JSI Tip 7365. How can I integrate security patches, critical updates, and hotfixes that use Update.exe into my Windows installation source files?

NOTE: Also see Windows Compact Disk Management Script (WINCDMAN).

Microsoft Knowledge Base Article 828930 contains the following summary:

This article discusses how an administrator can integrate Windows software updates that use Update.exe with their Windows installation source files. (Software updates include critical updates, feature packs, hotfixes, security updates, service packs, updates, and update rollups.) These procedures may be useful when an administrator must apply one or more software updates during installations from a Windows distribution folder that the administrator creates. These procedures are also useful if you want to integrate a security update so that a new installation does not become infected by a virus when it is set up.


1. These procedures do not work for software updates that do not use Update.exe as the installation program. For example, some Microsoft Internet Explorer updates for Microsoft Windows 2000 and Microsoft Windows XP use an INF-based installation instead of Update.exe. As a result, you cannot use these procedures to integrate these Internet Explorer updates for Windows 2000 or Windows XP.
2. Filelist registry keys are not created correctly when you use these procedures to integrate software updates. For example, if you integrate the 824146 security patch into your Microsoft Windows Server 2003 installation source files, the following registry key is not created correctly:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB824146\Filelist
3. When you use either of these procedures to integrate updates, an entry is added for each update in the Add or Remove Programs control panel. However, the Remove button is not available because there is no earlier version of the updated files to restore if you remove the updates.
4. Administrators may also have to apply software updates to the Microsoft Windows Preinstallation Environment (Windows PE) if the following conditions are true:
  • The administrator uses the Windows PE to run Windows Setup.
  • The administrator uses an operating system that has integrated software updates on a network share.

For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

828217 How to apply the 824146 Security Patch to your Windows Preinstallation Environment

5. The instructions in this article can be used for Remote Installation Services (RIS) RISETUP based images also. The I386 directory structure for a RISETUP image is the same as a network distribution folder. For RIPREP images, pull the image down to a client computer, install the software update, and then RIPREP the image back to the server.
6. When you use these procedures to prevent a virus infection, we recommend that you integrate only software updates that require no action by the user. If you integrate software updates that do not prevent the Windows installation program from completing, use a "[guirunonce]" section in the Unattend.txt file, or use Software Update Services (SUS) to deploy the updates after the installation is completed.
