Patch Management

How to Patch Air-Gapped Windows Servers using WSUS Offline


Patching servers in an offline or “air-gapped” environment is a common challenge for SysAdmins. While Microsoft’s official WSUS role typically requires a network connection, the third-party tool WSUS Offline Update allows you to “bring the internet to the server” via a USB stick or DVD.

When to use this method?

This is an ideal solution for a one-time update or for small environments where setting up a complex, multi-tier WSUS architecture isn’t practical.

Note: This requires a “bridge” machine—a computer with internet access where you will build the update repository before moving it to the offline server.


Phase 1: Creating the Update Media (On the Online Machine)

  1. Download the Tool: Head to wsusoffline.net and download the latest version.
  2. Extract and Launch: Extract the ZIP file and run UpdateGenerator.exe.
  3. Select Your OS: Check the boxes for the operating systems you need to patch (e.g., Windows Server 2016, 2019, or legacy versions like 2008 R2).
  4. Download: Click Start. The tool will download all missing patches from Microsoft’s servers into a local folder.
    • Size Tip: Expect downloads to range from 800 MB to several GB, depending on the OS version.
  5. Transfer: Copy the entire wsusoffline folder to your removable media (USB Drive, External HDD, or burn it to a DVD).

Phase 2: Patching the Offline Server

  1. Insert Media: Plug your USB drive into the offline server.
  2. Navigate to Client: Open the wsusoffline folder, then open the “client” subfolder.
  3. Run Installer: Execute UpdateInstaller.exe.
  4. Configure & Start: Select your desired options (like “Automatic reboot and recall”) and click Start.

The tool will now simulate a local Windows Update session, installing all the downloaded patches without ever needing a NIC connection.
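Because the removable media is the only path into the air-gapped network, it is worth confirming that what reaches the offline server is exactly what the bridge machine downloaded. The script below is an added example, not part of WSUS Offline Update or the original post: it writes a SHA-256 manifest on the bridge machine and checks the media against it on the offline server. The function names, manifest file name and drive letters are assumptions, and it requires PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not part of WSUS Offline Update. Requires PowerShell 4.0+ (Get-FileHash).
# Function names, the manifest file name and the drive letters are assumptions.

function Get-RelativeFiles {
    # Lists every file under $Root together with its path relative to $Root.
    param([Parameter(Mandatory)][string]$Root)
    $full = (Resolve-Path -LiteralPath $Root).ProviderPath
    $prefixLength = $full.TrimEnd('\').Length + 1
    foreach ($f in Get-ChildItem -LiteralPath $full -Recurse -File) {
        [pscustomobject]@{ Full = $f.FullName; Rel = $f.FullName.Substring($prefixLength); Ext = $f.Extension }
    }
}

function New-UpdateManifest {
    # Bridge machine: record the SHA-256 of every file on the media.
    # Write the manifest OUTSIDE $Root so it is not hashed while it is being written.
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$ManifestPath)
    Get-RelativeFiles -Root $Root | ForEach-Object {
        [pscustomobject]@{ Path = $_.Rel; SHA256 = (Get-FileHash -LiteralPath $_.Full -Algorithm SHA256).Hash }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-UpdateMedia {
    # Offline server: emits one finding per problem; no output means the media matches the manifest.
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$ManifestPath)
    $expected = @{}   # PowerShell hashtable literals compare keys case-insensitively, like NTFS paths
    foreach ($row in Import-Csv -LiteralPath $ManifestPath) { $expected[$row.Path] = $row.SHA256 }
    foreach ($f in Get-RelativeFiles -Root $Root) {
        if (-not $expected.ContainsKey($f.Rel)) { "UNEXPECTED $($f.Rel)"; continue }
        if ((Get-FileHash -LiteralPath $f.Full -Algorithm SHA256).Hash -ne $expected[$f.Rel]) {
            "MODIFIED   $($f.Rel)"
        }
        # Assumption: Microsoft-issued .msu/.cab packages carry an Authenticode signature.
        elseif ($f.Ext -in '.msu', '.cab') {
            $sig = Get-AuthenticodeSignature -LiteralPath $f.Full
            if ($sig.Status -ne 'Valid') { "SIGNATURE  $($f.Rel) ($($sig.Status))" }
        }
        $expected.Remove($f.Rel)
    }
    foreach ($missing in $expected.Keys) { "MISSING    $missing" }
}

# Bridge machine, after copying the folder to the media (example paths):
#   New-UpdateManifest -Root 'E:\wsusoffline' -ManifestPath 'C:\manifests\wsusoffline.csv'
# Offline server, before running the installer (example paths):
#   $findings = Test-UpdateMedia -Root 'E:\wsusoffline' -ManifestPath 'D:\wsusoffline.csv'
#   if ($findings) { $findings; throw 'Media failed verification; do not run the installer.' }
```

Carry the manifest, or at least its own hash, separately from the update media; a manifest stored on the same writable USB stick can be altered along with the files it describes.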


Reclaiming Space: How to Clean Up WinSxS on Windows Server 2008 R2


The C:\Windows\WinSxS directory is notorious for growing over time as it stores multiple versions of DLLs and backup files for Windows Updates. On a long-running Server 2008 R2 instance, this folder can easily consume 10GB–20GB of precious SSD or SAN storage.


Step 1: Install Disk Cleanup (Without a Reboot)

In Server 2008 R2, the Disk Cleanup utility is technically part of the “Desktop Experience” feature. Usually, installing this requires a reboot—something most admins want to avoid.

Instead, you can install the standalone update package (KB2852386), which specifically adds Disk Cleanup functionality.

Step 2: Launching the Cleanup Wizard

Once the update is installed, you won’t find it in the Start Menu immediately. You can launch it via the command line:

  1. Open Run (Win + R).
  2. Type cleanmgr and hit Enter.
  3. Select your C: Drive.

Step 3: Cleaning System Files (The “WinSxS” Secret)

To actually shrink the WinSxS folder, you must target the Windows Update files.

  1. When the wizard opens, click the Clean up system files button (this requires Administrator privileges).
  2. The tool will scan again. Look for the new option: Windows Update Cleanup.
  3. Check this box along with any other items you want to remove (Service Pack Backup files, etc.).
  4. Click OK.

Step 4: Finalizing the Shrink

Unlike standard file deletion, the WinSxS cleanup happens during the next reboot.

  • When you restart the server, you will see a message: “Configuring Windows updates, X% complete. Do not turn off your computer.”
  • Do not interrupt this process. This is the system physically removing the redundant files from the WinSxS directory.

The Result: After the reboot, you should see a significant drop in the size of your Windows directory—often saving several gigabytes of space.
