The Best Way to Patch an Isolated Network

One of our goals with BatchPatch is for it to be the best tool for patching isolated networks. We think it provides the simplest method for applying Windows Updates in bulk to computers on segregated and/or offline networks. Isolated or segregated networks typically add some challenges to keeping computers up to date: the computers usually have no internet access, and usually no physical connectivity to other networks either. This 'air gap' is a significant obstacle for administrators, especially where the segregated network has very strict rules because of its high-security designation. After all, the purpose of an air-gapped network is usually to increase the overall security of the connected computers. On the one hand, keeping computers patched and up to date is paramount to maintaining the security of the network; on the other hand, how do you patch the computers if they are not connected to anything?

We describe, in detail, all of the cached mode and offline update options in BatchPatch at this link: Cached Mode and Offline Updates


There are two basic options that BatchPatch provides for patching an air-gapped network of computers:

Option A: On an internet-connected computer, pre-download *all* Windows Update security updates for the operating systems that you plan to patch. Then bring all of those updates on a hard drive to the offline network and use BatchPatch to apply them to all of the computers.

The advantage of option A is that files never need to be transferred from the offline network to an online network. In high-security environments this might be particularly useful because change-management requirements might make it very difficult or perhaps impossible to remove files from the offline, high-security network.

The disadvantage of option A is that you have to download *all* available security updates for a given OS, which might take some time.

Step-by-step tutorial for option A: Patching an isolated environment with strict security rules

Option B: First run BatchPatch on the offline network so that it can produce a report of all the security updates that are needed by computers. Take the report to a computer that has internet access, and then use BatchPatch to download the needed updates from the report. Then bring the downloaded updates from the internet-connected computer to the offline network where you can then use BatchPatch to apply those updates to the computers that require them.

The advantage to option B is that you will only need to download the exact/specific security updates that are required by computers on the offline network. This might be a significant time saver over option A.

The disadvantage to option B is that it requires taking a simple BatchPatch text file report from the offline network to an internet-connected computer. Security restrictions and/or change-management protocol may make this a very difficult or impossible task in some environments.

Step-by-step tutorial for option B: Patching an isolated environment with less stringent security rules
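The following PowerShell script is an added example for the internet-connected side of option B; it is not BatchPatch's own code, and it assumes a constructed report format (a plain text file with one KB ID per line) rather than BatchPatch's actual report. It reconciles the list of needed updates against a folder of downloaded .msu/.cab files, stages only those that carry a valid Microsoft Authenticode signature, and writes a SHA-256 manifest so the files can be re-verified on the offline side before installation. The paths in the param block are placeholders.

```powershell
# Added example (not BatchPatch code). Reconciles a list of needed KB IDs
# against a folder of downloaded update files and stages only the ones that
# are present and carry a valid Microsoft Authenticode signature.
#
# Assumptions (not from the page):
#   - $ReportPath is a plain text file with one "KB1234567" per line. This is a
#     constructed format for the example, not BatchPatch's actual report format.
#   - $DownloadDir holds .msu/.cab files whose names contain the KB number,
#     as files downloaded from the Microsoft Update Catalog do.
param(
    [string]$ReportPath  = 'C:\offline\needed-updates.txt',   # placeholder path
    [string]$DownloadDir = 'C:\offline\downloads',            # placeholder path
    [string]$StageDir    = 'C:\offline\stage'                 # placeholder path
)

New-Item -ItemType Directory -Path $StageDir -Force | Out-Null

# Pull KB IDs out of the report, normalising case and ignoring lines without one.
$needed = Get-Content $ReportPath |
    ForEach-Object { if ($_ -match '(?i)kb(\d{6,7})') { "KB$($Matches[1])" } } |
    Sort-Object -Unique

$downloads = Get-ChildItem $DownloadDir -File -Include *.msu,*.cab -Recurse
$manifest  = @()
$missing   = @()

foreach ($kb in $needed) {
    $num  = $kb.Substring(2)
    $hits = $downloads | Where-Object { $_.Name -match "(?i)kb$num" }
    if (-not $hits) { $missing += $kb; continue }

    foreach ($file in $hits) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        # Refuse anything unsigned, altered after signing, or not signed by Microsoft.
        if ($sig.Status -ne 'Valid' -or
            $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            Write-Warning "Skipping $($file.Name): signature status $($sig.Status)"
            continue
        }
        Copy-Item $file.FullName -Destination $StageDir
        $manifest += [pscustomobject]@{
            KB     = $kb
            File   = $file.Name
            SHA256 = (Get-FileHash $file.FullName -Algorithm SHA256).Hash
            Signer = $sig.SignerCertificate.Subject
        }
    }
}

# The manifest travels with the files so the hashes can be re-checked on the
# offline side with Get-FileHash before anything is installed.
$manifest | Export-Csv (Join-Path $StageDir 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize

if ($missing) {
    Write-Warning "No download found for: $($missing -join ', ')"
}
```

Run it on the internet-connected machine after the downloads finish; the staging folder plus manifest.csv is what goes onto the removable drive. On the offline side, a `Get-FileHash` over the staged files compared against the manifest confirms nothing changed in transit before BatchPatch applies them.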
