Need to add Windows updates to a WSUS that has no internet connection

  • Question

  • I have a network that is isolated from the internet

    Domain controller (Server 2016) and ~ 80 servers  (2012R2,2016) and 250 workstations (Win10, Win 7)

    I need to add selected updates manually to the WSUS.

    Please direct me to the best method.

    Raf

    Monday, June 1, 2020 7:41 AM

All replies

  • Hi Raf,
     
    Thanks for your posting.
     
    Depending on your description, you could refer to the following steps.
     
    1. Install a WSUS server on the disconnected network segment. This server is known as the WSUS import server. 

    2. Synchronize updates and metadata to a WSUS server that is connected to the Internet. This server is known as the WSUS export server.

    3. Transfer the required updates and metadata from the WSUS export server to removable media.

    4. Transport the removable media to the WSUS import server.

    5. Import the updates and metadata to the WSUS import server.

    6. Manage and download updates to client computers on the disconnected network segment by using the WSUS import server.
     
    Please refer to the following link:
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939873(v=ws.10)?redirectedfrom=MSDN
     
    If you have any updates, please keep us in touch.
     
    Regards,
    Rita

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, June 1, 2020 9:43 AM
  • Hi Raf,
     
    It seems there is no update for a couple of days. May we know the current status of the problem? Is there any other assistance we can provide?
     
    If you have any questions, please keep us in touch.
     
    Regards,
    Rita


    Thursday, June 4, 2020 6:52 AM
  • Hi Raf,
     
    I am glad to hear that your issue was successfully resolved. If there is anything else we can do for you, please feel free to post in the forum.
     
    Best Regards,
    Rita


    Friday, June 5, 2020 1:57 AM
  • Hi Rita, 

    Thanks for the help & support.

    Some issues trying to follow the steps you offered:

    1. wsusutil export fails to export because the cab file is too big... try another util

    2. Windows backup doesn't restore the \WsusContent folder.

    So I am kind of "stuck" on this way to move the data from the export wsus server to the internal wsus server.

    Raf Biton

    Sunday, June 7, 2020 5:17 AM
  • Hi Raf,
     
    Thanks for your posting.
     
    The exported cab file is too large. 
    If the number of updates approved at one time is too large, it is recommended that you approve them in batches and then import and export. 
     
    The current environment may store too many cab files, it is recommended that you consider deleting the current WSUS server, related binaries and metadata files, and then try to rebuild WSUS. Please refer to the following steps:
    To remove WSUS completely, you need to:
    1. Remove the following server roles and features through Server Manager:
    Roles: Windows Server Update Server
    Features: Windows Server Update Services Tools (at Remote Server Administration Tools -> Role Administration Tools)
    Follow the wizard prompts to complete the deletion. Then restart the server.

    2. After the server is restarted, manually delete the folder or file of the following path:
    - C:\WSUS (this depends on where you choose to install WSUS)
    - C:\Program Files\Update Services

    3. Delete database files
    If you use SQL Server Management Studio to delete a database, you can try as follow.
    In Object Explorer, connect to an instance of the SQL Server Database Engine, and then expand that instance. Expand Databases, right-click the database to delete, and then click Delete. Confirm the correct database is selected, and then click OK.

    If you use a WID database, it is recommended to delete the following path folders:
    C:\Windows\WID

    4. In the IIS Information Services (IIS) Manager, manually remove the WSUS Administration site. Then restart the server. 
     
    If you have any updates, please keep us in touch.
     
    Regards,
    Rita


    Tuesday, June 9, 2020 2:43 AM
  • Hi Raf Biton,

    Thanks for your time.

    May we know the current status of the problem? Due to the internal limit of CAB files is 2 GB included files. Because the process of rebuilding the WSUS server is cumbersome, it is recommended that you consider changing the export file format.

    Please consider importing and exporting metadata with the following command:
    wsusutil.exe export export.xml.gz export.log
    wsusutil.exe import import.xml.gz import.log

    Here is a link just for your reference:

    https://docs.microsoft.com/en-us/archive/blogs/wsus/problem-solved-the-wsus-export-bug


    If you have any updates about this issue, please let me know.

    Regards,
    Rita 



    Wednesday, June 10, 2020 6:45 AM
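
For the removable-media transfer discussed in this thread (the \WsusContent folder plus the metadata file written by wsusutil.exe export), a hash manifest shows whether every file arrived intact before the import is run. This is an added example, not code from the thread; the function names and all paths are assumptions.

```powershell
# Added example, not from the thread. Function names and paths are assumptions.
# Export server: New-WsusTransferManifest. Import server: Test-WsusTransferManifest.
function New-WsusTransferManifest {
    param(
        [Parameter(Mandatory)] [string] $ContentRoot,   # the WsusContent folder
        [Parameter(Mandatory)] [string] $MetadataFile,  # e.g. export.xml.gz
        [Parameter(Mandatory)] [string] $ManifestPath   # CSV written next to the data
    )
    $root = (Resolve-Path -LiteralPath $ContentRoot).Path.TrimEnd('\')
    # One row per content file: path relative to the root, size, SHA-256.
    $rows = Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Length       = $_.Length
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
    # The metadata export gets its own row, marked with a METADATA: prefix.
    $meta = Get-Item -LiteralPath $MetadataFile
    $rows = @($rows) + [pscustomobject]@{
        RelativePath = "METADATA:$($meta.Name)"
        Length       = $meta.Length
        SHA256       = (Get-FileHash -LiteralPath $meta.FullName -Algorithm SHA256).Hash
    }
    $rows | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-WsusTransferManifest {
    param(
        [Parameter(Mandatory)] [string] $ContentRoot,
        [Parameter(Mandatory)] [string] $MetadataFile,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    foreach ($row in Import-Csv -LiteralPath $ManifestPath) {
        $path = if ($row.RelativePath -like 'METADATA:*') { $MetadataFile }
                else { Join-Path $ContentRoot $row.RelativePath }
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            [pscustomobject]@{ Path = $row.RelativePath; Problem = 'missing' }
        }
        elseif ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $row.SHA256) {
            [pscustomobject]@{ Path = $row.RelativePath; Problem = 'hash mismatch' }
        }
    }
    # No output means every file listed in the manifest arrived unchanged.
}
```

Carry the manifest CSV on the same media as the content and the metadata file, and run the import only when the test returns nothing.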
  • Hi Rita,

    1. The cab file that I tried to export with wsusutil.exe was 25 KB, and yet I got the file too big failure.

    2. The command "wsusutil.exe export export.xml.gz export.log " exports all WSUS updates.

    Since not all updates that were published will be installed on my private servers and workstation, I need a way to selectively export updates (one at a time) - like the wsusutil.exe %updatename%.cab logfile.log

    Raf Biton

    Wednesday, June 10, 2020 7:19 AM
  • Hi Raf Biton,
     
    Thanks for your posting.
     
    In my opinion, the WSUS does not seem to be able to filter and export some specific updates. Because the WSUS server is in the form of a package when importing and exporting, there may be no way to filter. If WSUS has any updates to this feature, I will notify you the first time.
     
    Regards,
    Rita


    Wednesday, June 10, 2020 7:31 AM
  • Hi Raf Biton,
     
    It seems there is no update for a couple of days. May we know the current status of the problem? Is there any other assistance we can provide?
     
    If you have any questions, please keep us in touch.
     
    Regards,
    Rita


    Tuesday, June 16, 2020 2:29 AM
  • Hi,

    I've installed a WSUS Export Server (connected to the Internet) and marked "Windows 10" for updates download.

    878 updates were added to the WSUS Export server.

    I chose a critical update (KB3125217) and approved it for installation. The \WSUSContent library was added 3 more folders.

    I've backed up the \wsuscontent and restored it to the Import WSUS server.

    Also I used wsusutil to export and import METADATA.

    Now I've approved the same update (KB3125217), and created a GPO in my DC to direct the updates to the import server.

    The update was not installed.

    Can you help on this? Is there a log to understand what is wrong?

    I can see that from the Active Directory point of view the GPO was assimilated.

    But trying to manually start Windows updates from "Settings" writes that "You're up to date"

    Sunday, June 21, 2020 8:38 AM
  • Hi Raf Biton,
     
    Thanks for your time.
     
    We could check WindowsUpdate.log to see the client update installation status. Open PowerShell as an administrator and enter the following command: Get-WindowsUpdateLog to check WindowsUpdate.log
     
    Regards,
    Rita 


    Monday, June 22, 2020 3:27 AM
  • Hi,

    Some good news.

    The updates for WINDOWS 10 clients were installed via the Group Policy I've created.

    Updates for Server2016 are not being installed. It looks like the GPO is not "working" on machines with Server 2016.

    The GPO has a Link Enabled under the root domain object.

    Any hints why?

    How to debug the issue?

    Raf Biton



    Raf Biton CNE|MCSE

    Sunday, July 5, 2020 9:10 AM
  • Hi Raf,
     
    Thanks for your response.
     
    What is the meaning of "Updates for Server2016 are not being installed. It looks like the GPO is not "working" on machines with Server 2016"? Windows server 2016 client does not detect updates or updates but cannot install. Open CMD as an administrator and enter the "rsop" command to check the Windows Server 2016 Client Group Policy settings. If there is no problem with Group Policy settings, consider checking the WindowsUpdate.log in the Windows Server 2016 client.
     
    If you have any updates about this issues, please keep us in touch. I will try my best to help.
     
    Regards,
    Rita


    Monday, July 6, 2020 2:47 AM
  • Hi Rita

    After waiting a while it looks like the updates were installed both on WIN10 and Server2016 machines.

    I wonder why I can't see the "Some Settings are managed by your organization" message in the Windows Update screen on Server 2016 machines. That's what led me to think that the group policy is not working on those machines.

    Raf


    Raf Biton CNE|MCSE

    Monday, July 6, 2020 1:24 PM
  • Hi Raf,
     
    Thanks for your response.
     
    It is glad to hear that your issue was successfully resolved. As for the Windows Server 2016 client you mentioned above can't see the "Some Settings are managed by your organization" message. This is a different system version that causes. Windows Server 2016 clients do have this phenomenon. However, you could check client group policy settings in the following ways:
    Open CMD as an administrator and enter "rsop" to check group policies setting.
     
    Thanks for your time.
     
    Regards,
    Rita


    Tuesday, July 7, 2020 5:30 AM
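
Where the Windows Update screen gives no hint that policy is applied, as on the Server 2016 machines in this thread, the WSUS policy values can be read from the client's registry alongside the rsop check. This is an added example, not code from the thread; the function name is hypothetical and the default server URL is a constructed placeholder.

```powershell
# Added example, not from the thread. Run on the client (Windows 10 or Server 2016).
# The default $ExpectedServer is a constructed placeholder; pass your import server's URL.
function Test-WsusClientPolicy {
    param([string] $ExpectedServer = 'http://wsus-import.example.local:8530')

    # Values written by the Windows Update group policy settings.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    $findings = @()
    if (-not $wu -or -not $wu.WUServer) {
        $findings += 'WUServer is not set: the WSUS policy has not reached this machine'
    }
    else {
        if ($wu.WUServer.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
            $findings += "WUServer is $($wu.WUServer), expected $ExpectedServer"
        }
        if ($wu.WUStatusServer -ne $wu.WUServer) {
            $findings += 'WUStatusServer differs from WUServer'
        }
    }
    if (-not $au -or $au.UseWUServer -ne 1) {
        $findings += 'AU\UseWUServer is not 1: the client will not use WUServer'
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        Findings       = $findings   # empty when the client points at the expected server
    }
}

Test-WsusClientPolicy | Format-List
```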