Downloading Windows Updates for Distribution to Offline Computers on High-Security Networks

Some high-security networks not only have NO access to the internet or a WSUS, but also disallow copying any data from the high-security network to any lower-security network. For these environments, BatchPatch has a feature for pre-downloading some or all of the Windows Update security updates repository from Microsoft on a computer that has internet access. The repository can then be transferred to the high-security offline network, where the updates can be distributed to computers. This process can be performed without ever having to remove any files/data from the secure network. Files are only ever transferred from the low-security network to the high-security network.

Note, BatchPatch offers multiple methods for deploying security updates to offline computers. For more on the various ways you can use ‘cached mode’ and ‘offline mode’ please see: Cached Mode and Offline Updates

  1. Enable cached mode first in order to activate the required menu item that will be used in the next step. Go to ‘Tools > Settings > Windows Update’ and then tick the ‘Enable cached mode’ checkbox near the bottom.
  2. Now select ‘Tools > Download offline updates repository’
  3. Select the products for which you would like to download updates, and select at least one language preference, and then click OK.
    The WsusScn2.cab file will be downloaded from Microsoft and then parsed and filtered based on your selections.
  4. A list of URLs for the products that you selected will be displayed in a new window. At this point you can optionally delete rows for any updates that you are not interested in downloading. Click “Download files to local cache” when you’re ready to begin the download process.
  5. A new window will appear where you can monitor and control the download process.
  6. Now that you have downloaded all the updates, the next step is to move the populated cache directory to a computer on the high-security offline network. Please use whatever method is appropriate for your environment in order to transfer the files from the online network to the offline network, such as a USB drive.
  7. At this point the setup process is complete. You should have a folder full of update files on a computer that is attached to the offline network. BatchPatch should be launched with cached mode and offline mode enabled. The local update cache directory specified in Tools > Settings > Windows Update must point to the directory that contains all of the update files that you just moved. You may now proceed to update your computers. Highlight your hosts in the grid and select Actions > Windows Updates > Download and install updates + reboot if required. The target computers will now all “download” their updates from the BatchPatch computer’s local cache. I use quotation marks around “download” because what actually happens is the BatchPatch computer copies the appropriate update files to the target computers. The target computers then add these files to their Windows Update cache, and then the updates are installed.
  8. I have included a series of screenshots below to show the whole process. Upon completion we have the overall content logged to the ‘All Messages’ column, with detailed information in the ‘Local Agent’ and ‘Remote Agent’ logs.

    The computer that is running BatchPatch will copy the most recently published WsusScn2.cab offline scan file that was downloaded in an earlier step to the target host.

    BatchPatch instructs the target host to perform a search for available updates against the WsusScn2.cab file, which is why the target host does not require internet access to perform its search.

    The list of available updates on the target host is copied back to the BatchPatch console. Since the updates were all previously downloaded to BatchPatch’s local cache directory, BatchPatch proceeds to copy the required updates to the target host.

    After the updates have been copied to the target host, the target host must move the files to its Windows Update cache.

    When the caching process completes, the installation is finally ready to be executed.

    After installation, the target host is rebooted and the process is complete.
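
Step 6 moves the cache across the network boundary on removable media, so it is worth confirming that what arrives is what was downloaded. The following PowerShell script is an added example, not part of BatchPatch or the original post: run it with `-Mode Create` on the internet-connected computer after the download finishes, and with `-Mode Verify` on the offline computer before pointing BatchPatch at the moved directory. The script itself, the manifest file name and the assumption that WsusScn2.cab sits under the cache directory are illustrative.

```powershell
# Added example, not BatchPatch code. Script name, paths and manifest name are assumptions.
param(
    [Parameter(Mandatory)][ValidateSet('Create', 'Verify')][string]$Mode,
    [Parameter(Mandatory)][string]$CacheDir,      # the populated local update cache directory
    [string]$Manifest = '.\cache-manifest.csv'    # keep it outside $CacheDir
)

$root = (Resolve-Path -LiteralPath $CacheDir).Path.TrimEnd('\')
$problems = @()

function Get-CacheHashes {
    # SHA-256 of every file in the cache, keyed by path relative to the cache root
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

if ($Mode -eq 'Create') {
    # Online side: check the Authenticode signature of the scan file where the
    # certificate chain can be validated, then record hashes of everything.
    # Assumption: WsusScn2.cab sits somewhere under the cache directory.
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'WsusScn2.cab' | ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        if ($sig.Status -ne 'Valid') { $problems += "BAD SIGNATURE ($($sig.Status)) $($_.FullName)" }
    }
    if ($problems) { $problems | Write-Warning; exit 1 }
    Get-CacheHashes | Export-Csv -LiteralPath $Manifest -NoTypeInformation
    Write-Output "Manifest written: $Manifest"
    exit 0
}

# Offline side: compare what arrived with what was recorded before the transfer
$expected = @{}
Import-Csv -LiteralPath $Manifest | ForEach-Object { $expected[$_.RelativePath] = $_.SHA256 }
foreach ($f in Get-CacheHashes) {
    if (-not $expected.ContainsKey($f.RelativePath)) { $problems += "UNEXPECTED $($f.RelativePath)" }
    elseif ($expected[$f.RelativePath] -ne $f.SHA256) { $problems += "MODIFIED   $($f.RelativePath)" }
    $expected.Remove($f.RelativePath)
}
foreach ($missing in $expected.Keys) { $problems += "MISSING    $missing" }

if ($problems) { $problems | Write-Warning; exit 1 }
Write-Output "Cache matches manifest: $root"
```

The manifest only travels in the same direction as the update files, so the one-way transfer rule is preserved; carrying it on separate media from the cache makes tampering with both harder.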