How to do one-off patches without an Internet connection

If you need to patch a small quantity of Windows servers or desktop PCs and don’t want to download four gigabytes of updates, or, worse yet, can’t download updates, WSUS Offline Update is your buddy. Don’t let its name fool you–it doesn’t require a Microsoft WSUS server in order to operate. But if you have a local WSUS server, you can point it at that to download updates, which is faster than downloading from Microsoft.

It’s a script that downloads all existing updates for a given operating system; you then run it from a network drive or removable media on individual systems to install the missing patches and service packs. It’s a reliable way to quickly patch a small number of systems. I’ve had to use it a few times in my career and it’s worked well for me.

Patching hundreds of systems with it isn’t something I recommend–if you have a lot of machines, you need to stand up an enterprise patching solution–but this tool definitely has its uses, especially in small environments, or even for one-offs in large environments.

I can think of another good use for it: If you have a development network that doesn’t have an Internet connection, this will let you download and apply updates to it so your development network matches production, which is critical for a properly working environment.

In the bad old days I used to use batch files to apply updates. This is better, because it will apply only the missing updates, and it does a reasonably good job of applying the updates in the proper order. Using batch files, sometimes I would have to run the file, reboot, and repeat a half dozen times to end up with a clean system, which didn’t make the security team happy. When I started using the predecessor to this tool, my security team and boss were a lot happier.
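Whether the goal is a dev network that matches production or confirming that an offline run really installed every missing update, you still want a way to check. The following PowerShell script is an added example, not part of the original post or of the WSUS Offline Update project: it compares the hotfixes installed on the current machine against a baseline exported from a reference host, and assumes that baseline was written with `Get-HotFix | Select-Object HotFixID, Description, InstalledOn | Export-Clixml baseline-hotfixes.xml` (file name is a placeholder).

```powershell
# Added example: compare installed hotfixes on this machine against a baseline
# exported from a reference host (e.g. a production box), so you can confirm an
# offline patch run brought the system to parity.
# Assumption: the baseline file was produced on the reference host with
#   Get-HotFix | Select-Object HotFixID, Description, InstalledOn | Export-Clixml baseline-hotfixes.xml
param(
    [Parameter(Mandatory = $true)]
    [string]$BaselinePath
)

# Reference set of KB identifiers from the exported baseline.
$baseline = Import-Clixml -Path $BaselinePath | Select-Object -ExpandProperty HotFixID
if (-not $baseline) {
    throw "Baseline '$BaselinePath' contains no HotFixID entries."
}

# Hotfixes installed on the machine being checked.
$local = Get-HotFix | Select-Object -ExpandProperty HotFixID

# '<=' marks KBs only in the baseline (missing here);
# '=>' marks KBs installed locally but absent from the reference.
$diff    = Compare-Object -ReferenceObject $baseline -DifferenceObject $local
$missing = $diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject
$extra   = $diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject

if ($missing) {
    Write-Host "Missing compared to baseline ($($missing.Count)):"
    $missing | Sort-Object | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "No hotfixes missing relative to the baseline."
}
if ($extra) {
    Write-Host "Installed here but not in baseline ($($extra.Count)):"
    $extra | Sort-Object | ForEach-Object { Write-Host "  $_" }
}

# Exit 1 when something is missing so a build or provisioning step can gate on it.
exit ([int][bool]$missing)
```

Get-HotFix reads Win32_QuickFixEngineering, which does not list every update type (definition updates, for example), so treat this as a parity check between two machines rather than a complete inventory.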
