While everyone can agree that keeping on top of updates is of paramount importance to keeping devices protected, there are several alternatives to downloading updates directly on each client and server device. These include Microsoft's own enterprise solutions, System Center Configuration Manager (SCCM) and Windows Server Update Services (WSUS), the component that downloads patches centrally and deploys them across the network.
These often carry expensive licensing fees or demand extensive hardware, which can make them difficult to manage and hard to get purchase approval for from management. Adding to the complexity, updates are released at an alarming rate: dozens of new patches weekly (i.e., Patch Tuesday), multiplied by the number of operating systems supported and again by the number of devices in the organization. It's easy to see how the patch management process slips under the radar of even the largest IT departments.
WSUS Offline Update is a simple, lightweight, elegant solution, released free to use under the GNU GPL license. Its tagline is, "...since security, time, and bandwidth are money." It is aimed at streamlining the process of updating your clients and servers through an innovative use of powerful, intelligently written scripts that download updates directly from Microsoft's public catalog servers and deploy them when you're ready. Since the process stores updates locally, updates may be deployed offline, ensuring that your devices get inoculated against known threats and do not become compromised during a lengthy online update process.
Before we dive into the crux of setting this up, there are a few requirements we’ll need before starting:
- Windows PC with Windows 7 or later (Optional) or Windows Server with Windows Server 2008 or later (Recommended)
- WSUS Offline Update software extracted to directory on storage drive
- Broadband Internet Access
- Internal storage device with available space
- Optical storage device with writable DVD media (Optional)
- Switched Network Infrastructure (Optional; yet Highly Recommended)
With the minimum requirements out of the way, let’s look at how to run WSUS Offline Update to create our update repository.
1. Launch the UpdateGenerator.exe extracted from the WSUS Offline Update ZIP file (Figure A).
2. Notice there are two tabs: Windows and Office. Each one toggles the supported versions of both Windows and Office respectively (Figure B).
3. Begin by placing a check in the box for each version of Windows you wish to download catalog updates for. Take notice that some OSes are divided into two categories based on x86 and x64 architectures. Once complete, there are additional selections in the Options section that may be optionally enabled, such as .NET Framework, Runtimes, and Windows Defender definitions for newer systems with built-in malware protection. Additionally, the ability to create ISO images or USB/external media directories may be selected on this page as well by ticking the boxes under the Create ISO images... or USB medium sections. When you're ready to begin, click the Start button to proceed.
4. The process will launch a command line window that downloads the catalog file for each OS version and type and compares it to what is currently available in the repo. If it's the first time running WSUS Offline Update, the repo will be empty and all missing updates will be downloaded (Figure C).
5. The process will download all the Microsoft updates for the selected versions of Windows client and server OSes. Depending on the number of items selected and the speed of your internet connection, the initial process could take several hours to complete. Additional options such as downloading optional components and creating ISOs of the updates (more on that later) will extend the completion time. Once done, a notification will appear asking for confirmation to check the log file. Clicking Yes will open the log, while clicking No will close the app (Figure D).
6. Navigating to the Client folder located within the root of the WSUSOffline folder, you will notice the addition of several folders, each holding the updates for one of the versions of Windows selected in step 3 (Figure E)(Figure F).
7. When you’re ready to deploy the updates to a device — either online or offline — simply connect to the server share or external media that stores the repository created in steps 4-5. Navigate to the root folder | Client, and execute UpdateInstaller.exe. Similar to the selection screen in step 3 above, place a check next to each optional entry you wish to install alongside the updates (by default, the updates are always installed). Click Start when you are ready to begin deploying (Figure G).
8. The command line will launch and examine your device to determine what updates are currently installed. Those present will be skipped, while those pending will be added to a dynamically generated list and installed sequentially. In the case of certain updates or optional components that require a reboot, the process will halt and prompt you to restart. After rebooting, rerun the .exe and it will continue from where it left off (Figure H)(Figure I).
9. When the updates have finished installing, the process will end informing you that it is complete or prompting you to reboot (Figure J)(Figure K).
Generating ISO images:
In step 3, under the section titled Create ISO image(s)..., users have the ability to create ISO image(s) of the updates they've downloaded. When this box is checked, the process will create an ISO image for each version of Windows client and server selected. This can be extremely useful, as the ISO file may be mounted, burned to a DVD, or copied to a USB flash drive for deployment to systems that have been compromised, have a poor network connection, or are otherwise inaccessible, such as air-gapped devices (Figure L).
As the process completes downloading updates for a particular version of Windows, the script will run a subcommand to create the ISO (Figure M).
These ISO files will be written to the ISO folder located at the root of the extracted WSUSOffline directory. As an additional security precaution, hash files will also be generated for each ISO to verify the integrity of each file and protect against tampering (Figure N).
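As an added example (not part of WSUS Offline Update or this article), the following PowerShell script walks the ISO folder, reads each hash file and recomputes every listed digest with Get-FileHash, reporting OK, MISMATCH or MISSING per image. It assumes the hash file lines read `<hex digest> <file name>` (sha256sum/hashdeep-style text) and that the ISO folder lives at the placeholder path `C:\wsusoffline\iso`; adjust both if your layout differs.

```powershell
# Added verification script, not part of WSUS Offline Update. Assumptions: $IsoFolder is a
# placeholder path, and each hash file contains lines of the form "<hex digest> <file name>".
param([string]$IsoFolder = 'C:\wsusoffline\iso')

function Test-IsoIntegrity {
    param([string]$HashFile)
    $folder = Split-Path -Parent $HashFile
    foreach ($line in Get-Content -Path $HashFile) {
        # Skip blank lines, comments and anything that is not "<hex> <name>"
        if ($line -notmatch '^\s*([0-9a-fA-F]{32,128})\s+\*?(.+?)\s*$') { continue }
        $expected = $Matches[1].ToLowerInvariant()
        $name     = $Matches[2]
        $target   = Join-Path $folder $name
        # Pick the algorithm from the digest length: 32 hex = MD5, 40 = SHA1, 64 = SHA256, 128 = SHA512
        $alg = switch ($expected.Length) { 32 {'MD5'} 40 {'SHA1'} 64 {'SHA256'} 128 {'SHA512'} }
        if (-not $alg) { [pscustomobject]@{ File = $name; Status = 'UNKNOWN-ALGORITHM' }; continue }
        if (-not (Test-Path -Path $target)) { [pscustomobject]@{ File = $name; Status = 'MISSING' }; continue }
        $actual = (Get-FileHash -Path $target -Algorithm $alg).Hash.ToLowerInvariant()
        [pscustomobject]@{ File = $name; Status = $(if ($actual -eq $expected) { 'OK' } else { 'MISMATCH' }) }
    }
}

# One hash file per ISO is expected in the ISO folder; every one is checked and a non-zero
# exit code is returned if any image is altered or absent, so the script can gate a deployment.
$report = Get-ChildItem -Path $IsoFolder -Filter '*.txt' | ForEach-Object { Test-IsoIntegrity -HashFile $_.FullName }
$report | Format-Table -AutoSize
if ($report.Status -contains 'MISMATCH' -or $report.Status -contains 'MISSING') { exit 1 }
```

A digest stored beside the ISO only proves the image matches the hash file, so keep a copy of the hash files on trusted media (or note them at generation time) rather than trusting the copy that travelled with the image.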
Optional Controls and Automation:
When running UpdateInstaller.exe to kick off the installation of updates in step 7, there are some optional settings under the Control section that perform specific functions, such as verifying the installation packages to ensure they installed correctly and are not corrupt or broken, which could otherwise lead to system instability (Figure O).
By selecting the Automatic reboot and recall feature, you will be prompted to confirm the use of the option and informed of a few changes that WSUS Offline Update makes to ensure the automation runs without a hitch (Figure P).
Below is a list of the changes that must be made in order for Automatic reboot and recall to work as intended and pick up where it left off whenever the system requires a reboot:
- The WSUS Offline Update folder where the files are extracted must be configured as a shared folder with read permissions granted to the Anonymous security group. (This is the only change that must be made manually; all others below will be made automatically by WSUS Offline Update.)
- A temporary admin account will be created and set to autologon to continue running the process with admin rights to install the updates.
- The WSUS Offline shared folder will be configured as a mapped drive to the local device, since UNC paths are not supported by the CLI.
- User Account Control (UAC) will be disabled until the update process has completed successfully.
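Because the list above temporarily weakens the client (autologon admin account, UAC off) and opens the repository to anonymous readers, here is an added PowerShell audit (not part of WSUS Offline Update) that checks the share on the server and confirms on each client that every temporary change has been reverted once the run reports complete. It assumes Windows 10/Server 2016-era cmdlets (Get-SmbShareAccess, Get-SmbMapping, Get-LocalGroupMember) and uses `wsusoffline` as a placeholder share name; the temporary admin account's name is not documented, so Administrators is listed for manual review.

```powershell
# Added audit script, not part of WSUS Offline Update. $ShareName is a placeholder for the
# share created in the first list item; registry paths are the standard Windows UAC/Winlogon keys.
param([string]$ShareName = 'wsusoffline')

function Test-WsusOfflineShare {
    # Run on the file server. The procedure needs anonymous *read*; anything broader lets any
    # network user alter the update repository that every client executes UpdateInstaller.exe from.
    foreach ($ace in Get-SmbShareAccess -Name $ShareName -ErrorAction Stop) {
        $broad = $ace.AccountName -match 'Everyone|ANONYMOUS LOGON|Guest'
        $line  = "$($ace.AccountName): $($ace.AccessControlType) $($ace.AccessRight)"
        if ($broad -and $ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -ne 'Read') {
            "WARN $line (expected Read only)"
        } else { "     $line" }
    }
}

function Test-WsusOfflineClientCleanup {
    # Run on each client after the final "complete" message; every temporary change should be gone.
    $findings = @()

    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($uac.EnableLUA -ne 1) { $findings += 'UAC is still disabled (EnableLUA is not 1)' }

    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.AutoAdminLogon -eq '1') { $findings += "Autologon still enabled for '$($wl.DefaultUserName)'" }
    if ($null -ne $wl.DefaultPassword) { $findings += 'DefaultPassword still stored in Winlogon' }

    # The mapped drive that replaced the UNC path should not outlive the run
    $maps = Get-SmbMapping -ErrorAction SilentlyContinue | Where-Object { $_.RemotePath -like "*\$ShareName*" }
    foreach ($m in $maps) { $findings += "Mapped drive $($m.LocalPath) -> $($m.RemotePath) still present" }

    # The temporary admin account's name is not documented here, so list the group for review
    $admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name -join ', '

    if ($findings.Count -eq 0) { 'OK: no leftover automation changes found' } else { $findings }
    "Local Administrators (check for a leftover temporary account): $admins"
}

Test-WsusOfflineClientCleanup
```

Call Test-WsusOfflineShare on the server instead of (or in addition to) the client check, and remove the anonymous read entry once deployment is finished so the repository is not left world-readable.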