WUOffline — Windows Update Offline

About the software

Introduction

WUOffline is a PowerShell module to manage Windows Updates. Get-WinUpdate can list installed and/or needed updates, using an offline scan catalog you supply. Output includes the URL for the update package file (.CAB) to download from Microsoft's CDN. Install-WinUpdate can install one or more update packages you've downloaded.

Download: WUOffline.psm1

Features

WUOffline vs WSUS Offline Update

WUOffline should not be confused with WSUS Offline Update (WOU), which is an unrelated project with similar overall goals but a different approach.

WUOffline is designed for tightly-managed environments where the software being introduced is strictly controlled. WUOffline is pure PowerShell, small enough to easily audit. There are no binaries or third-party utilities. It doesn't download anything automatically. Because it generates update lists for the computer being scanned, only what is needed for that configuration needs to be downloaded. It is aimed at experienced professionals comfortable working with the command line.

WSUS Offline Update is a more general-purpose tool. It downloads complete package sets for all possible configurations, resulting in a more universal install kit, but also much larger file transfers. It incorporates third-party utilities and pre-compiled binaries, which are more difficult to audit and approve. It has a friendly GUI.

Pick the tool that is right for you. Most people are likely better served by WSUS Offline Update.

Using the software

Installation

To use WUOffline, you have to import the module into your running PowerShell environment. For example:

 Import-Module C:\WU\WUOffline.psm1 

You may want to put a command in your PowerShell profile to do so automatically.

The module exports two commands: Get-WinUpdate and Install-WinUpdate. Once the module is imported, you can use Get-Help to read the documentation. For example:

Get-Help -Full Get-WinUpdate | more

Notes

WUOffline commands generally need to be run by a user with Administrator privileges, and fully elevated.

It is normal for the scan/search phase of the process to take several minutes, and for the install phase to take even longer. There will be no feedback during either of these operations, even with -Verbose.

Workflow

Overall workflow for WUOffline would typically be something like this:

  1. Download the offline scan catalog from Microsoft. URL:
    http://go.microsoft.com/fwlink/?LinkId=76054
  2. Copy the scan catalog to target system
  3. On the target system, run something like this:
    Get-WinUpdate C:\WU\WSUSSCN2.CAB | select links > C:\WU\links.txt
  4. Copy links.txt to Internet-connected system
  5. Download the files from links.txt, for example:
    wget -i links.txt
  6. Copy results of download to target system
  7. On the target system, run something like this:
    Install-WinUpdate C:\WU\WSUSSCN2.CAB C:\WU\pkgs
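
The workflow above carries a catalog and package files across a boundary on removable media, so it is worth checking them before the install step. The following is an added example, not part of WUOffline: on the download system it lists only files with a valid Microsoft Authenticode signature and records their SHA-256 hashes, and on the target it re-checks those hashes. The function names and manifest.csv are hypothetical, and it assumes the catalog and packages are Authenticode-signed.

```powershell
# Added example, not part of WUOffline. Function names and the manifest
# file are hypothetical; paths follow the C:\WU layout used on this page.
function Get-TransferFile($Catalog, $Repo) {
    @(Get-Item -LiteralPath $Catalog) + @(Get-ChildItem -LiteralPath $Repo -File)
}

# Internet-connected system, after the download step.
function New-TransferManifest {
    param([string]$Catalog, [string]$Repo, [string]$Manifest)
    $rows = foreach ($f in Get-TransferFile $Catalog $Repo) {
        $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
        # Assumption: catalog and packages carry a Microsoft Authenticode signature.
        $trusted = $sig.Status -eq 'Valid' -and
                   $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'
        if (-not $trusted) {
            Write-Warning "Not listed: $($f.Name) (signature: $($sig.Status))"
            continue
        }
        [pscustomobject]@{
            Name   = $f.Name
            SHA256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
    $rows | Export-Csv -LiteralPath $Manifest -NoTypeInformation
}

# Target system, before Install-WinUpdate. Returns $true only if every file
# present matches the manifest and every listed file is present.
function Test-TransferManifest {
    param([string]$Catalog, [string]$Repo, [string]$Manifest)
    $expected = @{}
    Import-Csv -LiteralPath $Manifest | ForEach-Object { $expected[$_.Name] = $_.SHA256 }
    $files = Get-TransferFile $Catalog $Repo
    $problems = @(foreach ($f in $files) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        if ($expected[$f.Name] -ne $hash) { "altered or unlisted: $($f.Name)" }
    })
    $problems += @($expected.Keys | Where-Object { $_ -notin $files.Name } |
        ForEach-Object { "missing: $_" })
    $problems | ForEach-Object { Write-Warning $_ }
    $problems.Count -eq 0
}

# Usage on the target (manifest path is an assumption):
# if (Test-TransferManifest C:\WU\wsusscn2.cab C:\WU\pkgs C:\WU\manifest.csv) {
#     Install-WinUpdate C:\WU\wsusscn2.cab C:\WU\pkgs
# }
```

The manifest travels on the same media as the files, so it detects damaged, truncated or extra files; the signature check on the download system is what ties each file to Microsoft.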

Examples

Get-WinUpdate -Installed C:\WU\WSUSSCN2.CAB | Out-GridView

Report installed updates in a GUI table view. This still needs a scan catalog and still performs an update scan.

Get-WinUpdate -All C:\WU\wsusscn2.cab | Export-CSV "C:\WU\$( Get-Date -f "yyyy-MM-dd-HHmm" ).CSV"

Scan for updates, and report all updates (both needed and installed). Store the scan results in a Comma Separated Values (CSV) file, with a file name based on the date and time.

Get-WinUpdate -Catalog C:\WU\wsusscn2.cab -Exclude 890830 | select links > links.txt

Scan for updates, and write the URLs that need to be downloaded into a text file. Exclude update 890830 (the Malicious Software Removal Tool included every month). The URL list can then be given to downloader programs such as WGET, CURL, GetRight, etc.

Install-WinUpdate C:\WU\wsusscn2.cab C:\WU\pkgs

Install updates using package files previously placed in the C:\WU\pkgs\ directory. No output will be given, unless a package is missing, a reboot is required, or a problem is detected.

Install-WinUpdate -Verbose -Catalog C:\WU\wsusscn2.cab -Repo C:\WU\pkgs

Same as the previous, but with reassurance for the operator. Explicit parameter names (switches) are used in the invocation. Major operations are reported as they are performed, and a few simple statistics will be given.

Install-WinUpdate C:\WU\wsusscn2.cab C:\WU\pkgs -Include 4566424

Install only updates with MSKB matching "4566424". In this case, it is a Servicing Stack Update, being installed before other updates.

One-Way Transfers

In certain very high security environments, a common restriction is one-way data flow. That is, files can be copied to the target system, but files cannot be copied back out. Like a black hole, things can enter, but nothing can leave. WUOffline was designed for such environments. The solution is to build a model system.

The model system should be nearly identical to the target systems, both hardware and software. Ideally, the model system is the same brand and model of PC, with the same specs, and the same peripherals (monitor, printer, etc.). The same software should be installed, in the same order. All the same hardening, Group Policies, etc., should be applied. Ideally, the model system is installed from the same system image ("gold master") as the target systems.

The only difference is, the model system has nothing sensitive on it, and thus is not subject to one-way data flow restrictions. It is often entirely outside the physical environment of the target systems, in a development lab or office.

Virtual machines can be useful for this, but beware of virtual machine software installing dependencies which alter the software environment (and thus change the updates that will be needed). Likewise, VMs will have different drivers, and many drivers include large software suites these days. In my environments, I did testing first in a VM, but then had a model system on physical hardware in the lab for final test.

Ideally, the model system should not be connected to any external network, as that is a configuration difference that may perturb the update process. If the target environment includes an isolated network (ISOLAN), build a similar configuration in the lab, with model server and model client.

With your model system, follow the workflow given above. Copy the scan catalog to the model system using removable media, run Get-WinUpdate with that scan catalog, and copy the resulting links off using removable media as well. Download the packages, generate media, and then test installation on the model system. Once you're confident it works, generate media for introduction into the target environments.