In principle, you can roll out outdated WIM archives because Windows Update subsequently downloads the patches to the live system. This occurs by default during installation unless setup.exe is called with the /dynamicupdate disable switch or configured accordingly via setupconfig.ini.
Delaying the update of Windows until after deployment or even later has several drawbacks. It increases the time needed for the OS installation or – if you wait until after the setup is complete – the computers are initially not protected by the latest patches. In addition, users must restart their PCs after applying the updates.
Extracting a WIM archive
We utilize an unaltered install.wim in our example, nonetheless, this process applies to all WIM archives. The file can be located in the sources directory of Microsoft’s ISO. After mounting the ISO as a virtual DVD drive, it’s advisable to copy it to a usable directory:
Mount-DiskImage C:Usersmeen-us_windows_11_business_editions_version_23h2_x64_dvd_a9092734.iso
Read index of images from WIM archive
For offline image servicing, DISM or the cmdlets from the equivalent PowerShell module are suggested. Compared to the legacy utility, with its uneven syntax, the latter is considerably easier to use.
The initial step is to show the contents of the WIM archive. This is important because it can contain multiple images, and you need the index of the image you want to mount:
Get-WindowsImage -ImagePath .install.wim | select ImageName, ImageIndex
Display the contents of a WIM archive with Get-WindowsImage.
Mount image
Once you have determined the index, you can mount the image for offline servicing with this command:
Mount-WindowsImage -Path .image -ImagePath .install.wim -Index 5 -CheckIntegrity
This mounts the image with index 5 (Windows 11 Pro) into the subdirectory .image and checks its integrity. If you have just extracted the WIM file from the installation media, you may encounter the following error message:
Mount-WindowsImage: You do not have permissions to mount and modify this image. Verify that you have Read/Write permissions or mount the image using the /ReadOnly option.
The error message is misleading because insufficient permissions do not cause the issue. Instead, the WIM file’s read-only attribute is the culprit. You can remove this attribute with this command:
attrib -r install.wim
After successfully mounting the image, you can start installing the updates. These are usually downloaded in .msu or .cab format from the Update Catalog.
Integrate updates into the image
Our example deals with the latest cumulative update for Windows 11 x64. Use the following command to add it to the image:
Add-WindowsPackage -PackagePath .windows11.0-kb5031455-x64_[…].msu -Path .image -LogLevel 3
This command incorporates the pathway to the update along with the directory where the image has been mounted. When a directory is specified instead of a file for the PackagePath parameter, it adds all .msu and .cab files stored in that directory to the image.
A LogLevel of 3 logs errors, warnings, and info into the log file which by default is %WINDIR%LogsDismdism.log.
You can also add updates using Add-WindowsCapability and Add-WindowsDriver for the installation of optional features or drivers in the image. Likewise, for adding store apps that will be automatically installed for each new user on the computer, use Add-AppxProvisionedPackage.
To conclude, you can check if all desired packages are included in the image:
Get-WindowsPackage -Path .image | sort InstallTime -Descending | more
This command sorts the installed packages by installation date in descending order, displaying the most recently added packages first.
Unmount the image
Finally, you can save the updated image. To do this, either use Save-WindowsImage before you unmount the image or dismount it immediately and save it at the same time:
Dismount-WindowsImage -Path .image -Save -CheckIntegrity
In both cases, you can use the CheckIntegrity switch to verify the integrity of the image.
Summary
The cmdlets from the DISM module make it relatively straightforward to integrate updates, drivers, or apps into an installation image. Hence, it is unnecessary to boot the image, update it, and then generalize it again with Sysprep. Instead, these tasks can be performed offline by mounting the image.