Integrate Windows Updates

Slipstream Windows updates into an installation image: use the built-in downloader, review flagged dependencies, and speed up repeat builds with caching and parallel extraction.

Integrate Windows updates directly into an installation image, so every deployment is fully patched from the very first boot. This guide walks the whole workflow: getting updates with the built-in downloader, queuing and analyzing them, and using the caching and parallelism options that make repeated builds fast.

Why Integrate Updates

A freshly installed Windows is at its most vulnerable between first boot and the moment Windows Update finishes patching it. Slipstreaming updates into the image closes that gap entirely - the system comes up already carrying the latest cumulative update and Windows Defender definitions.

  • Secure from first boot - cumulative, security, .NET, and Defender definition updates are already installed before the system ever goes online.
  • Install once, deploy many - one patched image saves every deployed machine the download-and-reboot cycle after setup.
  • Dependency awareness - queued updates are ordered automatically, and missing prerequisites or compatibility issues are flagged directly in the queue, with the affected update marked in red, before you commit to a long apply.
  • Fast repeat builds - downloaded updates are kept in a local cache per Windows version, and extracted contents can be cached too, so rebuilding an image skips both the download and the extraction work.
  • Secure Boot readiness - carrying the latest cumulative update is the prerequisite for staging the UEFI CA 2023 certificate, keeping deployments bootable through the 2011-to-2023 Secure Boot certificate migration.

Load the Image

On the Image page, load the target - either an image edition for offline integration, or the live system to install updates on the current installation. Then open Integrate → Updates. The list on the right shows packages already in the target: updates, language packs, and features.

The Updates page handles integrate-able packages such as MSU and CAB files. For EXE installers like .NET Framework or C++ runtimes, use Automate → Post-Setup instead. Supported EXE exceptions: Win7 SP1, WUAgent, and IE11.

Get Updates with the Downloader

The fastest way to fill the queue is Add → Latest online updates. NTLite detects the loaded image version and lists the newest matching updates - cumulative, servicing stack, security, .NET, and Windows Defender definitions - with recommended ones pre-labeled for easy selection. Use Enqueue to add selections to the integration queue; anything not yet downloaded is fetched automatically when processing starts.

Already have MSU or CAB files? Use Add → Files (or drag and drop) to queue them directly. For .NET Framework 3.5, use Add → Templates → .NET Framework 3.5, which pulls the needed package from the loaded image itself.

The downloader itself - supported Windows versions, download cache folder layout, hash verification, resume, and the Verify, Download, and Trim operations - is covered in the Download Windows Updates guide. It is also reachable standalone from the toolbar under Start → Tools.

Review Dependency Warnings

After queuing everything, check the queue for updates marked in red - the known missing dependency or compatibility issue is attached right on the update. This catches, for example, a cumulative update missing its servicing stack prerequisite before you spend the time on a full apply. On Windows 7 targets, run Analyze from the toolbar to perform this check.

Speed: Caching and Parallelism

Two independent toolbar toggles control extraction performance. Choose based on CPU cores, available disk space, and how often you rebuild with the same updates:

  • Parallel extraction - extracts as many pending updates in parallel as there are CPU cores. Temporarily uses more CPU and disk space, but is much faster than one-by-one extraction. Extracted files are reused within the session and deleted on close unless Smart cache is on.
  • Smart cache - stores extracted files in the update extraction cache (File → Settings) so the same updates skip extraction across sessions. The cache maintains itself: entries not accessed for 7 days are deleted on close.

Note the two separate caches: the Update Cache directory holds downloaded MSU/CAB files organized per Windows version, while the update extraction cache holds their extracted contents for Smart cache reuse. Both locations are configured under File → Settings.

Shrink the Result: Optimize Updates

Integrating updates grows the component store. The Optimize updates toolbar option removes superseded components and compresses retained versions - helping fit an image under the FAT32 4 GB limit, or simply shrinking the installation. Modes range from the DISM-based Normal cleanup to ResetBase (optionally deferred to first boot for a faster apply) and NTLite's own Custom engine for images DISM cannot service.

Mode-by-mode details, the deferred ResetBase mechanics, and the companion Clean apps option are documented on the Updates reference page.

Apply

Queued updates integrate during Apply → Process, alongside any other pending changes. Missing downloads are fetched first, then updates are extracted (in parallel, if enabled) and integrated in dependency order.
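To confirm afterwards that the image actually carries what was queued, the package list can be read back with the DISM PowerShell module. This is an added example, not NTLite's own code; the image path, edition index, and mount folder are placeholder assumptions, and it must be run from an elevated prompt.

```powershell
# Added example: audit the update packages present in an offline image.
# All three parameter defaults are placeholders (assumptions); adjust before use.
param(
    [string]$ImagePath = 'C:\Images\install.wim',   # placeholder: processed image
    [int]   $Index     = 1,                          # placeholder: edition index
    [string]$MountDir  = 'C:\Mount\audit'            # placeholder: empty folder
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

# Mount read-only so the audit cannot modify the image.
Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir -ReadOnly | Out-Null
try {
    # Keep update-type packages only; language packs and features are skipped.
    $updateTypes = 'SecurityUpdate', 'Update', 'UpdateRollup',
                   'CriticalUpdate', 'Hotfix', 'ServicePack'
    $packages = Get-WindowsPackage -Path $MountDir |
        Where-Object { $updateTypes -contains $_.ReleaseType.ToString() }

    # Full list, newest first, for comparison against the integration queue.
    $packages | Sort-Object InstallTime -Descending |
        Format-Table PackageName, ReleaseType, PackageState, InstallTime -AutoSize

    # Anything not Installed or Superseded (for example InstallPending or
    # Staged) still has work outstanding, typically finished on first boot.
    $outstanding = $packages |
        Where-Object { $_.PackageState.ToString() -notin 'Installed', 'Superseded' }
    if ($outstanding) {
        Write-Warning "Update packages with outstanding state:"
        $outstanding | Format-Table PackageName, PackageState -AutoSize
    }
    else {
        Write-Output "All update packages are Installed or Superseded."
    }
}
finally {
    # Always release the mount, discarding nothing since it was read-only.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
}
```

Cumulative updates usually appear under a rollup package name rather than their KB number, so compare by install time and release type as well as by name.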
