In this guide I’ll show how to integrate new Windows update packages into the offline installation image of Windows 10 or Windows 8.1 using built-in tools. In the same way, you can slipstream the latest security patches into the Windows Server 2012 R2 / 2016 install ISO images.
In this example, I will show the process of adding the latest cumulative security updates (December 2018) to the installation image of Windows 10 1803. So, we will need:
- Windows 10 installation image in ISO format, or its install.wim file;
- Updates in the .MSU format that need to be downloaded from the Microsoft Update Catalog (How to manually download msu update files).
Create the following directory structure on your computer:
- C:\updates\mnt is the folder in which the file install.wim with the Windows installation image will be mounted;
- C:\updates\msu is a folder in which you need to place the MSU updates for your Windows version (in this example, I downloaded 2 security updates for Windows 10 1803, released in December 2018 – KB4471331 and KB4471324);
- C:\updates\Win10Image\ is the folder into which you need to copy the install.wim file from your Windows 10 install image. In our example, we mounted and unpacked the contents of the original Windows 10 ISO image Windows10x64-1803.iso. However, it can be a WIM file from a virtual machine, VM template, WDS image or an image stored in other automatic OS deployment software (for example, SCCM), etc.
If your Windows 10 ISO image contains only the file c:\sources\install.esd, you can convert the ESD file to a WIM file using the DISM utility:
dism /export-image /SourceImageFile:"C:\updates\Win10Image\install.esd" /SourceIndex:4 /DestinationImageFile:C:\updates\Win10Image\win10pro.wim /Compress:max /CheckIntegrity
Mount the Windows 10 installation image (install.wim) to the C:\updates\mnt folder by running the following command in the command prompt as an administrator:
dism /mount-wim /wimfile:C:\updates\Win10Image\install.wim /index:1 /mountdir:C:\updates\mnt
To list the OS editions contained in the WIM file and their indexes, run:
DISM /Get-WimInfo /WimFile:C:\updates\Win10Image\install.wim
In our example, the image contains only one OS edition – the Windows 10 Pro with the index 1, therefore in the command we need to specify install.wim /index:1.
Now you can run the integration of suitable MSU updates located in the specified directory into the Windows 10 image:
dism /image:C:\updates\mnt /add-package /packagepath:C:\updates\msu
If DISM detects an unsuitable update (one that does not match this OS version and bitness, or one that is already installed), it will be ignored and the corresponding information will be written to C:\Windows\Logs\DISM\dism.log.
To reduce the size of an image by deleting old update files (see the article about the WinSxS folder cleanup), run the command:
dism /image:C:\updates\mnt /Cleanup-Image /StartComponentCleanup /ResetBase /ScratchDir:C:\Temp
If you already have a computer with a similar version of Windows 10 that already has the latest security updates installed, you can get all the necessary update files directly from it. In this case, you don’t need to manually download MSU update files from the Microsoft Update Catalog. The trick is that Windows saves CAB files of the updates that have been downloaded from Windows Update servers or a WSUS server to the C:\Windows\SoftwareDistribution\Download folder.
The following command integrates into the install.wim image the update files that have already been downloaded and installed on another computer, reading them over the local network:
Start /w for /R \\Win10x64AlreadyPatchedPC\C$\Windows\SoftwareDistribution\Download\ %f in (*.cab) do dism /image:C:\updates\mnt /add-package /packagepath:"%f"
In this example, Win10x64AlreadyPatchedPC is the name of the remote computer on which the necessary updates are already installed (the OS version and bitness must match). Of course, this computer should be accessible over the network, and your account should be added to the local administrators group on it. In the window that opens, you can watch the process of installing updates to the offline Windows image. DISM will try to add to your WIM image each CAB file that was found on the remote computer.
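Whether the packages come from C:\updates\msu or are CAB files copied from another computer, it is worth checking that each file is an intact, Microsoft-signed package before it goes into an image that every new machine will be built from. The PowerShell script below is an added example, not part of the original guide: it reuses the guide's paths and DISM options, and the signer pattern it checks for is an assumption you should adjust to your own policy.

```powershell
# Added example: verify update packages before adding them to the mounted image.
# Run from an elevated PowerShell prompt after the image is mounted.
$MountDir   = 'C:\updates\mnt'   # mount folder used in this guide
$PackageDir = 'C:\updates\msu'   # MSU files, or CAB files copied from the patched PC

# Assumption: a genuine package has a valid Authenticode signature whose
# signer subject names Microsoft Corporation.
$SignerPattern = 'O=Microsoft Corporation'

$packages = Get-ChildItem -Path $PackageDir -Recurse -File -Include *.msu, *.cab
$rejected = @()

foreach ($pkg in $packages) {
    $sig    = Get-AuthenticodeSignature -FilePath $pkg.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    # Reject unsigned, tampered (HashMismatch), untrusted or unexpected-signer files.
    if ($sig.Status -ne 'Valid' -or $signer -notmatch [regex]::Escape($SignerPattern)) {
        Write-Warning "Skipping $($pkg.Name): status=$($sig.Status), signer=$signer"
        $rejected += $pkg
        continue
    }

    # Record the hash so the build log shows exactly which file went into the image.
    $hash = (Get-FileHash -Path $pkg.FullName -Algorithm SHA256).Hash
    Write-Host "Adding $($pkg.Name) SHA256=$hash"

    & dism.exe "/image:$MountDir" /add-package "/packagepath:$($pkg.FullName)"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "DISM returned $LASTEXITCODE for $($pkg.Name); see C:\Windows\Logs\DISM\dism.log"
    }
}

# List what the offline image now contains, for review against the intended updates.
& dism.exe "/image:$MountDir" /Get-Packages /Format:Table

if ($rejected.Count -gt 0) {
    Write-Warning "$($rejected.Count) package(s) failed verification and were not integrated."
}
```

Review the skipped files before unmounting with /commit; a HashMismatch status means the file changed after it was signed.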
C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM
And the last step is to save the changes and unmount the Windows 10 image:
dism /unmount-wim /mountdir:C:\updates\mnt /commit
dism /Cleanup-Wim
Now you only have to copy install.wim to the source directory/virtual machine or rebuild the installation ISO image, e.g., using oscdimg, UltraISO or Dism++.
If the size of your install.wim file is more than 4 GB, you may encounter the error “Windows cannot open the required file D:\sources\install.wim. Error code: 0x8007000D” during Windows installation on a UEFI system. In this case, you need to split the source install.wim into smaller files with the command:
dism /split-Image /imagefile:C:\updates\Win10Image\install.wim /swmfile:C:\updates\Win10Image\install.swm /filesize:4096
(see the articles How to create a UEFI bootable Windows 7 installation USB drive and Create Bootable Windows Server 2016 USB Installation Drive).
After that, the original install.wim can be removed.
Now you can deploy your Windows install image with the latest security updates integrated to computers in your network. By regularly integrating the latest security updates into the Windows image deployed on new computers, you improve the protection of your infrastructure against the latest vulnerabilities and reduce the risk of new computers being infected before they start updating from WSUS.