
Secure A Clean Installation Of Windows 11


For: Windows 11

Last Reviewed/Updated: 16 Mar 2026 | Published: 14 Jan 2004 | Status: Active

  1.  Introduction
    1.1.  Windows Vulnerabilities And Worms
    1.2.  Windows 11 Servicing Model: Cumulative Updates
    1.3.  Windows 11 Servicing Stack Updates
    1.4.  Overview: How To Secure A Clean Installation Of Windows 11
  2.  Files To Download And Copy To CD/DVD Before Performing The Clean Installation Of Windows 11
  3.  Secure A Clean Installation Of Windows 11
  4.  Resources And Additional Information

1.  Introduction

Some Windows vulnerabilities can be exploited without user interaction as soon as the computer is placed online. Therefore, after performing a clean installation of Windows, it is necessary to resolve the known examples of these vulnerabilities before placing the computer online, including before running Windows Update.

1.1.  Windows Vulnerabilities And Worms

Windows vulnerabilities are flaws in the Windows operating system code that render Windows susceptible to exploitation. The successful exploitation of a Windows vulnerability results in compromise. Toward securing Windows, it is instructive to divide Windows vulnerabilities into two groups: 1.) those that require user interaction to be exploited, and 2.) those that do not require user interaction to be exploited.

For the Windows vulnerabilities that require user interaction to be exploited, compromise requires user interaction on the computer besides placing the vulnerable computer online (i.e., connecting the computer to a network, be it an Intranet and/or the Internet). User interactions that can result in compromise, known as triggers, include attaching external/removable drives or network devices, visiting Web sites, accessing/receiving/opening emails, opening email attachments, creating/accessing/opening/installing/joining/connecting to network resources including but not limited to servers/domains/devices/shares/files/etc. In other words, for the Windows vulnerabilities that require user interaction to be exploited, in the absence of the appropriate user interaction required to trigger exploitation, compromise cannot occur simply by placing the vulnerable computer online.

For the Windows vulnerabilities that do not require user interaction to be exploited, compromise does not require any user interaction on the computer besides placing the vulnerable computer online. In other words, for the Windows vulnerabilities that do not require user interaction to be exploited, there is no trigger and compromise can occur simply by placing the vulnerable computer online.

After installing Windows 11, a common practice is to place the computer online and run Windows Update to install the latest Cumulative Update for Windows 11. Although the intention (to secure Windows) is good, this practice is bad. Why? Because, for the Windows vulnerabilities that do not require user interaction to be exploited, compromise can occur simply by placing the vulnerable computer online, and this includes during the time that Windows Update is running.

Worms are the class of threat that automatically run themselves on, and automatically copy themselves from, computer to computer over a network without user interaction. To accomplish this, worms exploit vulnerabilities that, themselves, do not require user interaction to be exploited and that allow remote code execution (RCE). First, the worm exploits the vulnerability, then it runs itself on the now compromised computer, including possibly delivering a destructive payload, and then it attempts to propagate itself to other vulnerable computers on the network, again without user interaction.

Worms are extremely dangerous because they can automatically infect a tremendous number of vulnerable networked computers seemingly simultaneously without any user interaction besides placing the vulnerable computers online. Infamous worms that exploit Windows vulnerabilities include:

Worms Blaster, Welchia, Sasser, Conficker, and WannaCry remain so prevalent that even today - years after they were discovered - vulnerable Windows computers are still being compromised by these worms as soon as they are placed online, including during the time that Windows Update is running.

Fortunately, most of the Windows vulnerabilities that do not require user interaction to be exploited are not wormable (i.e., do not allow RCE and, therefore, are not suitable for worms). Instead, the impact of most Windows vulnerabilities that do not require user interaction to be exploited is to allow either denial of service, elevation of privilege (EOP), information disclosure, security feature bypass, or spoofing. However, wormable Windows vulnerabilities are found every year. For example, CVE-2022-21907 (cve.mitre.org), released in Jan 2022, describes a wormable Windows 11 vulnerability. Whether a worm will be developed to exploit this vulnerability, only time will tell.

The exploitability (i.e., the likelihood that a vulnerability will be exploited) of a Windows vulnerability that does not require user interaction to be exploited depends on the computer's network environment. For a computer that is directly connected to the Internet (i.e., for a computer that is assigned a public IP address because it is not behind a gateway/router), the exploitability of a Windows vulnerability that does not require user interaction to be exploited is high. For a computer that is connected to a local network (i.e., for a computer that is assigned a private IP address because it is behind a gateway/router), the exploitability of a Windows vulnerability that does not require user interaction to be exploited is relatively low. Note, however, that some worms (e.g., Downadup (a.k.a., Conficker)) can transfer across (i.e., bridge) gateways/routers. Hence, rather than trying to take network environment, exploitability, severity rating, impact, and other factors into account, and driving oneself mad in the process, a simpler and safer policy has been adopted for this web page: to secure a clean installation of Windows, it is necessary to resolve all known Windows vulnerabilities that do not require user interaction to be exploited before placing the computer online, not after placing the computer online.

  • In this web page, the severity rating (e.g., low, moderate, important, and critical) and impact (e.g., denial of service, EOP, information disclosure, RCE, security feature bypass, or spoofing) of a Windows vulnerability do not matter. The only thing that matters is whether or not the Windows vulnerability requires user interaction to be exploited.
  • Toward securing a clean installation of Windows, this web page assumes the worst, including:
    • The network administrator and/or Internet Service Provider is not filtering, or is doing a poor job of filtering, malicious network traffic.
    • A gateway/router is not being used, or, if a gateway/router is being used, it is running outdated, insecure firmware and/or is not properly configured.
    • If a gateway/router is being used, it is not explicitly configured to block worms that can transfer across (i.e., bridge) gateways/routers.
    • Your Intranet includes a compromised computer running malicious software and/or a malicious user that are attempting to use the Intranet (not physical access) to compromise other computers on the Intranet.

1.2.  Windows 11 Servicing Model: Cumulative Updates

Microsoft first released Windows 11 (Windows 11 Version 21H2) in October 2021. Microsoft intends to release a new version of Windows 11 once a year, in the second half of the year.

On the second Tuesday of each month, Microsoft releases a Cumulative Update (a.k.a., Quality Update) for the supported versions of Windows 11. Microsoft intends to support each version of Windows 11 Home and Pro with Cumulative Updates for 24 months:

Windows 11 Versions Support Status
(Last Reviewed/Updated: 16 Mar 2026)

Windows 11 Version | Build | General Availability | In Support
21H2 | 10.0.22000.194 | 04 Oct 2021 | No
22H2 | 10.0.22621.521 (1) | 20 Sep 2022 (2) | No
23H2 | 10.0.22631.2428 | 31 Oct 2023 | No
24H2 | 10.0.26100.1742 | 01 Oct 2024 | Yes
25H2 | 10.0.26200.6584 | 30 Sep 2025 | Yes

(1)(2)  Windows 11 Version 22H2 general availability was announced on 20 Sep 2022 when Windows 11 Version 22H2 was at build 10.0.22621.521. However, apparently the first build of Windows 11 Version 22H2 released through official channels as a general availability ISO was 10.0.22621.525 on 28 Sep 2022, not 10.0.22621.521 on 20 Sep 2022.

In the Windows 11 servicing model, a Cumulative Update for Windows 11 is a single file that contains new security and non-security fixes, and all previous security and non-security fixes (if there are any), for a version of Windows 11. In other words, in the Windows 11 servicing model, Cumulative Updates for Windows 11 are cumulative back through the initial release of the version of Windows 11. This means that to obtain the security (and non-security) fixes for Windows 11 from the initial release of the version of Windows 11 through the present, it is only necessary to install the latest Cumulative Update (LCU) for Windows 11 for the supported version of Windows 11.

1.3.  Windows 11 Servicing Stack Updates

Servicing is the process of installing a Cumulative Update, Security Update, Update, fix, component, role, etc. Depending on what is being installed, servicing is performed manually by the user and/or automatically by Windows Update. The Servicing Stack is the component of Windows that performs servicing. Like other Windows components, the Servicing Stack is periodically updated. A Servicing Stack Update (SSU) improves the speed and reliability of servicing.

The Servicing Stack Updates for Windows 11 are included in the Cumulative Updates for Windows 11. Therefore, for Windows 11 there is no need to worry about Servicing Stack Updates.

1.4.  Overview: How To Secure A Clean Installation Of Windows 11

To secure a clean installation of Windows per this web page, it is necessary to resolve all known Windows vulnerabilities that do not require user interaction to be exploited before placing the computer online. Rather than read the documentation for the latest Cumulative Update for Windows 11 to try to determine if the Cumulative Update resolves any wormable Windows vulnerabilities, it is far simpler to download the latest Cumulative Update for Windows 11, to copy the Cumulative Update to removable media, and to install the Cumulative Update before placing the computer online. Accordingly, the following is an overview of how to secure a clean installation of Windows 11 per this web page.

The following is for the supported versions of Windows 11 (above). A clean installation of an unsupported version of Windows 11 (above) cannot be made secure.

2.  Files To Download And Copy To CD/DVD Before Performing The Clean Installation Of Windows 11

To secure a clean installation of Windows per this web page, it is necessary to resolve all known Windows vulnerabilities that do not require user interaction to be exploited before placing the computer online. This requires downloading and copying the latest Cumulative Update for Windows 11 to removable media before performing the clean installation of Windows 11. Because files on CDs/DVDs are far more difficult for malicious software/users to manipulate than files on external hard disk drives and flash memory drives, CDs/DVDs are the removable media of choice.

Using a computer that is not compromised, download and copy the following files to CD/DVD before performing the clean installation of Windows 11:

  1. Latest Cumulative Update for Windows 11:
  2. If not located on a disc included with your computer and not installed by Windows 11, the driver for your network connection device (i.e., dial-up modem, ethernet adapter, or Wi-Fi adapter).

3.  Secure A Clean Installation Of Windows 11

  1. Do the following offline, and before interacting with the computer in any way that could result in compromise:
    1. Perform a default installation of Windows 11 onto a new or fully erased hard drive:
      1. Boot the computer from the Windows 11 product DVD and proceed with the installation.
      2. Eventually the Windows Setup: Which type of installation do you want? dialog appears. Click Custom: Install Windows only (advanced).
      3. The Windows Setup: Where do you want to install Windows? dialog appears. Either accept the default and click Next, or click New, create one or more drives, select a drive for the installation of Windows 11, and click Next.
      4. Otherwise, select the default/typical/recommended option throughout the installation.
    2. From CD/DVD, install the latest Cumulative Update for Windows 11:
      • If Windows 11 Version 24H2 was installed:
        • Install the latest Cumulative Update for Windows 11 Version 24H2:
          • Install the 2026-03 Cumulative Update For Windows 11 Version 24H2 KB5079473 file.
      • If Windows 11 Version 25H2 was installed:
        • Install the latest Cumulative Update for Windows 11 Version 25H2:
          • Install the 2026-03 Cumulative Update For Windows 11 Version 25H2 KB5079473 file.
    3. If not installed by Windows 11, from CD/DVD install the driver for your network connection device (i.e., dial-up modem, ethernet adapter, or Wi-Fi adapter).
  2. Do the following online, and before interacting with the computer in any way that could result in compromise:
    • Run Windows Update and install:
      • Any Security Updates and security fixes for Windows 11.
      • Any non-security updates and non-security fixes for Windows 11.
  3. You have secured the clean installation of Windows 11. If you use imaging software to back up your system, this is an excellent time to use it. Otherwise, proceed to use the computer as normal.
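
One way to confirm that step 1 is complete before going online in step 2, as an added example that is not part of the original page. The KB number and the general-availability builds are the ones given on this page; the function name Test-ReadyToGoOnline is hypothetical.

```powershell
# Added example: run in PowerShell at the end of step 1, while still offline.
# The KB number and builds below are the values listed on this page.
$ExpectedKb = 'KB5079473'            # 2026-03 Cumulative Update named in step 1.2
$GaRevision = @{                     # build -> revision at general availability
    '26100' = 1742                   # Windows 11 Version 24H2 (10.0.26100.1742)
    '26200' = 6584                   # Windows 11 Version 25H2 (10.0.26200.6584)
}

function Test-ReadyToGoOnline {      # hypothetical name, not a built-in cmdlet
    $problems = @()

    # Installed build and update build revision (UBR), e.g. 26100 and 1742.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    if (-not $GaRevision.ContainsKey($build)) {
        $problems += "Build $build is not a supported version listed on this page."
    }
    elseif ($ubr -le $GaRevision[$build]) {
        # A cumulative update raises the revision above the release-day value.
        $problems += "Revision $ubr is at or below the release build; no cumulative update applied."
    }

    # The update itself should be recorded as installed.
    if (-not (Get-HotFix -Id $ExpectedKb -ErrorAction SilentlyContinue)) {
        $problems += "$ExpectedKb is not listed as installed (or a restart is pending)."
    }

    # Step 1 is meant to be done offline: report any adapter that is connected.
    $up = Get-NetAdapter -ErrorAction SilentlyContinue | Where-Object Status -eq 'Up'
    foreach ($a in $up) {
        $problems += "Network adapter '$($a.Name)' is already connected."
    }

    [pscustomobject]@{
        Build    = "10.0.$build.$ubr"
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

Test-ReadyToGoOnline | Format-List
```

Ready is True only when the build is a supported one, its revision is above the release-day value, the update is recorded as installed, and no network adapter is connected.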

4.  Resources And Additional Information