Robert Hensing's Blog

Software Security . . . and stuff.

Getting Microsoft Updates offline . . .


So I just got done reading Larry's article on XP SP3 over here: http://www.eweek.com/article2/0,1759,2204198,00.asp
Near the beginning of the article he mentions something about needing an offline / disk-based version of the update process for people who can't connect to Microsoft Update each month to get up to date.  I shot him an email but we actually do offer something like this . . . well you have a variety of options for achieving this but probably the easiest is to just download our ISO image of security updates each month and burn it to CD or DVD (or if you have VPCs you can just mount the ISO image directly in your VPC).

Here's a KB article we use as a placeholder that links to each month's security update ISO image: http://support.microsoft.com/kb/913086

I've heard of other customers who set up WSUS on a laptop and each Patch Tuesday they sync it with our web site and then take the laptop to the various remote sites that need updating . . . they already have the remote sites configured to point to the laptop's WSUS service OR they have a WSUS server at that remote site that is configured to point to the laptop WSUS server and they just sync the remote site's WSUS server with the laptop each month.

You can learn more about WSUS here: http://technet.microsoft.com/en-us/wsus/default.aspx

Oh and this is all free stuff. :)

Comments
  • Interesting point at blogs.technet.com

  • Man I never knew about this either. I knew about WSUS or WUSS as we name it around the shop here. However having these downloaded to CD would be awesome. As a developer I have a lot of different Virtual Images, all for different servers and desktops my apps go on. Sometimes when working on a project another Virtual Machine may be off for a couple weeks or even months. So when I fire it up the first thing I need to do is patch it up to date. Well we block Windows update on the proxy server here so that way we control push out of updates through WSUS, well the problem with that is only machines on the domain get things pushed this way and none of my VMs are on the domain. So this means I need to take the VM home or go hook up to the contractor network to get updates and then I could be several months behind, which is why I do not use the contractor network as it doesn't have a lot of protection from outside sources so I usually have to wait until I get home.

    This will save me a ton of time and grief. Do you know if there is like an Automatic FTP or something of these ISP images, that way I can just set up an automatic FTP process to just go grab them monthly?

  • Hi Jeff,

    As I understand it, you run WSUS already within your company, in which case, you can use the local group policy editor (available in Windows 2000 and above) to acquire your updates.

    You can start the local group policy editor by either:

    - Start | Programs | Administrative Tools | Local Group Policy editor,

    - Start | Run | gpedit.msc | OK,

    - Command Prompt | gpedit.msc (my preference, since I work from the command line a lot).

    Once you're inside, you can navigate to the Automatic Update options area located at: Computer Configuration | Administrative Templates | Windows Components | Windows Update.

    Depending on which OS your VMs are running, you'll have a variable number of settings, but the two you'd be most interested in are titled "Configure automatic updates" and "Specify intranet Microsoft update service location" (or words to this effect - given the version changes over time).

    The "Configure" option is straightforward. Just pick one of the numerous options that suit your mode of operation, and click the OK button to accept the change.

    The "Specify" option is also quite straightforward. Just specify a reference such as "http://wsusserver.mycorp.com" in both lines, and you're good to go.

    Since the Automatic Updates service is Group Policy aware, the changes should take effect somewhat immediately (there is a caveat to this, but we'll leave that alone). If your image is Windows XP SP2 or Vista, you can force an immediate detection with this command "wuauclt /detectnow".

    Since Automatic Updates is an HTTP-based service, permissions won't typically be an issue, so this solution will work on any of your virtual machines irrespective of whether they're domain joined or not!

    In summary, whilst the CD option is wonderful, if your virtual machines are already network connected and able to ping your WSUS server (as a loose guideline), then with a few quick key/mouseclicks you can configure them to grab updates straight from your corporate WSUS server!

    Hope this helps!

    Cheers,

    Lain

  • Lain,

    This is Brilliant, thanks a million, I got it working on my 2003 r2 server right now, what is even better about doing this, is that it keeps all my Virtual Machines in line and at the correct patch levels with everything else internally. I told our WSUS guy what I was doing, he is working remotely today but when he gets back next week we are going to discuss it some more. For example, he usually doesn't push out Visual Studio updates and things like that through WSUS as there are only a few of us that use that. So we are going to discuss some other options in the setup of this. He didn't know we could do this from our images either. But this is great. Thanks again this saves a lot of time.

  • My pleasure.

    I deliberately didn't touch on it before, as it's an optional configuration item, but with WSUS you can group computers together in a defined manner. This means that all of your machines - be they VMs or otherwise, can be grouped together. Once this is achieved, you can approve patches just for this group.

    This means that your WSUS administrator could approve patches for the corporate environment as per usual, and then a few additional Visual Studio patches for your group of machines. (That said, if nobody else uses the Visual Studio components, then the clients will not pull down the updates - but I can understand your administrator's reluctance to approve them)

    I won't go into detail here on how to do this, as I'm hoping your administrator is familiar with the process. Suffice to say that there's more than one way to implement this, and if either yourself or your administrator require assistance or advice, then by all means shoot me an e-mail, as this probably isn't the right avenue for continuing the discussion. You can reach me on Lain_Robertson AT Hotmail.com.

    :)

    Cheers,

    Lain
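
The two policy settings described in the comments ("Configure automatic updates" and "Specify intranet Microsoft update service location"), plus the computer grouping mentioned in the follow-up, are stored as registry values, so they can be scripted for VMs that are not domain joined. The PowerShell below is an added example, not part of the original post or comments; the server URL is the placeholder from the comment, the `Dev-VMs` group name is hypothetical, and client-side targeting is only one of the ways to implement grouping.

```powershell
# Added example: registry equivalent of the Windows Update policies named in
# the comments, for VMs that do not receive domain Group Policy. Run elevated.
param(
    [string]$WsusUrl = 'http://wsusserver.mycorp.com',  # placeholder URL from the comment
    [ValidateRange(2, 5)]
    [int]$AUOptions = 4,       # 2=notify, 3=download+notify, 4=scheduled install, 5=local admin chooses
    [string]$TargetGroup = ''  # optional WSUS computer group, e.g. 'Dev-VMs' (hypothetical name)
)

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
foreach ($key in $wu, $au) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

function Set-Policy($Path, $Name, $Value, $Type) {
    # -Force overwrites an existing value so the script can be re-run safely
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# "Specify intranet Microsoft update service location": same URL in both lines
Set-Policy $wu 'WUServer'       $WsusUrl String
Set-Policy $wu 'WUStatusServer' $WsusUrl String
Set-Policy $au 'UseWUServer'    1        DWord

# "Configure automatic updates"
Set-Policy $au 'NoAutoUpdate'         0          DWord
Set-Policy $au 'AUOptions'            $AUOptions DWord
Set-Policy $au 'ScheduledInstallDay'  0          DWord   # 0 = every day
Set-Policy $au 'ScheduledInstallTime' 3          DWord   # 03:00 local time

# Client-side targeting: the machine reports itself into a WSUS computer group.
# The WSUS server must be set to accept group assignment from clients.
if ($TargetGroup) {
    Set-Policy $wu 'TargetGroupEnabled' 1            DWord
    Set-Policy $wu 'TargetGroup'        $TargetGroup String
}

# Make the Automatic Updates service re-read policy, then force a detection
Restart-Service wuauserv
& wuauclt.exe /detectnow

# Read the values back so the change can be confirmed on the VM
Get-ItemProperty $wu | Select-Object WUServer, WUStatusServer, TargetGroup
Get-ItemProperty $au | Select-Object UseWUServer, NoAutoUpdate, AUOptions
```

After the detection cycle, the VM should appear in the WSUS console, and `%windir%\WindowsUpdate.log` shows which server the client contacted.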
