You can use BatchPatch to apply Windows security updates to numerous computers that do not have internet access. Many organizations will have a high-security network where no computer on that network may access the internet. Further, it’s common to have the network so protected that it cannot even house a WSUS for update delivery. If you don’t have a WSUS and you don’t have internet access, how do you keep computers up to date? Below I’ll explain how you can use BatchPatch to fill the void.
On the one hand, when you don’t allow the computers to access the internet, you increase their security by making it impossible to remotely access anything on the network. On the other hand, you make it harder to install updates, which is something you generally want to do in order to improve the security of the computers and close vulnerabilities in the operating systems. This is definitely a balancing act, but if you have a simple, straightforward method for applying updates to all of the offline computers, you’re going to be in much better shape than if you simply leave the computers as-is, never updating them, or if you have to handle the update process manually on a periodic basis.
How does BatchPatch enable administrators to download and install security updates on an entire air-gapped / segregated network of computers?
BatchPatch actually provides a handful of different modes and methods for getting updates installed on offline computers. The method that you select will depend primarily on how strict the security rules and requirements are for the offline network. For example, if the offline network is not completely air-gapped, and you’re able and allowed to put BatchPatch on a computer that has both internet access and access to the computers on the offline network, then you’re going to select a different method than if the network is truly air-gapped, or at least truly segregated such that no computer that has internet access can ever have direct access to computers on the network.
However, even when you’re dealing with a completely segregated network, there might still be different levels of security required for that network. For example, in some cases you might be able and allowed to remove files from the offline network when needed, whereas in other cases the rules might be so strict that you are never allowed to remove anything from the offline network. Or perhaps in some cases you are technically allowed to do such a thing, but the bureaucracy involved in change management processes is so burdensome that it’s barely ever worth actually trying to remove a file. BatchPatch provides different methods for each different scenario. There is always a balance between security and convenience, and BatchPatch attempts to provide the administrator with as much flexibility as possible to choose the least painful, most convenient method for any given offline network environment.
On the following page we go through all of the different scenarios, with detailed explanations. Each scenario has a tutorial that explains how to download and install updates on your network, depending on the details and rules of your environment.