• Deploying Microsoft security updates
  • Structure of the Security Update DVD images
  • Security updates strategy
  • Back up your Component Database
  • Procedure for restoring the SQL database and repositories
  • Procedure for removing an update package using Database Manager
  • Obtaining, Installing and Managing Component Updates
  • Microsoft support policy
  • Licensing considerations
  • Microsoft Windows Embedded Standard 2009 Developer Resource Kit: Componentizing Windows XP Professional for embedded systems developers




    Date: 26.12.2019

    Delivery methods


    Delivery refers to how updates reach a device. Delivery strategies include pull methods, in which a device initiates the update process by requesting an update, and push methods, in which a server initiates the update process by delivering an update to a device. Regardless of the method you choose, you can use both Microsoft and non-Microsoft solutions to put it in place. Typically, you must build support for both delivery and implementation into your devices before you deploy them.

    The following table lists various update delivery methods available:



    | Update delivery method | Summary |
    |---|---|
    | Network – Device Update Agent (DUA) Push | DUA is included with Microsoft Standard 2009. You typically copy an update package (*.DUP) to the target device using a network share connection. DUA then senses the arrival of this file, processes it, and then deletes it. |
    | Network – DUA Pull | DUA looks for the presence of an update package on a server. When it appears, it processes it. |
    | Network – file share | You develop software that uses a network share connection between a target device and your device update server, in order to update the target device. |
    | Network – other | Other network-based mechanisms include Remote Procedure Calls (RPC), Telnet, WSUS, SCCM, Remote Registry, Remote Systems Management, etc. |
    | Removable storage media – Diskette | If the update is small enough (<1.44 MB) you can use diskette media. |
    | Removable storage media – CDROM | This 650+ MB media can be used to deploy entire image updates, or incremental updates. |
    | Removable storage media – Compact Flash | Compact Flash is commonly used in Standard 2009 devices as the primary boot device (when used with EWF). The easiest way to update these devices is to simply replace the media with an update. |
    | Removable storage media – USB or other | This could include USB Disk on Key or similar convenient removable storage media. The USB Boot option is now available so you can create a servicing image that boots via USB and then updates the fixed disk in the device via automated script. |
    | Manual instructions (a documented procedure) | This is perhaps the most expensive update option as it requires manual (human) activity to deploy updates. |

    Deploying Microsoft security updates


    As an OEM developer, part of your device image servicing plan includes keeping your Standard 2009 target devices current with the latest software updates, obtainable from Microsoft, device manufacturers, your own company and third-party companies.

    Where to get updates


    The OEM obtains the latest updates via an OEM Secure web site. Obtain access to this site through Microsoft Authorized Embedded Distributors.

    Structure of the Security Update DVD images


    Beginning with the December 2008 security updates, you will see a change to the disk structure. At the top level, there will be a directory for each product line. Within that top-level directory will be a sub-directory structure for each of that product’s versions currently in support. Here are the relevant folder paths for the component database updates:

    \WindowsEmbeddedStandard
        \Windows
        \WindowsEmbeddedStandard09
        \WindowsEmbeddedStandard09_IE7WMP11
    \WindowsXPEmbedded
        \Windows
        \WindowsXPEmbedded_FP2007
        \WindowsXPEmbedded_SP2
        \WindowsXPEmbedded_SP3
        \WindowsXPEmbedded_SP3IE7WMP11
        \WindowsXPEmbedded_UPR1

    Notice that there are two update directories included for the Windows Embedded Standard 2009 and Windows XP Embedded Service Pack 3 products. If you are working with Internet Explorer 6 and Windows Media Player 10, you only need to install the core package, found in the \WindowsEmbeddedStandard09 folder for Standard 2009 or the WindowsXPEmbedded_SP3 folder for XPe Service Pack 3. If you are working with Internet Explorer 7 and Windows Media Player 11, in addition to installing that core package, you also need to install the package with the IE7 and WMP11 updates. This package is found in the WindowsEmbeddedStandard09_IE7WMP11 folder for Standard 2009 or the WindowsXPEmbedded_SP3IE7WMP11 folder for XPe Service Pack 3.

    The December 2008 component database updates for Standard 2009 and for SP3 include all security updates released since those products stopped taking code changes in their development cycle, so you will see a larger than usual list of included updates for those products in the December 2008 release.

    Security updates strategy


    Microsoft periodically issues minor releases. Each minor release after the original product release is called a Service Pack. Service packs bundle feature updates as well as security updates that were previously released.

    Software updates can occur in between Service Packs. For Standard 2009, only the updates related to security are supplied by Microsoft for updates to your component database. You obtain these updates from the OEM secure web site. The updates are cumulative; therefore, you only need to obtain the very latest update package and then execute that package on the computer that contains your component database.

    Typically, when Microsoft deploys a new Service Pack, all the updates that were released during the prior release are rolled up into the new release.

    Here is a brief history of Windows XP Embedded releases:


    1. The original major release of Windows XP Embedded, released in November 2001, is also referred to as the “Gold” release.

    2. Windows XP Embedded Service Pack 1 (SP1) was released in the fall of 2002.

    3. Windows XP Embedded Service Pack 2 (SP2) was released in December 2004.

    4. Windows XP Embedded Feature Pack 2007 was released in October 2006.

    5. Windows XP Embedded Update Rollup 1.0 was released in May 2007.

    6. Windows Embedded Standard 2009 was released in January 2009.

    For the purposes of this document, each of the following is considered to be an “update”:

    • a hotfix. A single cumulative package composed of one or more files used to address a problem in a product. Hotfixes address a specific customer situation and may not be distributed outside the customer organization. The terms QFE, patch, and update have been used in the past as synonyms for hotfix.

    • a security update (or security bulletin). A broadly released fix for a product-specific, security-related vulnerability. Security vulnerabilities are rated based on their severity, which is indicated in the Microsoft security bulletin as critical, important, moderate, or low.

    • an update rollup. A tested, cumulative set of hotfixes, security updates, critical updates, and updates packaged together for easy deployment. A rollup frequently targets a specific area, such as security, or component of a product, such as Microsoft Internet Information Services (IIS).

    Two types of security vulnerabilities that are addressed by updates are bugs in your operating system and bugs in your applications. Bugs in the Standard 2009 operating system can potentially compromise the security of your devices and their data.

    Microsoft recognizes different levels of security updates for its operating systems. For more information about these levels, see the "Microsoft Security Response Center Security Bulletin Severity Rating System" on the Microsoft TechNet Web site by clicking on this link:



    Microsoft Security Response Center Security Bulletin Severity Rating System (Revised, November 2002)

    Note that some operating system updates released by Microsoft might include new functionality that is required for your devices to work correctly, but have no security impact. You must also fix bugs in the applications that run on your embedded devices, for security reasons. Like operating system updates, application updates can range from those that address simple "fit and finish" bugs, to more serious functionality bugs, or critical security bugs that require your immediate attention. Application updates can also consist of upgrades that offer new features.

    The OEM Secure web site provides monthly CD images containing the desired updates. Click on the Download Center link to locate these.

    There are two distinct types of update mechanisms:



    Updating the Component Database

    Use this technique when you wish to rebuild an existing Standard 2009 design image (SLX) that incorporates the latest updates. To update already-deployed devices you will need to replace the entire image in the deployed device.



    1. In the Windows folder of the monthly CD image, you will find update installer programs that you run in your development system containing your Windows Embedded Database. Running the installer will result in updating your Component Database.

    2. Start Target Designer and load your design.

    3. Any components in your design that require updating will have a modified icon that looks like a blue dot with an upward-pointing arrow inside it.

    4. From the menu, choose Configuration->Upgrade Configuration.

    5. Run dependency checker, fix any issues, and build your new image, run FBA, etc.

    Updating Standard 2009 runtime images after they have been deployed

    Use this technique to update devices that are already deployed in the field.



    1. In the DQI folder of the monthly CD image you will find "Desktop QFE Installer" runtime updates. In most cases these are the same runtime updates that are available for updating the desktop XP Professional operating system.

    2. Create a deployment mechanism that packages these updates (executable installer packages) and causes them to execute in the desired target devices. This mechanism could be a script or batch file.

    In order to execute XP Professional hot fixes within a Windows XP Embedded system, you must first verify that the components listed below are included in the Windows XP Embedded image; add them if necessary. These are all the components contained in KB 824706. These components are necessary to ensure that the Windows XP Professional hot fixes execute correctly in the Windows XP Embedded environment. Note: in order to obtain full component visibility, set Component Visibility to 200 in the Tools/Options/Advanced dialog box in Target Designer.

    • Cryptographic Network Services

    • Cryptographic Service Providers

    • Administration Support Tools (this component is needed to confirm Crypto service is running)

    • Common Control Libraries Version 6 [1.0.10.0]

    • Microsoft Visual C++ Run Time

    • Primitive: Crypt32

    • Primitive: Mpr

    • Primitive: Ntdll

    • Primitive: Ole32

    • Primitive: Oleaut32

    • Primitive: Psapi

    • Primitive: Setupapi

    • Primitive: Shell32

    • Primitive: Userenv

    • Primitive: Version

    • Primitive: Winspool

    • RPC Local Support

    • Win32 API - Advanced

    • Win32 API - GDI

    • Win32 API - Kernel

    • Win32 API - User

    Warning: When deploying hot fixes in this way, you must ensure that the intended target component(s) of each hot fix are also completely included in the runtime image. Since an XP Embedded image contains a subset of the components that constitute the Windows XP desktop operating system, it is possible that a Windows XP Desktop Update may contain file updates for files that are not already present in your XPE runtime image. In this case, you might not get the updated version because some Updates will only copy files that pre-exist on the target.
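    One way to build the script or batch file mentioned in step 2, shown as an added example that is not part of the Resource Kit. It assumes the DQI installers are staged in an "updates" folder beside the script, that they accept the standard XP hotfix switches /quiet and /norestart, and that sc.exe and find.exe are present in the image.

```batch
@echo off
rem Added example, not from the Resource Kit: installs every staged DQI update
rem unattended and records the exit code of each installer.
rem Assumptions: installers sit in an "updates" folder beside this script and
rem accept the standard XP hotfix switches /quiet and /norestart.
setlocal enabledelayedexpansion
set "UPDATE_DIR=%~dp0updates"
set "LOG=%~dp0update.log"
set REBOOT=0
set FAILED=0

rem The hotfix installers depend on Cryptographic Services (see the component
rem list above). sc.exe ships in the Administration Support Tools component.
sc query CryptSvc | find "RUNNING" >nul
if errorlevel 1 (
  >>"%LOG%" echo !date! !time! CryptSvc is not running, nothing installed
  exit /b 2
)
if not exist "%UPDATE_DIR%\*.exe" (
  >>"%LOG%" echo !date! !time! no installers found in "%UPDATE_DIR%"
  exit /b 3
)

for %%F in ("%UPDATE_DIR%\*.exe") do (
  "%%~fF" /quiet /norestart
  set RC=!errorlevel!
  >>"%LOG%" echo !date! !time! %%~nxF exit code !RC!
  rem 3010 = installed, restart needed to finish; any other non-zero code failed
  if !RC! EQU 3010 (
    set REBOOT=1
  ) else if !RC! NEQ 0 (
    set FAILED=1
  )
)

if %FAILED%==1 (
  >>"%LOG%" echo !date! !time! at least one update failed
  exit /b 1
)
rem Leave the restart decision to the caller: 3010 means "restart to finish".
if %REBOOT%==1 exit /b 3010
exit /b 0
```

    An exit code of 0 or 3010 only means each installer reported success. As the warning above explains, an installer can still skip files that were never in the runtime image, so check the resulting file versions on a test device before rolling the package out.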

    Regardless of where you get updates, installing them on your devices running Microsoft Standard 2009 in a uniform and scalable manner is becoming increasingly important to your success as an OEM. A solid servicing strategy is a kind of preventive medicine because it saves you a significant amount of time and money that you would otherwise spend to react to a security compromise. This document provides general guidelines on how to create a servicing strategy. Note that these concepts do not pertain to all devices.


    Back up your Component Database


    Before updating your Component Database, you should perform a backup, so you can revert to a previous version in the event that your device tests fail after applying updates.

    Procedure for backing up the SQL database and repositories


    1. Stop the SQL Server by right-clicking on the SQL Server icon in the task bar, and choosing the Stop function.

    2. Browse to the Windows Embedded Data folder.

    3. Copy the following files to a backup folder: MantisSQLDB_Data.MDF, and MantisSQLDB_log.LDF.

    4. Copy the Windows Embedded Data\Repositories folder (and all its contents) to a backup folder.

    5. Restart the SQL Server by right-clicking on the SQL Server icon in the task bar, and choosing the Start function.
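    The five backup steps above as a batch file, added here as an example and not part of the Resource Kit. The service name MSSQLSERVER and the C:\Windows Embedded Data location are assumptions; the script also compares each copied database file with its original and refuses to overwrite an earlier backup.

```batch
@echo off
rem Added example, not part of the Resource Kit.
rem Assumptions: the SQL Server service is named MSSQLSERVER and the database
rem lives in C:\Windows Embedded Data. Change SVC and DATA to match your system.
setlocal
set "SVC=MSSQLSERVER"
set "DATA=C:\Windows Embedded Data"
set "DEST=%~1"
set RC=0

if "%DEST%"=="" (
  echo Usage: %~nx0 backup-folder
  exit /b 1
)
rem Never overwrite an earlier backup: it may be the only good copy.
if exist "%DEST%" (
  echo "%DEST%" already exists, choose a new folder.
  exit /b 1
)

rem Step 1: the database files are only consistent while the service is stopped.
net stop %SVC%
if errorlevel 1 (
  echo net stop %SVC% failed, nothing was copied.
  exit /b 2
)

rem Steps 2-3: copy both database files, then compare each copy byte for byte.
mkdir "%DEST%"
for %%F in (MantisSQLDB_Data.MDF MantisSQLDB_log.LDF) do (
  copy /b "%DATA%\%%F" "%DEST%\%%F" >nul || set RC=3
  fc /b "%DATA%\%%F" "%DEST%\%%F" >nul || set RC=3
)

rem Step 4: copy the repositories folder with all subfolders and attributes.
xcopy "%DATA%\Repositories" "%DEST%\Repositories" /E /I /H /K /Q >nul || set RC=3

rem Step 5: restart the service whether or not the copy succeeded.
net start %SVC%
if errorlevel 1 set RC=4

if not %RC%==0 echo Backup incomplete, code %RC%. Do not rely on "%DEST%".
exit /b %RC%
```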

    Procedure for restoring the SQL database and repositories


    1. Stop the SQL Server by right-clicking on the SQL Server icon in the task bar, and choosing the Stop function.

    2. Copy the following files from your backup folder to the Windows Embedded Data folder: MantisSQLDB_Data.MDF and MantisSQLDB_log.LDF.

    3. Copy the repository files from your backup repository folder to the Windows Embedded Data\Repositories folder.

    4. Restart the SQL Server by right-clicking on the SQL Server icon in the task bar, and choosing the Start function.

    Another way to restore the SQL database is to remove an update package using Database Manager. However, if the database is corrupted, Database Manager may be unable to perform this function. This is why it is important to use the above file backup procedure as a safety measure.

    See Also: Working with SQL Server to Manage your Windows Embedded Standard Database


    Procedure for removing an update package using Database Manager


    1. Close all tools in all computers that access the component database, such as Target Designer and Component Designer. This is necessary because in order to delete a package you must run Component Database Manager in exclusive mode.

    2. Run Component Database Manager, found in Microsoft Windows Embedded Studio.

    3. Click on the Package tab.

    4. Within the Available packages window, click on a package that you wish to remove.

    5. Click on the Delete Package button.

    6. Repeat steps 4 and 5 until you have deleted all the packages of interest.



    Obtaining, Installing and Managing Component Updates


    It is important to make sure that your Standard 2009 component database is maintained, keeping it completely up-to-date with the latest SP2 (and newer) security update rollups. Click on the following link for more information:

    Deploying Microsoft security updates

    This chapter describes how to update your component database. After you update your component database, you must perform the following to update your designs:



    1. Open your Standard 2009 image configuration (design) using Target Designer.

    2. Choose Configuration->Upgrade Configuration to force Target Designer to update your image to use the latest updates.

    3. Run Configuration->Check Dependencies to ensure that any new dependencies get added to the design.

    4. Rebuild your image.

    The above should certainly be done towards the end of your Standard 2009 runtime image development cycle, just before you run a complete functional test pass.

    Microsoft support policy


    Microsoft Corporation’s support policy is such that we typically only fully support versions of products for 12 months after subsequent SP releases.

    This means for example we officially stopped supporting XPe RTM in the Fall of 2003, 12 months after the availability of SP1.

    This holds true whether the customer has paid for extended/custom support or not.

    Therefore, you should plan to deploy upgrades as they arrive, and then deploy updates until the next upgrade arrives.

    It is important that you install and use the latest version of Standard 2009, in order to maximize the image lifecycle support offered by Microsoft.

    For information about product lifecycle support, visit the following Microsoft Web site:



    Microsoft Support Lifecycle

    Licensing considerations


    Standard 2009 cannot be used on a PC as an XP Pro replacement. To be clearer, Standard 2009 can only be licensed to run line-of-business applications on fixed function devices.  We do however have it written in our licensing that you can have an unlimited number of applications running locally, if the line-of-business application requires them locally.  For example, a device that has a retail management application may have a local spreadsheet for the store manager to create daily reports.  Running Microsoft Office is usually outside the scope of this definition, as most customers cannot technically justify running Office locally. 

