Applying Updates to Run-time Images and the Component Database (Standard 2009)


Microsoft Corporation

November 2009

This technical article contains information about how to update the Windows Embedded Standard 2009 component database and how to apply updates to run-time images.

As with any operating system (OS) or application, it is necessary to periodically update Windows Embedded Standard 2009. Updating a product or image is often referred to as "servicing" or "maintenance". Because Windows Embedded Standard 2009 is a suite of tools that enables customers to build customized OS images, there are two avenues for updating the product: one for updating the component database that is part of the suite of tools, and one for updating OS images deployed to devices.

It is the responsibility of OEMs to determine how their devices are updated, how frequently they are updated, and what updates are applicable to each type of device. In some cases, OEMs might choose to never update their devices, and in other device categories there might be requirements that every security update be applied to a device in order for it to remain certified.

There are a number of types of updates, each with their own terminology, which are discussed in the following list.

  • Security updates — security updates fix critical and important vulnerabilities in Windows products. The Windows Sustained Engineering team creates these updates and the Windows Embedded team implements them. The Windows Embedded team only releases critical security updates for Windows Embedded Standard. It is highly recommended that security updates be applied to embedded devices in a networked environment because they might be vulnerable to the same exploits as the full Windows OS.
All security updates are cumulative, meaning that all previous updates are rolled into the latest update package. In addition, every new product version includes all the security updates released for the previous product version, up until the date that the new product is released to manufacturing (RTM). The RTM date is not the same date that the product gets into the customer's hands. There is always a delay as the product works its way through the distribution channels. This means another set of security updates might be released while a new product version is still in the distribution channels. These new updates are usually included with the first security update package targeted at the new product version.
  • Optional updates — optional updates are authored and released by the Windows Embedded Standard team to fix bugs in the files the team owns (Embedded Enabling Features, and .sld files). These have also been referred to as hotfixes or QFEs (Quick Fix Engineering).
  • Out-of-band features — these are new features that might ship for Windows Embedded Standard 2009 in the future.
  • Service Packs and Feature Packs — these are periodic releases outside of the core ship cycle (out-of-band) of features and security updates combined in one package. Sometimes new functionality and/or features have also been added.
  • Application updates — these are updates for applications running on an embedded device. These updates are released by the manufacturer of the application or driver.

Updates for the component database and for run-time images are available only from a secure website for OEMs, the Embedded Communications Extranet (ECE) site. Downloads for all products in the embedded family are available there under the Embedded > Products > Download > Windows Embedded section. The ECE site is accessible only to registered users who have a valid OEM ID (which comes from your distributor when you purchase Windows Embedded Standard 2009). Updates are not available at the Microsoft Download Center or through Windows Update.

Updates are released every month, but not every type of update is released every month. In even-numbered months (February, April, June, and so on) componentized new critical security updates are released. These are applied to the component database and are made available approximately 2 weeks after the security updates for the desktop OS are released on Patch Tuesday (the second Tuesday of every month). In odd-numbered months (January, March, July, and so on) new critical security updates are released for the run-time image. These are updates that you can run directly on a run-time image and are available about one week after Patch Tuesday.

The security updates are cumulative, which means that all previous security updates are rolled into the most current update.

The updates are delivered as an ISO image that you should burn to DVD to unpack the contents and apply the updates. The ISO folder structure is as follows:

    \<Month year> (for each current and previous month of updates)
    \<Month year>
      \FP2007 (and so forth)

Security update ISOs contain a file at the root called <Month Year> Embedded_Critical_Update_Catalog.xls that lists the updates.
  • The document files for each update are found in the Documents folder, under the appropriate product version.
  • The update .exe file to be applied to a run-time image is found in the DQI folder under the month and the appropriate product version folder.
  • The update .exe file to be applied to the database is found in the Windows folder under the appropriate product-version folder.
Some security updates offered out-of-band might have a different folder structure from the regular, monthly security updates. These security updates include any previous security updates for the feature being updated. Out-of-band security updates will be rolled into the next regular monthly security update.

Optional updates follow a similar folder structure, but some are provided as Desktop QFE Installer (DQI) updates, and must be applied to the image itself; others are component database updates, and are applied to the component database prior to building an image. Each update’s description provides folder information, and a description of the update, so that OEMs can determine if they must install the optional update. Optional updates are cumulative for that particular component. In other words, any prior fix (security or hotfix) made to a feature component will be rolled into the latest fix. However, optional updates will not roll up all previous component updates.

To create an up-to-date component database, so that the image you build has all the latest security updates, install Windows Embedded Standard 2009 or upgrade to Windows Embedded Standard 2009 from an XP Embedded installation. Then go to the ECE, download the latest monthly embedded security updates, and install the component database update found in the Windows folder on the DVD for whichever system you have: Windows Embedded Standard 2009, or Windows Embedded Standard 2009 with IE7 and WMP11. After doing this, your component database will be completely up to date with security updates, as will any images you build using that database.

The component database updates are cumulative; however, be aware that they are updated in even-numbered months only. Therefore, if you install the July 09 update you will be current with component database updates through the June 09 security release.

Ideally, you should follow this scenario, using the component database updates, to ensure you have the latest security fixes prior to building and deploying your image.

To apply optional updates in addition to security updates you must install each monthly optional update in succession.

To check your database to see which updates have been installed, do one or all of the following:

  1. Open Component Database Manager and check the list of packages on the Packages tab: most updates have their own package appended with the KB number of the update. You can easily see if expected KBs are in the list.
  2. Run MBSA on the resulting image: all missing packages will be reported.
MBSA was not designed for Windows Embedded Standard 2009 and might generate a few false positives.
  3. Check the QFE repository folder for Windows Embedded Standard 2009 (\Repositories\{25C88912-9870-4686-97CE-8244CA1B0DAB}) for files prepended with the new update’s numbers. This check can be scripted depending on your needs.
The list of security updates included can be found in the KB Number column of the [Month] [Year] Embedded_Critical_Update_Catalog.xls file in the root of the DVD.
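
The QFE repository folder check described above can be scripted along the following lines. This is an added PowerShell example, not part of the original article or of Microsoft's tooling; the function name, the matching rule (a file name begins with the KB digits, with or without a "KB" prefix) and the demo file names and KB numbers are assumptions constructed for illustration.

```powershell
# Added example, not Microsoft code. Assumption: a file belongs to an update when
# its name begins with the KB digits, with or without a "KB" prefix.
function Get-RepositoryUpdateStatus {
    param(
        [Parameter(Mandatory = $true)][string]   $RepositoryPath,
        [Parameter(Mandatory = $true)][string[]] $ExpectedKb
    )
    if (-not (Test-Path -LiteralPath $RepositoryPath -PathType Container)) {
        throw "Repository folder not found: $RepositoryPath"
    }
    # File names only; subfolders are ignored.
    $names = @(Get-ChildItem -LiteralPath $RepositoryPath |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $_.Name })

    foreach ($kb in $ExpectedKb) {
        $digits = $kb.Trim() -replace '^KB', ''
        if ($digits -notmatch '^\d+$') { throw "Not a KB number: '$kb'" }
        # (?!\d) stops a short number from matching a longer one that starts with it.
        $pattern = '^(KB)?' + $digits + '(?!\d)'
        $hits = @($names | Where-Object { $_ -match $pattern })
        [pscustomobject]@{
            KB      = "KB$digits"
            Present = ($hits.Count -gt 0)
            Files   = ($hits -join ', ')
        }
    }
}

# Constructed demo: a temporary folder stands in for
# ...\Repositories\{25C88912-9870-4686-97CE-8244CA1B0DAB}; names are placeholders.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('qfe-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
'KB0000001_placeholder.dat', '0000002-placeholder.dat' | ForEach-Object {
    New-Item -ItemType File -Path (Join-Path $demo $_) | Out-Null
}

# KB numbers as copied from the catalog's KB Number column (placeholders here).
# Only the updates with no matching file are listed.
Get-RepositoryUpdateStatus -RepositoryPath $demo -ExpectedKb 'KB0000001', '0000002', 'KB0000003' |
    Where-Object { -not $_.Present } |
    Select-Object KB

Remove-Item -LiteralPath $demo -Recurse -Force
```

For a real check, pass the full path of the repository folder on the development machine and the values from the KB Number column of the catalog file. Adjust the matching rule if the files in your repository are named differently.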

Windows Embedded Standard 2009 does not support updating through Windows Update. This is because each image is a custom OS image developed by an OEM, who then has ownership of the image. Windows Update has no knowledge of Windows Embedded Standard 2009 and its componentized design. Because of this it might apply updates to an image unnecessarily, which could break the image. OEMs own their images and are therefore responsible for determining what updates and changes can be applied.

Updates found in the DQI folder of the update CD can be applied directly to a run-time image, provided the image contains the following components:

  • Client / Server Runtime (Console)
  • RPC Local Support
  • Microsoft Visual C++ Run Time
  • Win32 API – User
  • Win32 API – Kernel
  • Win32 API – GDI
  • Primitive: Winspool
  • Primitive: Version
  • Primitive: Userenv
  • Primitive: Shell32
  • Primitive: Setupapi
  • Primitive: Psapi
  • Primitive: Oleaut32
  • Primitive: Ole32
  • Primitive: Ntdll
  • Primitive: Mpr
  • Primitive: Crypt32
  • Common Control Libraries Version 6
  • Win32 API - Advanced

If you choose to update your run-time image with the DQI updates, you must install each DQI set from each month since the release of the product you installed. Because each security update release contains all previous updates you can download the latest security update from the ECE site, burn a CD, and then apply each self-extracting .exe file found in each monthly folder under the \DQI folder for your product version (WindowsEmbeddedStandard09 or WindowsEmbeddedStandard09_IE7WMP11).

What you have learned

To summarize, here are the most common scenarios for updating Windows Embedded Standard 2009:

If you are servicing your existing development environment:

On the Embedded Security Supplement Update CD in the \Windows folder, there is a Component Database Update available for each supported embedded product version (Windows Embedded Standard 2009, or Windows Embedded Standard 2009 with IE7 and WMP11). If you install the component database update applicable to the product version you are using, your database will be current with security updates up to and including the most current even-month’s security updates.

If you are servicing deployed images:

Assuming you have the cumulative component database updates applied to your development environment on your image creation date, you need only deliver the DQI updates for each month following your release date and have them applied directly to the image. Alternatively, you can update your development environment as described above, and deliver a new image for re-deployment. There might be other custom methods you can use for servicing your images, such as System Center Configuration Manager, Device Update Agent, or Windows Server Update Services, but these are beyond the scope of this article.

If you are a new developer installing Windows Embedded Standard 2009 for the first time:

Install Windows Embedded Standard 2009, then install the cumulative database component updates provided for that version from the latest Security Supplement Update CD. This will bring your database up to date with all security updates up to the most recent even-numbered month.

Miscellaneous Optional updates:

You will also see other updates available on the ECE, which are Optional Updates. These might be applicable to your image. You can review the release notes for applicability to determine if you want to implement them. These updates might be provided in DQI format, component database update format, or both.