Patching with WSUS Offline Open Source Project

I'm constantly spinning lab VMs for testing and validating ideas, also to cinstatly practicing basics of system administration. Sadly there might be periods where I will forget to update my teamplate images I use to clone and sysprep Windows machines. I started playing with a solution called WSUS Offline from an open source project that aids in building several automated ways to install critical patches on a machine making it safe to connect that machine to the web for downloading none critical or security patches. This is not only great for virtual labs but when participating on Red vs Blue challenges and you are in the blue team looking for a quick way to apply security patches.

The tool allows creating collections of patches for:

  • Windows 2003
  • Windows 2008/2008 R2
  • Windows 7
  • Windows 8/8.1
  • Windows 2012/2012 R2
  • Office 2007/2010/2013
  • Microsoft Security Essentials
  • Visual Studion C++ Runtime
  • Microsoft .Net Framework
  • Windows Defender Signatures
  • Windows Essentials 2012

The program allows one to create a patch respository for use as:

  • Folder in a Hard Drive, Network Share or USB Stick.
  • ISO Image per OS, Lamguage and Architecture.

To start using the solution we only need to download the latest build from , unblock the zip file from file explorer or PowerShell and decompress its content in the location you want to run and save all of the temporary data. Make sure you have 10GB of free space or more since depending on the option selected it is a large amound of files that will be downloaded.

When we run the Update Generator we get a Window that lets us select what updates we want to download, location, if we want to create ISO images or not. We can even point it to a WSUS Server on the network to download its updates from.

Some things to keep in mind are: * It already has selected x86 updates and you need to select x64 ones. * If ISO creation is selected it will occupy more space since a copy of the updates is done for each ISO.

Once we have selected the updates we want and how we want them stored for use we simply click on Start and it will start the process of downloading, validating and configuring the updates for deployment.

The process can take several minutes to hours depending on the speed of the internet connection, CPU and storage used by the system running the Update Generator.

Once finished we will see a scree that gives us the option to look at the logs of the process so we can identify any warnings that may impact us if any.

After it is finished if you selected for the creation of ISO images you can go in to the iso folder of where you selected the location for the final files and yu should see ISO images per platorm and architecture as well as a text file with file hashes for each ISO. It will generate hashes using MD5, SHA1 and SHA2.

In the following image I mounted the ISO on a freshly installed Windows 7 virtual machine. To start the process we only need to run UpdateInstaller.exe on the root of the update location and we will be presented with a window to select what updates we want to install and upgrades to components if any.

If you do not want to be running the application after each reboot by hand select "Automatic Reboot and Recall" option. It will disable UAC during the process and it will auto logon the current user. It will revert the settings to their orifinal stated when finished.

When the options have been selected just click on Start and let it start installing all critical and security patches.


One thing to remind you off is that this will only install Critical and Security Patches. After the process finished on this machine there where still 62 none critical patches left to install. You can read more on this at if you want to add additional updates you can and it is a manual process described here