Compartir a través de


How to install patches in an isolated environment

How to install windows updates in isolated environments? (WSUS or Configuration Manager)

All required information is listed in the above two MS pages:

Networks disconnected from the Internet

It is unnecessary for your entire network to be connected to the Internet in order for you to use WSUS . If you have a network segment that is not connected to the Internet, consider deploying WSUS as shown in the "Distributing Updates on an Isolated Segment" illustration below. In this example, you create a WSUS server that is connected to the Internet but isolated from the intranet. After you download updates to this server, you can export the updates to media, hand-carry the media to disconnected WSUS servers, and import the updates.

Exporting and importing is also appropriate for organizations that have high-cost or low-bandwidth links to the Internet. Even with all the bandwidth-saving options described later in this guide, downloading enough updates for all Microsoft products throughout an organization can be bandwidth-intensive. Importing and exporting updates enables organizations to download updates once and distribute by using inexpensive media. See Set Up a Disconnected Network (Import and Export the Updates) for more information about how to export and import updates.

From <https://technet.microsoft.com/en-us/library/cc720448(v=ws.10).aspx>

Configure a Disconnected Network to Receive Updates

You can use Windows Server Update Services (WSUS) to manage updates to computers that are located on a network segment that is not connected to the Internet by following these steps:

  1. Install a WSUS server on the disconnected network segment. This server is known as the WSUS import server.
  2. Synchronize updates and metadata to a WSUS server that is connected to the Internet. This server is known as the WSUS export server.
  3. Transfer the required updates and metadata from the WSUS export server to removable media.
  4. Transport the removable media to the WSUS import server.
  5. Import the updates and metadata to the WSUS import server.
  6. Manage and download updates to client computers on the disconnected network segment by using the WSUS import server.

This topic assumes that you already have installed the WSUS servers.

In this topic:

From <https://technet.microsoft.com/en-us/library/dd939873%28v=ws.10%29.aspx>

As you see above, It requires a WSUS server that does have Internet connectivity (all you have to do is install an Internet facing one – or use an already existed WSUS - standalone WSUS server to do the export from)
and then you use the WSUSUtil command to export and then import to the isolated SUP.
More information you may also find here:

How to Synchronize Updates Using Export and Import   https://technet.microsoft.com/en-us/library/bb680473.aspx

How to move WSUS from one server to another   https://blogs.technet.com/b/sus/archive/2009/07/02/how-to-move-wsus-from-one-server-to-another.aspx

 My colleague wrote also this very detailed blog post, which takes you through the steps and automations:

ConfigMgr Software Updates on an Isolated Network (still valid for ConfMgr12)

https://blogs.technet.com/b/aaronczechowski/archive/2008/11/11/configmgr-software-updates-on-an-isolated-network.aspx

You may also check the below post, which describes an update for the WSUS server; this update removes the 2 GB limitation on the export file size, which can be exceeded if you synchronize updates for a lot of products.

Problem Solved: The WSUS Export Bug https://blogs.technet.com/b/wsus/archive/2013/04/09/problem-solved-the-wsus-export-bug.aspx

Since the Configuration Manager server is completely isolated from the internal network,  it cannot communicate with the upper ConfMgr hierarchy, so cannot be used..