How to integrate security updates into Windows images (ISO/WIM)? - Ranjan.info

To make sure that the Windows image that you deploy to computers in your network always has the latest security updates, you can add new update packages to your offline Windows installation image by using DISM. In this guide, I will show you how to inject security patches into Windows 11/10 and Windows Server 2022/2019/2016 ISO/WIM installation images.

In this example, we’ll show you how to slipstream the latest cumulative security update (April 2023) into a Windows 11 22H2 install image. We will add cumulative update KB5025239 to the image. Native support for Local Administrator Password Solution (Windows LAPS) was added to Windows 11 with update KB5025239.

How to add Windows updates to an offline image?

You will need the following files:

  • Windows installation image in ISO format or its install.WIM file;
  • An .MSU update file that can be downloaded from the Microsoft Update Catalog (How to manually download Windows update files?). Simply download the latest cumulative update for your Windows version and the Servicing Stack Update (SSU).
Check that the bitness and version of your Windows distribution match the update you downloaded. Otherwise, you will see the following message when you install the update: “The update is not applicable to your computer”.

Create the following directory structure on your computer:

  • C:\updates\mnt – the folder where we will mount the install.wim file containing the Windows installation image;
  • C:\updates\msu – the directory into which you need to copy the update files for your version of Windows in MSU format;
  • C:\Updates\WinImage\ – copy the install.wim (or install.esd) file from the sources directory of your Windows 11 22H2 installation image into this directory. You can copy the WIM image from a WDS server, MDT, SCCM, or any other OS deployment tool used to install Windows using PXE network boot.

Mounting a Windows Image File (WIM) with DISM

Modern Windows installation ISO images created with the Media Creation Tool use the compressed ESD format instead of WIM files. You cannot directly modify a Windows image in ESD format. Therefore, you must first convert the ESD file to WIM format using the DISM tool.

Mount the ISO image on the virtual drive:

Mount-DiskImage -ImagePath "C:\DIstr\iso\Windows1122h2.iso"

List the versions of Windows in the ESD/WIM image file:

DISM /Get-WimInfo /WimFile:"E:\sources\install.esd"

In this example, we will export only the Windows 11 Pro edition from the ESD image to a WIM file (its index is 6, so we specify /SourceIndex:6 in the next command):

dism /export-image /SourceImageFile:"E:\sources\install.esd" /SourceIndex:6 /DestinationImageFile:C:\Updates\WInImage\win11pro.wim /Compress:max /CheckIntegrity

Mount the WIM file containing the Windows installation image to the C:\updates\mnt directory using DISM:

dism /mount-wim /wimfile:C:\Updates\WinImage\win11pro.wim /index:1 /mountdir:C:\updates\mnt

Tip. In this case, we specify /index:1 because there is only one edition (Windows 11 Pro) in the WIM image. If your WIM image contains multiple editions of Windows, you must specify the index of the required edition, or perform the update integration on each edition in turn.

DISM: Adding MSU and CAB Updates to Windows WIM Images

You can now begin the process of integrating the appropriate MSU updates from the specified source directory into your offline Windows image.

dism /image:C:\updates\mnt /add-package /packagepath:C:\updates\msu

If DISM detects an unsuitable update (the OS version or bitness doesn’t match, or the update is already installed), it will skip it and write the information to C:\Windows\Logs\DISM\dism.log.

If you don’t want to manually download the MSU update files from Microsoft Update, you can use a reference computer with the same version of Windows that already has the latest security updates installed as the source, and get all the required update files directly from it. Windows saves all patches (CAB files) that it receives from Windows Update servers or WSUS servers to the C:\Windows\SoftwareDistribution\Download directory.

The following command starts the integration of update files that have already been downloaded and installed on the remote computer (named PC1234) into the install.wim image:

Start /w for /R \\PC1234\C$\Windows\SoftwareDistribution\Download\ %f in (*.cab) do dism /image:C:\updates\mnt /add-package /packagepath:"%f"

In this example, we access the update download directory on the remote computer through the C$ administrative share. A window will appear that allows you to track the update installation process for the offline Windows image. DISM will attempt to add each CAB file found on the remote computer to your Windows WIM image.
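
Packages downloaded by hand or copied from another computer's download cache can be checked before they go into the image. The following PowerShell script is an added example, not part of the original article: it verifies the Authenticode signature of every .msu/.cab file in C:\updates\msu and runs the article's DISM command only if all of them pass. The $Publisher value is an assumption about the expected signer, and a package whose signature cannot be read is treated as untrusted.

```powershell
# Added example: verify update packages before offline servicing (fail closed).
$MountDir   = 'C:\updates\mnt'            # mounted image (path from the article)
$PackageDir = 'C:\updates\msu'            # package folder (path from the article)
$Publisher  = 'O=Microsoft Corporation'   # assumption: expected signer organization

$packages = Get-ChildItem -Path $PackageDir -Recurse -File -Include *.msu, *.cab
if (-not $packages) { throw "No .msu or .cab packages found in $PackageDir" }

$report = foreach ($pkg in $packages) {
    $sig = Get-AuthenticodeSignature -FilePath $pkg.FullName
    # SignerCertificate is $null for unsigned or unreadable files.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        File    = $pkg.Name
        # The hash is recorded so the exact files serviced can be audited later.
        SHA256  = (Get-FileHash -Path $pkg.FullName -Algorithm SHA256).Hash
        Status  = $sig.Status
        Signer  = $subject
        # 'Valid' means the file hash matches and the chain ends in a trusted root;
        # the subject check additionally pins the publisher.
        Trusted = ($sig.Status -eq 'Valid') -and ($subject -like "*$Publisher*")
    }
}

$report | Format-Table File, Status, Trusted, SHA256 -AutoSize

$rejected = @($report | Where-Object { -not $_.Trusted })
if ($rejected.Count -gt 0) {
    $names = $rejected.File -join ', '
    throw "Refusing to service the image; signature check failed for: $names"
}

# Same command as in the article, run only after every package has passed.
& dism.exe "/Image:$MountDir" /Add-Package "/PackagePath:$PackageDir"
if ($LASTEXITCODE -ne 0) {
    throw "DISM exited with code $LASTEXITCODE; see C:\Windows\Logs\DISM\dism.log"
}
```

To apply the same check to CAB files taken from a reference computer, copy them into C:\updates\msu first and service the image from the local copy.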

You can reduce the size of a WIM image by deleting unused update files (read the article WinSxS Folder Cleanup in Windows). Run the command:

dism /image:C:\updates\mnt /Cleanup-Image /StartComponentCleanup /ResetBase /ScratchDir:C:\Temp

The last step is to save the changes and unmount the Windows WIM image.

dism /unmount-wim /mountdir:C:\updates\mnt /commit
dism /Cleanup-Wim

After the updates are installed, you can verify that they have been successfully integrated into the Windows image. To list the updates that were installed today, run the following command while the image is still mounted:

DISM /Image:C:\updates\mnt /Get-Packages /format:table | select-string "4/20/2023"

You can also see the full list of installed updates in the offline image (the /image option takes the directory where the WIM is mounted, not the .wim file itself):

Dism /image:C:\updates\mnt /Get-Packages

If the resulting install.wim file is larger than 4GB, you won’t be able to use it to install Windows on a UEFI-based machine. In fact, to install Windows on a UEFI device, you should format your installation media to FAT32. Files larger than 4GB are not supported by the FAT32 file system (How to make a UEFI bootable USB flash drive to install Windows?).

In this case, you’ll need to split the original install.wim into smaller SWM files:

dism /split-Image /imagefile:C:\Updates\WinImage\install.wim /swmfile:C:\Updates\WinImage\install.swm /filesize:4096

All that remains is to copy the resulting install.wim image (or SWM files) to the sources directory on your installation media or virtual machine, or rebuild the installation ISO image using tools such as oscdimg/UltraISO/Dism++.

A sample command to create a Windows installation ISO image with UEFI and BIOS support from a local folder (oscdimg.exe is part of the Windows ADK, the Assessment and Deployment Kit):

oscdimg.exe -h -m -o -u2 -udfver102 -bootdata:2#p0,e,bc:\win11\iso\boot\etfsboot.com#pEF,e,bc:\win11\iso\efi\microsoft\boot\efisys.bin -lWin10 c:\iso c:\win11.iso
