Note – If you are viewing this page on a mobile device some embedded code may not display, switch your mobile browser to desktop mode.
Since the release of the cumulative update model, managing Windows updates has become a much simpler process. Updates are typically released broadly to enterprise devices monthly after they have gone through a targeted testing phase. In addition to updating exiting machines, it is just as important to maintain the Windows 10 image file (also known as .WIM) so freshly built machines have the latest updates as soon as they are deployed. Before Windows 10 it was common for companies to utilise a ‘build and capture’ process to create a ‘gold’ reference image containing customisations, applications, middleware and updates. While this scenario is still supported with Windows 10 (and required in some cases, usually due to troublesome applications) it is no longer the preferred method.
Typically, Windows WIM files are updated within ConfigMgr via the ‘Schedule Updates’ wizard. Using this method will ensure the WIM has the latest applicable updates. There are a couple of downsides of using this process.
- Windows 10 (from version 1709) WIM files now have all Windows 10 SKU’s included. Each update must ‘apply’ against each index, this causes the schedule updates process to take a significant amount of time (example below).
- The schedule updates wizard performs no clean-up operations on the serviced image. The lack of clean-up combined with the multi indexed WIM will bloat the size of the WIM. After a few months of servicing this way, its not uncommon for the image to be triple its original size.
The downloaded Windows 10 media from Microsoft (via the Volume Licensing Service Centre) will come as an ISO. This ISO contains Windows 10 setup binaries, including the install.wim file (within sources directory). The setup binaries (including the install.wim) are used during in-place upgrades. Traditional OS deployment (bare-metal/replace) only relies on the install.wim. ConfigMgr references these two methods separately within the console.
OS Deployment Images are found within:
\Software Library\Overview\Operating Systems\Operating System Images
Upgrade packages are found within:
\Software Library\Overview\Operating Systems\Operating System Upgrade Packages
The process outlined below will ensure that the WIM is serviced correctly with monthly updates, all while keeping the size as small as possible. Some steps in the process should be repeated monthly after the business has accepted that months updates into circulation (broad deployment).
In the steps below, you will:
- Download the Windows 10 Media
- Create a folder structure for the master WIM, in-place and bare-metal scenarios for each month
- Export the Enterprise WIM from the install.wim (the stock install.wim contains all SKU’s)
- Mount the Enterprise WIM and update it with monthly updates (May 2018 in this example)
- Clean up the image (removing unnecessary files)
- Import the in-place and bare-metal files to ConfigMgr.
At the end of the process image sizes will vary month to month. Results from May 2018 are listed below.
|Orignial (unmodified) install.wim||3.9GB|
|Patched May 2018 install.wim (enterprise only index)||4.6GB|
|Patched and cleaned image||3.7GB|
In summary, the final patched image size for May 2018 turns out smaller than the stock Windows 10 image downloaded from the VLSC.
Log in to the Volume Licensing Service Centre and download the latest media for Windows 10. This example will refer to Windows 10 1803 released in March 2018 (Mar18).
Create a folder structure.
- March18-Master: Contains the downloaded and extracted Windows 10 media. The install.wim in the sources folder will have its enterprise index exported.
- May18-BareMetal: Contains the patched and cleaned up install.wim for May 2018.
- May18–InPlace: Contains the Windows setup binaries (copied from March18-Master) and a copy of the patched, cleaned up wim. This file will be identical to the one in the *-BareMetal folder.
- Offline: Blank folder to store the mounted image.
Export the Enterprise Image
Launch the Deployment and Imaging Tools Environment on your ConfigMgr server.
This tool is included within the Windows ADK and includes an up to date version of DISM. As always you should be using the latest version of DISM to match the OS version you are servicing.
Export the Windows 10 Enterprise image from the install.wim within the March18-Master\sources folder. The Windows 10 enterprise image is located at Index 3.
|Dism /Export-Image /SourceImageFile:"E:\Source\OS\Windows10\EN 1803\March18-Master\sources\install.wim" /SourceIndex:3 /DestinationImageFile:"E:\Source\OS\Windows10\EN 1803\install.wim|
You can verify that you have the correct index by using the following command.
|Dism /Get-ImageInfo /ImageFile:"E:\Source\OS\Windows10\EN 1803\install.wim|
Once verified make a copy of of the exported install.wim and replace it with the multi-index wim in the March18-Master\Sources folder. This exported enterprise WIM will be referenced each month by the rest of the process. The WIM in the March18-Master folder will not be referenced again in this process.
Mount the Image
Mount the Enterprise WIM. You will notice the command is now referencing index:1 as this is now the only index available. The image will be mounted to the previously created Offline folder.
|Dism /Mount-Image /ImageFile:"E:\Source\OS\Windows10\EN 1803\install.wim" /Index:1 /MountDir:"E:\Source\OS\Windows10\EN 1803\offline" /Optimize|
Updates are now ready to be added to the offline (mounted) image. The update binaries can either be downloaded from the Windows Update catalog online directly or downloaded via ConfigMgr. The updates applied to the image will also be deployed (or should have been already) to existing workstations therefore its more practical to get these updates from your ConfigMgr update deployment package.
Locate your updates applicable to the month you are servicing. The following updates were downloaded for May 2018.
Note – It is important to consider the Windows 10 servicing stack updates. In some cases servicing stack updates must be applied before attempting to install a cumulative update. This post by David Segura outlines servicing stack updates (SSU). Have a read of David’s post and apply the SSU with the below process.
The updates were downloaded to the deployment package located on the site server.
Inject the Updates
Updates can now be injected into the offline image. The following commands show examples of adding a single update or multiple updates. You can also verify the updates have applied successfully.
|Dism /Add-Package /Image:"E:\Source\OS\Windows10\EN 1803\offline" /PackagePath="E:\Source\Updates\Windows 10 1803\937c715f-a49e-4480-8b0c-e8f417e15164\Windows10.0-KB4100347-x64.cab"|
|Dism /Add-Package /Image:"E:\Source\OS\Windows10\EN 1803\offline" /PackagePath="E:\Source\Updates\Windows 10 1803\af8d9d4c-a4e9-4435-b08e-9f93d8d2b2b0\Windows10.0-KB4100403-x64.cab" /PackagePath="E:\Source\Updates\Windows 10 1803\df72c532-6259-4c38-9dba-0d952760b50c\Windows10.0-KB4103729-X64.cab"|
|Dism /Image:"E:\Source\OS\Windows10\EN 1803\Offline" /Get-Packages /Format:Table|
Clean Up Image
It is now time to clean up the image. Using the /ResetBase switch with the /StartComponentCleanup parameter of DISM.exe removes unnecessary files from the component store. The clean up operation will take some time to complete.
|Dism /Image:"E:\Source\OS\Windows10\EN 1803\offline" /Cleanup-Image /StartComponentCleanup /ResetBase|
Unmount the Image
Unmount the image. The process will unmount the image from the Offline folder.
|Dism /Unmount-Image /MountDir:"E:\Source\OS\Windows10\EN 1803\offline" /Commit|
Export the Image
Export the image into either the May18-BareMetal folder. Once exported this file should be copied to the May18-InPlace\sources folder and replace the install.wim within this folder. When you modify an image, DISM stores additional resource files that increase the overall size of the image. Exporting the image will remove unnecessary resource files.
|Dism /Export-Image /SourceImageFile:"E:\Source\OS\Windows10\EN 1803\install.wim" /SourceIndex:1 /DestinationImageFile:"E:\Source\OS\Windows10\EN 1803\May18-BareMetal\install.wim"|
Delete the old image
Delete the image from the root of the ‘EN 1803’ folder.
|del "E:\Source\OS\Windows10\EN 1803\install.wim"|
Import into ConfigMgr
Import the serviced in-place and bare-metal images into ConfigMgr.
Import the bare-metal image.
Name the image with a reference to the patch date.
Import the Operating System Upgrade Package.
After deploying the new serviced image, run the ‘get-hotfix’ PowerShell command to verify updates have applied as expected.
For information on DISM commands available please see the following link.
The process outlined above should be repeated each month after that months updates are accepted into broad deployment. Create the folders to match the month you are servicing and import and distribute in ConfigMgr. After importing make sure you modify your task sequences for bare-metal and in-place to use the new images.
My friend Steve Jones over on the WinAdmins Slack has put together a script to automate some of the process.
If you aren’t a member of our Slack, you really should be, there are thousands of like minded individuals hanging out from all over the world, you may even see some of our friendly MVP’s pop in once in a while. . Head over to https://slofile.com/slack/winadmins to join.Once you have your invite head to the channel – https://winadmins.slack.com