windows-itpro-docs/windows/deployment/update-boot-image.md

title, description, ms.prod, ms.localizationpriority, author, manager, ms.author, ms.topic, ms.date, ms.technology, appliesto

title	description	ms.prod	ms.localizationpriority	author	manager	ms.author	ms.topic	ms.date	ms.technology	appliesto
Update Windows PE boot image with the latest cumulative updates	This article describes how to update a Windows PE (WinPE) boot image with the latest cumulative update.	windows-client	medium	frankroj	aaroncz	frankroj	article	07/26/2023	itpro-deploy	✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a> ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a> ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a> ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a> ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>

Update Windows PE boot image with the latest cumulative update

Microsoft recommends updating Windows PE (WinPE) boot images with the latest cumulative update for maximum security and protection. The latest cumulative updates may also resolve known issues. This walkthrough describes how to update a WinPE boot image with the latest cumulative update.

Prerequisites

• Windows Assessment and Deployment Kit (Windows ADK) - It's recommended to use the latest version of the ADK.
• Windows PE add-on for the Windows ADK. Make sure the version of Windows PE matches the version of Windows ADK that is being used.
• Windows PE boot image
• Latest cumulative update downloaded from the Microsoft Update Catalog site.

Steps

• Step 1: Download and install ADK
• Step 2: Download cumulative update (CU)
• Step 3: Backup existing boot image
• Step 4: Mount boot image to mount folder
• Step 5: Add drivers to boot image
• Step 6: Add optional components to boot image
• Step 7: Add cumulative update (CU) to boot image
• Step 8: Copy boot files from mounted boot image to ADK installation path
• Step 9: Perform component cleanup
• Step 10: Verify all desired packages have been added to boot image
• Step 11: Unmount boot image and save changes
• Step 12: Export boot image to reduce size
• Step 13: Update boot images in products that utilize the boot images (optional)

Step 1: Download and install ADK

1. Download and install the Windows Assessment and Deployment Kit (Windows ADK) from Download and install the Windows ADK.

   When installing the Windows ADK, for the purpose of this walk-through, it's only necessary to install the Deployment Tools. One of the tools installed will be the Deployment and Imaging Tools Environment command prompt. When using the Command Line option instead of the PowerShell option to run the commands in this walk-through, make sure to run the commands from the Deployment and Imaging Tools Environment command prompt. The Deployment and Imaging Tools Environment command prompt can be found in the Start Menu under Windows Kits > Deployment and Imaging Tools Environment.

   The paths in this article assume the Windows ADK was installed to the default location of C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit. If the Windows ADK was installed to a different location, then adjust the paths during the walk-through accordingly.

2. Download and install the Windows PE add-on for the Windows ADK from Download and install the Windows ADK. The Windows PE add-on for the Windows ADK is a separate download and install from the Windows Assessment and Deployment Kit (Windows ADK). Make sure to individually download and install both.

Important

It's strongly recommended to download and install the latest version of the Windows ADK and the Windows PE add-on for the Windows ADK.

However, the Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. If using MDT, the recommendation is to instead use the ADK for Windows 10, version 2004. This version was the last version of the Windows ADK supported by MDT.

Additionally, the latest versions of the Windows PE add-on for the Windows ADK only includes 64-bit boot images. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the ADK for Windows 10, version 2004. This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images.

Step 2: Download cumulative update (CU)

1. Go to the Microsoft Update Catalog site and search for the latest cumulative update for the version of Windows that matches the version of Windows PE that was downloaded in Step 1 or the version of the Windows PE boot image that will be updated.

2. When searching the Microsoft Update Catalog site, use the search term "<year>-<month> cumulative update for windows <x>" where year is the four digit current year, <month> is the two digit current month, and <x> is the version of Windows that Windows PE is based on. Make sure to include the quotes ("). For example, to search for the latest cumulative update for Windows 11 in July 2023, use the search term "2023-07 cumulative update for windows 11", again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search on the previous month.

3. Once the cumulative update has been found, download the appropriate version for the version and architecture of Windows that matches the Windows PE boot image. For example, if the version of the Windows PE boot image is Windows 11 22H2 64-bit, then download the Cumulative Update for Windows 11 Version 22H2 for x64-based Systems version of the update.

4. Store the downloaded cumulative update in a known location for later use, for example C:\Updates.

Tip

It is recommended to use the full cumulative update when updating boot images with a cumulative update. However, instead of downloading the full cumulative update, the cumulative update for SafeOS can be downloaded and used instead. This will reduce the size of the final updated boot image. If any issues occur with a boot image updated with the SafeOS cumulative update, then use the full cumulative update instead.

The SafeOS cumulative update can be found in the Microsoft Update Catalog site by searching on...

Step 3: Backup existing boot image

Before modifying the desired boot image, make a backup copy of the boot image that needs to be updated. For example:

• For the 64-bit boot image included with the Windows PE add-on for the Windows ADK, the boot image is located at C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim.

• For the default 64-bit boot image that is generated by Microsoft Configuration Manager, the boot image is located at <ConfigMgr_Install_Directory>\OSD\boot\x64\boot.wim. For other boot images in Configuration Manager, the path to the boot image will be displayed in the Image path: field under the Data Source tab in the Properties of the boot image.

  However, for Microsoft Configuration Manager it's recommended to modify the winpe.wim boot image included with the Windows PE add-on for the Windows ADK. For more information, see Microsoft Configuration Manager considerations.

• For the default 64-bit boot image that is generated by the Microsoft Deployment Toolkit (MDT), the boot image is located at <Deployment_Share>\Boot\LiteTouchPE_x64.wim.

  However, for Microsoft Deployment Toolkit (MDT) it's recommended to modify the winpe.wim boot image included with the Windows PE add-on for the Windows ADK. For more information, see Microsoft Deployment Toolkit (MDT) considerations.

• For 64-bit boot images in Windows Deployment Services (WDS), the boot images are located at <RemoteInstall>\Boot\x64\Images.

Adjust the above paths for 32-bit boot images (only available in Windows 10 ADKs).

The following commands will backup the 64-bit boot image included with the Windows PE add-on for the Windows ADK:

:::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

From an elevated PowerShell command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. This commands needs confirmation to overwrite an existing backed up boot image if one already exists:

Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.bak.wim"

Adjust paths and file names accordingly to back up other boot images.

To overwrite an existing backed up boot image without confirmation, for example in a script, add the -Force parameter to the end of the command line.

:::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

From an elevated command prompt, run the following command to create a backup copy of the 64-bit boot image included with the Windows ADK. This commands needs confirmation to overwrite an existing backed up boot image if one already exist:

copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.bak.wim"

Adjust paths and file names accordingly to back up other boot images.

To overwrite an existing backed up boot image without confirmation, for example in a script, add the /Y parameter to the end of the command line.

---

Step 4: Mount boot image to mount folder

1. Create a new empty empty folder to mount the boot image to. For example, C:\Mount.

2. Mount the boot image to the mount folder using one of the following methods:

   :::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

   From an elevated PowerShell command prompt, run the following command to mount the boot image to the mount folder:

   Mount-WindowsImage -Path "<Mount_folder_path>" -ImagePath "<Boot_image_path>\<boot_image>.wim" -Index 1 -Verbose
   

   Example:

   Mount-WindowsImage -Path "C:\Mount" -ImagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Index 1 -Verbose
   

   For more information, see Mount-WindowsImage.

   :::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

   From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to mount the boot image to the mount folder:

   DISM.exe /Mount-image /imagefile:"<Boot_image_path>" /Index:1 /MountDir:"<Mount_folder_path>"
   

   Example:

   DISM.exe /Mount-image /imagefile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /Index:1 /MountDir:"C:\Mount"
   

   For more information, see Modify a Windows image using DISM: Mount an image and DISM Image Management Command-Line Options: /Mount-Image.

---

Step 5: Add drivers to boot image

If needed, add any drivers to the boot image:

:::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

From an elevated PowerShell command prompt, run one of the following commands to add drivers to the boot image:

Add-WindowsDriver -Path "<Mount_folder_path>" -Driver "<Driver_INF_source_path>\<driver>.inf"

or

Add-WindowsDriver -Path "<Mount_folder_path>" -Driver "<Drivers_source_path>" -Recurse

Examples:

Add-WindowsDriver -Path "C:\Mount" -Driver "C:\Drivers\driver.inf"

or

Add-WindowsDriver -Path "C:\Mount" -Driver "C:\Drivers" -Recurse

:::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

From an elevated Deployment and Imaging Tools Environment command prompt, run one of the following commands to add drivers to the boot image:

DISM.exe /Image:"<Mount_folder_path>" /Add-Driver /Driver:"<Driver_INF_source_path>\<driver>.inf"

or

DISM.exe /Image:"<Mount_folder_path>" /Add-Driver /Driver:"<Drivers_source_path>" /Recurse

Examples:

DISM.exe /Image:"C:\Mount" /Add-Driver /Driver:"C:\Drivers\driver.inf"

or

DISM.exe /Image:"C:\Mount" /Add-Driver /Driver:"C:\Drivers" /Recurse

For more information, see Add and Remove Driver packages to an offline Windows Image

---

Drivers are not affected by the cumulative update installed later in this walkthrough. Once a driver is added to a boot image, it does not need to be added again if a newer cumulative update is applied to the boot image at a later point in time.

Tip

A full set of drivers is not needed in Windows PE boot images. Only a small subset of drivers is needed that provide basic functionality while in WinPE. In most cases, no drivers need to be added to an out of box Windows ADK boot image since it already has many drivers built in. Don't add drivers to a boot image until it is verified that they are needed. When drivers do need to be added, generally only network (NIC) drivers are needed. Occasionally, mass storage (disk) may also be needed. Some Surface devices may also need keyboard and mouse drivers.

Important

For Microsoft Configuration Manager and Microsoft Deployment Toolkit (MDT) boot images, don't manually add drivers to the boot image using the above steps. Instead, add drivers to the boot images via Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT):

• In Configuration Manager, via the Drivers tab in the Properties of the boot image.
• In Microsoft Deployment Toolkit (MDT), via the Drivers and Patches tab under the Windows PE tab in the Properties of the deployment share.

This will ensure that the drivers in the boot image can be properly managed through Configuration Manager or Microsoft Deployment Toolkit (MDT).

Step 6: Add optional components to boot image

1. Add any desired optional components to the boot image:

   :::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

   From an elevated PowerShell command prompt, run the following command to add optional components to the boot image:

   Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\<Component>.cab" -Path "<Mount_folder_path>" -Verbose
   

   Example:

   Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-Scripting.cab" -Path "C:\Mount" -Verbose
   

   These examples assume a 64-bit boot image. If a different architecture is being used, then adjust the paths in the commands accordingly.

   For more information, see Add-WindowsPackage.

   :::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

   From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to add optional components to the boot image:

   DISM.exe /Image:"<Mount_folder_path>" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\<Component>.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\<Component2>.cab"
   

   Example:

   DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-Scripting.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WMI.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WDS-Tools.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-SecureStartup.cab"
   

   These examples assume a 64-bit boot image image. If a different architecture is being used, then adjust the paths in the commands accordingly.

   You can add as many desired optional components as needed on a single DISM.exe command line.

   For more information, see Add or Remove Packages Offline Using DISM and DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package.

   ---

2. Make sure that after adding the optional component to also add the language specific component for that optional component. This needs to be done for every optional component that is added to the boot image.

   For example, for English United States (en-us), add the following:

   :::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

   From an elevated PowerShell command prompt, run the following command to add the language components for the optional components to the boot image:

   Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\<Component>_en-us.cab" -Path "<Mount_folder_path>" -Verbose
   

   Example:

    Add-WindowsPackage -PackagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-Scripting_en-us.cab" -Path "C:\Mount" -Verbose   
   

   These examples assume a 64-bit boot image. If a different architecture is being used, then adjust the paths accordingly.

   :::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

   From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to add the language components for the optional components to the boot image:

   DISM.exe /Image:"<Mount_folder_path>" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\<Component>_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\<Component2>_en-us.cab"
   

   Example:

   DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-Scripting_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-WMI_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-WDS-Tools_en-us.cab" /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-SecureStartup_en-us.cab"
   

   These examples assume a 64-bit boot image. If a different architecture is being used, then adjust the paths accordingly.

   You can add as many desired optional components as needed on a single DISM.exe command line.

   ---

Important

When adding optional components, make sure to check if an optional component has a prerequisite for another optional component. When an optional component does have a prerequisite, make sure that the prerequisite component is installed first. For more information on adding optional components, see WinPE Optional Components (OC) Reference: How to add Optional Components.

Important

Both Microsoft Configuration Manager and Microsoft Deployment Toolkit (MDT) boot images require certain optional components to work properly. Make sure to add these required components when using either Microsoft Configuration Manager and Microsoft Deployment Toolkit (MDT)

Additionally, when adding any optional component for either Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT) boot images, make sure to add the components manually using the above command lines instead of adding them through Configuration Manager or MDT. For more information, see Microsoft Configuration Manager considerations or Microsoft Deployment Toolkit (MDT) considerations.

Popular optional components

The following is a list of popular optional components that are commonly added to boot images:

| Feature | File Name | Dependency | Purpose | Required by ConfigMgr | Required by MDT | | --- | --- | --- | --- | --- | | Scripting/WinPE-Scripting | WinPE-Scripting.cab | NA | Supports running non-PowerShell scripts in WinPE | Yes | Yes | | Network/WinPE-WDS-Tools | WinPE-WDS-Tools.cab | NA | Supports WDS in WinPE, including image capture and multicast | Yes | No | | Scripting/WinPE-WMI | WinPE-WMI.cab | NA | Supports WMI and WMI scripting in WinPE | Yes | Yes | | Startup/WinPE-SecureStartup | WinPE-SecureStartup.cab | Scripting/WinPE-WMI | Supports managing BitLocker and TPMs within WinPE | Yes | Yes| | File management/WinPE-FMAPI | WinPE-FMAPI.cab | NA | Supports access to the Windows PE File Management API | No | Yes | | Windows PowerShell/WinPE-PowerShell | WinPE-PowerShell.cab | Scripting/WinPE-Scripting
Scripting/WinPE-WMI
Microsoft .NET/WinPE-NetFx | Supports running PowerShell commands and scripts in WinPE | No | No | | Microsoft .NET/WinPE-NetFx | WinPE-NetFx.cab | Scripting/WinPE-WMI | Supports .Net applications in WinPE | No | No | | Network/WinPE-Dot3Svc | WinPE-Dot3Svc.cab | NA | Supports the 802.1X network protocol in WinPE | No | No | | HTML/WinPE-HTA | WinPE-HTA.cab | Scripting/WinPE-WMI | Supports running HTML applications in WinPE | No | No | | Database/WinPE-MDAC | WinPE-MDAC.cab | NA | Supports connecting to databases in WinPE | No | No |

For a full list of all available WinPE optional components including descriptions for each component, see WinPE Optional Components (OC) Reference: WinPE Optional Components.

Step 7: Add cumulative update (CU) to boot image

Apply the cumulative update (CU) downloaded earlier in the walkthrough to the boot image:

:::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

From an elevated PowerShell command prompt, run the following command to add the cumulative update (CU) to the boot image:

Add-WindowsPackage -PackagePath "<Path_to_CU_MSU_update>\<CU>.msu" -Path "<Mount_folder_path>" -Verbose

Example:

Add-WindowsPackage -PackagePath "C:\Updates\windows11.0-kb5028185-x64_c78aa5899ba74efdd0e354dfab80940402b3efa4.msu" -Path "C:\Mount" -Verbose

For more information, see Add-WindowsPackage

:::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to add the cumulative update (CU) to the boot image:

DISM.exe /Image:"<Mount_folder_path>" /Add-Package /PackagePath:"<Path_to_CU_MSU_update>\<CU>.msu"

Example:

DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Updates\windows11.0-kb5028185-x64_c78aa5899ba74efdd0e354dfab80940402b3efa4.msu"

For more information, see Add or Remove Packages Offline Using DISM and DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Add-Package.

---

Important

Make sure not to apply the cumulative update (CU) until all desired optional components have been installed. This will make sure that the optional components are also properly updated by the cumulative update. If in the future any additional optional components need to be added to the boot image, make sure to reapply the cumulative update.

Servicing stack update (SSU) and error 0x800f0823

Sometimes when applying a cumulative update (CU) to a boot image, you may receive error 0x800f0823:

:::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

VERBOSE: Target Image Version <WinPE version>
WARNING: Failed to add package <Cumulative_Update_Path>\<Cumulative_Update>.msu
WARNING: Add-WindowsPackage failed. Error code = 0x800f0823
Add-WindowsPackage : An error occurred applying the Unattend.xml file from the .msu package.
For more information, review the log file.
At line:1 char:1
+ Add-WindowsPackage -PackagePath "<Cumulative_Update_Path>\<Cumulative_Update> ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-WindowsPackage], COMException
    + FullyQualifiedErrorId : Microsoft.Dism.Commands.AddWindowsPackageCommand

:::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

Error: 0x800f0823

Package <Cumulative_Update_Path>\<Cumulative_Update>.msu may have failed due to pending updates to servicing components in the image. Try the command again.
The DISM log file can be found at C:\Windows\Logs\DISM\dism.log

---

Inspecting the DISM.log will reveal the following error:

:::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

Package "Package_for_RollupFix~<Cumulative_Update>" requires Servicing Stack v<Required_Servicing_Stack_Version> but current Servicing Stack is v<Current_Servicing_Stack_Version>. [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED]
Failed to initialize internal package [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED]
Failed to create internal package [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED]
Failed to create windows update package [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED]
DISM Package Manager: PID=<PID> TID=<TID> Failed opening package. - CDISMPackageManager::Internal_CreatePackageByPath(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> Failed to get the underlying CBS package. - CDISMPackageManager::OpenPackageByPath(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> The specified package cannot be added to this Windows Image due to a version mismatch. - GetCbsErrorMsg
DISM Package Manager: PID=<PID> TID=<TID> Failed to open package at location [<Temp_Path>\<Cumulative_Update>.cab]. - CPackageManagerUnattendHandler::Internal_ProcessPackageFromSource(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> Failed to install package from source [0] - trying next source location. hr = [0x800F0823] - CPackageManagerUnattendHandler::Internal_UnattendInstallPackage
DISM Package Manager: PID=<PID> TID=<TID> Failed to Install the package [Multiple_Packages~~~~0.0.0.0]. - CPackageManagerUnattendHandler::Internal_UnattendInstallPackage(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> Package failed to install [Multiple_Packages~~~~0.0.0.0]. - CPackageManagerUnattendHandler::Internal_UnattendProcessPackage(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> Failed to process package at node <package[1]>. - CPackageManagerUnattendHandler::Apply(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> Failed to Apply the unattend. - CDISMPackageManager::Apply(hr:0x800f0823)
DISM Unattend Manager: PID=<PID> TID=<TID> "Error applying unattend for provider: DISM Package Manager" - CUnattendManager::Apply(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> Failed applying the unattend file from the MSU package. - CMsuPackage::ApplyMsuUnattend(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> Failed to apply the MSU unattend file to the image. - CMsuPackage::Install(hr:0x800f0823)
API: PID=<PID> TID=<TID> Failed to install msu package <Path_to_CU_MSU_update>\<MSU_Cumulative_Update>.msu - CAddPackageCommandObject::InternalExecute(hr:0x800f0823)
API: PID=<PID> TID=<TID> InternalExecute failed - CBaseCommandObject::Execute(hr:0x800f0823)
API: PID=<PID> TID=<TID> CAddPackageCommandObject internal execution failed - DismAddPackageInternal(hr:0x800f0823)

:::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

Package "Package_for_RollupFix~<Cumulative_Update>" requires Servicing Stack v<Required_Servicing_Stack_Version> but current Servicing Stack is v<Current_Servicing_Stack_Version>. [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED]
Failed to initialize internal package [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED]
Failed to create internal package [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED]
Failed to create windows update package [HRESULT = 0x800f0823 - CBS_E_NEW_SERVICING_STACK_REQUIRED]
DISM Package Manager: PID=<PID> TID=<TID> Failed opening package. - CDISMPackageManager::Internal_CreatePackageByPath(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> Failed to get the underlying CBS package. - CDISMPackageManager::OpenPackageByPath(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> The specified package cannot be added to this Windows Image due to a version mismatch. - GetCbsErrorMsg
DISM Package Manager: PID=<PID> TID=<TID> Failed to open package at location [<Temp_Path>\<Cumulative_Update>.cab]. - CPackageManagerUnattendHandler::Internal_ProcessPackageFromSource(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> Failed to install package from source [0] - trying next source location. hr = [0x800F0823] - CPackageManagerUnattendHandler::Internal_UnattendInstallPackage
DISM Package Manager: PID=<PID> TID=<TID> Failed to Install the package [Multiple_Packages~~~~0.0.0.0]. - CPackageManagerUnattendHandler::Internal_UnattendInstallPackage(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> Package failed to install [Multiple_Packages~~~~0.0.0.0]. - CPackageManagerUnattendHandler::Internal_UnattendProcessPackage(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> Failed to process package at node <package[1]>. - CPackageManagerUnattendHandler::Apply(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> Failed to Apply the unattend. - CDISMPackageManager::Apply(hr:0x800f0823)
DISM Unattend Manager: PID=<PID> TID=<TID> "Error applying unattend for provider: DISM Package Manager" - CUnattendManager::Apply(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> Failed applying the unattend file from the MSU package. - CMsuPackage::ApplyMsuUnattend(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> Failed to apply the MSU unattend file to the image. - CMsuPackage::Install(hr:0x800f0823)
DISM Package Manager: PID=<PID> TID=<TID> Failed while processing command add-package. - CPackageManagerCLIHandler::ExecuteCmdLine(hr:0x800f0823)

---

The problem occurs when the WinPE boot image that is being serviced requires installation of a servicing stack update (SSU) before installation of the cumulative update (CU) can occur. The problem usually occurs when using older Windows ADKs and older versions of Windows PE. The suggested fix is to upgrade to the latest version of the Windows ADK and Windows PE which most likely won't need a servicing stack update (SSU) installed before installing the cumulative update (CU).

For scenarios where an older version of the Windows ADK and Windows PE need to be used, for example when using Microsoft Deployment Toolkit (MDT), the servicing stack update needs to be installed before installing the cumulative update. The servicing stack update (SSU) is contained within the cumulative update (CU). To obtain the servicing stack update (SSU) so that it can be applied, it can be extracted from the cumulative update (CU).

The following steps outline how to extract and then install the servicing stack update (SSU) to the boot image. Once the before servicing stack update (SSU) has been installed, then the cumulative update (CU) should install to the boot image without error:

Important

These steps are only necessary if error 0x800f0823 occurs when installing the cumulative update (CU) to the boot image. If error 0x800f0823 didn't occur when installing the cumulative update (CU) to the boot image, then skip to the next step Step 8: Copy boot files from mounted boot image to ADK installation path

1. Create a folder to extract the servicing stack update (SSU) into. For example, C:\Updates\Extract:

2. Extract the contents of the cumulative update (CU) to the folder created in the previous step using the following command:

   :::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

   Start-Process "expand.exe" -ArgumentList " -f:* `"<Cumulative_Update_Path>\<Cumulative_Update>.msu`" `"<Extract_Path>`"" -Wait -LoadUserProfile
   

   Example:

   Start-Process "expand.exe" -ArgumentList " -f:* `"C:\Updates\windows10.0-kb5028166-x64_fe3aa2fef685c0e76e1f5d34d529624294273f41.msu`" `"C:\Updates\Extract`"" -Wait -LoadUserProfile
   

   :::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

   expand.exe -f:* "<Cumulative_Update_Path>\<Cumulative_Update>.msu" "<Extract_Path>"
   

   Example:

   expand.exe -f:* "C:\Updates\windows10.0-kb5028166-x64_fe3aa2fef685c0e76e1f5d34d529624294273f41.msu" "C:\Updates\Extract"
   

   ---

3. Inspect the contents of the extracted files in the extract folder and identify the servicing stack update (SSU) CAB file. One of the files should be called SSU-<Version>-<Arch>.cab. For example, SSU-19041.3205-x64.cab. Make a note of the name of the servicing stack update (SSU) CAB file.

4. Using the name of the servicing stack update (SSU) CAB file obtained in the previous step, apply the servicing stack update (SSU) CAB file to the boot image using the following command:

   :::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

   From an elevated PowerShell command prompt, run the following command to add the cumulative update (CU) to the boot image:

   Add-WindowsPackage -PackagePath "<Path_to_SSU_CAB_update>\<SSU>.cab" -Path "<Mount_folder_path>" -Verbose
   

   Example:

   Add-WindowsPackage -PackagePath "C:\Updates\Extract\SSU-19041.3205-x64.cab" -Path "C:\Mount" -Verbose
   

   :::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

   From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to add the cumulative update (CU) to the boot image:

   DISM.exe /Image:"<Mount_folder_path>" /Add-Package /PackagePath:"<Path_to_SSU_CAB_update>\<SSU>.cab"
   

   Example:

   DISM.exe /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Updates\Extract\SSU-19041.3205-x64.cab"
   

   ---

5. Attempt to apply the cumulative update (CU) to the boot image again using the commands from Step 7: Add cumulative update (CU) to boot image.

Step 8: Copy boot files from mounted boot image to ADK installation path

Some cumulative updates will update the bootmgr boot files in the boot image. After these bootmgr boot files have been updated in the boot image, it's recommended to copy these updated bootmgr boot files from the boot image back to the Windows ADK. This will ensure that the Windows ADK has the updated bootmgr boot files.

:::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

From an elevated PowerShell command prompt, run the following commands to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands will also back up any existing bootmgr boot files its finds. The commands need confirmation to overwrite the existing bootmgr boot files and if they exist, any backed up bootmgr boot files:

Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi"

Copy-Item "<Mount_folder_path>\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi"

Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi"

Copy-Item "<Mount_folder_path>\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi"

Example:

Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi"

Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" -Force

Copy-Item "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi"

Copy-Item "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi" -Force

To overwrite the bootmgr boot files and any backed up bootmgr boot file without confirmation, for example in a script, add the -Force parameter to the end of the command lines.

:::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands will also back up any existing bootmgr boot files its finds. The commands need confirmation to overwrite the existing bootmgr boot files and if they exist, any backed up bootmgr boot files:

copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi"

copy "<Mount_folder_path>\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi"

copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi"

copy "<Mount_folder_path>\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi"

Example:

copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi"

copy "C:\Mount\Windows\Boot\EFI\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi"

copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.bak.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi"

copy "C:\Mount\Windows\Boot\EFI\bootmgfw.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\EFI\Boot\bootx64.efi"

To overwrite the bootmgr boot files and any backed up bootmgr boot file without confirmation, for example in a script, add the /Y parameter to the end of the command lines.

---

This step doesn't update or change the boot image. However, it makes sure that the latest bootmgr boot files are available to the ADK when creating bootable media. This includes any product that uses the ADK to create bootable media.

In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 and CVE-2023-24932.

Note

Both Microsoft Configuration Manager and Microsoft Deployment Toolkit (MDT) will automatically extract these bootmgr boot files from the boot images as needed. No additional steps are needed for these products.

Step 9: Perform component cleanup

Run DISM.exe commands that will clean up the mounted boot image and help reduce its size:

:::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

From an elevated PowerShell command prompt, run the following command to clean up the mounted boot image and help reduce its size:

Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"<Mount_folder_path>" /Cleanup-image /StartComponentCleanup /Resetbase /Defer" -Wait -LoadUserProfile

Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"<Mount_folder_path>" /Cleanup-image /StartComponentCleanup /Resetbase" -Wait -LoadUserProfile

Example:

Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:`"C:\Mount`" /Cleanup-image /StartComponentCleanup /Resetbase /Defer" -Wait -LoadUserProfile

Start-Process "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe" -ArgumentList " /Image:"C:\Mount" /Cleanup-image /StartComponentCleanup /Resetbase" -Wait -LoadUserProfile

:::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to clean up the mounted boot image and help reduce its size:

DISM.exe /Image:"<Mount_folder_path>" /Cleanup-image /StartComponentCleanup /Resetbase /Defer

DISM.exe /Image:"<Mount_folder_path>" /Cleanup-image /StartComponentCleanup /Resetbase

Example:

DISM.exe /Image:"C:\Mount" /Cleanup-image /StartComponentCleanup /Resetbase /Defer

DISM.exe /Image:"C:\Mount" /Cleanup-image /StartComponentCleanup /Resetbase

For more information, see Modify a Windows image using DISM: Reduce the size of an image and DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Cleanup-Image.

---

Step 10: Verify all desired packages have been added to boot image

After the optional components and the cumulative update (CU) have been applied to the boot image, verify that they are showing as installed:

:::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

From an elevated PowerShell command prompt, run the following command to verify that all optional components and the cumulative update (CU) have been applied to the boot image:

Get-WindowsPackage -Path "<Mount_folder_path>"

Example:

Get-WindowsPackage -Path "C:\Mount"

For more information, see Get-WindowsPackage.

:::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to verify that all optional components and the cumulative update (CU) have been applied to the boot image:

DISM.exe /Image:"<Mount_folder_path>" /Get-Packages

Example:

DISM.exe /Image:"C:\Mount" /Get-Packages

For more information, see DISM Operating System Package (.cab or .msu) Servicing Command-Line Options: /Get-Packages.

---

Step 11: Unmount boot image and save changes

Once drivers, optional components, and the cumulative update (CU) have been applied to the boot image, unmount the boot image and save changes.

:::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

From an elevated PowerShell command prompt, run the following command to unmount the boot image and save changes:

Dismount-WindowsImage -Path "<Mount_folder_path>" -Save -Verbose

Example:

Dismount-WindowsImage -Path "C:\Mount" -Save -Verbose

For more information, see Dismount-WindowsImage.

:::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to unmount the boot image and save changes:

DISM.exe /Unmount-Image /MountDir:"<Mount_folder_path>" /Commit

Example:

DISM.exe /Unmount-Image /MountDir:"C:\Mount" /Commit

For more information, see Modify a Windows image using DISM: Unmounting an image and DISM Image Management Command-Line Options: /Unmount-Image.

---

Step 12: Export boot image to reduce size

1. Once the boot image has been unmounted and saved, its size can be further reduced by exporting it:

   :::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

   From an elevated PowerShell command prompt, run the following command to further reduce the size of the boot image by exporting it:

   Export-WindowsImage -SourceImagePath "<Boot_image_path>\<boot_image>.wim" -SourceIndex 1 -DestinationImagePath "<Boot_image_path>\<boot_image>-export.wim" -CompressionType max -Verbose
   

   Example:

   Export-WindowsImage -SourceImagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -SourceIndex 1 -DestinationImagePath "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe-export.wim" -CompressionType max -Verbose
   

   For more information, see Export-WindowsImage.

   :::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

   From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to further reduce the size of the boot image by exporting it:

   DISM.exe /Export-Image /SourceImageFile:"<Boot_image_path>\<boot_image>.wim" /SourceIndex:1 /DestinationImageFile:"<Boot_image_path>\<boot_image>-export.wim"
   

   Example:

   DISM.exe /Export-Image /SourceImageFile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /SourceIndex:1 /DestinationImageFile:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe-export.wim"
   

   For more information, see Modify a Windows image using DISM: Reduce the size of an image and DISM Image Management Command-Line Options: /Export-Image.

   ---

2. Once the export has completed:

   1. Delete the original updated boot image:

   :::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

   From an elevated PowerShell command prompt, run the following command to delete the original updated boot image:

   Remove-Item -Path "<Boot_image_path>\<boot_image>.wim" -Force
   

   Example:

   Remove-Item - Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" -Force
   

   :::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

   From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to delete the original updated boot image:

   del "<Boot_image_path>\<boot_image>.wim" /Y
   

   Example:

   del "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" /Y
   

   ---

   1. Rename the exported boot image with the name of the original boot image:

   :::image type="icon" source="images/icons/powershell-18.svg"::: PowerShell

   From an elevated PowerShell command prompt, run the following command to rename the exported boot image with the name of the original boot image:

   Rename-Item -Path "<Boot_image_path>\<exported_boot_image>.wim" -NewName "<original_boot_image_name>.wim"
   

   Example:

   Rename-Item -Path "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe-export.wim" -NewName "winpe.wim"
   

   :::image type="icon" source="images/icons/command-line-18.svg"::: Command Line

   From an elevated Deployment and Imaging Tools Environment command prompt, run the following command to rename the exported boot image with the name of the original boot image:

   rename "<Boot_image_path>\<boot_image>-export.wim" "<original_boot_image_name>.wim"
   

   Example:

   rename "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe-export.wim" "winpe.wim"
   

   ---

Step 13: Update boot image in products that utilize the boot image (if applicable)

After the default winpe.wim boot image from the Windows ADK has been updated, additional steps usually need to take place in the product(s) that utilize the boot image . The following links contain information on how to update the boot image for several popular products that utilize boot images:

• Microsoft Configuration Manager
• Microsoft Deployment Toolkit (MDT)
• Windows Deployment Services

For any other products that utilize boot images, please consult their documentation on how to finish updating the boot image.

Microsoft Configuration Manager considerations

How Microsoft Configuration Manager creates boot images

Microsoft Configuration Manager creates its own boot images by taking the winpe.wim from the Windows ADK, adding some optional components it requires to function correctly, and then saving the boot image as boot.wim in the directory <ConfigMgr_Install_Directory>\OSD\boot\<architecture>\boot.wim. This boot.wim boot image is considered the pristine authoritative copy of the boot image by Configuration Manager and is never touched, modified, or updated by Configuration Manager except in some very specific scenarios. Instead, when changes such as:

• Adding drivers
• Adding optional components
• Enabling the command prompt

are done in the properties of the boot image in Configuration Manager, Configuration Manager makes a copy of boot.wim, applies the changes to the copy, and then saves the new boot image as boot.<package_id>.wim. If any additional changes are done to the boot image, Configuration Manager discards the previously created boot.<package_id>.wim boot image, makes a new copy of boot.wim, applies the changes to the copy, and then saves the new boot image as boot.<package_id>.wim. In other words, boot.wim is never touched. Any time any changes are made to a boot image, both the new changes and any changes done in the past are all reapplied to a new copy of boot.wim.

This process makes has the following advantages:

1. Keeps boot.wim pristine.

2. Makes sure that when changes are made to a boot image, they are being done to a copy of a pristine version of the boot image that hasn't had been modified in the past. This helps avoid corruption and/or corrects issues with existing boot images.

3. Helps manage components in the boot image. The process doesn't need to know what components it might need to remove from the boot image each time the boot image is rebuilt. Instead, it just needs to know what components to add to the boot image.

4. Reduces the size of the boot image that can occur when components are removed from the boot image.

There are two scenarios when the boot.wim boot image is updated by Configuration Manager:

1. When upgrading between versions of Configuration Manager or when applying hotfix roll ups (HFRUs) to Configuration Manager, boot.wim may be updated as part of the upgrade process.

2. When selecting the option Reload this boot image with the current Windows PE version from the Windows ADK in the Update Distribution Points Wizard.

In theses scenarios, the boot.wim boot image is updated using the winpe.wim boot image from the Windows ADK as described earlier in this section. This process creates a new pristine copy of the boot.wim boot image using the current version of the winpe.wim boot image that is part of the Windows ADK.

Which boot image should be updated with the cumulative update?

When adding a cumulative update to a Configuration Manager boot image, it's recommended to update the winpe.wim boot image from the Windows ADK instead of directly updating the boot.wim boot image generated by Configuration Manager. The winpe.wim boot image from the Windows ADK should be updated instead of the boot.wim boot image generated by Configuration Manager for the following reasons:

1. If boot.wim is updated, then the next time boot.wim is updated via a Configuration Manager upgrade or the Reload this boot image with the current Windows PE version from the Windows ADK option, the changes made to boot.wim including the applied cumulative update will be lost. If the winpe.wim boot image from the Windows ADK is updated instead, then the changes to the Configuration Manager boot image including the applied cumulative update will persist and be preserved when Configuration Manager does update the boot.wim boot image.

2. If boot.<package_id>.wim is updated, then it will not only face the issues when boot.wim is updated, but it will also lose any changes, including the applied cumulative update, when any changes are done to the boot image (e.g. adding drivers, enabling the command prompt, etc.). Additionally, it will change the hash value of the boot image which can lead to download failures when downloading the boot image from a distribution point.

By updating winpe.wim from the Windows ADK, this will ensure that the cumulative update will stay applied regardless of what changes are made to the boot.wim boot image via Configuration Manager.

Updating the boot image in Configuration Manager

After updating the winpe.wim boot image from the Windows ADK, generate a new boot.wim boot image for Configuration Manager that contains the cumulative update by using the following steps:

1. Open the Microsoft Configuration manager console.

2. In the Microsoft Configuration manager console, navigate to Software Library > Overview > Operating Systems > Boot Images.

3. In the Boot Images pane, select the desired boot image.

4. In the toolbar, select Update Distribution Points.

5. In the Update Distribution Points Wizard window that appears:

   1. In the General/Update distribution points with this image page, select the Reload this boot image with the current Windows PE version from the Windows ADK option, and then select the Next > button.

   2. In the Summary page, select the Next > button.

   3. The Progress page will appears while the boot image builds.

   4. Once the boot image finishes building, the Completion/The task "Update Distribution Points Wizard" completed successfully page will appear. Select the Close button.

This process updates the boot image used by Configuration Manager. It will also update the boot image and the boot files used by any PXE enabled distribution points.

Important

If there are multiple boot images used in the environment for PXE enabled distribution points, make sure to update all of the PXE enabled boot images with the same cumulative update. This will ensure that the PXE enabled distribution points all use the latest version of the bootmgr boot files extracted from the boot images (if applicable).

Add optional components manually to Configuration Manager boot images

For Microsoft Configuration Manager boot images, when applying a cumulative update to a boot image, make sure to add any desired optional components manually using the above command lines instead of adding them through Configuration Manager via the Optional Components tab in the Properties of the boot image. Optional components need to be added to the boot image manually instead of via Configuration Manager because:

• When the cumulative update is applied, it will also update any optional components as needed.
• If the optional components are instead added through Configuration Manager after a cumulative update has been applied to the boot image, then the optional components will not be updated with the cumulative update. This could lead to unexpected behaviors and problems.

Once any optional components has been manually added to a boot image, if that optional component is attempted to be added via the Optional Components tab in the Properties of the boot image in Configuration Manager, Configuration Manager will detect that the optional component has already been added and it will not try to add the optional component again.

Configuration Manager boot image required components

The following components are required by Microsoft Configuration Manager boot images for Configuration Manager to function correctly:

Feature	File Name	Dependency	Required by ConfigMgr
Scripting/WinPE-Scripting	WinPE-Scripting.cab	NA	Yes
Scripting/WinPE-WMI	WinPE-WMI.cab	NA	Yes
Network/WinPE-WDS-Tools	WinPE-WDS-Tools.cab	NA	Yes
Startup/WinPE-SecureStartup	WinPE-SecureStartup.cab	Scripting/WinPE-WMI	Yes

When adding optional components to any boot image used by Configuration Manager during the Step 6: Add optional components to boot image step, make sure to first add the above required components in the above order to the boot image. After adding the required components to the boot image, add any additional desired optional components to the boot image.

For a list of all available WinPE optional components including descriptions for each component, see WinPE Optional Components (OC) Reference: WinPE Optional Components.

Updating Configuration Manager boot media

After completing the walkthrough, update any Configuration Manager boot media to ensure that the boot media has both the updated boot image and if applicable, updated boot files.

Microsoft Deployment Toolkit (MDT) considerations

When adding a cumulative update to a Microsoft Deployment Toolkit (MDT) boot image, it's recommended to update the winpe.wim boot image from the Windows ADK instead of directly updating the LiteTouchPE_<arch>.wim boot image in the MDT Deployment Share. The winpe.wim boot image from the Windows ADK should be updated instead of the LiteTouchPE_<arch>.wim boot image from the MDT Deployment Share because if LiteTouchPE_<arch>.wim is updated, then the next time the MDT Deployment Share is updated, the changes made to LiteTouchPE_<arch>.wim, including the applied cumulative update, may be lost. If the winpe.wim boot image from the Windows ADK is updated instead, then the changes to the MDT boot image including the applied cumulative update will persist and be preserved when the MDT Deployment Share is updated.

Updating the boot image in MDT

After updating the winpe.wim boot image from the Windows ADK, generate a new LiteTouchPE_<arch>.wim boot image for MDT that contains the cumulative update by using the following steps:

1. Open the Microsoft Deployment Toolkit (MDT) Deployment Workbench console.

2. In the Deployment Workbench console, navigate to Deployment Workbench > Deployment Shares > MDT Deployment Share.

3. Right click on MDT Deployment Share and select Update Deployment Share.

4. In the Update Deployment Share Wizard window that appears:

   1. In the Options page, select the Completely regenerate the boot images option, and then select the Next > button.

   2. In the Summary page, select the Next > button.

   3. The Progress page will appears while the boot image and deployment share builds.

   4. Once the boot image and deployment share finishes building, the Confirmation/The process completed successfully page will appear. Select the Finish button.

MDT and Windows ADK versions

Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. When using MDT, the recommendation is to use the ADK for Windows 10, version 2004 instead of the latest version of the Windows ADK. ADK for Windows 10, version 2004 was the last version of the Windows ADK supported by MDT.

MDT boot image required components

The following components are required by Microsoft Configuration Manager boot images for Configuration Manager to function correctly:

Feature	File Name	Dependency	Required by MDT
Scripting/WinPE-Scripting	WinPE-Scripting.cab	NA	Yes
Scripting/WinPE-WMI	WinPE-WMI.cab	NA	Yes
File management/WinPE-FMAPI	WinPE-FMAPI.cab	NA	Yes
Startup/WinPE-SecureStartup	WinPE-SecureStartup.cab	Scripting/WinPE-WMI	Yes
HTML/WinPE-HTA	WinPE-HTA.cab	Scripting/WinPE-WMI	Yes

When adding optional components to any boot image used by MDT during the Step 6: Add optional components to boot image step, make sure to first add the above required components in the above order to the boot image. After adding the required components to the boot image, add any additional desired optional components to the boot image.

For a list of all available WinPE optional components including descriptions for each component, see WinPE Optional Components (OC) Reference: WinPE Optional Components.

Update MDT boot image

After completing the walkthrough, .

Updating MDT boot media

After completing the walkthrough and updating the Deployment Share, update any MDT boot media to ensure that the boot media has both the updated boot image and if applicable, updated boot files.

Windows Deployment Services (WDS) considerations

The boot.wim that is part of Windows installation media isn't supported for deploying Windows 11 with Windows Deployment Services (WDS). Additionally, the boot.wim from Windows 11 installation media isn't supported for deploying any version of Windows with Windows Deployment Services (WDS). For more information, see Windows Deployment Services (WDS) boot.wim support.

Windows Server 2012 R2

This walk-through isn't intended for use with Windows Server 2012 R2. There may be additional steps necessary when using Windows Server 2012 R2, such as also having to apply the latest servicing stack update (SSU) to the WinPE boot image. For server OSes, it's strongly recommended to use Windows Server 2016 or later for this walk-through. For more information see, Windows Server 2012 R2 Lifecycle.