About Updates, Packages, DISM Cleanup and ResetBase

[InnerBrat]

Hi!

I used MSMG Toolkit for a while, got problems with 24H2 so I switched to DISMTools, the developer is lovely but it's still very beta in some things, so I finally found NTLite.
In the while actually I had discovered UUP and created an ISO of Win11 Pro Build number: 26100.3194 with updates and resetbase.
So, I've learned a bit but I'm still not an expert.


I had a look at the updates offered in NTLte right now for the build 26100.3194 and I have questions:

• why is there a CU from Sept. 2024 in a build from Feb. 2025 which includes a CU also from Feb. 2025?
  It says it's a requirement for this latest CU, but how can this be? Shouldn't CUs, and more so builds, include the past CUs?
• Similarly, it shows an update for Microsoft Defender (Platform) from Oct. 2024?

I see that on the right panel of the Updates tab it shows included packages, and I had an epiphany:

• Do all these packages also get "sealed" with a resetbase, becoming unremovable? I had understood that only updates are affected by resetbase, while apps, features and packages aren't.
• If packages are indeed affected by resetbase, can I safely assume that the reason why I get an "Error [5] Access is denied" when I try to remove ANY of these packages in NTLite is because I had used resetbase with UUP
• I had never heard that removing packages from an image can be problematic "due to package handling complexity on Windows side". Anyway, what is to be intended as "fresh image where to add the desired packages"? This image is fresh from Microsoft. Could it be that this is a generic warning message which is rather meant for live images but appears also when you're working on a downloaded one? Can I simply ignore in this case?

About Cleanup and Resetbase:

• In the help file of UUP I read that Cleanup will remove the base RTM Edition packages in newer builds, possibly causing future CUs to fail. Is this so in NTLite too?
• How many GB +/- could one free by using Cleanup, and how many with Resetbase (specifically Win11 Pro 24H2 in case it matters)?
• Would the saving of space, and the compatibility with future CU etc, be different if Resetbase is done with NTLite prior to lean install, or with a DISM command right after the clean install?
• Apart for freeing some space (which with how cheaper the SSDs are getting, I'm not sure I want to care about it) would there be other advantages in using Resetbase?

I actually fell asleep while writing this yesterday.
Thanks to whoever invented the automatic saving in browsers.
I still remember the dark times when this wasn't the case.

 

[garlin]

I had a look at the updates offered in NTLte right now for the build 26100.3194 and I have questions:

• why is there a CU from Sept. 2024 in a build from Feb. 2025 which includes a CU also from Feb. 2025?
  It says it's a requirement for this latest CU, but how can this be? Shouldn't CUs, and more so builds, include the past CUs?
• Similarly, it shows an update for Microsoft Defender (Platform) from Oct. 2024?

W11 24H2 introduced a requirement for keeping Checkpoint CU's, where in order to reduce the size of later Cumulative Updates over time, you must first apply a full baseline CU and afterwards integrate the latest differential CU over it.

MS has not announced how often the Checkpoint CU will be refreshed. The most current (and only) checkpoint remains Sep 2024. NTLite wants to keep a copy around just in case it's needed (smart detection).

Defender platform engine hasn't been updated since Oct 2024. Normally it follows a (mostly) monthly schedule, but hasn't resumed.
September-2024 (Platform: 4.18.24090.11 | Engine 1.1.24090.11)

I see that on the right panel of the Updates tab it shows included packages, and I had an epiphany:

• Do all these packages also get "sealed" with a resetbase, becoming unremovable? I had understood that only updates are affected by resetbase, while apps, features and packages aren't.

Yes. The "base" for any release is the lowest numbered version of each component. ResetBase simply removes all previous versions, so you cannot uninstall any updates that were applied to the image or system. The latest versions become the new baseline. When performing a clean install, rolling back isn't really a concern because if there's something wrong with your image – you switch it to another build.

Features on Demand (FOD) packages don't follow the same Resetbase rules, it must keep the lowest (Staged) version at all times.

There are two distinct types of Appx packages:
- Default (or "in box") Apps which are considered permanent Windows features and are treated as Components. As such, they're patched through the Monthly CU.

- "Store" apps which can be downloaded or removed by the user, are serviced as standalone Appx packages. WU will update them individually, whenever a new version is released. If you disable automatic WU updates for apps, you can integrate a specific older version of the app.

• If packages are indeed affected by resetbase, can I safely assume that the reason why I get an "Error [5] Access is denied" when I try to remove ANY of these packages in NTLite is because I had used resetbase with UUP

"Error [5] Access is denied" is a generic class of DISM errors. There are many reasons why you may see it. Report these errors whenever you see them.

• I had never heard that removing packages from an image can be problematic "due to package handling complexity on Windows side". Anyway, what is to be intended as "fresh image where to add the desired packages"? This image is fresh from Microsoft. Could it be that this is a generic warning message which is rather meant for live images but appears also when you're working on a downloaded one? Can I simply ignore in this case?

More of a generic warning that some combinations of removals, or modding a previously modded image/system may lead to trouble.

About Cleanup and Resetbase:

• In the help file of UUP I read that Cleanup will remove the base RTM Edition packages in newer builds, possibly causing future CUs to fail. Is this so in NTLite too?
• How many GB +/- could one free by using Cleanup, and how many with Resetbase (specifically Win11 Pro 24H2 in case it matters)?

DISM cleanup size is a function of what is there to clean up. When any Windows release is first shipped, the initial CU's are relatively small. Over long, like 2-4 years of servicing, the size of the superseded components can dramatically increase.

What space you get in return from DISM cleanup depends on how much space was taken up by the superseded components. If you cleaned up W11 21H2 (now an old OS) vs. 24H2 (relatively new), it wouldn't be an apples to apples comparison.

• Would the saving of space, and the compatibility with future CU etc, be different if Resetbase is done with NTLite prior to lean install, or with a DISM command right after the clean install?
• Apart for freeing some space (which with how cheaper the SSDs are getting, I'm not sure I want to care about it) would there be other advantages in using Resetbase?

The end result of having NTLite do the cleanup before the install, or afterwards on the live system should be about the same.

What NTLite does offer is a custom DISM mode which attempts to clean even more files but doesn't promise to be 100% compatible with DISM or other DISM-based tools. In that case, you can continue to use NTLite to custom clean it again.

I actually fell asleep while writing this yesterday.
Thanks to whoever invented the automatic saving in browsers.
I still remember the dark times when this wasn't the case.

Red Bull gives you wiiings.

 

[InnerBrat]

Oh, thanks Garlin, I see that you're one of the most active here, much appreciated.

Let me kill all possible doubts while they're little, that when they're adult they're Orange Duck level of danger (ah, I made a veiled international politic satiric joke).

Defender platform engine hasn't been updated since Oct 2024. Normally it follows a (mostly) monthly schedule, but hasn't resumed.
September-2024 (Platform: 4.18.24090.11 | Engine 1.1.24090.11)

Ok, but why is it missing? It's so old, why isn't it already integrated in the CU or in the build?

Features on Demand (FOD) packages don't follow the same Resetbase rules, it must keep the lowest (Staged) version at all times.

Could you explain what a staged package is? Copilot says it means it's going to be installed after I do the clean install.
And online I find confusing info.
You're good at explaining

"Error [5] Access is denied" is a generic class of DISM errors. There are many reasons why you may see it. Report these errors whenever you see them.

So, it's not normal that pretty much all those packages in the list on the right of the Updates section give me error 5 when I try to uninstall them?
I could uninstall the staged Exchange ActiveSync but not the installed. And then all what I've tried gave me that error.
Do you maybe have any idea why this might be happening?

If you cleaned up W11 21H2 (now an old OS) vs. 24H2 (relatively new), it wouldn't be an apples to apples comparison.

And can you give me an approximate idea of what could be the saved space by cleaning a current 24H2, or by resetting its base?
I'm trying to understand if it's worth the hassle. I mean, if it's going to give me issues it's not worth no matter how much space it saves.
But if it's just a generic "who knows, maybe something some day could not update properly" or whatever, and in change I get 30GB free, could be worth.

Red Bull gives you wiiings.

Tastes horrible, dude, really? I never understood people who manage to drink that.
Tea. Tea, Mate, evtl Cola.
But I should just have a more regular rhythm. I'm not good at should though.

Hey, you kind of forgot two questions:
- In the help file of UUP I read that Cleanup will remove the base RTM Edition packages in newer builds, possibly causing future CUs to fail. Is this so in NTLite too?
THAT is a perfect example of "not worth, no matter how many GB I get back".
- Apart for freeing some more space compared to normal cleanup, would there be other advantages in using Resetbase?


Thanks again

 

[garlin]

Ok, but why is it missing? It's so old, why isn't it already integrated in the CU or in the build?

Windows Dev is only responsible for Windows itself.

Products or services from other MS teams are "packed in", but the unstated policy is that Windows team has no obligation to refresh those packages provided by other groups. This includes Defender, Edge, OneDrive, Teams, Xbox (Gaming), etc.

Each product group has their own method for self-updating the ISO's stale apps. ie. EdgeUpdater, OneDrive update task, Windows Update for Defender and Store apps. You get a starting (but functional) copy of these apps as a placeholder.

Could you explain what a staged package is? Copilot says it means it's going to be installed after I do the clean install.

Staged simply means there's a stub package which describes the Feature itself. Some Features are pre-installed (integrated) into the image, others must be downloaded from the network using WU. For Windows to know what FOD's exist, a Staged package must be present so you can select from the Optional Features control panel.

Features (which are pre-installed) have a DISM state of enabled (activated during install) or disabled. That current state is displayed in the FOD section.

So, it's not normal that pretty much all those packages in the list on the right of the Updates section give me error 5 when I try to uninstall them?
I could uninstall the staged Exchange ActiveSync but not the installed. And then all what I've tried gave me that error.
Do you maybe have any idea why this might be happening?

This more a current design flaw. "Updates" is a generic term which includes both KB updates, and Feature packages which are referred to as updates. You're not supposed to remove them from the Updates screen, but instead by removing the matching Component. Once the Component is removed, whatever Feature it maps to is naturally gone.

And can you give me an approximate idea of what could be the saved space by cleaning a current 24H2, or by resetting its base?
I'm trying to understand if it's worth the hassle. I mean, if it's going to give me issues it's not worth no matter how much space it saves.
But if it's just a generic "who knows, maybe something some day could not update properly" or whatever, and in change I get 30GB free, could be worth.

Look at the size of the current Checkpoint CU as a rough estimate of space savings. You're not getting 30GB back because Windows won't change 30GB of files over that lifetime. At that point, MS would just re-release Windows again.

Hey, you kind of forgot two questions:
- In the help file of UUP I read that Cleanup will remove the base RTM Edition packages in newer builds, possibly causing future CUs to fail. Is this so in NTLite too?

Prolly a question for abbodi86.

THAT is a perfect example of "not worth, no matter how many GB I get back".
- Apart for freeing some more space compared to normal cleanup, would there be other advantages in using Resetbase?

None, it's purely done to reclaim disk space.

 

[InnerBrat]

Then I'd wait for the answer of abbodi86 to see if there are known bugs/issues with the Cleanup and/or the Resetbase function in the current version of NTLite with Win11 24H2.

Thanks again for the clear explanations

 

[abbodi86]

Win11 24H2 servicing stack is a complete mess

if the size is not an issue, don't cleanup

 

[InnerBrat]

Win11 24H2 servicing stack is a complete mess

if the size is not an issue, don't cleanup

Ok, I will do that.
I can always cleanup later from what I understand, if this issue will be solved with a CU or whatever.
So, unless someone tell me to do otherwise, I would now download the last available release build from UUP Dump, plain and simple, no updates, no adding drivers or removing apps, which I will do in NTLite.

Agreed?

1, 2, 3, sold?

Ah, EDIT: I see that with UUP I can either download the whole ISO or just the install.wim.
What's better for NTLite?

 

[garlin]

Ah, EDIT: I see that with UUP I can either download the whole ISO or just the install.wim.
What's better for NTLite?

NTLite doesn't care, it can load the install.wim from an ISO folder, as a standalone file. Obviously, it won't create an ISO or do any unattended or Post-Setup work when there isn't an ISO folder present.

 

[InnerBrat]

NTLite doesn't care, it can load the install.wim from an ISO folder, as a standalone file. Obviously, it won't create an ISO or do any unattended or Post-Setup work when there isn't an ISO folder present.

I see. So, if my ultimate goal is to create a bootable USB with Rufus to do a clean install I need to download the ISO from UUP and work on that in NTLite?

Now that I think about it, when I used MSMG Toolkit I did put the whole content of the Win11 ISO in the DVD folder of MSMG, not just the install.wim.
But when I switched to DISMTools, that one only cares about install.wim.
Indeed I could and still can not understand how it can create an ISO from a wim which was taken from an ISO, it feels like if something would be missing. I should ask the dev, I'm helping him with tests of bugs.

And, apart for being able to created an ISO, is there any other advantage in loading an ISO instead of a wim in NTLite?
Like, would it be able to do more things? I'm thinking at things like how in MSMG I can add drivers to the boot and the recovery wims. I suppose that's only possible if you load the whole ISO.

 

[garlin]

UUP dump creates a perfectly good ISO for you. Why not use it?

Some expert users follow a practice where they keep an ISO folder as a "host", and replace the boot.wim & install.wim files on the inside. While this works to support creating a bootable ISO, you may miss out on other ISO-based changes.

For example, the boot loader files (for use on the USB) are contained in the ISO. They're also available from the Windows ADK, but most users don't want to bother downloading the ADK.

If the boot loader files get updated, and you're using an older ISO, then you will miss the boot file refresh. This is becoming more important as MS intends to finally roll out the Black Lotus UEFI fixes as mandatory. Not everyone will be impacted, but you might as well be prepared.

Driver setup is done by two different methods.
1. Direct integration (via DISM) into the boot.wim & install.wim.
2. Provided as driver files on the ISO media, and dynamically loaded by adding driver search paths at different points of the install.

Direct integration is preferred because it guarantees WinPE will number the drives, based on an expected order instead of being out of sequence because a driver was loaded later in memory.

 

[InnerBrat]

The drivers thing was an example. My question was more general about if loading an ISO in NTLite gives you access to more tweaks.
Anyway, you already convinced me to go for the ISO, so, I guess I'll find out, hopefully before I fall asleep.
Cheers and thanks again.

 

[garlin]

Tweaks are a function of what's inside the install image, through explicit Settings (reg-based changes). What's more important is if you need to perform Unattended or Post-Setup tasks to have an ISO folder to stage all those files. You can't do that in a vacuum with an install.wim.

Enough talk. Just play with NTLite.