Install latest Software Updates during OSD using Config Manager and Automatic Deployment Rules

You have a couple of options here. Automatic Deployment Rules (ADRs) are able to deploy approve and deploy updates, but often customers choose to phase this rollout to validate the patches dont clash with any apps or utilities you may have "out in the wild". 

https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates

You can also look at offline servicing for images so that the patches are included in the image before it's even transmitted to the device and applied. this has the benefit of being both the most secure AND quick as there is likely no increase in build time. It also means you dont have to recapture your WIM as often.