Before IE 11, the update process was very simple. You simply download a new installation file and run the installation process. Then you just needed to restart the computer and that’s it.
However, the Internet Explorer 11 (or IE11 in short) requires some other updates as its own prerequisites. If you just try to download and run a basic installation file, it will ask you to download other necessary updates. Many Windows 7 SP1 users knows this already.
This is fine if you are a desktop user. However, if you want to update the server platform, then this can be a problem. Many servers are isolated from the Internet and some of them even from the rest of the internal network.
The new version of our application requires the advanced features and an enhanced security from the IE11. What can we do? There is a procedure for updating IE11 on the Windows Server 2008 R2 SP1 platform, even when the server is isolated from the Internet.
We can do this one of two ways. The first one is simpler and more manual. The second one requires more preparation, but we will have a fully automated process by the end. The benefit of the second process is that we can also prepare everything for an integration of the IE11 in the installation image. However, I will explain this integration process in another post.
The ingredients for our recipe
For today’s trick we need some files. We do not need to search too much. The Microsoft kindly listed all prerequisites for the IE11 installation on their support page. There we can find the list of 6 mandatory and 3 optional, yet highly recommended, updates.
Moreover, we can include the Windows Updates service patch here, although it’s not mandatory. We can perform this whole process without it. You can apply either just the Windows update service or to install the whole Rollup Update (a mini update pack), following the procedures described in the appropriate posts.
We can obtain those 9 updates either from the Microsoft Update site, following the links to download the files, or we can acquire them using some offline updating solution. We must choose appropriate update for our platform. The Windows Server 2008 R2 SP1 is the 64-bit platform. That means that updates for the Windows 7 SP1 x64 will also fit the Window Server 2008 R2 SP1, if there is no special version of the update file. In most cases they are a same.
We can see on this picture all necessary files for this process. I renamed all .msu files from their long name, like Windows6.1-KBnnnnnnn-x64.msu to shorter name with the KB number only. Furthermore, I renamed the cumulative critical security update for the IE11. It’s easier to track all those files here. This is not mandatory.
However, renaming the files can help for writing short installation script and to execute the files in the proper order. For instance, there is no sense to trying to install IE11 cumulative security update before the installation of IE11.
I made the folder IE11_cab manually and I used it to extract the contents of the IE11 installation file. We should do this executing following command from the command prompt:
In this command A_path_to_the_folder is the full path to the folder where we want to extract files from the installation archive, like c:\temp\ie11_cab. When you extract this installation package, you will see these files inside.
The most important file is the IE-Win7.CAB. This one contains the core Internet Explorer 11 files.
We can see also that there are two .msu files. They contains the spellchecker for the US English language. You can download from the Microsoft site and later install the language support files for any other language. You can download those language packs separately for any language you need.
The manual way and the batch file magic
We are ready to install the IE11 manually. We can execute one by one KBnnnnnn.msu file, then IE11 setup file (the one named as IE11-Windows6.1-x64-en-us.exe) and eventually to execute the critical cumulative security update for the IE11 (file named as IE_Cumulative_Security_Update_x64.msu). In this example I didn’t use any other language pack, as in most cases the servers stayed on the English US settings, as required by the application software vendors.
I made a short batch script for this purpose:
@echo off cls set InstDir=%~dp0 set IETempDir=%InstDir%\IE11_cab for %%i in (%InstDir%\KB*.msu) do ( echo Now installing %%i... "%%i" /quiet /norestart ) echo Now installing IE11... dism.exe /online /add-package /packagepath:"%IETempDir%\ie-win7.cab" /norestart echo Now installing IE11 Spelling package... "%IETempDir%\IE-Spelling-en.MSU" /quiet /norestart echo Now installing IE11 Hyphenation package... "%IETempDir%\IE-Hyphenation-en.MSU" /quiet /norestart echo Now installing IE11 Cumulative Security update... %InstDir%\IE_Cumulative_Security_Update_x86.msu /quiet /promptrestart
Let we now discuss the commands that we will execute here. Sure, if you are doing this only once, you will not waste time writing the script. However, when you need to update more than one machine, the script is very useful.
First, we will setup our working directory. We can extract this part with the prefix ~dp before the batch variable containing the filename. In this case we will refer to the variable %0.
If you ever worked with the batch files, you know that you can pass some parameters behind its name. Those parameters will be later used as %1, %2, etc. So, how we can use the variable with the index of zero?
Now, here is one more trick. Whenever you execute any program or the batch script, the parameter passed with the index 0 is the full path to that file. Then all the other parameters that you may added behind the name of the program are passed to the program.
So, our modification will extract the drive letter (~d) and the full path without the drive letter (~p). As those modifiers can be combined together, therefore we will have ~dp as the modifier. We should insert that modifier between the percent sign and the variable name. Eventually, we have %~dp0.
We will assign that to the batch variable InstDir. As we extracted the IE11 files in the subfolder IE11_cab, it will be in the directory inside the InstDir folder. Therefore, we will declare a new variable IETempDir as the new path consist of concatenated values of the main folder InstDIr and the name of the subfolder (\IE11_cab).
I found that this is necessary as we can’t properly execute all other files. If you just run the batch file, it will have the working directory placed inside the System32 folder. As there are no our files to execute, it will throw out errors.
I assume that many of you will prepare this update folder on the USB flash disk (a.k.a a pen drive) with the assigned drive letter F. Now we assume that the folder is named IE11 update. When you run the batch file, variable InstDir will have the calculated value of F:\IE11 updates and the IETempDir will have the value F:\IE11 Updates\IE11_cab.
As you can see, we have the space character (or the blank character) in the folder name. That’s the reason why we need to put apostrophes later in batch file around the names of the files we want to execute. If you omit to do this, the batch execution will fail.
We need to execute all those .msu files that are prerequisites. We can type their names here one by one, but that does not make a sense. It’s a time for more powerful tricks in the batch file. We will use the FOR command and the loop. Our command is this one:
for %%i in (%InstDir%\KB*.msu) do ( echo Now installing %%i... "%%i" /quiet /norestart )
The variables in the FOR loops have double percent sign. We want with the command for %%i in (%InstDir%\KB*.msu) do to find all files that begins with KB and have extension of MSU. When we find any, we will process the commands in the parenthesis. First we will print the line with the file name and then we will run this file with parameters /quiet /norestart.
We need to use the full path only when we need to search for the files. When we find the file, the variable %%i will contain the full path and the filename as its value. Therefore, we do not need to add the path in the third line. If you omit the path in the first line of the loop and try to run this batch file from the command line, it will fail. The FOR loop will search in the working directory which is C:\Windows\System32.
The first parameter will suppress any prompts on the screen and the second will block the system restart after installation of the update. We need to install all updates and IE11 itself before restarting.
All MSU files can be executed directly calling their name. That run the tool named WUSA or Window Update Standalone Installer. However, if we try to run the cab file there will be a problem, as we cannot to do that.
The cab file is the Microsoft Cabinet file or a kind of archive. The Windows Explorer will open it as archive.
We need a new mighty trick here. This trick is named the DISM or the Deployment Image Servicing and Management tool.
You probably know about this tool. It’s widely used in the installation scripts for the applications to automatically enable necessary features. Moreover, if you ever needed to administer the Windows Server 2008 Core edition or the Hyper-V server, then the DISM is one of the tools which you rely on. You can use this tool on every Windows platform from the Windows 7/2008 upward.
However, the DISM tool is not here just to enable or disable some feature. You can do even more. The DISM can work with both online or image of the Windows platform. That means that we can do something either on the running platform or we can change an installation image.
The installation image is a file with the extension .wim. There are at least two such images on the installation disk (actually the DVD disk). The first is the boot.wim and the second is the install.wim. You need to change the second one, as this one will install the Windows platform on the PC. However, this is a huge topic. Therefore, we will talk about it in more detail in the another post.
You can find all possible commands and the options of the DISM tool at the command line. You can type dism /? And you will see all those options. However, we need to do something specific here; we want to install the update in the running platform on this PC. Therefore, we will call the DISM tool with this command line:
dism.exe /online /add-package /packagepath:"%IETempDir%\ie-win7.cab" /norestart
The switch /online tells the DISM tool that we will be working with the current running Windows platform. We want to add a package to that platform. An update is a kind of the package. Therefore, we will use the switch /add-package. We need to point the DISM to the package and we need to use the full path to the file.
Bear in mind that our installation of IE11 is unpacked in the subfolder named IE11_cab. We need to call an essential package here and it’s the ie-win7.cab.
As we do not want to restart the computer immediately after the installation of this update, we will use the option /norestart to indicate this to the Windows update service. If we omit this switch later updates will be interrupted and break the sequence.
The rest of the installation sequence is very straight forward. We need to install the language packs. Although the language packs are not necessary, it’s recommended to install them. Those language packs are used by IE11 (and some other applications that rely on the IE core files) to provide spellchecking. If you do not need them, you can skip that part.
Eventually, we need to install the latest cumulative critical security update for IE11. You must install it to preserve the highest possible level of the security. If you are applying this installation to a Windows 7 SP1 platform, then you will be exposed to the Internet threats and the attacks. When you are updating your Windows Server, it’s as likely that you will expose it to the wide wild world of the Internet. However, we should avoid any chance that our Server platform could be compromised.
In the last step we are changing the /norestart parameter to /promptrestart. I never force an automatic restart of the computer. However, we should immediately offer (to the user) the option to restart, as we need to do so.
Running the update script
We want to update one Windows 7 SP1 machine after installation. It will be the same on the Windows Server 2008 R2 SP1 platform. In this demonstration I worked from the C: drive. As our script uses the file paths it can be run from any drive and any path.
You must run this script with the run as administrator privileges otherwise you cannot access the operating system files and, consequently, you cannot install any updates. It doesn’t matter whether you run the updates from the graphical interface or from the command line, you must run them under the elevated administrator privileges. You have been warned.
In case we are using the command line interface, we should run it as administrator and we should change the directory to the one containing our installation files.
Now we will run the installation script. It’s designed to hide a lot of the messages and to write on the screen only the current step in the process.
After the last step we should restart the computer. Our script is written that way and the last update will prompt for the system restart. It’s highly recommended to do so now. However, if this is the server, then we must wait until maintenance hours. Therefore, it is the best to perform this operation during that time.
During the restart, the Windows Update service will update the necessary files and after the restart we will have IE11 installed on our computer.
As I already mentioned, this script will also update the Windows Update service. It’s recommended that we update this service before we install IE11. However, even if we skip this step, IE11 will be installed on our computer. Moreover, if the cumulative critical security update is not the latest one, you can always update it later either through the Windows updates or manually.
The second way
Although these scripts work, I searched for another way and I was guided by the idea of using only the DISM command. If I can make such a script, then I can later change it and make the offline integration script. After that, all I need is to update the install.wim file once and to have this update for all further installations.
I investigate over the Internet and I found that the msu files are kind of archives. We can open them either with 7-zip or using the internal Windows tool expand.exe.
The expand tool is older and well known to seasoned Windows administrators. It can decompress installation files. Now it can also handle the msu installation files. Syntax is very simple:
expand KBnnnnnn.msu –f:* path_to_the_folder
We can see that on this screenshot:
We used the command parameter –f:* and we indicated that we want to expand (extract) all the files from the archive. In our example there are four files. We can see their names on the screenshot.
If you analyze this screenshot, you can see that the first file is the cab file with the same KB number in the name. We actually need that one file for further steps.
We can even use the wildcards in the name of the source file. Therefore, we can expand all msu files at once. We just need to use KB.msu or .msu as the name of the source file.
If we check our destination folder we can see that there are loads of files in there.
In this case we have 9 prerequisite updates for IE11, one optional update for the Windows Update service, IE11 itself, two language updates from the IE11 package and the IE11 cumulative update pack. That’s some 14 packages in total. If every package has 4 files that will be almost 50 files in one folder.
All those files have specific functions. That sparked an idea; I can make the folders as per their function group. That means that we will have a folder for: the prerequisites, IE, the language pack, the security update, etc.
I made those subfolders. Now I will extract the files in their different folders. It doesn’t matter how you will do this.
I must warn you before you process the language packs. All language packs have the same KB number and all will expand to the same cab file. Therefore, you must expand them in separate folders or one by one and then rename them to reflect the appropriate language pack. Another warning for you.
If you do not need any language pack other than US English, all you need to do is to expand two msu files from the IE11_cab folder, named IE-Hyphenation-en.msu and IE-Spelling-en.msu. We will expand them to the LangPack folder. We only need to keep the cab files there.
The second version of the installation script
We also need the new, updated version of the installation script. We will now utilize only the dism command. Moreover, we will keep the updates in separate folders. All of which will be reflected in the new version of the script.
@echo off cls set InstDir=%~dp0 set PrereqDir=%InstDir%Prereq set LangPackDir=%InstDir%LangPack set IEInstDir=%InstDir%IE11 set UpdateDir=%InstDir%Update for %%i in (%PrereqDir%\*.cab) do ( echo. echo Now installing prerequisite: %%~ni... dism.exe /online /add-package /packagepath:"%%i" /norestart ) echo. echo Now installing IE11... dism.exe /online /add-package /packagepath:"%IEInstDir%\ie-win7.cab" /norestart for %%i in (%LangPackDir%\*.cab) do ( echo. echo Now installing language pack: %%~ni... dism.exe /online /add-package /packagepath:"%%i" /norestart ) echo. echo Now installing IE11 Cumulative Security update... dism.exe /online /add-package /packagepath:"%UpdateDir%\IE11-Windows6.1-KB3175443-x64.cab"
As you can see, this script has a similar structure to the first one. We need to specify 4 folders with the files. All those folders are subfolders to the main installation folder.
Well, the new version of the script should have some improvements, right? I added two more tricks here. The first one is related to the output. I inserted the echo. command to enable the blank line between two command outputs. This dot is not a mistake. If you put dot immediately behind the echo command you will have one empty line on the screen!
The second trick is again related to output and about manipulation of the parameter. We used the ~dp command modifier to extract the full path to our installation folder. I told you that the %%i variable will hold the full path to the file found in the FOR loop.
Now, we will use the command modifier ~n to extract only the filename, without the drive, path or the extension. This trick will shorten the line that needs to be output on the screen and also make it easier for us to read this output. You can apply this trick also to the first script if you want.
The difference between executing an msu file and the cab file is that DISM command doesn’t support the option /promptrestart. Therefore the last line doesn’t have any parameter.
Running the second script
We must run the update script in the same way – with the run as administrator option. The script will begin to work and the output is slightly different.
We should wait a while for the script to finish. It will install same update in the same order as the first script. However, the advantage to this script is that we’re one step closer to the integration of those updates on to the installation image.
When all updates finish, the DISM will sense that the system should be restarted in order to complete the update process, so It will offer to restart system immediately respond with Y on the command prompt.
We should restart the computer now, except that we just updated the server in production. Then we should wait the maintenance hours.
We successfully installed the IE11
After the reboot we should check the version of IE11. As we can see, we have version 11 of IE11 that we wanted.
We can now install other updates or leave the system as is. In the event that we want to update a newly installed Windows computer or the offline Windows Server, we should perform the update of IE11 before installing other updates. We should conduct this procedure before using the Autopatcher for the offline updating.
We have learnt many tricks in this post. Modern IT is far from simple, but it is still possible to make it easy with a couple of tricks up your sleeve.
I demonstrated how to write the batch script that can adapt itself in the runtime. I also demonstrate the variable modifiers in the command line (~d, ~p and ~n) and controlling the output with the command “echo.”.
In my opinion, the most powerful trick is the control of the dism command and its utilization. This is a powerful tool that can help us handle lots of important aspects of any Windows system. Moreover, we unlocked its potentials and now we can investigate the process of updating the installation package.