WSUS, W10/11 how to install a WSUS Update (KB patch) Manual with DISM from WSUScontent source Directory
This blog entry is about two things.
- How to install a Windows Update from WSUS Source content folder manual by hand with DISM
- Mcafee ENS 10.X, IPS Exploit Rule 6133 may block tiworker.exe with some updates (Mitre T1562)
Here is how to get the info which file is for what KB from WSUS-Server:
Search the file in your WSUSCONTENT folder
UN-7ZIP the cab file
For most Monthly patch day packages you also often need SSU (Servicing Stack Update). In most patches this is included. So you have several CAB files as seen above. Install the SSU first.
Servicing Stack Updates (SSU): Frequently Asked Questions (microsoft.com)
Install 1 the SSU.
dism /Online /Add-Package /PackagePath:”c:\drivers\SSU-19041.1220-x64.cab.cab”
Install 2 patch itself:
dism /Online /Add-Package /PackagePath:”c:\drivers\Windows10.0-KB5005565-x64.cab”
Keep an EYE on complex Antivirus with IPS Modules that do more than pattern scanning.
We have seen some Exploit IPS rules from Mcafee ENS 10.X which are ON by default but should be on to protect from Ransomware. It is good to keep an eye on those rules. Please carefully read the FULL alert in your ENS. Most of the times it says “WOULD BLOCK” if the EPO Admin did activate some rules in monitor mode (To Test new rules).
Exploit Rule 6133, change EPO side in ENS Policy