A Tool to Automate Offline Windows Updates and Patches

A common issue that a lot of organizations face is how to apply various Windows updates and patches to “offline” computers that do not have internet access. Many companies operate high-security (or at least “higher-security”) networks that are segregated from their regular networks. The higher-security networks often do not have any internet connectivity whatsoever. Sometimes these high-security networks are referred to as “air-gapped” because there is no physical network connection between them and online networks that have internet connectivity, hence there is an “air-gap” in between the networks. While this can absolutely help to prevent malicious software from infecting computers on the network, it also increases the difficulty of administering and updating those computers.

BatchPatch Online Default Mode

**Online Windows updates with no caching**
(This mode is recommended for most environments)

BatchPatch’s default operating mode works for target computers that have access to either the internet for Windows Update and Microsoft Update, or to a locally installed/managed WSUS server. In this configuration, BatchPatch instructs target computers to search for and download their own updates from the configured update service (Windows Update, Microsoft Update, or WSUS). You can read more about that here:

Tutorial: BatchPatch Online Default Mode


BatchPatch Partially Offline Cached Mode

**Offline Windows updates with caching**
(This mode is recommended for restricted environments where target computers do *not* have access to the internet or a local WSUS but *do* have network access to an internet-connected computer running BatchPatch)

In this configuration, even though target computers do not have internet access and do not have a direct connection to a local WSUS server, they do have a direct connection to the computer where BatchPatch is installed/running, and that BatchPatch computer is connected to the internet. In this case the BatchPatch computer is able to instruct target computers to perform an offline search for applicable/available updates. BatchPatch then uses the internet connection on its own computer to download all of the updates needed by the offline target computers, so that it can subsequently distribute them to the target computers and initiate the installation process, reboots, and so on.

Tutorial: BatchPatch Partially Offline Cached Mode


BatchPatch Completely Offline Cached Mode for Lower-Security Networks

**Offline Windows updates with caching**
(This mode is recommended for restricted environments where target computers are on an air-gapped/offline network that does not have connectivity to the internet and does not even have connectivity to the computer where BatchPatch is installed and running. In this situation, the administrator needs to manually copy a text file from the segregated network to an internet-connected computer via an external hard drive, USB flash drive, or similar)

In this setup, since target hosts do not have direct access to Windows Update and Microsoft Update via an internet connection, and they also do not have direct network connectivity to an internet-connected computer running BatchPatch, all updating occurs in a completely offline fashion. In this configuration, the search for available updates is performed offline, and then the list of available/needed updates is manually moved to an internet-connected computer running BatchPatch where the updates are downloaded. The entire update cache is then manually moved back to the segregated/offline network, where BatchPatch is used to distribute the updates to target computers.
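The offline search step described above, as an added example that is not BatchPatch's own code: it uses the Windows Update Agent COM API with the offline scan catalog (wsusscn2.cab) to list the updates a host still needs and writes that list to a text file that can be carried to the internet-connected machine. The catalog path and output file name are assumptions, and the page does not state which mechanism BatchPatch itself uses for its offline search.

```powershell
# Added example: offline needed-updates scan via the Windows Update Agent API.
# Assumes wsusscn2.cab has already been brought onto the offline host at
# $CabPath (hypothetical path). Run in an elevated PowerShell session.
param(
    [string]$CabPath = 'C:\OfflineScan\wsusscn2.cab',
    [string]$OutFile = "C:\OfflineScan\$env:COMPUTERNAME-needed-updates.txt"
)

if (-not (Test-Path -LiteralPath $CabPath)) {
    throw "Offline scan catalog not found: $CabPath"
}

$session        = New-Object -ComObject 'Microsoft.Update.Session'
$serviceManager = New-Object -ComObject 'Microsoft.Update.ServiceManager'

# Register the local catalog as a scan package service (the name is arbitrary).
$service = $serviceManager.AddScanPackageService('Offline Sync Service', $CabPath, 1)

try {
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3            # ssOthers: use the registered service, not WU/WSUS
    $searcher.ServiceID       = $service.ServiceID

    # Only updates that are applicable to this host and not yet installed.
    $result = $searcher.Search('IsInstalled=0')

    $lines = foreach ($u in $result.Updates) {
        $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ';'
        # UpdateID, KB list and title: enough for the online side to fetch the package.
        "{0}`t{1}`t{2}" -f $u.Identity.UpdateID, $kbs, $u.Title
    }

    # Header line records which host produced the list and when.
    $header = "# {0}`t{1}`t{2} update(s) needed" -f $env:COMPUTERNAME,
              (Get-Date -Format 'yyyy-MM-ddTHH:mm:ss'), $result.Updates.Count
    Set-Content -LiteralPath $OutFile -Value (@($header) + $lines) -Encoding UTF8
    Write-Host "Wrote $($result.Updates.Count) needed update(s) to $OutFile"
}
finally {
    # Leave the host as it was: unregister the temporary scan service.
    $serviceManager.RemoveService($service.ServiceID)
}
```

The resulting tab-separated file is the only artifact that leaves the segregated network; it contains update identifiers and titles, not binaries, so it can be reviewed before transfer.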

Tutorial: BatchPatch Completely Offline Cached Mode for Lower-Security Networks


BatchPatch Completely Offline Cached Mode for High-Security Networks

**Offline Windows updates with caching**
(This mode is recommended for the most restricted environments where target computers are on a completely segregated, offline network, without access to the internet and without network access to an internet-connected computer running BatchPatch. In this case, the strict rules created to maintain the highest security of the air-gapped network disallow any files from ever being transferred from the high-security offline network to another network. When applying updates with this method, files will only ever be transferred *to* the high-security offline network, and files will never need to be removed *from* the high-security offline network)

In this configuration, since target computers do not have internet access and also do not have access to an internet-connected computer running BatchPatch, all updating occurs 100% offline. In this configuration, an internet-connected BatchPatch computer is used to pre-download all Windows updates to its local cache. The administrator then copies/moves the entire BatchPatch cache of updates to the completely offline network where BatchPatch is able to distribute the updates to all the target computers even though they do not have internet or WSUS access.

Tutorial: BatchPatch Completely Offline Cached Mode for High-Security Networks

This entry was posted in Blog, General.