Whenever a new Windows device is booted from an image, there is a period when the machine is live on the network but still missing operating-system security patches and Microsoft Defender updates. This new-born system is at its most vulnerable until those patches and updates have been applied, and if the reason it was built from a clean image was to recover from a malware incident on the network, it can easily be re-infected before they arrive.
To help close this gap, Microsoft has released a tool that applies missing Microsoft Defender updates to static operating-system images before they are ever booted – in vitro updates, as it were.
According to Microsoft:
Initial hours of newly installed Windows OS deployments can suffer from a Microsoft Defender protection gap, as the installation OS images may contain outdated anti-malware software binaries. These devices will remain underprotected until the first anti-malware software update finishes. Regular servicing of OS installation images to update Microsoft Defender binaries minimizes this protection gap in new deployments.
The tool updates WIM or VHD operating-system images from a single PowerShell command, injecting up-to-date anti-malware signatures and, where needed, a newer version of the Microsoft Defender engine itself.
Because the tool writes Defender binaries into the image, the update package must match the image's architecture: use the 32-bit package for 32-bit images and the 64-bit package for 64-bit images. The tool itself runs only on 64-bit Windows 10 with PowerShell 5.1.
It supports images of all Windows 10 editions plus Windows Server 2019 and Windows Server 2016.
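The following wrapper shows how that servicing step fits into an image-maintenance routine. It is an added example, not code from the article or from Microsoft: it assumes Microsoft's servicing script is named DefenderUpdateWinImage.ps1 and takes -Action (AddUpdate/ListUpdate), -ImagePath, -Package and -WorkingDirectory (check Get-Help on the copy you downloaded), and that the two architecture-specific update packages are stored as defender-update-kit-x64.zip and defender-update-kit-x86.zip in a folder you supply. It reads the image architecture with the DISM cmdlets so the wrong package cannot be applied, refuses to touch an image that is currently mounted, and records the Defender platform version found in the image before and after the update for audit purposes.

```powershell
# Added example; not the article's or Microsoft's own code.
# Assumptions (verify against your downloaded copy):
#   - the servicing script is DefenderUpdateWinImage.ps1 with parameters
#     -Action AddUpdate|ListUpdate, -ImagePath, -Package, -WorkingDirectory
#   - update packages are named defender-update-kit-x64.zip / defender-update-kit-x86.zip
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $ImagePath,   # .wim or .vhd(x) to service
    [Parameter(Mandatory)] [string] $PackageDir,  # folder holding the x86/x64 packages
    [Parameter(Mandatory)] [string] $ScriptPath,  # path to DefenderUpdateWinImage.ps1
    [string] $WorkingDirectory = (Join-Path $env:TEMP 'DefenderImageUpdate'),
    [int]    $Index = 1                           # WIM image index to inspect
)

$ErrorActionPreference = 'Stop'

# Mount the image read-only and read the file version of the Defender service
# binary; this is the antimalware platform version shipped in the image.
function Get-ImageDefenderPlatformVersion {
    param([string] $Image, [int] $ImageIndex)
    $mount = Join-Path $env:TEMP ("mnt-" + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $mount | Out-Null
    try {
        Mount-WindowsImage -ImagePath $Image -Index $ImageIndex -Path $mount -ReadOnly | Out-Null
        $exe = Join-Path $mount 'Program Files\Windows Defender\MsMpEng.exe'
        if (Test-Path $exe) { (Get-Item $exe).VersionInfo.FileVersion } else { 'not found' }
    } finally {
        Dismount-WindowsImage -Path $mount -Discard | Out-Null
        Remove-Item $mount -Force -ErrorAction SilentlyContinue
    }
}

# 1. Refuse to service an image that is mounted somewhere: servicing it
#    underneath an active mount would corrupt it.
$full = (Resolve-Path $ImagePath).Path
$mounted = Get-WindowsImage -Mounted | Where-Object { $_.ImagePath -eq $full }
if ($mounted) { throw "$full is mounted at $($mounted.Path); dismount it first" }

# 2. Pick the package that matches the image architecture.
#    Get-WindowsImage reports Architecture 9 for x64 and 0 for x86.
$info = Get-WindowsImage -ImagePath $full -Index $Index
$arch = switch ($info.Architecture) {
    9       { 'x64' }
    0       { 'x86' }
    default { throw "Unsupported architecture code $($info.Architecture) in $full" }
}
$package = Join-Path $PackageDir "defender-update-kit-$arch.zip"   # assumed file name
if (-not (Test-Path $package)) { throw "No $arch update package at $package" }
Write-Host "Servicing '$($info.ImageName)' ($($info.Version), $arch) with $package"

# 3. Record the platform version before the update, apply it, then read it again.
$before = Get-ImageDefenderPlatformVersion -Image $full -ImageIndex $Index
New-Item -ItemType Directory -Path $WorkingDirectory -Force | Out-Null
& $ScriptPath -WorkingDirectory $WorkingDirectory -Action AddUpdate -ImagePath $full -Package $package
if ($LASTEXITCODE -ne 0) { throw "DefenderUpdateWinImage.ps1 failed with exit code $LASTEXITCODE" }
$after = Get-ImageDefenderPlatformVersion -Image $full -ImageIndex $Index

# 4. Let the tool report what it now sees in the image, and log the change.
& $ScriptPath -WorkingDirectory $WorkingDirectory -Action ListUpdate -ImagePath $full
[pscustomobject]@{
    Image           = $full
    Architecture    = $arch
    PlatformBefore  = $before
    PlatformAfter   = $after
    ServicedAt      = (Get-Date).ToString('s')
} | Export-Csv -Path (Join-Path $WorkingDirectory 'defender-image-servicing.csv') -Append -NoTypeInformation
```

Run it from an elevated 64-bit Windows 10 PowerShell 5.1 session, for example `.\Update-ImageDefender.ps1 -ImagePath D:\images\install.wim -PackageDir D:\defender-packages -ScriptPath D:\tools\DefenderUpdateWinImage.ps1`. The CSV it appends is the evidence you keep alongside the image so the next patch cycle can tell which images have already been serviced; note that the platform version shown is a proxy, and the signature version itself is what the tool's own ListUpdate output reports.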
When planning the monthly patch cycle, administrators can now also patch the systems that have not yet been born, by servicing the image files from which those systems will be built.