About the software
Introduction
WUOffline is a PowerShell module to manage Windows Updates. Get-WinUpdate can list installed and/or needed updates, using an offline scan catalog you supply. Output includes the URL for the update package file (.CAB) to download from Microsoft's CDN. Install-WinUpdate can install one or more update packages you've downloaded.
Download: WUOffline.psm1
Features
- Can update anything that uses the Windows Update infrastructure — that includes Microsoft Office, SQL Server, and others.
- Update packages can be downloaded in one environment and then transferred to another.
- The scan catalog and update packages can be transported using offline removable media (sneakernet), suitable for air-gapped deployments.
- Does not download anything itself. File transfer is entirely under your control.
- The download lists are plain text, easy to review and audit, or even print and OCR.
- Entirely self-contained in a single human-readable script module, distributed as source code, for easier review and approval.
- Freely available for any use, without restriction, under a public domain dedication (the Unlicense).
WUOffline vs WSUS Offline Update
WUOffline should not be confused with WSUS Offline Update (WOU), which is an unrelated project with similar overall goals, but taking a different approach.
WUOffline is designed for tightly-managed environments where the software being introduced is strictly controlled. WUOffline is pure PowerShell, small enough to easily audit. There are no binaries or third-party utilities. It doesn't download anything automatically. Because it generates update lists for the computer being scanned, only what is needed for that configuration needs to be downloaded. It is aimed at experienced professionals comfortable working with the command line.
WSUS Offline Update is a more general-purpose tool. It downloads complete package sets for all possible configurations, resulting in a more universal install kit, but also much larger file transfers. It incorporates third-party utilities and pre-compiled binaries, which are more difficult to audit and approve. It has a friendly GUI.
Pick the tool that is right for you. Most people are likely better served by WSUS Offline Update.
Using the software
Installation
To use WUOffline, you have to import the module into your running PowerShell environment. For example:
Import-Module C:\WU\WUOffline.psm1
You may want to put a command in your PowerShell profile to do so automatically.
The module exports two commands: Get-WinUpdate and Install-WinUpdate. Once the module is imported, you can use Get-Help to read the documentation. For example:
Get-Help -Full Get-WinUpdate | more
Notes
WUOffline commands generally need to be run by a user with Administrator privileges, and fully elevated.
It is normal for the scan/search phase of the process to take several minutes, and for the install phase to take even longer. There will be no feedback during either of these operations, even with -Verbose.
Workflow
Overall workflow for WUOffline would typically be something like this:
- Download the offline scan catalog from Microsoft. URL: http://go.microsoft.com/fwlink/?LinkId=76054
- Copy the scan catalog to target system
- On the target system, run something like this:
Get-WinUpdate C:\WU\WSUSSCN2.CAB | select links > C:\WU\links.txt
- Copy links.txt to Internet-connected system
- Download the files from links.txt, for example:
wget -i links.txt
- Copy results of download to target system
- On the target system, run something like this:
Install-WinUpdate C:\WU\WSUSSCN2.CAB C:\WU\pkgs
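The step that most often goes wrong in this workflow is the transfer: a download that silently failed, or a file that was renamed, only shows up as a missing package at install time on the target. The function below is an added example, not part of the WUOffline module, for the Internet-connected system: it compares what was downloaded against links.txt and writes a SHA256 manifest to travel with the packages. It assumes links.txt holds one URL per line (non-URL lines such as the column header that "select links" emits are skipped), that the downloader kept each file's original name, and PowerShell 4 or later for Get-FileHash. The function name Test-DownloadSet and the manifest file name manifest.sha256 are my own choices.

```powershell
# Added example, not part of WUOffline. Run on the Internet-connected
# system after "wget -i links.txt" and before copying C:\WU\pkgs to media.

function Test-DownloadSet {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LinksFile,   # links.txt from Get-WinUpdate
        [Parameter(Mandatory)] [string] $PackageDir,  # directory the downloader wrote into
        [string] $ManifestFile = (Join-Path $PackageDir 'manifest.sha256')  # assumed name
    )

    # Keep only lines that are actually URLs; "Get-WinUpdate | select links"
    # also emits a column header and a dashed underline that are not packages.
    $urls = Get-Content -LiteralPath $LinksFile |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^https?://' }

    # The expected file name is the last path segment of each URL.
    $expected = @($urls | ForEach-Object { ([uri]$_).Segments[-1] } | Sort-Object -Unique)

    $manifestName = Split-Path $ManifestFile -Leaf
    $present = @(Get-ChildItem -LiteralPath $PackageDir -File |
        Where-Object { $_.Name -ne $manifestName } |
        Select-Object -ExpandProperty Name)

    $missing = @($expected | Where-Object { $_ -notin $present })
    $extra   = @($present  | Where-Object { $_ -notin $expected })

    foreach ($m in $missing) { Write-Warning "Missing package: $m" }
    foreach ($e in $extra)   { Write-Warning "File not listed in links.txt: $e" }

    # Write one "<sha256>  <name>" line per listed package so the receiving
    # side can verify the media before installing anything.
    Get-ChildItem -LiteralPath $PackageDir -File |
        Where-Object { $_.Name -in $expected } |
        ForEach-Object {
            '{0}  {1}' -f (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash, $_.Name
        } | Set-Content -LiteralPath $ManifestFile -Encoding ascii

    [pscustomobject]@{
        Expected = $expected.Count
        Present  = @($expected | Where-Object { $_ -in $present }).Count
        Missing  = $missing
        Extra    = $extra
        Manifest = $ManifestFile
    }
}

# Usage, with the paths from the workflow above:
# Test-DownloadSet -LinksFile C:\WU\links.txt -PackageDir C:\WU\pkgs
```

Extra files are reported rather than deleted: anything in the package directory that links.txt did not ask for is exactly what a reviewer of an air-gapped transfer wants to see before it goes onto media.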
Examples
Get-WinUpdate -Installed C:\WU\WSUSSCN2.CAB | Out-GridView
Report installed updates in a GUI table view. This still needs a scan catalog and still performs an update scan.
Get-WinUpdate -All C:\WU\wsusscn2.cab | Export-CSV "C:\WU\$( Get-Date -f "yyyy-MM-dd-HHmm" ).CSV"
Scan for updates, and report all updates (both needed and installed). Store the scan results in a Comma Separated Values (CSV) file, with a file name based on the date and time.
Get-WinUpdate -Catalog C:\WU\wsusscn2.cab -Exclude 890830 | select > links.txt
Scan for updates, and write the URLs that need to be downloaded into a text file. Exclude update 890830 (the Malicious Software Removal Tool, included every month). The URL list can then be given to downloader programs such as WGET, CURL, GetRight, etc.
Install-WinUpdate C:\WU\wsusscn2.cab C:\WU\pkgs
Install updates using package files previously placed in the C:\WU\pkgs\ directory. No output will be given, unless a package is missing, a reboot is required, or a problem is detected.
Install-WinUpdate -Verbose -Catalog C:\WU\wsusscn2.cab -Repo C:\WU\pkgs
Same as the previous, but with reassurance for the operator. Explicit parameter names (switches) are used in the invocation. Major operations are reported as they are performed, and a few simple statistics will be given.
Install-WinUpdate C:\WU\wsusscn2.cab C:\WU\pkgs -Include 4566424
Install only updates with MSKB matching "4566424". In this case, it is a Servicing Stack Update, being installed before other updates.
One-Way Transfers
In certain very high security environments, a common restriction is one-way data flow. That is, files can be copied to the target system, but files cannot be copied back out. Like a black hole, things can enter, but nothing can leave. WUOffline was designed for such environments. The solution is to build a model system.
The model system should be nearly identical to the target systems, both hardware and software. Ideally, the model system is the same brand and model of PC, with the same specs, and the same peripherals (monitor, printer, etc.). The same software should be installed, in the same order. All the same hardening, Group Policies, etc., should be applied. Ideally, the model system is installed from the same system image ("gold master") as the target systems.
The only difference is, the model system has nothing sensitive on it, and thus is not subject to one-way data flow restrictions. It is often entirely outside the physical environment of the target systems, in a development lab or office.
Virtual machines can be useful for this, but beware of virtual machine software installing dependencies which alter the software environment (and thus change the updates that will be needed). Likewise, VMs will have different drivers, and many drivers include large software suites these days. In my environments, I did testing first in a VM, but then had a model system on physical hardware in the lab for final test.
Ideally, the model system should not be connected to any external network, as that is a configuration difference that may perturb the update process. If the target environment includes an isolated network (ISOLAN), build a similar configuration in the lab, with model server and model client.
With your model system, follow the workflow given above. Copy the scan catalog to the model system using removable media, run Get-WinUpdate with that scan catalog, and copy the resulting links off using removable media as well. Download the packages, generate media, and then test installation on the model system. Once you're confident it works, generate media for introduction into the target environments.
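On the receiving side, whether the model system or the real target, nothing can be sent back out, so the media has to carry its own proof of integrity. The script below is an added example, not part of the WUOffline module: it checks a SHA256 manifest shipped alongside the packages (one "<sha256>  <name>" line per file, a convention assumed here rather than anything WUOffline defines), refuses to proceed unless the session is fully elevated as the Notes above require, and records a transcript of the install for the local audit trail. The paths, the manifest file name manifest.sha256, and the function names Test-PackageManifest and Test-Elevated are my own; Install-WinUpdate and its -Catalog and -Repo parameters are the module's, as shown in the Examples.

```powershell
# Added example, not part of WUOffline. Run on the model or target system
# after the media has been copied in, before Install-WinUpdate.

function Test-PackageManifest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PackageDir,
        [string] $ManifestFile = (Join-Path $PackageDir 'manifest.sha256')  # assumed name
    )
    $bad = @()
    foreach ($line in Get-Content -LiteralPath $ManifestFile) {
        # Accept "<64 hex chars> <file name>"; ignore blank or malformed lines.
        if ($line -match '^([0-9A-Fa-f]{64})\s+(.+?)\s*$') {
            $hash = $Matches[1]
            $name = $Matches[2]
        } else {
            continue
        }
        $path = Join-Path $PackageDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            $bad += "$name (missing)"
            continue
        }
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($actual -ne $hash) { $bad += "$name (hash mismatch)" }
    }
    foreach ($b in $bad) { Write-Warning $b }
    return ($bad.Count -eq 0)
}

function Test-Elevated {
    # True only when the current token holds the Administrators role, i.e. the
    # session is elevated, not merely run by a member of the Administrators group.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Orchestration: install only when elevated and the package set verifies.
$catalog = 'C:\WU\WSUSSCN2.CAB'
$pkgs    = 'C:\WU\pkgs'

if (-not (Test-Elevated)) {
    throw 'Run this from a fully elevated PowerShell session.'
}
if (-not (Test-PackageManifest -PackageDir $pkgs)) {
    throw 'Package set failed manifest verification; not installing.'
}

Import-Module C:\WU\WUOffline.psm1
Start-Transcript -Path "C:\WU\install-$(Get-Date -f 'yyyyMMdd-HHmm').log"
try {
    # Expect no output for several minutes, as noted above.
    Install-WinUpdate -Verbose -Catalog $catalog -Repo $pkgs
} finally {
    Stop-Transcript
}
```

Run it first on the model system; if the manifest check passes there and fails on the target, the difference is in the media or the copy, not in the update set, which narrows the investigation without needing anything to leave the target.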