Offline Patch Management

One of the challenges that many administrators face is patch management for offline networks. In many cases it is a catch-22. On the one hand we are charged with keeping the computers on the offline network 100% patched and up to date, so that they pass any security vulnerability audits. On the other hand, if the computers are so restricted that they cannot reach the internet or even a separate online network, it can be very difficult to actually keep them 100% patched and up to date.

BatchPatch offers functionality that enables you to deploy both third party software as well as Windows Updates to computers that are members of an offline or segregated network.

For standard third-party software deployment on offline networks, please have a look here: Software Deployment.

For offline Windows patch management, BatchPatch has a few different options to consider, depending on the configuration and security requirements of the environment that you need to patch. Let’s look at those in more detail below.

Partially Offline Patch Management

This mode is for computers that have no direct internet access and no direct WSUS access but are still able to communicate over the network with a computer that has internet access and is able to run BatchPatch.

The administrator launches BatchPatch on the internet-connected computer, and then configures BatchPatch to run in ‘offline mode.’ Once in ‘offline mode’ BatchPatch is used to check each target computer for available updates. Any needed updates are then downloaded by BatchPatch and distributed to the offline computers. The full tutorial is available here: Partially Offline Patch Management

Fully Offline Patch Management for Less Stringent High-Security Networks

This mode is for networks that have no direct internet access, no direct WSUS access, and no direct communication with a computer that has internet access. In this mode, the administrator will be required to transfer a single text file (the list of needed updates) from the offline network to an online network, so data does leave the high-security network, but only that one report.

The administrator launches BatchPatch on a computer connected to the offline network. This computer is used to initiate the scan for available updates on all target computers. When all targets have finished checking for available updates, the BatchPatch computer creates a report of all needed updates. This report is exported to a single text file and transferred to an internet-connected computer via a USB flash drive or whatever method is convenient. On the internet-connected computer, the single text file is loaded into BatchPatch so that BatchPatch can download all of the updates included in the file. Once the updates are downloaded they are transferred back to the offline network where BatchPatch is then used to distribute them to all the target computers. The full tutorial is available here: Fully Offline Patch Management for Lower-Security Networks
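The two steps that happen on the offline side before anything leaves the network are the scan and the report. As an added illustration (this is not BatchPatch code, and the same scan is what the partially-offline mode performs from the internet-connected computer), the script below uses the Windows Update Agent (WUA) COM API to check the local computer against Microsoft's offline scan catalog, wsusscn2.cab, and writes a tab-separated text report of the missing updates. The catalog location, the report directory, and the report file layout are assumptions for the example; the catalog itself must already have been copied into the network.

```powershell
# Added example (not BatchPatch code): scan this computer for missing updates with the
# Windows Update Agent against the offline catalog wsusscn2.cab, then write a text report
# that can be reviewed and carried to an internet-connected machine.
# Assumptions: wsusscn2.cab has been copied to $CatalogPath and $ReportDir exists.
param(
    [string]$CatalogPath = 'C:\Patching\wsusscn2.cab',   # assumed location of the catalog
    [string]$ReportDir   = 'C:\Patching\Reports'          # assumed output folder
)

function Get-MissingUpdates {
    param([Parameter(Mandatory)][string]$CatalogPath)

    if (-not (Test-Path -LiteralPath $CatalogPath)) {
        throw "Offline scan catalog not found: $CatalogPath"
    }

    # Register the .cab as an "offline sync" update service and point the searcher at it.
    # ServerSelection 3 = ssOthers: use the ServiceID we supply instead of Microsoft Update or WSUS,
    # so the scan needs neither internet nor WSUS connectivity.
    $serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
    $service        = $serviceManager.AddScanPackageService('Offline Sync Service', $CatalogPath)
    $session        = New-Object -ComObject Microsoft.Update.Session
    $searcher       = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3
    $searcher.ServiceID       = $service.ServiceID

    # Same criteria an ordinary "check for updates" uses; hidden updates are excluded.
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')

    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            KB       = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ';'
            Severity = $update.MsrcSeverity
            Title    = $update.Title
        }
    }
}

function Export-MissingUpdateReport {
    param(
        [Parameter(Mandatory)][string]$CatalogPath,
        [Parameter(Mandatory)][string]$ReportDir
    )
    $updates    = @(Get-MissingUpdates -CatalogPath $CatalogPath)
    $reportPath = Join-Path $ReportDir ('{0}-{1:yyyyMMdd}.txt' -f $env:COMPUTERNAME, (Get-Date))

    # Tab-separated text, one update per line: trivial to read, diff and review before it
    # leaves the network, and trivial to concatenate across many targets.
    $header = "Computer`tKB`tSeverity`tTitle"
    $lines  = foreach ($u in $updates) { "{0}`t{1}`t{2}`t{3}" -f $u.Computer, $u.KB, $u.Severity, $u.Title }
    @($header) + @($lines) | Out-File -LiteralPath $reportPath -Encoding utf8

    Write-Host ("{0}: {1} update(s) needed, report written to {2}" -f $env:COMPUTERNAME, $updates.Count, $reportPath)
    return $reportPath
}

Export-MissingUpdateReport -CatalogPath $CatalogPath -ReportDir $ReportDir
```

The script is written to run on the target itself (for example from a scheduled task or a remote shell) rather than driving the WUA API across the network, because the agent refuses download and install calls made from a remote session and is unreliable for remote searches on older Windows versions. Run it on every target, concatenate the per-host reports, and that combined text file is the single artifact this mode moves out to the internet-connected computer. Review it before it leaves: it is the only outbound data flow in this mode, so it should contain nothing but host names and KB identifiers.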

Fully Offline Patch Management for More Stringent High-Security Networks

This mode is for networks that have no direct internet access, no direct WSUS access, and no direct communication with a computer that has internet access. In this mode, no files are ever transferred from the high-security network to another network; the data flow is strictly inbound.

The administrator launches BatchPatch on an internet-connected computer. BatchPatch is then used to download *all* Windows security updates for whichever operating systems are going to be patched. After all of the updates are downloaded, the entire repository is transferred to the offline network. BatchPatch is then launched on a computer in the offline network, and it is used to distribute all of the previously downloaded updates to target computers. The full tutorial is available here: Fully Offline Patch Management for High-Security Networks
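Moving an entire update repository into a high-security network on removable media raises the question every practitioner should ask: how do you know the packages you are about to install are the ones that were downloaded, and that they really came from Microsoft? The script below is an added example, not BatchPatch code. It assumes the repository consists of .msu packages installable with wusa.exe, that a manifest named manifest.sha256 is written on the internet-connected computer before the media is moved (the New-UpdateManifest function), and that the expected signer subject prefix has been confirmed against a known-good package. Install-VerifiedUpdates then runs elevated on each offline target and installs only packages that match the manifest and carry a valid Microsoft Authenticode signature.

```powershell
# Added example (not BatchPatch code). Two halves of the inbound-only workflow:
#   New-UpdateManifest      runs on the internet-connected machine after the downloads and
#                           records a SHA-256 for every .msu in the repository.
#   Install-VerifiedUpdates runs elevated on each offline target once the repository and
#                           manifest have been copied in, and installs only packages that match
#                           the manifest AND carry a valid Authenticode signature from Microsoft.
# Assumptions: .msu packages, manifest.sha256 in the repository root, and the signer prefix
# below confirmed against a known-good package before relying on it.
$ManifestName         = 'manifest.sha256'
$ExpectedSignerPrefix = 'CN=Microsoft Windows'   # assumption: verify on a known-good .msu first

function New-UpdateManifest {
    param([Parameter(Mandatory)][string]$RepoDir)
    $manifest = Join-Path $RepoDir $ManifestName
    # One "<sha256>  <filename>" line per package, in the same shape as sha256sum output.
    $lines = Get-ChildItem -LiteralPath $RepoDir -Filter *.msu -File | ForEach-Object {
        '{0}  {1}' -f (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash, $_.Name
    }
    $lines | Out-File -LiteralPath $manifest -Encoding utf8
    return $manifest
}

function Read-UpdateManifest {
    param([Parameter(Mandatory)][string]$ManifestPath)
    $map = @{}
    foreach ($line in Get-Content -LiteralPath $ManifestPath) {
        if ($line -match '^\s*([0-9A-Fa-f]{64})\s+(.+?)\s*$') {
            $map[$Matches[2]] = $Matches[1].ToUpperInvariant()
        }
    }
    return $map
}

function Test-UpdatePackage {
    # Returns $null when the package is acceptable, otherwise a string saying why it is not.
    param(
        [Parameter(Mandatory)][System.IO.FileInfo]$File,
        [Parameter(Mandatory)][hashtable]$Expected
    )
    if (-not $Expected.ContainsKey($File.Name)) { return 'not listed in manifest' }

    $actual = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash.ToUpperInvariant()
    if ($actual -ne $Expected[$File.Name]) { return 'SHA-256 does not match manifest' }

    # The manifest travelled on the same media as the packages, so it only proves the files
    # were not corrupted in transit. The signature check is what proves who produced them.
    $sig = Get-AuthenticodeSignature -LiteralPath $File.FullName
    if ($sig.Status -ne 'Valid') { return "Authenticode status is $($sig.Status)" }
    if ($sig.SignerCertificate.Subject -notlike "$ExpectedSignerPrefix*") {
        return "unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    return $null
}

function Install-VerifiedUpdates {
    param([Parameter(Mandatory)][string]$RepoDir)
    $expected = Read-UpdateManifest -ManifestPath (Join-Path $RepoDir $ManifestName)

    foreach ($file in Get-ChildItem -LiteralPath $RepoDir -Filter *.msu -File) {
        $problem = Test-UpdatePackage -File $file -Expected $expected
        if ($problem) {
            [pscustomobject]@{ Package = $file.Name; Result = "SKIPPED: $problem" }
            continue
        }

        # /norestart keeps reboot scheduling under the administrator's control.
        $proc = Start-Process -FilePath wusa.exe -ArgumentList "`"$($file.FullName)`" /quiet /norestart" -Wait -PassThru

        # wusa.exe exit codes: 0 and 3010 (reboot required) are success;
        # 2359302 = 0x240006 WU_S_ALREADY_INSTALLED; -2145124329 = 0x80240017 WU_E_NOT_APPLICABLE.
        $result = switch ($proc.ExitCode) {
            0           { 'installed' }
            3010        { 'installed, reboot required' }
            2359302     { 'already installed' }
            -2145124329 { 'not applicable to this system' }
            default     { "FAILED with exit code $($proc.ExitCode)" }
        }
        [pscustomobject]@{ Package = $file.Name; Result = $result }
    }
}

# On the internet-connected machine, after downloading:   New-UpdateManifest -RepoDir 'D:\UpdateRepo'
# On each offline target, from an elevated prompt:       Install-VerifiedUpdates -RepoDir 'D:\UpdateRepo' | Format-Table -AutoSize
```

Because this mode downloads every update for the operating systems in scope, most packages on any given target will come back as "not applicable" or "already installed"; that is expected, and the exit-code mapping keeps those distinct from real failures. Packages distributed as .cab rather than .msu need DISM (/Add-Package) instead of wusa.exe, and the same two checks apply before installing them.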
