To make sure that the Windows image that you deploy to computers in your network always has the latest security updates, you can add new update packages to your offline Windows installation image by using DISM. In this guide, I will show you how to inject security patches into Windows 11/10 and Windows Server 2022/2019/2016 ISO/WIM installation images.
In this example, we’ll show you how to slipstream the latest cumulative security update (April 2023) into a Windows 11 22H2 install image. We will add the cumulative update KB5025239 to the image. Native support for Local Administrator Password Solution (Windows LAPS) has been added to Windows 11 with update KB5025239.
How to add Windows updates to an offline image?
You will need the following files:
- Windows installation image in ISO format or its install.WIM file;
- An .MSU update file that can be downloaded from the Microsoft Update Catalog (How to manually download Windows update files?). Simply download the latest cumulative update and the Servicing Stack Update (SSU) for your Windows version.
Create the following directory structure on your computer:
- C:\updates\mnt – is the folder where we will mount the install.wim file containing the Windows installation image;
- C:\updates\msu – is the directory into which you need to copy the update files for your version of Windows in MSU format;
- C:\updates\WinImage\ – copy the install.wim (or install.esd) file from the sources directory of your Windows 11 22H2 installation image into this directory. You can copy the WIM image from a WDS server, MDT, SCCM, or any other OS deployment tool used to install Windows using PXE network boot.
Mounting a Windows Image File (WIM) with DISM
Modern Windows installation ISO images created with the Media Creation Tool use the ESD compressed format instead of WIM files. You cannot directly modify a Windows image in ESD format. Therefore, you must first convert the ESD file to WIM format using the DISM tool.
Mount the ISO image on the virtual drive:
Mount-DiskImage -ImagePath "C:\DIstr\iso\Windows1122h2.iso"
List the versions of Windows in the ESD/WIM image file:
DISM /Get-WimInfo /WimFile:"E:\sources\install.esd"
In this example, we will export only the Windows 11 Pro edition from the ESD image to a WIM file (its index is 6, so we will specify /SourceIndex:6 in the next command):
dism /export-image /SourceImageFile:"E:\sources\install.esd" /SourceIndex:6 /DestinationImageFile:C:\Updates\WInImage\win11pro.wim /Compress:max /CheckIntegrity
Mount the install.wim file containing the Windows installation image in the C:\updates\mnt directory using DISM:
dism /mount-wim /wimfile:C:\Updates\WinImage\win11pro.wim /index:1 /mountdir:C:\updates\mnt
Tip. In this case, we specify /index:1 because there is only one version of Windows (Windows 11 Pro) in the WIM image. If your WIM image contains multiple versions of Windows, you must specify the index of the required version, or you must perform update integration on each version in turn.
DISM: Adding MSU and CAB Updates to Windows WIM Images
You can now begin the process of integrating the appropriate MSU updates from the specified source directory into your offline Windows image.
dism /image:C:\updates\mnt /add-package /packagepath:C:\updates\msu
If DISM detects an update that cannot be applied (the OS version or bitness doesn’t match, or the update is already installed), it will skip it and write the information to C:\Windows\Logs\DISM\dism.log.
If you don’t want to manually download the MSU update files from Microsoft Update, you can use a reference computer with the same version of Windows that already has the latest security updates installed as the source, and get all the required update files directly from it. Windows saves all patches (CAB files) that it receives from Windows Update servers or WSUS servers in the C:\Windows\SoftwareDistribution\Download directory.
The following command integrates the update files that have already been downloaded and installed on the remote computer (named PC1234) into the install.wim image:
Start /w for /R \\PC1234\C$\Windows\SoftwareDistribution\Download\ %f in (*.cab) do dism /image:C:\updates\mnt /add-package /packagepath:"%f"
In this example, we access the updates directory on the remote computer through the C$ administrative share. A window will appear in which you can track the installation of the updates into the offline Windows image. DISM will attempt to add each CAB file found on the remote computer to your Windows WIM image.
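Because these CAB files come from another machine's download cache rather than directly from Microsoft, it is worth checking their signatures before they go into an image that will be deployed widely. The following is an added example, not part of the original article: it copies each CAB locally, keeps only files with a valid Authenticode signature from Microsoft Corporation, and injects those. The staging folder C:\updates\verified, the function name and the signer policy are assumptions.

```powershell
# Added example. PC1234 and C:\updates\mnt come from the article; the staging
# folder and the signer policy below are assumptions, not Microsoft guidance.
$source  = '\\PC1234\C$\Windows\SoftwareDistribution\Download'
$staging = 'C:\updates\verified'   # hypothetical local folder for accepted files
$mount   = 'C:\updates\mnt'

function Test-MicrosoftSigned {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # Fail closed: unsigned, altered, untrusted or unsupported files are rejected.
    if ($sig.Status -ne 'Valid') { return $false }
    # Assumed policy: the signing certificate must name Microsoft Corporation.
    return $sig.SignerCertificate.Subject -match '(^|,\s*)O=Microsoft Corporation(,|$)'
}

New-Item -ItemType Directory -Path $staging -Force | Out-Null

$report = foreach ($cab in Get-ChildItem -Path $source -Recurse -Filter *.cab -File) {
    # Copy first and verify the local copy, so the bytes that were checked
    # are the bytes that DISM later reads.
    $local = Join-Path $staging ('{0}_{1}' -f $cab.Directory.Name, $cab.Name)
    Copy-Item -LiteralPath $cab.FullName -Destination $local -Force
    $ok = Test-MicrosoftSigned -Path $local
    if (-not $ok) { Remove-Item -LiteralPath $local -Force }
    [pscustomobject]@{
        Source   = $cab.FullName
        Accepted = $ok
        SHA256   = if ($ok) { (Get-FileHash -LiteralPath $local -Algorithm SHA256).Hash }
    }
}
$report | Format-Table -AutoSize

# Inject only the verified local copies into the mounted image.
foreach ($pkg in Get-ChildItem -Path $staging -Filter *.cab -File) {
    try   { Add-WindowsPackage -Path $mount -PackagePath $pkg.FullName -ErrorAction Stop | Out-Null }
    catch { Write-Warning "Skipped $($pkg.Name): $($_.Exception.Message)" }
}
```

Run it from an elevated PowerShell session while the image is mounted; the report table doubles as a record of which files, by hash, went into the image.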
Then clean up superseded component versions in the image to reduce its size:
dism /image:C:\updates\mnt /Cleanup-Image /StartComponentCleanup /ResetBase /ScratchDir:C:\Temp
The last step is to save the changes and unmount the Windows WIM image.
dism /unmount-wim /mountdir:C:\updates\mnt /commit
dism /Cleanup-Wim
After the updates are installed, you can verify that they have been successfully integrated into the Windows image. List the updates that have been installed today on a mounted Windows WIM image (the image must still be mounted):
DISM /Image:C:\updates\mnt /Get-Packages /format:table | select-string "4/20/2023"
You can also see the full list of installed updates in an offline WIM image. The /image parameter takes the directory where the image is mounted, not the path to the WIM file:
Dism /image:C:\updates\mnt /Get-Packages
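The mount, add-package, verify and unmount steps above can also be run as one script with the DISM PowerShell cmdlets, so that a failed or empty integration is discarded instead of committed. This is an added example, not code from the original article; the paths follow the article, and the rule of comparing the package list before and after is an assumption.

```powershell
# Added example: paths follow the article; the before/after comparison and the
# abort-on-failure logic are assumptions about how you want to gate the commit.
$ErrorActionPreference = 'Stop'
$wim   = 'C:\Updates\WinImage\win11pro.wim'
$mount = 'C:\updates\mnt'
$msu   = 'C:\updates\msu'

Mount-WindowsImage -ImagePath $wim -Index 1 -Path $mount | Out-Null
try {
    # Package identities present before servicing.
    $before = @((Get-WindowsPackage -Path $mount).PackageName)

    # A folder path makes DISM process every .msu/.cab file found in it.
    Add-WindowsPackage -Path $mount -PackagePath $msu | Out-Null

    # Anything not in the earlier list was added by this run.
    $added = @(Get-WindowsPackage -Path $mount |
               Where-Object { $_.PackageName -notin $before })
    if ($added.Count -eq 0) {
        throw 'No new packages were added; refusing to commit an unchanged image.'
    }

    # Offline servicing leaves packages Installed or InstallPending;
    # any other state means the integration did not complete cleanly.
    $bad = @($added | Where-Object {
        [string]$_.PackageState -notin 'Installed', 'InstallPending' })
    if ($bad.Count -gt 0) {
        throw "Unexpected package state: $($bad.PackageName -join ', ')"
    }

    $added | Format-Table PackageName, PackageState, ReleaseType -AutoSize
    Dismount-WindowsImage -Path $mount -Save | Out-Null
}
catch {
    # Leave the original WIM untouched if anything above failed.
    Dismount-WindowsImage -Path $mount -Discard | Out-Null
    throw
}

# Record the hash of the serviced image so deployment servers can verify it.
Get-FileHash -Path $wim -Algorithm SHA256 | Format-List Path, Hash
```

The comparison uses package names rather than the KB number because a cumulative update does not necessarily appear under its KB number in the package list.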
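If the install.wim file is too large for your installation media (for example, larger than the 4 GB file size limit of FAT32), you’ll need to split the original install.wim into smaller SWM files:
dism /split-Image /imagefile:C:\Updates\WinImage\install.wim /swmfile:C:\Updates\WinImage\install.swm /filesize:4096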
All that remains is to copy the resulting install.wim image (or SWM files) to the source directory on your media or virtual machine, or rebuild the installation ISO image using tools such as oscdimg/UltraISO/Dism++.
A sample command to create a Windows installation ISO image with UEFI and BIOS support from a local folder (oscdimg.exe is part of the Windows ADK, the Assessment and Deployment Kit):
oscdimg.exe -h -m -o -u2 -udfver102 -bootdata:2#p0,e,bc:\win11\iso\boot\etfsboot.com#pEF,e,bc:\win11\iso\efi\microsoft\boot\efisys.bin -lWin10 c:\iso c:\win11.iso