How to Integrate Security Updates into Windows Image (ISO/WIM)

In order to ensure that the Windows image that you deploy to computers in your network always has the latest security updates, you can add new update packages to your offline Windows installation image using DISM. In this guide, I’ll show you how to inject security patches into the Windows 11/10 and Windows Server 2022/2019/2016 ISO/WIM installation image.

In this example, we’ll show you how to slipstream the latest cumulative security update (April 2023) to a Windows 11 22H2 install image. We are going to add the cumulative update KB5025239 to the image. Native support for the Local Administrator Password Solution (Windows LAPS) is added to Windows 11 with update KB5025239.

How to Add Windows Updates to an Offline Image?

You will need the following files:

• The installation image of Windows in ISO format or its install.WIM file;
• An .MSU update file that can be downloaded from the Microsoft Update Catalog (How to manually download Windows Update files?). Just download the latest cumulative update for your Windows version and Service Stack Update (SSU).

Create the following directory structure on your computer:

• C:\updates\mnt – is the folder where we will mount the install.wim file containing the Windows installation image;
• C:\updates\msu – is the directory to which you need to copy the update files for your version of Windows in the MSU format;
• C:\updates\WinImage\ – copy the install.wim (or install.esd) file from the Sources directory of your Windows 11 22H2 installation image into this directory. You can also copy the WIM image from a WDS server, MDT, SCCM, or any other OS deployment tool used to install Windows using PXE network boot.
  

Mounting Windows Image File (WIM) with DISM

Modern Windows installation ISO images that are created with the Media Creation Tool use the ESD compressed format instead of the WIM file. You cannot directly modify a Windows image in the ESD format. Therefore, you must first convert the ESD file to WIM format using the DISM tool.

Mount the ISO image to a virtual drive:

Mount-DiskImage –ImagePath "C:\DIstr\iso\Windows1122h2.iso"

List the editions of Windows in the ESD/WIM image file:

DISM /Get-WimInfo /WimFile:"E:\sources\install.esd"

In this example, we will only export a Windows 11 Pro Edition WIM file from the ESD image (its index is 6, so we will specify /SourceIndex:6 in the next command):

dism /export-image /SourceImageFile:"E:\sources\install.esd" /SourceIndex:6 /DestinationImageFile:C:\Updates\WInImage\win11pro.wim /Compress:max /CheckIntegrity

Mount the install.wim file containing the Windows installation image to the C:\updates\mnt directory using DISM:

dism /mount-wim /wimfile:C:\Updates\WinImage\win11pro.wim /index:1 /mountdir:C:\updates\mnt

DISM: Adding MSU and CAB Updates to the Windows WIM Image

You can now begin the process of integrating the suitable MSU updates from the specified source directory into your offline Windows image.

dism /image:C:\updates\mnt /add-package /packagepath:C:\updates\msu

If the DISM detects a wrong update (does not match the OS version, bitness, or if the update is already installed.), it will skip it and write the information to C:\Windows\Logs\DISM\dism.log.

If you don’t want to manually download the MSU update files from the Microsoft Update, you can use a reference computer with the same version of Windows that already has the latest security updates installed as a source, and get all the necessary update files directly from it. Windows saves all patches (CAB files) that it receives from Windows Update servers or the WSUS server to the C:\Windows\SoftwareDistribution\Download directory.

The following command starts the integration of the update files that have already been downloaded and installed on the remote computer (called PC1234) into the install.wim image:

Start /w for /R \\PC1234\C$\Windows\SoftwareDistribution\Download\ %f in (*.cab) do dism /image:C:\updates\mnt /add-package /packagepath:"%f"

In this example, we will access the update directory on the remote computer over the C$ administrative share. A window will appear allowing you to track the update installation process for an offline Windows image. DISM will attempt to add every CAB file it finds on the remote computer to your Windows WIM image.

The last step is to save the changes and unmount the Windows WIM image.

dism /unmount-wim /mountdir:C:\updates\mnt /commit
dism /Cleanup-Wim

After the updates have been installed, you can verify that the updates have been successfully integrated into the Windows image. List the updates that have been installed today on a mounted Windows WIM image

DISM /Image:C:\updates\mnt /Get-Packages /format:table | select-string "4/20/2023"

You can also view a list of installed updates in an offline WIM image:

Dism /image:C:\Updates\WinImage\win11pro.wim /Get-Packages

All that remains is to copy the resulting install.wim image (or SWM files) to the source directory on your media or to a virtual machine, or rebuild the installation ISO image using tools such as oscdimg/UltraISO/Dism++.

A sample command for creating a Windows installation ISO image with UEFI and BIOS support from a local folder (oscdimg.exe is part of the Windows ADK, Assessment and Development Kit):

oscdimg.exe -h -m -o -u2 -udfver102 -bootdata:2#p0,e,bc:\win11\iso\boot\etfsboot.com#pEF,e,bc:\win11\iso\efi\microsoft\boot\efisys.bin -lWin10 c:\iso c:\win11.iso