Update 16-Jan-20: Fixed typo in WSUS Export Script.
I recently had to perform these exact steps to get an environment patched that did not have an internet connection and could not connect to an upstream WSUS server.
The following process describes downloading patches and uploading them to a disconnected domain:
- A WSUS server that has an internet connection. For the one I recently did, I created a VM with WSUS and WID database to keep the footprint small.
- Let WSUS sync overnight with all the classifications.
- Once synced, go into WSUS administration.
- Click Options.
- Click Update Files and Languages.

- Confirm on the Update Files tab that update files will only download when they are approved. If you select Download express installation files, this will take forever to complete and will download everything.

- Click on the Update Languages tab.
- Select Download updates only in these languages, and select the language that you wish, in my case English.

- The easiest way is to get into the Critical and Security updates under updates. Click Any Except Declined and click Refresh.

- Once the results come back, right click on the column bar and select Supersedence.

- Now sort by the Supersedence column, by clicking on the column.
- An update with a blue box at the top replaces other updates.

- These ones mean that they are not superseded, but another update replaces them.

- Any updates that have been superseded, select them. You can select many by shift+a on the
- Right click on these updates and select Decline.

- Approve the remaining updates.
- WSUS will then begin to download the physical files.

- Wait until all the downloads have completed and the download status is idle. This will take some time (i.e. 2 days), depending on the number of classifications selected.
- Once completed, copy the entire contents of E:\WSUSContent to a hard drive. You will need at least 1TB of space.
The best way to copy the contents is by using ROBOCOPY.
Example command:
robocopy /MIR
The /MIR switch will copy all the sub folders. The important thing is to copy the files exactly as they are from the source, as the WSUS database has pointers to each of the files.
- If you're copying to existing WSUS content on a hard drive, then you will want to run an incremental Robocopy, which basically means that any files that have been modified compared to the file in the destination are copied.
Command:
robocopy E:\WSUSContent F:\WSUSContent /E /MIR /R:1 /W:1
- While the copying is happening, open a Command Prompt as an administrator on the source WSUS server.
- Navigate to C:\Program Files\Update Services\Tools
- Enter the following command (this will export the metadata of the updates):
wsusutil.exe export D:\wsusexport_20190601.xml.gz D:\wsusexport_20190601.log
NB: if you have a large number of updates, you will need to use the .xml.gz extension, as the standard WSUS command won't work.
- Copy the export files to the hard drive.
- Robocopy the WSUS content from the hard drive to the WSUS server using the differential robocopy command:
robocopy D:\WSUSContent\WSUSContent \\E$\WSUSContent\WSUSContent /E /MIR /R:1 /W:1
- Verify that the Robocopy has finished.
- Run the following command to import WSUS metadata.
- Navigate to C:\Program Files\Update Services\Tools
- Enter the following command (this will import the metadata of the updates):
wsusutil.exe import E:\wsusexport_20190601.xml.gz E:\wsusexport_20190601.log

- Confirm the metadata is being imported. The process will take ages depending on the size of the xml.gz file.
- Confirm that metadata is imported.
- Open the SCCM Console.
- Go to Software Library tab.
- Expand Software Updates.
- Right click on All Software Updates and click Synchronize.
- This process will take some time.
- To confirm that the updates have been sync’d with SCCM, go to the All Software Updates page.
- Set the criteria to Date Released is on or after last 1 month.
- Select all the updates where the Required column is more than 1.
- Now you're good to go.
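
The copy steps above depend on WSUSContent arriving exactly as it left the source, and on verifying the Robocopy before importing the metadata. The following is an added example, not part of the original post or of WSUS itself: it builds a SHA-256 manifest of the content tree and checks a copy against it. The function names and manifest layout are hypothetical, and the demo runs on a small constructed directory rather than real update content.

```powershell
# Added example: function names and manifest layout are hypothetical, not WSUS tooling.
function New-ContentManifest {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$ManifestPath)
    $rootFull  = (Resolve-Path -LiteralPath $Root).ProviderPath
    $prefixLen = $rootFull.TrimEnd('\').Length + 1
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            # Paths are stored relative to the root so drive letters may differ
            RelativePath = $_.FullName.Substring($prefixLen)
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-ContentManifest {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$ManifestPath)
    $rootFull  = (Resolve-Path -LiteralPath $Root).ProviderPath
    $prefixLen = $rootFull.TrimEnd('\').Length + 1
    $expected  = @{}   # hashtable keys are case-insensitive, like Windows paths
    Import-Csv -LiteralPath $ManifestPath | ForEach-Object { $expected[$_.RelativePath] = $_.SHA256 }
    # Files present on disk but absent from the manifest
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($prefixLen)
        if (-not $expected.ContainsKey($rel)) { [pscustomobject]@{ Status = 'Extra'; RelativePath = $rel } }
    }
    # Files listed in the manifest that are missing or whose content changed
    foreach ($rel in $expected.Keys) {
        $path = Join-Path $rootFull $rel
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            [pscustomobject]@{ Status = 'Missing'; RelativePath = $rel }
        } elseif ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $expected[$rel]) {
            [pscustomobject]@{ Status = 'Mismatch'; RelativePath = $rel }
        }
    }
}

# Constructed demo on a throwaway tree (not real WSUS content)
$src = Join-Path ([IO.Path]::GetTempPath()) ('wsusdemo_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path (Join-Path $src 'AB') -Force | Out-Null
Set-Content -LiteralPath (Join-Path $src 'AB\sample1.cab') -Value 'constructed payload 1'
Set-Content -LiteralPath (Join-Path $src 'AB\sample2.cab') -Value 'constructed payload 2'
$manifest = "$src.manifest.csv"
New-ContentManifest -Root $src -ManifestPath $manifest
# Simulate damage in transit: alter one file and drop another, then verify
Set-Content -LiteralPath (Join-Path $src 'AB\sample2.cab') -Value 'altered in transit'
Remove-Item -LiteralPath (Join-Path $src 'AB\sample1.cab')
Test-ContentManifest -Root $src -ManifestPath $manifest | Format-Table -AutoSize
Remove-Item -LiteralPath $src, $manifest -Recurse -Force
```

Build the manifest from E:\WSUSContent before the first robocopy and test the destination after the last one, keeping the manifest file outside the content tree because /MIR deletes destination files that are not in the source. A manifest carried on the same drive only catches accidental corruption; to detect tampering, convey the manifest's own hash by a separate channel.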