If the file does not changed the digest value should be also not changed. I think you also changed the 26100.1 files with new 28001.1 files and updated digest values? It is so much work to do. I was planning to keep 26100.1 files at the end it will update files to newer ones. Does your package updateable? You have missing files and folders for EnterpriseS package but you keep all mums and manifest so it should be updateable i hope. I keep taking cyrpt_not_found errors. What i understand it complains about some catalog files missing hash values of some manifests. I will try to use another way then signcheck and export all mum packes to different folders and look for which files it copied. Will be more easy way for me i hope.
The security catalog of Microsoft-Windows-EnterpriseSEdition~31bf3856ad364e35~amd64~~10.0.xxxxx.1.cat only contains Windows-EnterpriseSEdition~31bf3856ad364e35~amd64~~10.0.28000.1.mum sha256 Its sizes are different, which is related to the size of the certificate.
Although I used 26100.1 Enterprise S as the base, many still use 28001.1 files, except for what 28001.1 doesn't have. For example: Microsoft-Windows-Editions-EnterpriseS Microsoft-Windows-Security-SPP-Component-SKU-csvlk-pack-License Microsoft-Windows-Security-SPP-Component-Legacy-Licenses Microsoft-Windows-Security-SPP-Pkeyconfig Interestingly, Microsoft-Windows-Editions-EnterpriseS works better with a slightly modified name of 28001.1. Spoiler These are all 28001 files. Add an 'S' to the corresponding name. Using 26100 will cause a get-targeteditions error.
Actually, there is a simple method. For example, all the files under Windows\System32\spp\tokens, if you haven't modified the files, there’s no need to add them to a secure directory. The digest value is calculated using the file's SHA256; as long as the digest value is correct, the installation will have no issues.
What about ppdlic.xrm-ms? e.g. [19041.1 EnterpriseG-ppdlic.xrm-ms] from zh-CN;en-US Code: <sl:policyStr attributes="reboot-required, override-only" name="Kernel-MUI-Language-Allowed">zh-CN;en-US</sl:policyStr> to EMPTY Code: <sl:policyStr attributes="reboot-required, override-only" name="Kernel-MUI-Language-Allowed">EMPTY</sl:policyStr> [19041.6575 core-ppdlic.xrm-ms] from 1 Code: <sl:policyInt attributes="override-only" name="Win10-ClipESU-Enabled">1</sl:policyInt> to 0 Code: <sl:policyInt attributes="override-only" name="Win10-ClipESU-Enabled">0</sl:policyInt>
[28000.4 Enterprise arm64 en-US] Code: Deployment Image Servicing and Management tool Version: 10.0.19041.844 Image Version: 10.0.28000.4 Processing 1 of 1 - Adding package Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~arm64~en-US~10.0.28000.4 [==========================100.0%==========================] The operation completed successfully. Code: Deployment Image Servicing and Management tool Version: 10.0.19041.844 Image Version: 10.0.28000.4 Current edition is: Current Edition : Enterprise The operation completed successfully.
It is controlled by Product policy. So I use 19041.5131-Last-CU-without-ESU License. e.g. Microsoft-Windows-Security-SPP-Component-SKU-Professional-License-Package~31bf3856ad364e35~amd64~~10.0.19041.5072. ---> Microsoft-Windows-Security-SPP-Component-SKU-Professional-License-Package~31bf3856ad364e35~amd64~~10.0.19041.6456.mum Code: <?xml version="1.0" encoding="utf-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0" copyright="Copyright (c) Microsoft Corporation. All Rights Reserved."> <assemblyIdentity name="Microsoft-Windows-Security-SPP-Component-SKU-Professional-License-Package" version="10.0.19041.6456" processorArchitecture="amd64" language="neutral" buildType="release" publicKeyToken="31bf3856ad364e35" versionScope="nonSxS" /> <package identifier="Microsoft-Windows-Security-SPP-Component-SKU-Professional-License-Package" releaseType="Feature Pack"> <update name="Microsoft-Windows-Security-SPP-Component-SKU-Professional-License-Deployment"> <component> <assemblyIdentity name="Microsoft-Windows-Security-SPP-Component-SKU-Professional-License-Deployment" version="10.0.19041.6456" processorArchitecture="amd64" language="neutral" buildType="release" publicKeyToken="31bf3856ad364e35" versionScope="nonSxS" /> </component> </update> </package> </assembly> ---> Code: <component> <assemblyIdentity name="Microsoft-Windows-Security-SPP-Component-SKU-Professional-License-Deployment" version="10.0.19041.5072" processorArchitecture="amd64" language="neutral" buildType="release" publicKeyToken="31bf3856ad364e35" versionScope="nonSxS" /> </component> The modified CUs have to be installed ONLine.
I'm managing to use modded ssu to skip this advanced installer check ExtentedSecurityUpdatesAI.dll: NTSTATUS Windows::WCP::ExtendedSecurityUpdatesAI::ExtendedSecurityUpdates::Install( CLicenseCheck **this, DWORD a2, struct IStore *a3, struct ICSIInstallerServices *a4, const struct _CSI_INSTALLER_COMPONENT_INFO *a5, const struct _CSI_INSTALLER_COMPONENT_INFO *a6, unsigned int a7, int *a8) { *a8 = 1; return 0; }