WSUS Server Configuration in Server 2016 in an isolated internet i.e. Org LAN without connectivity to civil internet

  • Question

  • Hi,

    I am working in an organisation having total PCs of around 100. All PCs are connected to internal network which is completely isolated from civil internet, i.e. NO CONNECTIVITY TO INTERNET BY ANY MEANS.

    It is a great task to install windows update patches in all 100 PCs.

    An external server is providing windows update patches standalone installer, and we write the data and install it in every PC.

    My question is whether WSUS can be configured for updating all Windows PCs in the intranet, where I can copy the Windows update standalone installers to the WSUS server, from which all PCs can be updated.

    Waiting for reply.....

    Thursday, April 16, 2020 3:02 PM

Answers

  • Hi,
     
    Depending on your description, you can refer to the following steps.
     
    1. Build a WSUS server in an environment that can connect to the Internet.
     
    2. Approve the required updates on a WSUS server that can connect to the Internet.
     
    3. Export updates on an exported Server.
     
    4. Build a WSUS in an internal environment that is disconnected from the Internet.
     
    5. Import updates on the internal WSUS server.
     
    The following links are for your reference: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939873(v=ws.10)?redirectedfrom=MSDN
     
    Here are two things you need to pay attention to. 
     
    1. Export and import WSUS server to quickly install files and language settings to be consistent. 
     
    2. Copy binary update files to imported WSUS server first, and then export and import the metadata.
     
    If you have any questions, please keep us in touch.
     
    Regards,
    Rita

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, April 17, 2020 8:53 AM

All replies

  • Hi,

    You don't want to copy updates to WSUS. WSUS syncs with Microsoft update servers and automatically gets updates into it. This is the update server list (https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting):

    • http://windowsupdate.microsoft.com
    • http://*.windowsupdate.microsoft.com
    • https://*.windowsupdate.microsoft.com
    • http://*.update.microsoft.com
    • https://*.update.microsoft.com
    • http://*.windowsupdate.com
    • http://download.windowsupdate.com
    • https://download.microsoft.com
    • http://*.download.windowsupdate.com
    • http://wustat.windows.com
    • http://ntservicepack.microsoft.com

    If you want to get some updates manually, you can do it through the update catalog site below,

    https://www.catalog.update.microsoft.com/Home.aspx

    You can also import standalone updates into WSUS as below,

    http://woshub.com/manually-import-updates-wsus-microsoft-update-catalog/
    http://www.localupdatepublisher.com/

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939825(v=ws.10)?redirectedfrom=MSDN

    https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/manage/wsus-and-the-catalog-site

    If you need to know more about WSUS, please refer to the official document here,

    https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus

    Thursday, April 16, 2020 5:37 PM
  • Hi,

    It seems there is no update for a couple of days. May we know the current status of the problem? Is there any other assistance we can provide?

    If you have any questions, please keep us in touch.

    Regards,
    Rita

       


    Thursday, April 23, 2020 3:20 AM
  • Hi,

    As said earlier, we cannot connect any Windows PC to the Internet. As per our policy, any PC which is connected to the Internet should have a Linux operating system.

    So, can I download MSU updates and put them in a defined folder of the Isolated Internet WSUS Server?

    Or can we create a batch file for updating the same?

    Please suggest

    Thanks in Advance

    Thursday, April 23, 2020 1:10 PM
  • Hi,

    The configuration which you are summarizing above is working fine. But can I copy the MSU files to the WSUS folder?

    Thursday, April 23, 2020 1:13 PM
  • Hi,
     
    In my experience, this can be difficult to achieve. If your clients want to get updates through WSUS in a disconnected environment, I'm afraid you may only implement client updates through the above actions.
     
    If you have any further questions, please contact me.
     
    Regards,
    Rita



    Friday, April 24, 2020 10:33 AM
  • Hi,
     
    In my experience, this can be difficult to achieve. If your clients want to get updates through WSUS in a disconnected environment, I'm afraid you may only implement client updates through the above actions.
     
    If you have any further questions, please contact me.
     
    Regards,
    Rita

    Please remember to mark as answers if they help.

    Thanks Rita Ma'am......

    But, we want only windows updates to push to all clients connected in LAN.

    Simply saying... the scenario which I am finding is not configurable by any chance. From above discussions, I conclude in my opinion that we must have two WSUS servers, one connected to Internet and another one connected to Intranet isolated from internet. This would enable to update all windows clients through WSUS servers.

    Friday, April 24, 2020 3:04 PM
  • Hi,
     
    Thank you for posting. Depending on your needs, you may refer to my reply above.
     
    If you have any other questions, please keep us in touch.
     
    Regards,
    Rita


    Monday, April 27, 2020 9:46 AM
  • Hi,
     
    I am glad to hear that your issue was successfully resolved. If there is anything else we can do for you, please feel free to post in the forum.
     
    Best Regards,
    Rita


    Wednesday, April 29, 2020 2:35 AM
  • Hi, 
     
    Thank you very much for the update. I'm glad the problem is solved now. Here's a short summary for the problem. 
     
    Thank you very much for the update and sharing the solution here. I believe this should be useful for someone who has similar issue in the future. Here's a short summary for the problem. 
     
    Problem/Symptom: 
    Configure a Disconnected Network to Receive Updates 
     
    Possible Cause: 
    The internal environment is disconnected from the internet.
     
    Solution:
    Import export metadata using wsusutil.exe management tools 
     
    Reference Links: 
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939873(v=ws.10)?redirectedfrom=MSDN
     
    Regards, 
    Rita


    Tuesday, May 12, 2020 9:41 AM
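
The export/import procedure from the accepted answer and the summary above, as an added example that is not part of the original thread: a PowerShell script that copies the binary update files first, exports the metadata with wsusutil.exe, and verifies a SHA-256 manifest on the isolated server before anything is imported. The content directory, the removable-drive folder, the file names and the wsusutil.exe location under Program Files are assumptions; adjust them to your servers.

```powershell
# Added example. All paths and file names below are assumptions.
param(
    [Parameter(Mandatory)] [ValidateSet('Export', 'Import')] [string] $Mode,
    [string] $WsusContent = 'D:\WSUS\WsusContent',  # assumed WSUS content directory
    [string] $Media       = 'E:\wsus-transfer'      # assumed folder on the removable drive
)
$ErrorActionPreference = 'Stop'
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
$package  = Join-Path $Media 'export.xml.gz'
$manifest = Join-Path $Media 'manifest.csv'
$payload  = Join-Path $Media 'WsusContent'

function Get-Manifest([string] $Root) {
    # Relative path and SHA-256 of every transferred file (logs and the manifest excluded).
    $base = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $base -Recurse -File |
        Where-Object { $_.Extension -ne '.log' -and $_.Name -ne 'manifest.csv' } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName.Substring($base.Length + 1)
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($Mode -eq 'Export') {
    # Connected server: binaries first, then metadata, then the manifest.
    New-Item -ItemType Directory -Path $payload -Force | Out-Null
    robocopy $WsusContent $payload /E /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed ($LASTEXITCODE)" }
    & $wsusutil export $package (Join-Path $Media 'export.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed ($LASTEXITCODE)" }
    Get-Manifest $Media | Export-Csv -LiteralPath $manifest -NoTypeInformation
}
else {
    # Isolated server: refuse to import anything that does not match the manifest.
    $bad = Import-Csv -LiteralPath $manifest | Where-Object {
        $file = Join-Path $Media $_.Path
        -not (Test-Path -LiteralPath $file) -or
            (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $_.SHA256
    }
    if ($bad) { throw "Integrity check failed for: $($bad.Path -join ', ')" }
    robocopy $payload $WsusContent /E /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed ($LASTEXITCODE)" }
    & $wsusutil import $package (Join-Path $Media 'import.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed ($LASTEXITCODE)" }
}
```

A manifest that travels on the same media only catches copy corruption; to detect tampering in transit, record the SHA-256 of manifest.csv separately and compare it on the isolated side before running the import.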
  • Hi,
     
    In my experience, this can be difficult to achieve. If your clients want to get updates through WSUS in a disconnected environment, I'm afraid you may only implement client updates through the above actions.
     
    If you have any further questions, please contact me.
     
    Regards,
    Rita


    Please remember to mark as answers if they help.

    Thanks Rita Ma'am......

    But, we want only windows updates to push to all clients connected in LAN.

    Simply saying... the scenario which I am finding is not configurable by any chance. From above discussions, I conclude in my opinion that we must have two WSUS servers, one connected to Internet and another one connected to Intranet isolated from internet. This would enable to update all windows clients through WSUS servers.

    We have had a disconnected LAN environment for a certain application for ~ 1.5 years. We use the method proposed by Rita and it works fine. Just need a removable drive large enough to hold the files. Depending on the Products and Classifications you have selected, they can be quite large.

    Friday, May 15, 2020 7:52 PM