Offline updates - Microsoft Baseline Security Analyzer

  • Question

  • Hello,

    Here is my problem: I have several Windows Server 2012 R2 computers (without Active Directory) which are not connected to the Internet. For security reasons, I would like to update each computer on a regular basis. I think this is a common problem.

    I have already read several topics on this subject. Here is a list of possible free solutions I found:

    - Manually download each update from the catalogue and install them. This is not applicable because of practical limits.

    - Set up a WSUS server from which each computer can grab the necessary updates. This does not work in my configuration as none of the computers are or will be connected to the Internet.

    - Use Wsusoffline, which is a third-party tool to download all updates for a specific OS and install them: it is a bit overkill but seems good. One drawback is that it seems I cannot get the list of "missing only" updates for a computer before applying the whole set of updates.

    - Use Microsoft Baseline Security Analyzer, which can locally scan a computer and output a list of missing updates (with links to the download file and bulletin). One drawback is that it needs several scans to ensure that all missing updates are applied, because if KB2 needs KB1 to be installed, the MBSA scan will only list KB1 on the first scan. After installing KB1 and scanning again, it will list KB2 as a missing update. Can someone confirm this?

    In my situation, MBSA seems to be the better solution. Do you have any advice on how to use MBSA? Or any detail on how it works: is there any order that I need to respect when installing updates?

    And do you know another way to do offline updates?

    If you need some details or have any questions, just ask me.

    Thank you,

    Thursday, March 30, 2017 3:29 PM

All replies

  • Hi Palaksa,

    You may refer to the following link to learn about wsusscn2.cab and check whether it could meet your requirement:

    https://support.microsoft.com/en-sg/help/926464/a-new-version-of-the-windows-update-offline-scan-file,-wsusscn2.cab,-is-available-for-advanced-users

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, March 31, 2017 9:05 AM
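
An added example, not part of the original thread: one way to get the "missing only" list on a disconnected server by scanning against wsusscn2.cab through the Windows Update Agent COM API. The cab path and CSV name are assumptions, and the script checks the file's Authenticode signature before use because the cab arrives on removable media.

```powershell
# Added example: offline scan for missing updates with the Windows Update Agent (WUA) COM API.
# Assumption: wsusscn2.cab was downloaded on a connected machine and copied to this path.
$CabPath = 'C:\Temp\wsusscn2.cab'   # hypothetical location

# The file crossed a trust boundary on removable media: verify its signature first.
$sig = Get-AuthenticodeSignature -FilePath $CabPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to scan: signature status of $CabPath is '$($sig.Status)'"
}

$session = New-Object -ComObject Microsoft.Update.Session
$manager = New-Object -ComObject Microsoft.Update.ServiceManager

# Register the cab as a temporary scan service (flags value 1, as in Microsoft's WUA offline-scan sample).
$service = $manager.AddScanPackageService('Offline Sync Service', $CabPath, 1)
try {
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3                 # ssOthers: use the service named by ServiceID
    $searcher.ServiceID       = $service.ServiceID
    $result = $searcher.Search('IsInstalled=0')   # applicable updates that are not installed

    $missing = foreach ($u in $result.Updates) {
        # Download URLs, where the catalog exposes them, hang off the bundled updates.
        $urls = foreach ($b in $u.BundledUpdates) {
            foreach ($c in $b.DownloadContents) { $c.DownloadUrl }
        }
        [pscustomobject]@{
            KB           = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity     = $u.MsrcSeverity
            Title        = $u.Title
            DownloadUrls = $urls -join ';'
        }
    }

    # The CSV can be carried back to a connected machine to fetch only these packages.
    $missing | Sort-Object KB | Export-Csv -Path .\missing-updates.csv -NoTypeInformation
    '{0} applicable updates are not installed' -f @($missing).Count
}
finally {
    # Unregister the temporary service so it does not linger in the WUA configuration.
    $manager.RemoveService($service.ServiceID)
}
```

Run it from an elevated PowerShell prompt on each server, and run it again after installing updates to see what is still reported.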
  • What about the WSUS deployment for disconnected networks

    from this document:

    https://technet.microsoft.com/en-us/library/dd939820(v=ws.10).aspx

    Would that help you? Kind of a sneaker net approach, but I have known a couple of businesses where that deployment strategy did work for disconnected networks.

    Friday, March 31, 2017 5:11 PM
  • Thank you for your answers.

    I did not know about System Management Server Inventory Tool for Microsoft Updates. It seems to have a lot of features, one of them being offline updates. I'll look into it.

    About WSUS, the system contains only a few computers, fewer than 15. So patching each computer manually is possible. But none of them can be connected to the Internet, so I cannot deploy a WSUS.

    Palaksa.

    Monday, April 3, 2017 1:49 PM
  • Hi Palaksa,

    If the above reply could be of help, you may mark the useful reply as the answer. If you have other questions, feel free to ask.

    Best Regards,

    Anne



    Wednesday, April 5, 2017 6:35 AM