title | description | ms.prod | ms.localizationpriority | author | manager | ms.author | ms.topic | ms.date | ms.technology | appliesto
---|---|---|---|---|---|---|---|---|---|---
Update Windows PE boot image with the latest cumulative updates | This article describes how to update a Windows PE (WinPE) boot image with the latest cumulative update. | windows-client | medium | frankroj | aaroncz | frankroj | article | 07/26/2023 | itpro-deploy |
Update Windows PE boot image with the latest cumulative update
Microsoft recommends updating Windows PE (WinPE) boot images with the latest cumulative update for maximum security and protection. The latest cumulative updates may also resolve known issues. This walkthrough describes how to update a WinPE boot image with the latest cumulative update.
Prerequisites
- Windows Assessment and Deployment Kit (Windows ADK) - It's recommended to use the latest version of the ADK.
- Windows PE add-on for the Windows ADK. Make sure the version of Windows PE matches the version of Windows ADK that is being used.
- Windows PE boot image
- Latest cumulative update downloaded from the Microsoft Update Catalog site.
Steps
- Step 1: Download and install ADK
- Step 2: Download cumulative update (CU)
- Step 3: Backup existing boot image
- Step 4: Mount boot image to mount folder
- Step 5: Add drivers to boot image
- Step 6: Add optional components to boot image
- Step 7: Add cumulative update (CU) to boot image
- Step 8: Copy boot files from mounted boot image to ADK installation path
- Step 9: Perform component cleanup
- Step 10: Verify all desired packages have been added to boot image
- Step 11: Unmount boot image and save changes
- Step 12: Export boot image to reduce size
Step 1: Download and install ADK
- Download and install the Windows Assessment and Deployment Kit (Windows ADK) from Download and install the Windows ADK.
  When installing the Windows ADK, for the purpose of this walk-through, it's only necessary to install the Deployment Tools. One of the tools installed will be the Deployment and Imaging Tools Environment command prompt. When using the Command Line option instead of the PowerShell option to run the commands in this walk-through, make sure to run the commands from the Deployment and Imaging Tools Environment command prompt. The Deployment and Imaging Tools Environment command prompt can be found in the Start Menu under Windows Kits > Deployment and Imaging Tools Environment.
- Download and install the Windows PE add-on for the Windows ADK from Download and install the Windows ADK. The Windows PE add-on for the Windows ADK is a separate download and install from the Windows Assessment and Deployment Kit (Windows ADK). Make sure to individually download and install both.
Important
It's strongly recommended to download and install the latest version of the Windows ADK and the Windows PE add-on for the Windows ADK.
However, since the Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10, the recommendation is to instead use the ADK for Windows 10, version 2004. This version was the last version of the Windows ADK supported by MDT.
Additionally, the latest versions of the Windows PE add-on for the Windows ADK only include 64-bit boot images. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the ADK for Windows 10, version 2004. This version was the last version of the Windows ADK to include both 32-bit and 64-bit boot images.
The paths in this article assume the Windows ADK was installed to the default location of C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit. If the Windows ADK was installed to a different location, then adjust the paths during the walk-through accordingly.
Step 2: Download cumulative update (CU)
- Go to the Microsoft Update Catalog site and search for the latest cumulative update for the version of Windows that matches the version of Windows PE that was downloaded in Step 1 or the version of the Windows PE boot image that will be updated.
- When searching the Microsoft Update Catalog site, use the search term "<year>-<month> cumulative update for windows <x>" where <year> is the four digit current year, <month> is the two digit current month, and <x> is the version of Windows that Windows PE is based on. For example, to search for the latest cumulative update for Windows 11 in July 2023, use the search term "2023-07 cumulative update for windows 11". If the cumulative update hasn't been released yet for the current month, then search on the previous month.
- Once the cumulative update has been found, download the appropriate version for the version and architecture of Windows that matches the Windows PE boot image. For example, if the version of the Windows PE boot image is Windows 11 22H2 64-bit, then download the Cumulative Update for Windows 11 Version 22H2 for x64-based Systems version of the update.
- Store the downloaded cumulative update in a known location for later use.
Tip
It is recommended to use the full cumulative update when updating boot images with a cumulative update. However, instead of downloading the full cumulative update, the cumulative update for SafeOS can be downloaded and used instead. This will reduce the size of the final updated boot image. If any issues occur with a boot image updated with the SafeOS cumulative update, then use the full cumulative update instead.
The SafeOS cumulative update can be found in the Microsoft Update Catalog site by searching on...
Step 3: Backup existing boot image
Before modifying the desired boot image, make a backup copy of the boot image that needs to be updated. For example:
- For the 64-bit boot image included with the Windows PE add-on for the Windows ADK, the boot image is located at C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim.
- For the default 64-bit boot image that is generated by Microsoft Configuration Manager, the boot image is located at <ConfigMgr_Install_Directory>\OSD\boot\x64\boot.wim. However, for Microsoft Configuration Manager it's recommended to modify the boot image included with the Windows PE add-on for the Windows ADK. For more information, see Microsoft Configuration Manager considerations.
- For the default 64-bit boot image that is generated by the Microsoft Deployment Toolkit (MDT), the boot image is located at <Deployment_Share>\Boot\LiteTouchPE_x64.wim. However, for Microsoft Deployment Toolkit (MDT) it's recommended to modify the boot image included with the Windows PE add-on for the Windows ADK. For more information, see Microsoft Deployment Toolkit (MDT) considerations.
- For 64-bit boot images in Windows Deployment Services (WDS), the boot images are located at <RemoteInstall>\Boot\x64\Images.
Adjust the above paths for 32-bit boot images (only available in Windows 10 ADKs).
Step 4: Mount boot image to mount folder
- Create a new empty folder to mount the boot image to. For example, C:\Mount.
- Mount the boot image to the mount folder using one of the following methods:
PowerShell
From an elevated PowerShell command prompt, run the following command to mount the boot image to the mount folder:
Mount-WindowsImage -Path "<Mount_folder_path>" -ImagePath "<Boot_image_path>\<boot_image>.wim" -Index 1 -Verbose
For more information, see Mount-WindowsImage.
Command Line
From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to mount the boot image to the mount folder:
DISM.exe /Mount-image /imagefile:"<Boot_image_path>\<boot_image>.wim" /Index:1 /MountDir:"<Mount_folder_path>"
For more information, see Modify a Windows image using DISM: Mount an image and DISM Image Management Command-Line Options: /Mount-Image.
Step 5: Add drivers to boot image
If needed, add any drivers to the boot image:
PowerShell
From an elevated PowerShell command prompt, run the following command to add drivers to the boot image:
Command to be determined
Command Line
From an elevated Deployment and Imaging Tools Environment command prompt, run one of the following commands to add drivers to the boot image:
DISM.exe /Image:"<Mount_folder_path>" /Add-Driver /Driver:"<Driver_INF_source_path>\<driver>.inf"
or
DISM.exe /Image:"<Mount_folder_path>" /Add-Driver /Driver:"<Drivers_source_path>" /Recurse
For more information, see Add and Remove Driver packages to an offline Windows Image.
Important
For Microsoft Configuration Manager boot images, don't manually add drivers to the boot image using the above steps. Instead, add drivers through Configuration Manager via the Drivers tab in the Properties of the boot image. This will ensure that the drivers in the boot image can be properly managed through Configuration Manager. Drivers are not affected by the cumulative update installed later in this walkthrough.
Step 6: Add optional components to boot image
- Add any desired optional components to the boot image:
PowerShell
From an elevated PowerShell command prompt, run the following command to add optional components to the boot image:
Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\<Component>.cab" -Path "<Mount_folder_path>" -Verbose
This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly.
For more information, see Add-WindowsPackage.
Command Line
From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to add optional components to the boot image:
DISM.exe /Image:"<Mount_folder_path>" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\<Component>.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\<Component2>.cab"
This example assumes an x64 boot image. If a different architecture is being used, then adjust the commands accordingly.
You can add as many desired optional components as needed on a single DISM.exe command line.
For more information, see Add or Remove Packages Offline Using DISM and DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package.
- After adding an optional component, make sure to also add the language-specific component for that optional component. This needs to be done for every optional component that is added to the boot image.
For example, for English United States (en-us), add the following:
PowerShell
From an elevated PowerShell command prompt, run the following command to add the language components for the optional components to the boot image:
Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\<Component>_en-us.cab" -Path "<Mount_folder_path>" -Verbose
This example assumes a 64-bit boot image. If a different architecture is being used, then adjust the paths accordingly.
Command Line
From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to add the language components for the optional components to the boot image:
DISM.exe /Image:"<Mount_folder_path>" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\<Component>_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\<Component2>_en-us.cab"
This example assumes a 64-bit boot image. If a different architecture is being used, then adjust the paths accordingly.
You can add as many desired optional components as needed on a single DISM.exe command line.
Important
For Microsoft Configuration Manager boot images, make sure to add any desired optional components manually using the above command lines instead of adding them through Configuration Manager via the Optional Components tab in the Properties of the boot image. This is because the cumulative update being applied at the next step will also update any optional components as needed. If the optional components are instead added through Configuration Manager, then the optional components will not be updated with the cumulative update. This could lead to unexpected behaviors and problems.
For this reason, make sure to add the following required optional components needed by Configuration Manager:
- Scripting (WinPE-Scripting)
- Startup (WinPE-SecureStartup)
- Network (WinPE-WDS-Tools)
- WMI (WinPE-WMI)
Once any optional component has been manually added to a boot image, Configuration Manager will detect that the optional component has already been added. It will not try to add the optional component again whenever it is updating the boot image.
List of optional components
Step 7: Add cumulative update (CU) to boot image
Apply the cumulative update (CU) downloaded earlier in the walkthrough to the boot image:
PowerShell
From an elevated PowerShell command prompt, run the following command to add the cumulative update (CU) to the boot image:
Add-WindowsPackage -PackagePath "<Path_to_CU_MSU_update>" -Path "<Mount_folder_path>" -Verbose
For more information, see Add-WindowsPackage.
Command Line
From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to add the cumulative update (CU) to the boot image:
DISM.exe /Image:"<Mount_folder_path>" /Add-Package /PackagePath:"<Path_to_CU_MSU_update>"
For more information, see Add or Remove Packages Offline Using DISM and DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package.
Important
Make sure not to apply the cumulative update (CU) until all desired optional components have been installed. This will make sure that the optional components are also properly updated by the cumulative update. If in the future any additional optional components need to be added to the boot image, make sure to reapply the cumulative update.
Step 8: Copy boot files from mounted boot image to ADK installation path
Copy the updated bootmgr files from the updated boot image to the ADK installation path:
PowerShell
From an elevated PowerShell command prompt, run the following command to copy the boot files from the mounted boot image to the ADK installation path:
Copy-Item "<Mount_folder_path>\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -Force
Copy-Item "<Mount_folder_path>\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" -Force
Command Line
From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to copy the boot files from the mounted boot image to the ADK installation path:
Command to be determined
This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr files are available to the ADK when creating bootable media. In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 and CVE-2023-24932.
Step 9: Perform component cleanup
Run DISM.exe commands that will clean up the mounted boot image and help reduce its size:
PowerShell
From an elevated PowerShell command prompt, run the following commands to clean up the mounted boot image and help reduce its size:
Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList '/Image:"<Mount_folder_path>" /Cleanup-image /StartComponentCleanup /Resetbase /Defer' -Wait -LoadUserProfile
Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList '/Image:"<Mount_folder_path>" /Cleanup-image /StartComponentCleanup /Resetbase' -Wait -LoadUserProfile
Command Line
From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to clean up the mounted boot image and help reduce its size:
DISM.exe /Image:"<Mount_folder_path>" /Cleanup-image /StartComponentCleanup /Resetbase /Defer
DISM.exe /Image:"<Mount_folder_path>" /Cleanup-image /StartComponentCleanup /Resetbase
For more information, see Modify a Windows image using DISM: Reduce the size of an image and DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Cleanup-Image.
Step 10: Verify all desired packages have been added to boot image
After the optional components and the cumulative update (CU) have been applied to the boot image, verify that they are showing as installed:
PowerShell
From an elevated PowerShell command prompt, run the following command to verify that all optional components and the cumulative update (CU) have been applied to the boot image:
Get-WindowsPackage -Path "<Mount_folder_path>"
For more information, see Get-WindowsPackage.
Command Line
From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to verify that all optional components and the cumulative update (CU) have been applied to the boot image:
DISM.exe /Image:"<Mount_folder_path>" /Get-Packages
For more information, see DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Get-Packages.
Step 11: Unmount boot image and save changes
Once drivers, optional components, and the cumulative update (CU) have been applied to the boot image, unmount the boot image and save changes.
PowerShell
From an elevated PowerShell command prompt, run the following command to unmount the boot image and save changes:
Dismount-WindowsImage -Path "<Mount_folder_path>" -Save -Verbose
For more information, see Dismount-WindowsImage.
Command Line
From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to unmount the boot image and save changes:
DISM.exe /Unmount-Image /MountDir:"<Mount_folder_path>" /Commit
For more information, see Modify a Windows image using DISM: Unmounting an image and DISM Image Management Command-Line Options: /Unmount-Image.
Step 12: Export boot image to reduce size
- Once the boot image has been unmounted and saved, its size can be further reduced by exporting it:
PowerShell
From an elevated PowerShell command prompt, run the following command to further reduce the size of the boot image by exporting it:
Export-WindowsImage -SourceImagePath "<Boot_image_path>\<boot_image>.wim" -SourceIndex 1 -DestinationImagePath "<Boot_image_path>\<boot_image>-export.wim" -CompressionType max -Verbose
For more information, see Export-WindowsImage.
Command Line
From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to further reduce the size of the boot image by exporting it:
DISM.exe /Export-Image /SourceImageFile:"<Boot_image_path>\<boot_image>.wim" /SourceIndex:1 /DestinationImageFile:"<Boot_image_path>\<boot_image>-export.wim"
For more information, see Modify a Windows image using DISM: Reduce the size of an image and DISM Image Management Command-Line Options: /Export-Image.
- Once the export has completed:
  - Delete the original updated boot image.
  - Rename the exported boot image with the name of the original updated boot image.
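The following script is an added example, not part of the original article or of Microsoft's tooling. It chains steps 3 through 12 for an x64 boot image using the cmdlets from this walkthrough, plus `Add-WindowsDriver` for the optional driver step and a `Get-FileHash` comparison after step 8, so that a stale boot manager left in the ADK media folder is caught before bootable media is built. All parameter defaults (`$BootImage`, `$CuPath`, `$DriverDir` and the rest) are placeholder assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Param defaults are placeholder assumptions.
param(
    [string]$BootImage    = 'C:\WinPE\winpe.wim',               # placeholder path
    [string]$MountDir     = 'C:\Mount',                         # must be an empty folder
    [string]$CuPath       = 'C:\Updates\cumulative-update.msu', # placeholder path
    [string[]]$Components = @('WinPE-WMI', 'WinPE-Scripting', 'WinPE-WDS-Tools', 'WinPE-SecureStartup'),
    [string]$Language     = 'en-us',
    [string]$DriverDir    = ''                                  # optional folder of driver INFs
)
$ErrorActionPreference = 'Stop'
$Adk    = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit'
$PeRoot = "$Adk\Windows Preinstallation Environment\amd64"
$Dism   = "$Adk\Deployment Tools\amd64\DISM\dism.exe"

# Step 3: back up the boot image before modifying it.
Copy-Item $BootImage "$BootImage.bak" -Force
# Step 4: mount index 1 of the boot image.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -Path $MountDir -ImagePath $BootImage -Index 1 | Out-Null
try {
    # Step 5 (optional; not for Configuration Manager boot images): add drivers.
    if ($DriverDir) { Add-WindowsDriver -Path $MountDir -Driver $DriverDir -Recurse | Out-Null }
    # Step 6: each optional component, followed by its language component.
    foreach ($c in $Components) {
        Add-WindowsPackage -Path $MountDir -PackagePath "$PeRoot\WinPE_OCs\$c.cab" | Out-Null
        Add-WindowsPackage -Path $MountDir -PackagePath "$PeRoot\WinPE_OCs\$Language\${c}_$Language.cab" | Out-Null
    }
    # Step 7: apply the CU last so it also updates the components added above.
    Add-WindowsPackage -Path $MountDir -PackagePath $CuPath | Out-Null
    # Step 8: copy the updated boot manager files to the ADK media folder and
    # confirm by SHA-256 that each copy matches the file in the updated image.
    $bootFiles = @{
        "$MountDir\Windows\Boot\EFI\bootmgr.efi"  = "$PeRoot\Media\bootmgr.efi"
        "$MountDir\Windows\Boot\EFI\bootmgfw.efi" = "$PeRoot\Media\EFI\Boot\bootx64.efi"
    }
    foreach ($src in $bootFiles.Keys) {
        Copy-Item $src $bootFiles[$src] -Force
        if ((Get-FileHash $src).Hash -ne (Get-FileHash $bootFiles[$src]).Hash) {
            throw "Boot file mismatch after copy: $($bootFiles[$src])"
        }
    }
    # Step 9: component cleanup, same DISM switches as in the walkthrough.
    & $Dism "/Image:$MountDir" /Cleanup-Image /StartComponentCleanup /ResetBase /Defer
    if ($LASTEXITCODE -ne 0) { throw "Deferred cleanup failed, exit code $LASTEXITCODE" }
    & $Dism "/Image:$MountDir" /Cleanup-Image /StartComponentCleanup /ResetBase
    if ($LASTEXITCODE -ne 0) { throw "Cleanup failed, exit code $LASTEXITCODE" }
    # Step 10: list installed packages so the CU and components can be checked.
    Get-WindowsPackage -Path $MountDir | Format-Table PackageName, PackageState -AutoSize
    # Step 11: unmount and save.
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
} catch {
    # On any failure, discard the partial changes; the backup from step 3 remains.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}

# Step 12: export to reduce size, then replace the original with the export.
$export = $BootImage -replace '\.wim$', '-export.wim'
if (Test-Path $export) { Remove-Item $export }   # exporting into an existing file would append
Export-WindowsImage -SourceImagePath $BootImage -SourceIndex 1 -DestinationImagePath $export -CompressionType max | Out-Null
Remove-Item $BootImage
Rename-Item $export (Split-Path $BootImage -Leaf)
```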
Microsoft Configuration Manager considerations
Microsoft Deployment Toolkit (MDT) considerations
Windows Deployment Services (WDS) considerations
The boot.wim that is part of Windows installation media isn't supported for use for deploying Windows 11 with Windows Deployment Services (WDS). For more information, see Windows Deployment Services (WDS) boot.wim support.
Windows Server 2012 R2
This walk-through isn't intended for use with Windows Server 2012 R2. There may be additional steps necessary when using Windows Server 2012 R2, such as also having to apply the latest servicing stack update (SSU) to the WinPE boot image. For server OSes, it's strongly recommended to use Windows Server 2016 or later for this walk-through. For more information, see Windows Server 2012 R2 Lifecycle.