WSUS Offline Installer

  • Question

  • Hello,

    Due to strict security rules (bank), it is not allowed to connect the servers to the internet. So no WSUS installation is possible either.

    My idea was to gather and download all available updates for the OS, IE and so on with PowerShell on a computer that is connected, save them to a memory stick, then transfer this to a shared disk and run another PowerShell script on the servers that checks which updates are missing and installs them from the file system.

    But there are multiple issues…

    How can I check which of the updates in the Update Catalog are required by each server? I can check what is already installed, but I don't see any way to find out which KB is required on which OS or related to other installed products like IE or SQL etc.

    Any ideas are welcome.

    thank you very much

    Martin

    Sunday, June 10, 2018 11:54 AM

All replies

  • Hi,

    Windows Update Agent (WUA) can be used to scan computers for security updates without connecting to Windows Update or to a Windows Server Update Services (WSUS) server, which enables computers that are not connected to the Internet to be scanned for security updates.

    Please remember to mark the replies as answers if they help.

    Best Regards

    • Proposed as answer by SBIHI Mohamed Monday, June 11, 2018 1:35 PM
    • Unproposed as answer by SBIHI Mohamed Monday, June 11, 2018 11:47 PM
    • Proposed as answer by jessicka maccon Monday, June 11, 2018 11:48 PM
    Sunday, June 10, 2018 11:52 PM
  • Hello Mohamed,

    Can you please advise how?

    thank you

    Martin

    Monday, June 11, 2018 4:27 AM
  • Hi Martin,
     
    We can use WUA to scan for updates offline. Windows Update Agent (WUA) can be used to scan computers for security updates without connecting to Windows Update or to a Windows Server Update Services (WSUS) server.
     
    Offline scanning for updates requires the download of a signed file, Wsusscn2.cab, from Windows Update.
     
    The Wsusscn2.cab file is a cabinet file that is signed by Microsoft. This file contains info about security-related updates that are published by Microsoft. Computers that aren't connected to the Internet can be scanned to see whether these security-related updates are present or required.
     
    For detailed information, please refer to the following link:
     
     
     
    Hope this helps and feel free to contact me if there is any question.
     
    Best regards,
    Li Jianjie

    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    • Edited by Li Jianjie Monday, June 11, 2018 9:32 AM
    • Marked as answer by Martin FFB Monday, June 11, 2018 9:44 AM
    Monday, June 11, 2018 9:32 AM
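
The offline scan described in the answer above, as an added PowerShell example that is not part of the original thread. The cab path is an assumed location on the disconnected server; the script checks the file's Authenticode signature before use and then lists the security updates WUA reports as missing.

```powershell
# Added example: offline WUA scan against a local copy of Wsusscn2.cab.
# Run elevated on the server that has no internet access.
param(
    # Assumption: where the file copied from the connected machine was placed.
    [string]$CabPath = 'C:\Temp\wsusscn2.cab'
)

# 1. The cab travelled over removable media, so verify its signature first.
#    Expect a valid signature with a Microsoft signer.
$sig = Get-AuthenticodeSignature -FilePath $CabPath
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to use ${CabPath}: signature status is '$($sig.Status)'"
}

# 2. Register the cab as a temporary scan service with the Windows Update Agent.
$session = New-Object -ComObject Microsoft.Update.Session
$manager = New-Object -ComObject Microsoft.Update.ServiceManager
$service = $manager.AddScanPackageService('Offline Sync Service', $CabPath)

# 3. Point the searcher at that service instead of Windows Update or WSUS.
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 3                    # ssOthers: use ServiceID below
$searcher.ServiceID       = $service.ServiceID

try {
    # 4. Ask WUA which updates in the cab apply to this machine but are missing.
    $result = $searcher.Search('IsInstalled=0')

    $result.Updates | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            KB       = ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $_.MsrcSeverity
            Title    = $_.Title
        }
    } | Sort-Object KB
}
finally {
    # 5. Remove the temporary service so the agent's configuration is unchanged.
    $manager.RemoveService($service.ServiceID)
}
```

Piping the output to `Export-Csv` gives one list of missing KBs per server; the list covers only the security-related updates contained in Wsusscn2.cab.
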
  • Great. Thank you very much

    Monday, June 11, 2018 9:44 AM
  • Another way would be a 2 server WSUS System. A non-domain joined system, sitting anywhere in your network that has internet access (this would be the Upstream and have no information on it beyond a standard install of Windows and WSUS). This system would be syncing all products and classifications you want to patch and downloading all of the updates for your network.

    The 2nd WSUS server would be an Offline WSUS Server on your secure network (The Offline Downstream). You could use the wsusutil export (https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127360) to export your data from the Upstream to your Offline Downstream server. Your secure network systems would then report to this Offline Downstream WSUS server and your patches and reporting would all be taken care of.

    Please see my 8 part blog series on how to setup, manage, and maintain WSUS

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-1-choosing-your-server-os/


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Tuesday, June 19, 2018 4:18 AM