Step-by-Step Guide on Inserting Offline .MSU Updates into Windows .WIM Images

Before deployment, Microsoft ISO’s install .wim or custom images should be updated. With the DISM module in PowerShell, you can add .msu updates, apps, and drivers to a Windows image offline without the need to boot it up.

In principle, you can roll out outdated WIM archives because Windows Update subsequently downloads the patches to the live system. This occurs by default during installation unless setup.exe is called with the /dynamicupdate disable switch or configured accordingly via setupconfig.ini.

Delaying the update of Windows until after deployment or even later has several drawbacks. It increases the time needed for the OS installation or – if you wait until after the setup is complete – the computers are initially not protected by the latest patches. In addition, users must restart their PCs after applying the updates.

Extracting a WIM archive

We utilize an unaltered install.wim in our example, nonetheless, this process applies to all WIM archives. The file can be located in the sources directory of Microsoft’s ISO. After mounting the ISO as a virtual DVD drive, it’s advisable to copy it to a usable directory:

Mount-DiskImage C:Usersmeen-us_windows_11_business_editions_version_23h2_x64_dvd_a9092734.iso

Read index of images from WIM archive

For offline image servicing, DISM or the cmdlets from the equivalent PowerShell module are suggested. Compared to the legacy utility, with its uneven syntax, the latter is considerably easier to use.

The initial step is to show the contents of the WIM archive. This is important because it can contain multiple images, and you need the index of the image you want to mount:

Get-WindowsImage -ImagePath .install.wim | select ImageName, ImageIndex

Display the contents of a WIM archive with Get-WindowsImage.

Mount image

Once you have determined the index, you can mount the image for offline servicing with this command:

Mount-WindowsImage -Path .image -ImagePath .install.wim -Index 5 -CheckIntegrity

This mounts the image with index 5 (Windows 11 Pro) into the subdirectory .image and checks its integrity. If you have just extracted the WIM file from the installation media, you may encounter the following error message:

Mount-WindowsImage: You do not have permissions to mount and modify this image. Verify that you have Read/Write permissions or mount the image using the /ReadOnly option.

Mounting install.wim fails due to the read-only attribute of the file.

Mounting install.wim fails due to the read-only attribute of the file.

The error message is misleading because insufficient permissions do not cause the issue. Instead, the WIM file’s read-only attribute is the culprit. You can remove this attribute with this command:

attrib -r install.wim

After successfully mounting the image, you can start installing the updates. These are usually downloaded in .msu or .cab format from the Update Catalog.

Download missing patches from the Microsoft Update Catalog.

Integrate updates into the image

Our example deals with the latest cumulative update for Windows 11 x64. Use the following command to add it to the image:

Add-WindowsPackage -PackagePath .windows11.0-kb5031455-x64_[…].msu -Path .image -LogLevel 3

This command incorporates the pathway to the update along with the directory where the image has been mounted. When a directory is specified instead of a file for the PackagePath parameter, it adds all .msu and .cab files stored in that directory to the image.

A LogLevel of 3 logs errors, warnings, and info into the log file which by default is %WINDIR%LogsDismdism.log.

You can also add updates using Add-WindowsCapability and Add-WindowsDriver for the installation of optional features or drivers in the image. Likewise, for adding store apps that will be automatically installed for each new user on the computer, use Add-AppxProvisionedPackage.

To conclude, you can check if all desired packages are included in the image:

Get-WindowsPackage -Path .image | sort InstallTime -Descending | more

This command sorts the installed packages by installation date in descending order, displaying the most recently added packages first.

Unmount the image

Finally, you can save the updated image. To do this, either use Save-WindowsImage before you unmount the image or dismount it immediately and save it at the same time:

Dismount-WindowsImage -Path .image -Save -CheckIntegrity

In both cases, you can use the CheckIntegrity switch to verify the integrity of the image.


The cmdlets from the DISM module make it relatively straightforward to integrate updates, drivers, or apps into an installation image. Hence, it is unnecessary to boot the image, update it, and then generalize it again with Sysprep. Instead, these tasks can be performed offline by mounting the image.