          January 13, 2017
          We (in support) were very happy when KB3125574 was released and could recommend it instead of KB2775511.
  • Anonymous
    January 11, 2017
    Two questions:1. Can I install KB3020369 and KB3125574 on a live system (vm)? Just saying because I see no point to integrate them in an offline fashion and afterwards fire up a vm and continue with the rest of updates.2. Can I use KB3177467 which has superseded KB3020369?
    • Anonymous
      January 11, 2017
    1. Yes. Doing it offline, we save more time, but it might not be such a big difference.2. Yes, recommend rebooting after KB3177467, because of the known issue.
      • Anonymous
        January 11, 2017
        Thank you.
  • Anonymous
    January 18, 2017
    The comment has been removed
    • Anonymous
      January 18, 2017
      I do not recommend switching KB3177467 with KB3020369, see https://blogs.technet.microsoft.com/astoica/2017/01/03/windows-7-refreshed-media-creation/#comment-205 for the reason.If you keep KB3020369 as the first one, then you can import KB3020369 and KB3125574 into the "Packages" node as described below:https://blogs.technet.microsoft.com/mniehaus/2016/02/12/build-windows-7-images-faster-by-patching-them-faster/The rest can be installed afterwards normally.
      • Anonymous
        January 19, 2017
        I looked around but did not find the answer to this; in MDT can you specify the order that packages get installed?How do I ensure that KB3020369 gets installed before KB3125574? I know if they were applications, you can use dependencies...
        • Anonymous
          January 20, 2017
          You can use selection profiles, below an example for drivers, but you can do the same for update package and have two "Install Updates Offline" steps, one with the KB3020369 and one with the rest, mainly KB3125574.http://deploymentresearch.com/Research/Post/325/MDT-2013-Lite-Touch-Driver-Management
  • Anonymous
    January 24, 2017
    The comment has been removed
    • Anonymous
      January 24, 2017
      The comment has been removed
      • Anonymous
        January 25, 2017
        Hi David, this guide is not meant for MDT, it is just to discuss a principle of updating the media. Modify and implement this as you see fit for MDT.
        • Anonymous
          January 25, 2017
          The comment has been removed
          • Anonymous
            January 26, 2017
            The comment has been removed
          • Anonymous
            January 26, 2017
            OK, by switching to the word additive, you mean everything from (October 2016 - Current Month) gets installed by just using Current Month, right? And "later this year" they will transition to truly cumulative update (SP1 - Current Month)?Two other questions that I haven't asked before:September 2016: Is it included in October 2016?Do you have / Can you make update lists for Windows 8.1 and Windows 10? I'm trying to accomplish the same thing with these OS's, and I'm not sure what is cumulative/additive for what.Thanks!!
            • Anonymous
              January 27, 2017
              The comment has been removed
          • Anonymous
            February 15, 2017
            Andrei, Did you ever figure out the "optimal" upgrade path for Windows 8.1?
            • Anonymous
              February 15, 2017
              Hi David, sorry, not yet. Work has been busy. There won't be such a short list, as there the latest CU is from 2014 (KB3000850).
  • Anonymous
    February 06, 2017
    The comment has been removed
    • Anonymous
      February 06, 2017
      Oops, my mistake about the size of that big IE11 exe. I see now that after clicking "download" in the update catalog that it shows me a ton of .exe files and the en-us version to get is only 53 MB. Alright, well, it's still an executable and can't be slipped in with DISM. ;)
      • Anonymous
        February 12, 2017
        No, that is done in the online phase.
      • Anonymous
        February 15, 2017
        The comment has been removed
        • Anonymous
          July 16, 2017
          The comment has been removed
          • Anonymous
            August 02, 2017
            The comment has been removed
          • Anonymous
            August 09, 2017
            The comment has been removed
            • Anonymous
              August 10, 2017
              The comment has been removed
  • Anonymous
    September 08, 2017
    Thanks for your guide. But I feel like missing something.Shouldn't we integrate all of NetFX (.NET Framework runtimes) to this integration ? (latest redistributable, and their patches)If my concern is right, I'd love to know what (if any) order should we integrate those. Kind Regards,~OdR
    • Anonymous
      September 10, 2017
      The comment has been removed
      • Anonymous
        September 22, 2017
        The comment has been removed
        • Anonymous
          February 07, 2018
          Sorry for the late reply, I missed the notifications some how.Cumulative = Fully cumulativeAdditive = Non-fully cumulativeThe Windows 7/8.1 updates at the moment are not cumulative, but additive. This is why we do not have the word cumulative in the title as with Windows 10 updates.To each his own on the last part. The main idea behind this article was to get people to use KB3125574.
  • Anonymous
    December 03, 2017
    Can somebody help me in installing or Slipstreaming SP1 (Windows6.1-KB976932) cab file into Windows7 Iso ?Only this I want to Install
    • Anonymous
      December 04, 2017
      Hi Austin, you should download an updated ISO file that already contains SP1. Every new one after 2011 should be good.