Air-gapped Windows Patching ( Servers and PC )
Posted by LunarObsidian@reddit | sysadmin | View on Reddit | 34 comments
I am trying to patch a great number of servers and PC running in an air-gapped environment and low connectivity. So, directly downloading from windows is not possible, as well as intune is not possible, as well as Azure Update Manager is not possible, as it is expensive for us.
We are using WSUS currently, but it is already deprecated, and will be moved out by Server 2025. So, I am looking at an alternative which could patch the servers effortlessly.
heisenbergerwcheese@reddit
Check out IVANTI, not sure of your budget, but it is great for patching isolan environments for windows/cots
BigLeSigh@reddit
I’d avoid I anti, shady business practices and half their products are full of bugs and vulnerabilities from 20 year old code.
oubeav@reddit
We use Chocolatey. Its been working great.
LunarObsidian@reddit (OP)
I knew it was only for packages. It works for windows updates too ? How does one export and import them for different win versions ?
chickibumbum_byomde@reddit
it's always a bit manual by nature, there’s no “fully effortless” solution once you remove internet access.
WSUS still works for now, but long term most setups move to an offline update workflow instead of replacing it 1:1. That usually means syncing updates on a connected system, exporting them, and importing into the air-gapped environment, sometimes combined with scripting or tools like SCCM/MECM if available.
The real challenge isn’t just getting patches in, it’s knowing what’s actually patched and what failed. That’s where many setups struggle.i recommend any form of monitoring, specially log watching with anything windows and preferably counter based monitoring, it'll help you track patch status, failures, and missing updates across systems, so you’re not manually verifying everything. so there’s no perfect replacement for WSUS in air-gapped setups, it’s more about building a reliable offline pipeline and making the results visible.
GeneMoody-Action1@reddit
This has always been an issue with WSUS, it "offers" vs "installs/enforces/validates" then offers little to nothing in the way of validation and or awareness enterprise wide.
It comes from a simpler time where demands and compliance were different creatures entirely.
With limited bandwidth and needing it offline, the options that are dependable and easy to use will be very limited if nonexistent.
I used to stand in the camp of "why are huge companies not investing in a replacement, as the market seems there?" But in reality, the market IS only there because of a bad pattern of behavior. Live/Controlled/Gated/Monitored is far more secure, and accurate when you consider what can and likely does go wrong in WSUS even not under manual sync constraints. And in this day in age, fast/live/accurate is the #1 requirement.
I know why people cling to WSUS, but to claim it as being the best at anything 20y after its original inception is just expecting a donkey to be a race horse.
Inquisitor_ForHire@reddit
So how airgapped are these things? Our "air gapped" systems are actually just on an isolated VLAN. We used to have a workgroup WSUS server that had two nics. one on the production network and one on the restricted network. We kept it on the restricted network most of the time, but at patch time we'd use the hypervisor remote control to change networks, grab all the latest patches from Microsoft, then move it back to the limited network and let everything patch. This was several years ago at a different job, but it worked well. Could probably completely automate the entire process now.
Current job we just have a WSUS box in the limited network with proxy access to the Internet to grab the patches. It's the only thing that can reach outside the vlan and even then can only hit MSUpdate (and anti virus vendor for patches to that).
GeneMoody-Action1@reddit
There is no effortless offline patching. Even with WSUS it was never effortless. Offline sync introduced failure and compromise potential. In reality there is more security in tightly regulated live connection over airgap. But in your case it is bandwidth.
What sort of real bandwidth are we looking at here?
wanderinggoat@reddit
I used to use this which worked really well , I haven't used it in 5 or 6 years though https://download.wsusoffline.net/
LunarObsidian@reddit (OP)
I did see that, but it's development stopped since 2020.
the_wonky_eyed_one@reddit
The offline WSUS scan cab is on version 2.
It a bit of work the first go around but each iteration after is easier.
https://learn.microsoft.com/en-us/windows/win32/wua_sdk/using-wua-to-scan-for-updates-offline?tabs=powershell
The download URL is the same every month for the .cab and it's updated every patch Tuesday.
Download it, sneaker net it, scan an endpoint, download the appropriate KBs based on the output.
Than script the .cab expansions (DISM & PowerShell) and the .msi installs.
For each loop with try and catch and then spot check.
Essentially you script out WSUS in PS.
sdrawkcabineter@reddit
Dubai Chocolatey?
Ma7h1@reddit
Air-gapped patching is always challenging — especially with WSUS going away.
From my experience, the real problem isn’t just deploying updates, but knowing if everything actually worked.
That’s where something like Checkmk helps a lot. You can:
So even if you handle patch distribution offline (WSUS alternative, scripts, internal repos), Checkmk gives you the visibility layer on top.
I’m using a similar approach in my homelab, and it makes a big difference — without that, you’re basically guessing if systems are up to date.
So I’d split it like this:
👉 deployment = separate problem
👉 visibility (Checkmk) = what makes it manageable (at least for me)
Kindly_Revert@reddit
Thanks chatgpt
Ma7h1@reddit
good as starting point
resal1510@reddit
We are using Tanium and it doing a very great job for patching a lot of servers effortlessly. Just takes a bit of time to configure it well at the beginning.
They also provide a solution for air gapped environnements, maybe it may interest you !
FatalSky@reddit
Mostly third party stuff and custom scripts. Microsoft has no official stance on airgapped systems other than offering a up to date full install. RHEL went the same way with sunsetting their offline activation system. So no matter what you’re dealing with third party stuff to create a repo on both ends and sneakernet patches across. Real fun when you have a CVE for virus definitions every 24 hours.
Fun fact, there are no STIGS for disabling COM ports. 1986 ZMODEM protocol and a Data Diode Script that splits a zip across 6 COM ports for bandwidth, and a send and receive task schedule would be some real cowboy shit. You’d have to have a gps or radio based time server for time synchronization on your gapped system and good physical security in place.
SecureNarwhal@reddit
wsus still works in server 2025
does it work well? no and there will be no improvements. but it'll work.
I do not know what Microsoft's recommended solution for air-gapped windows networks will be or if they are even working on one.
LunarObsidian@reddit (OP)
I am using WSUS, and looking for an alternative to sunset it for good. I don't think microsoft is working on anything for air-gapped. They are pushing for cloud based.
SecureNarwhal@reddit
I'm in the same boat, we are exploring ansible but replacing wsus is being treated as a 2035 problem
sudontpls@reddit
I have had pretty good success with BatchPatch for patching my offline Windows machines but it is a paid software
https://batchpatch.com/
ntwrkmstr@reddit
+1 Worked well to handle patching in an airgapped network we had for a while. Worth the money
opsandcoffee@reddit
look at SecOps Solution, there on-premise solution allows you to separately download the patches which you can then deploy to your target machines. for low connectivity environment they also have a distribution server mechanism, wherein a separate host is used to download the patch and then can be deployed to target machines
Sylogz@reddit
We use a Python script to check for new versions and download all programs, updates. Then we transfer the packages internally into the different sites. We have a monitoring server on each site that also act as ansible control node/file repository that we sync with.
Dev gets updated first with ansible. If all is good we update the other sites. The Python script update the variables in our ansible scripts with right KB and such so we dont have to enter things manually.
It works great, maybe someone else have solved it in a better way.
_CyrAz@reddit
Wsus is not deprecated in the way you imply it, it's still supported and perfectly capable of patching ws2025 servers. Read here : https://techcommunity.microsoft.com/blog/windows-itpro-blog/windows-server-update-services-wsus-deprecation/4250436
xxdcmast@reddit
Do you have connectivity to all the systems once inside your air gapped environment? If so you can prob use pdq inventory/deploy.
You would need a server outside the air gapped environment with internet connectivity and another inside the air gap.
https://help.pdq.com/hc/en-us/articles/114094217812-Create-Packages-for-Air-gap-Offline-No-Internet-Networks
LunarObsidian@reddit (OP)
This sounds great and very straightforward. Does it have scope for automation ?
PDQ_Brockstar@reddit
Automations are based on schedules and triggers that you create and customize. Here’s a quick rundown:
https://help.pdq.com/hc/en-us/articles/8464331123483-Creating-Deployment-Schedules
protogenxl@reddit
look at ManageEngine Patch Manager Plus, the on premise control server will download the patches then either push them to clients or send them to a relay server that will then push to the clients.
jclimb94@reddit
We have a few of these about the place. They're covered by N-Central.
If N-Central fails then we us an app called batchpatch, which caches the updates and pushes them across the LAN to the device in question. It can be automated also and run via scheduled tasks.
Bendy_ch@reddit
I'm in a similar situation. There are 3rd Party applications that push the updates, but these need a management agent on the Target machines. Would that be an option?
LunarObsidian@reddit (OP)
I'm looking at those alternatives as well. But, nothing finalized per se.
joeykins82@reddit
Given that the updates themselves have been greatly simplified it really shouldn’t be complicated to just write a PS script to apply these based on the OS build & caption as a scheduled task or during shutdown/restart from a network share.
Just download the .msu files. Is it ideal? No, but realistically it’s unavoidable in an air gapped scenario.
Kruxx269@reddit
https://learn.microsoft.com/en-us/windows/win32/wua_sdk/using-wua-to-scan-for-updates-offline?tabs=vbscript This article will help