DISM hang on Safe OS Dynamic Update for Windows 11: October 2025 (KB5067040)

[ChAn]

Direct servicing of `winre.wim` with the `KB5067040.cab` package is failing due to a core servicing stack (DISM) hang. This is characteristic of an unresolved dependency or component mismatch between the preview update's payload and the minimal WinRE environment. The standard indirect workaround—rebuilding WinRE from a fully patched `install.wim`—is obstructed by the save-commit limitations of the NTLite Free Edition. The definitive solution is to bypass both issues by performing this rebuild process manually via the command line, using Microsoft's native DISM toolset.

The Core Failure: DISM Hang on `winre.wim`. The process freeze is not an NTLite application bug but a stall in the underlying `dism.exe` process. This occurs when DISM attempts to apply the update to the mounted `winre.wim`. The root cause is a fundamental incompatibility: `winre.wim` is a specialized, stripped-down Windows PE image with an incomplete component store. The KB5067040 preview update likely attempts to patch binaries or registry keys that are either absent or architecturally different in WinRE, leading to an unrecoverable state in the servicing stack.

The Tool Limitation: NTLite Free Edition. The most robust workaround for such servicing failures is to patch the full OS source image (`install.wim`), which contains all necessary dependencies, and then extract the newly generated `winre.wim` from it. However, the NTLite Free Edition prevents committing complex changes to a parent image like `install.wim`, effectively blocking this GUI-based workflow.

The Viable Path Forward: Manual Rebuild via DISM. Since the direct servicing path is blocked by a technical incompatibility and the intuitive GUI workaround is blocked by a software limitation, the only reliable method is a manual, command-line-driven process. The strategy is as follows:

Service the Parent Image: Use `dism.exe` to mount the full `install.wim`. Because this image contains the complete OS component store, injecting the `KB5067040.cab` will succeed as all dependencies are met. The changes are then committed, creating a fully patched source WIM.

Extract the Patched Artifact: The newly patched `install.wim` now contains an implicitly updated `winre.wim` located at `\Windows\System32\Recovery\`. By re-mounting the patched `install.wim`, this updated `winre.wim` can be copied out.

This manual process successfully bypasses both the core DISM servicing hang and the NTLite Free Edition's restrictions, yielding the desired patched `winre.wim` artifact.

 

[nuhi]

Hi,

do you have a preset demonstrating that?
I have now tested it, loaded install.wim edition, applied CU + SafeOS update, there were no hangups.
But I did get a similar report on the email today, if it wasn't you, would be important to replicate this so it can be fixed fast.

Thank you.

 

[ChAn]

yes i did send you email today that cover this matter yes

this is the log NTLite.log files

as as the NTLite is stil mount and freeze notings happends and never complete there shuld bee preset yes


imported to NTLite and first loaded to boot.wim
Auto-saved_e7a7c94d_4_6_4.xml boot.wim first load
Auto-saved_e7a7c94d_4_6_5.xml boot.wim secend for also apply the first KB5068516.cab into boot.wim

imported to NTLite and first loaded to install.wim and with KB5067040.cab to winre.wim
Auto-saved_1f0ffc80_4_6_3_NR2.xml first load
Auto-saved_1f0ffc80_4_6_3_NR1.xml secend load
Auto-saved_ce6c7f99_4_6_3_NR3.xml last load but with also KB5067040.cab

the affected PC or system is not restart get

this affected PC is not on WiFI or RJ45 cabel

will test again with fresh iso 25H2 from Microsoft website

 

[nuhi]

Hi,

did you reboot and clean the ISO files to the fresh ones?

Also there are 5 presets in this zip, please pick one demonstrating the issue, and ntlite.log is better than ntlite_dism.log if the issue repeats with clean ISO files.

 

[phAWPuGXBS]

Hi,

did you reboot and clean the ISO files to the fresh ones?

Also there are 5 presets in this zip, please pick one demonstrating the issue, and ntlite.log is better than ntlite_dism.log if the issue repeats with clean ISO files.

hello, i have a similar issue, i can't update WinRE in some cases (NTLite hangs and do nothing until i cancel it manually)

Mod note: Redacted URL from non-official MS site.
User note: my bad for the link, didn't know.

here are the steps to reproduce :
- download Windows 11 IoT Enterprise LTSC 2024 from [redacted]
- add it into NTLite (home license)
- load the 2nd edition (IoT Entreprise LTSC)
- select "remove nonessential editions" and apply
- load the "windows setup" and apply the update "dynamic update for Windows setup"
- load the IoT Enterprise LTSC edition and apply the update "Safe OS Dynamic Update for WinRE (kb5070186)"

NTLite will not proceed and will hang until i cancel it manually.

That process worked fine in the past, i'm not sure why it doesn't now.

Update 1: same if i skip the "remove nonessential editions" step
Update 2: if i add more updates allong with WinRE it goes through but results in in a broken iso :/
Update 3: i added the log file from update 1

 

[ChAn]

A workarund out side of NTLite

Detailed Service Strategy: Manual WinRE Patching

It is crucial to gain a holistic understanding of this process before initiating the deployment. This guide outlines the manual DISM servicing workaround required to bypass the known Servicing Stack hang experienced during the integration of updates (such as KB5070186) into minimal WinRE environments.

PREREQUISITE: All commands detailed below must be executed within an elevated Command Prompt or PowerShell session (Run as Administrator).

Step 0: Pre-Deployment and Path Definition

Before executing any commands, establish and verify the necessary file system hierarchy:

1. Create Mount Point: Establish an empty directory, e.g., C:\Mount, which will serve as the temporary mount point for the WIM image.

2. Define Artifact Destination: Create a dedicated output folder, e.g., C:\WinRE_Patched, to store the final patched winre.wim artifact.

3. Validate Source Paths: Record the exact file paths for your sources:
* C:\Path\to\install.wim (Your Host Image / Windows Source)
* C:\Path\to\KB5070186.cab (Your Update Package)

Step 1: Query the Image Index Metadata

Confirm the index number corresponding to your desired Windows edition (e.g., Professional, Enterprise).

Syntax:

Dism /Get-ImageInfo /ImageFile:"C:\Path\to\install.wim"

Execution: Review the output and note the specific Index Number (e.g., 1, 2, or 3). This value will replace X in Step 2.

Step 2: Mount the Host Image (Parent WIM)

Mount the entire install.wim to expose the full Component Store, which is essential for successful patch integration.

Syntax:

Dism /Mount-Image /ImageFile:"C:\Path\to\install.wim" /Index:X /MountDir:"C:\Mount"

(Replace X with the Index Number identified in Step 1.)
Execution: Wait for the command line to return input, indicating the mount operation is complete.

### Step 3: Inject the Package (Resolves the Servicing Hang)

Now, inject the update package into the mounted host image. Since the full image provides all dependencies, the Servicing Stack hang will be bypassed.

Syntax:

Dism /Image:"C:\Mount" /Add-Package /PackagePath:"C:\Path\to\KB5070186.cab"

Execution: Allow the command to run. It will display a progress percentage. This is the critical, time-consuming operation that failed when targeting winre.wim directly.

### Step 4: Commit Changes and Unmount

Once the package injection is complete, commit all changes back to the install.wim and release the mount point.

Syntax:

Dism /Unmount-Image /MountDir:"C:\Mount" /Commit"

Execution: The commit phase is I/O intensive and may take the longest time. Wait until the operation is reported as complete. Your install.wim is now patched.

Step 5: Artifact Extraction of the Patched WinRE

Remount the install.wim in read-only mode to safely extract the now-updated winre.wim file.

Syntax (Read-Only Mount):

Dism /Mount-Image /ImageFile:"C:\Path\to\install.wim" /Index:X /MountDir:"C:\Mount" /ReadOnly

Syntax (Artifact Extraction):

Copy-Item C:\Mount\Windows\System32\Recovery\winre.wim C:\WinRE_Patched\winre_patched.wim

Syntax (Unmount, Discarding Mount Point):

Dism /Unmount-Image /MountDir:"C:\Mount" /Discard

(The /Discard parameter is used as no changes were made to the image during this read-only mount.)

This process yields a fully patched winre_patched.wim artifact in your C:\WinRE_Patched directory.

 

[nuhi]

Update 2: if i add more updates allong with WinRE it goes through but results in in a broken iso :/
Update 3: i added the log file from update 1

Thank you, that helped replicating it.
Issue was visible if no Cumulative update, tool was waiting on servicing stack extraction.

Fix uploaded, let me know if you both see any issues.

For Windows 10 make sure not to integrate ESU update, only last non-ESU.
For ESU it's a separate topic, not related to NTLite.