How to Patch Air-Gapped Windows Servers using WSUS Offline

Patching servers in an offline or “air-gapped” environment is a common challenge for SysAdmins. While Microsoft’s official WSUS role typically requires a network connection, the third-party tool WSUS Offline Update allows you to “bring the internet to the server” via a USB stick or DVD.

When to use this method?

This is an ideal solution for a one-time update or for small environments where setting up a complex, multi-tier WSUS architecture isn’t practical.

Note: This requires a “bridge” machine—a computer with internet access where you will build the update repository before moving it to the offline server.


Phase 1: Creating the Update Media (On the Online Machine)

  1. Download the Tool: Head to wsusoffline.net and download the latest version.
  2. Extract and Launch: Extract the ZIP file and run UpdateGenerator.exe.
  3. Select Your OS: Check the boxes for the operating systems you need to patch (e.g., Windows Server 2016, 2019, or legacy versions like 2008 R2).
  4. Download: Click Start. The tool will download all missing patches from Microsoft’s servers into a local folder.
    • Size Tip: Expect downloads to range from 800 MB to several GB, depending on the OS version.
  5. Transfer: Copy the entire wsusoffline folder to your removable media (USB Drive, External HDD, or burn it to a DVD).

Phase 2: Patching the Offline Server

  1. Insert Media: Plug your USB drive into the offline server.
  2. Navigate to Client: Open the wsusoffline folder, then open the “client” subfolder.
  3. Run Installer: Execute UpdateInstaller.exe.
  4. Configure & Start: Select your desired options (like “Automatic reboot and recall”) and click Start.

The tool will now simulate a local Windows Update session, installing all the downloaded patches without ever needing a network connection.
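
The procedure above carries a folder of installers across the air gap on removable media, so it is worth confirming that what arrives on the server is what the bridge machine downloaded. The following PowerShell is an added example, not part of the original post or of WSUS Offline Update: it writes a SHA-256 manifest of the wsusoffline folder on the bridge machine and reports missing, modified or unexpected files on the offline server. It assumes PowerShell 4.0 or later on both machines; the function names, manifest file name and paths are illustrative.

```powershell
# Added example, not part of WSUS Offline Update. Requires PowerShell 4.0+ (Get-FileHash).
# Function names, manifest file name and all paths below are assumptions.
function New-TransferManifest {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$ManifestPath)
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -File -Force | ForEach-Object {
        [pscustomobject]@{
            # Relative paths, so the drive letter may differ on the offline server
            RelativePath = $_.FullName.Substring($rootFull.Length + 1)
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
    # Hash of the manifest itself: record it out of band and compare on the server
    (Get-FileHash -LiteralPath $ManifestPath -Algorithm SHA256).Hash
}

function Test-TransferManifest {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$ManifestPath)
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $expected = @{}   # PowerShell hashtables are case-insensitive, like Windows paths
    foreach ($row in Import-Csv -LiteralPath $ManifestPath) {
        $expected[$row.RelativePath] = $row.SHA256
    }
    $problems = @()
    foreach ($rel in $expected.Keys) {
        $full = "$rootFull\$rel"
        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            $problems += [pscustomobject]@{ Status = 'Missing'; Path = $rel }
        } elseif ((Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash -ne $expected[$rel]) {
            $problems += [pscustomobject]@{ Status = 'Modified'; Path = $rel }
        }
    }
    # Anything on the media that was not in the download folder when it was hashed
    foreach ($file in Get-ChildItem -LiteralPath $rootFull -Recurse -File -Force) {
        $rel = $file.FullName.Substring($rootFull.Length + 1)
        if (-not $expected.ContainsKey($rel)) {
            $problems += [pscustomobject]@{ Status = 'Unexpected'; Path = $rel }
        }
    }
    $problems
}

# Bridge machine, after UpdateGenerator.exe has finished (paths are examples):
#   New-TransferManifest -Root 'C:\wsusoffline' -ManifestPath 'C:\Temp\wsusoffline.manifest.csv'
# Offline server, before running client\UpdateInstaller.exe:
#   $bad = Test-TransferManifest -Root 'E:\wsusoffline' -ManifestPath 'F:\wsusoffline.manifest.csv'
#   if ($bad) { $bad | Format-Table -AutoSize; throw 'Media does not match the manifest.' }
```

Carry the manifest on separate media from the update folder, or compare the manifest hash printed by New-TransferManifest against a copy recorded out of band, since a manifest stored beside the files it describes can be altered along with them.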

#WSUS #AirGapped #SysAdmin #WindowsServer #CyberSecurity #ITAdmin #TechTips #OfflinePatching #LazyAdmin #ServerMaintenance