How to Patch Offline Computers with the WSUS Offline Update Tool

Published: 25 June 2021 - 5 min. read

Bill Kindle

Managing Windows Updates is a task every IT pro has probably done in their career. Managing patches is never fun, especially for offline Windows computers. If you have offline Windows computers, it’s time to automate the process as much as possible with the WSUS Offline Update tool!

The WSUS Offline Update tool, or what some call WSUSOffline, is a handy (and free) utility that downloads updates on an Internet-connected computer, packages up all necessary updates, and provides a way to install that package via offline media.

In this tutorial, you’re going to learn how to patch an offline computer with the WSUS Offline Update tool to become an offline-patching master!

Prerequisites

If you’d like to follow along with the steps in this tutorial, be sure you have the following:

  • A Windows 7 SP1+ or Windows Server 2008 R2+ computer, preferably one that’s way behind on patching. The demos in this guide use a Windows Server 2012 R2 virtual machine.
  • A separate Windows PC with Internet access to download updates.

Downloading and Setting up WSUS Offline Update

Before you can become an offline-patching master, you must first get your tool.

1. Open your favorite web browser and navigate to the WSUS Offline Update download page.

2. Click on the Version link shown below to download to your PC. As of this writing, the latest version is 12.03.2020.

WSUS Offline Update download page

WSUS Offline Update comes in two separate versions: the “Most recent version” and the “ESR version.” The “Most recent version” covers all modern Microsoft products. If you have older operating systems like Windows 7 SP1 or Windows Server 2008 R2, you have to use the “ESR version.” But note that WSUS Offline Update does not help you get around an extended security updates (ESU) agreement.

3. Once downloaded, extract the ZIP file, find and run the executable called UpdaterGenerator.exe. This EXE is the application that will help you customize offline updates.

WSUS Offline Updater - UpdaterGenerator.exe

When the tool launches, you’ll be in the Windows tab, as shown below, with a lot of options in front of you! Don’t worry, though. In the next section, you’ll learn how to perform each task necessary to download updates and patch that offline Windows computer.

WSUS Offline Update Generator

Creating an Offline Update Package

Now that you have the WSUS Offline Update tool open, let’s see what you can do with it. To demonstrate the tool, let’s assume you have an offline Windows Server 2012 R2 machine that needs all of the Visual C++ Runtime libraries, a version of .NET Framework, and the latest security updates.

Don’t worry if you don’t have Windows Server 2012 R2. The steps in this section apply to all Windows OS and Microsoft Office versions with only minor modifications.

Your first task is creating an offline update package. This offline update package can be created as an ISO image or stored on a USB drive. In this tutorial, you’re going to create the offline update package as an ISO file.

ISOs are easier to work with and can be mounted natively by Windows Server 2012 and newer. That’s why this article focuses on using them.

With the tool open:

1. First, uncheck all Windows 10 updates if you are not updating Windows 10. Failure to do so will cause WSUS Offline Update to download more than you might need, greatly increasing the update download and ISO creation time.

Step 1 - Uncheck Windows 10 updates

2. Since the tutorial will be patching a Windows Server 2012 R2 machine, click on the Legacy Windows tab. In this tab, select the OS you’re patching and the architecture. In this case, choose x64 Global (multilingual updates).

Finally, pick the additional updates you’d like to download, such as C++ Runtime Libraries and .NET Frameworks, and select Use “security-only updates” instead of “quality rollups.” Quality rollups are bundled updates. Security-only updates install faster and typically are smaller in size.

If you have an internal WSUS server with approved updates and would rather not download patches from the Internet, click on the WSUS button.

Step 2 - Select the appropriate options

When you are satisfied with the selections, click on Start to begin the build process. WSUSOffline will open a command prompt window when you do so and will begin to download the required updates and create the ISO file. Be sure to leave this window open. This step takes a few minutes to complete.

If you selected a lot of options and different OSes, this process could take HOURS! Be warned.

Step 3 - Build

After the updates are finished downloading, and WSUS Offline Update has created the ISO image, you will see the following prompt:

Step 3 - Complete

3. To view the log file for the entire operation, click Yes. Otherwise, click No.

That’s it! You’ve created your first offline update ISO image that contains the updates you selected for Windows Server 2012 R2.

4. Now, open the folder you started WSUSOffline from and notice two folders called iso and client. These folders contain the updates the tool just downloaded. The client folder contains all of the updates stored directly in the folder, while the iso folder holds the ISO, which has compressed all of the updates.

Inside of the iso folder, you will see an ISO file called wsusoffline-w63-x64.iso.

WSUS Offline Updater directory structure

If you’d rather use a USB key to transfer the update package to the offline computer, you could also transfer the contents of the client folder directly to the USB key.
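Because the package is built on one machine and installed on another, it is worth confirming that what arrives on the offline computer is what the tool produced. The following is an added example, not part of WSUS Offline Update: it records a SHA-256 manifest of the iso (or client) folder on the online PC and checks it on the offline side. The function names and the C:\wsusoffline and D:\patch paths are assumptions.

```powershell
# Added example; not part of WSUS Offline Update. Requires PowerShell 4.0+ (Get-FileHash).

function New-PackageManifest {
    param([Parameter(Mandatory)][string]$Folder,
          [Parameter(Mandatory)][string]$ManifestPath)
    $base = (Resolve-Path -LiteralPath $Folder).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $base -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($base.Length + 1)
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-PackageManifest {
    param([Parameter(Mandatory)][string]$Folder,
          [Parameter(Mandatory)][string]$ManifestPath)
    $base     = (Resolve-Path -LiteralPath $Folder).ProviderPath.TrimEnd('\')
    $expected = @{}
    Import-Csv -LiteralPath $ManifestPath |
        ForEach-Object { $expected[$_.RelativePath] = $_.SHA256 }

    # Files listed in the manifest must exist and hash to the recorded value.
    foreach ($rel in $expected.Keys) {
        $file = Join-Path $base $rel
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            [pscustomobject]@{ Status = 'Missing'; RelativePath = $rel }
        }
        elseif ((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $expected[$rel]) {
            [pscustomobject]@{ Status = 'Modified'; RelativePath = $rel }
        }
    }
    # Files on the media that were never part of the package.
    Get-ChildItem -LiteralPath $base -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($base.Length + 1)
        if (-not $expected.ContainsKey($rel)) {
            [pscustomobject]@{ Status = 'Unexpected'; RelativePath = $rel }
        }
    }
}

# Online PC (hypothetical extract location C:\wsusoffline); keep the manifest outside the hashed folder:
#   New-PackageManifest -Folder C:\wsusoffline\iso -ManifestPath C:\wsusoffline\iso-manifest.csv
# Offline computer, before mounting (hypothetical copy location D:\patch):
#   Test-PackageManifest -Folder D:\patch\iso -ManifestPath D:\patch\iso-manifest.csv
#   No output means every file matched.
```

A manifest carried on the same USB key only catches corruption; to detect tampering, bring the manifest (or its own hash) to the offline computer by a separate path.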

Applying an Offline Update Package

You now have an ISO file containing all of the required updates sitting on your local computer. It’s time to get that ISO file’s content to your offline computer!

As you can see below, an unpatched Windows Server 2012 R2 machine is waiting in the tutorial lab environment.

Never Updated Offline Windows 2012 R2 Server

The Last installed updates status will not change after running WSUS Offline Update. This is because these fields are taken from registry keys that are updated only when using WSUS or Microsoft Update. They do not update when installing individual updates, which is what WSUS Offline Updater does.

To install the offline updates via the ISO file:

1. Copy the ISO to the offline computer using either a virtualized DVD drive in VMware or Hyper-V or using a USB key.

2. Connect to the offline computer’s console and log in with an administrative user account.

3. Next, find the ISO, right-click on it and click on Mount.

Mounting the Offline Update ISO

4. Now, navigate to the DVD drive that Windows created for the ISO file and run the UpdateInstaller.exe application.

Running Offline Update Installer

5. In the installer dialog box, choose any other extra updates you’d like to install and select your required options. For this tutorial, select Update C++ Runtime Libraries, Update Root Certificates, and Install Management Framework 5.1.

When complete, click on Start to begin the installation process.

If WSUSOffline detects any of these updates are already installed, it will simply skip over them.

Running Offline Update Installer

If the offline computer is way out of date, updating it may require multiple reboots. To avoid rebooting manually, start the tool again, repeat the process, and select Automatic reboot and recall. This option will temporarily disable User Account Control (UAC), create a temporary user account, automatically reboot after installation, and continue patching until complete.

Once you click Start, WSUSOffline will open a command prompt and provide status messages throughout the update process. Do not close this window!

WSUS Offline Update working its magic

6. After the updates have been installed, reboot your computer. WSUS Offline Update will prompt you to restart your computer to complete the process if you did not choose the option to do so automatically.

Time to reboot to complete installation

7. If you did not select the Automatic reboot and recall option before starting the update, continue rebooting the computer and performing steps 4-6 again until WSUS Offline Update detects no more updates needed.

You now have a freshly patched and up to date offline Windows computer!
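Since the Last installed updates fields do not change, and the Automatic reboot and recall option temporarily disables UAC and creates a temporary account, a before/after snapshot is a practical way to confirm what the run changed. This is an added example, not part of WSUS Offline Update; the function names and the C:\Temp\prepatch.xml path are assumptions, and the page does not say which setting the tool uses to disable UAC, so treating EnableLUA as the indicator is also an assumption.

```powershell
# Added example; not part of WSUS Offline Update. Run from an elevated PowerShell prompt.

function Get-HostState {
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        # @() keeps these as arrays even on a never-updated server with no hotfixes.
        HotFixes      = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
        LocalAccounts = @(Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=True' |
                          Select-Object -ExpandProperty Name)
        # Assumption: EnableLUA is the value that reflects the UAC state being toggled.
        UacEnabled    = ($policy.EnableLUA -eq 1)
    }
}

function Save-PrePatchBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-HostState | Export-Clixml -LiteralPath $Path
}

function Compare-PostPatchState {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $before = Import-Clixml -LiteralPath $BaselinePath
    $after  = Get-HostState
    [pscustomobject]@{
        # -notcontains also works when the baseline list is empty.
        NewHotFixes      = @($after.HotFixes |
                             Where-Object { $before.HotFixes -notcontains $_ })
        NewLocalAccounts = @($after.LocalAccounts |
                             Where-Object { $before.LocalAccounts -notcontains $_ })
        UacEnabledBefore = $before.UacEnabled
        UacEnabledAfter  = $after.UacEnabled
    }
}

# Before step 4 (hypothetical baseline path):
#   Save-PrePatchBaseline -Path C:\Temp\prepatch.xml
# After the final reboot:
#   Compare-PostPatchState -BaselinePath C:\Temp\prepatch.xml | Format-List
```

Get-HotFix only reports updates registered with Windows servicing, so items such as the C++ Runtime Libraries will not appear in NewHotFixes. A non-empty NewLocalAccounts or a UacEnabledAfter of False after the last reboot means the temporary changes were not rolled back and should be reviewed.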

Conclusion

WSUS Offline Update is a tool that every sysadmin should have in their toolbelt. This tool saves so much time patching offline computers by automating most of the process.

If you haven’t been using WSUS Offline Update previously, how were you patching offline computers, and how does that process compare to this tool?
