To patch Windows servers on an air-gapped network, you run a connected WSUS server to download and approve updates, then transfer the metadata and content files to an offline WSUS server using removable media. The offline WSUS then serves those updates to your isolated endpoints. The catch most guides miss: the export moves metadata only, not the update files or your approvals.
We have set this up for offline environments in banks and manufacturing plants. The mechanics are not hard. The traps are what cost teams days.
This guide walks through the full process and the mistakes that break it.
Contents
- 1 Why Air-Gapped Patching Is Different
- 2 WSUS, WSUS Offline Updater, or SCCM — Which One?
- 3 What You Need Before Starting
- 4 How Far Back Do You Need to Go?
- 5 Step-by-Step: Patching With WSUS Export and Import
- 6 Patching Third-Party Apps Offline (Chrome, Adobe, Java)
- 7 Common Mistakes That Break Offline Patching
- 8 Why Offline Teams Stay on WSUS
- 9 How Long Air-Gapped Patching Takes
- 10 Reducing the Manual Burden
- 11 Frequently Asked Questions
Why Air-Gapped Patching Is Different
Air-gapped network — a network physically isolated from the internet and all external connections.
A normal Windows server pulls updates straight from Microsoft. An air-gapped server cannot reach Microsoft at all. So the updates have to be carried in by hand.
That hand-carry process is called sneakernet. You download on a connected machine, copy to a USB drive or one-way gateway, and import on the offline side.
Skipping patches is not an option. Insider threats, infected USB drives, and zero-day bugs still hit isolated networks. Compliance rules like RBI, ISO 27001, and NIST all expect current systems.
WSUS, WSUS Offline Updater, or SCCM — Which One?
People mix these three up constantly. They are not the same tool.
WSUS (Windows Server Update Services) — Microsoft’s server role for approving and distributing updates from a local server.
WSUS Offline Updater is a separate free community tool, now continued as “UpdateGenerator.” It downloads updates into a portable repository you run from a USB drive or share. It suits small or standalone setups with no WSUS server.
SCCM (now Configuration Manager) is Microsoft’s full enterprise suite. It runs WSUS under the hood for the update role and adds inventory, deployment, and reporting. It is heavier and licensed.
For most air-gapped server environments, two WSUS servers with export and import is the standard approach. This guide focuses on that method.
What You Need Before Starting
You need two WSUS servers. One connected to the internet, one inside the air gap.
You also need removable media large enough for the content, and a malware-scanning step in between. Many teams scan the drive on a tool like OPSWAT before it touches the offline side.
One important note on WSUS itself. Microsoft deprecated WSUS in September 2024. Deprecation means no new features, but existing functionality stays and updates keep flowing through the WSUS channel. Microsoft has committed to support it for the duration of the Windows Server 2025 lifecycle, which runs to around 2035. For offline networks it remains the standard tool, because the recommended cloud replacements cannot reach an air gap.
How Far Back Do You Need to Go?
A common worry: systems have not been patched in months, so which updates do you actually need?
You do not guess, and you do not download the entire catalog blindly. Let the clients tell you what they need.
First, get update metadata onto the offline WSUS. Then point clients at it and let them scan. Each client reports exactly which approved updates it is missing.
You then pull only those specific update files on the connected side and carry them over. This is far smaller than mirroring Microsoft’s whole catalog.
Step-by-Step: Patching With WSUS Export and Import
Here is the full workflow from the connected side to the offline endpoints.
Step 1 — Sync and Approve on the Connected WSUS
On your internet-connected WSUS, sync updates from Microsoft as normal. Then approve only the updates you actually want.
Approving selectively matters. Approving everything pulls a giant content folder you will have to carry every month. Curate first.
Step 2 — Export the Metadata
Open a command prompt as administrator on the connected WSUS. Navigate to the tools folder.
cd "C:\Program Files\Update Services\Tools"
wsusutil.exe export C:\WSUSExport\export.xml.gz C:\WSUSExport\export.logThis creates a metadata package. Here is the trap: this export contains metadata only. It does not include the actual update files, and it does not include your approvals.
Step 3 — Copy the Content Files Separately
The real update binaries live in the WsusContent folder. You must copy them by hand
Source: D:\WSUS\WsusContent\
Target: same path on the offline WSUSCopy this folder to your removable media alongside the metadata package. Without it, your offline WSUS will know about updates it cannot actually deliver.
Step 4 — Scan the Media
Before the drive touches the air gap, scan it for malware. This is your one bridge between two worlds, so treat it as the highest-risk step.
A failed scan stops here. Do not carry an unscanned drive into an isolated network.
Step 5 — Import on the Offline WSUS
Carry the media to the offline WSUS. Copy the WsusContent files into the same path first. Then import the metadata.
cd "C:\Program Files\Update Services\Tools"
wsusutil.exe import C:\WSUSImport\export.xml.gz C:\WSUSImport\import.logCopy content before you import metadata. If you import first and approve updates whose files are missing, WSUS gets stuck showing thousands of updates “needing files.”
Step 6 — Re-Apply Your Approvals
Your approvals did not travel with the export. You have to reproduce them on the offline side.
The cleanest way is to export approved update IDs from the connected WSUS using PowerShell, carry that list over, and re-approve by ID.
Import-Module UpdateServices
Get-WsusUpdate -Approval Approved -Status Any |
Select-Object UpdateId, Title |
Export-Csv "E:\WSUS\approved.csv"This single step is what most teams forget. It is the difference between a working offline WSUS and a console full of unapproved updates.
Step 7 — Point Clients and Deploy
Configure your offline servers to use the local WSUS through Group Policy. Set the WSUS server URL and let clients scan against it.
Clients then report what they need, pull approved updates, and install on your schedule.
Patching Third-Party Apps Offline (Chrome, Adobe, Java)
Most attacks target third-party apps, not Windows itself. Chrome, Adobe Reader, Java, and Zoom are common entry points.
Plain WSUS does not patch these. It handles Microsoft products only. This is the single biggest gap teams hit on offline networks.
The fix is third-party patching tools that publish updates into WSUS using your local signing certificate. You publish on the connected WSUS first, then export and import like any other update.
One key detail: the WsusContent folder must travel to the offline side. Third-party updates are signed with your WSUS certificate, so the offline clients need that content to install them.
If you skip third-party patching, you leave your most-exploited software unpatched. Plan for it from the start.
Common Mistakes That Break Offline Patching
A few errors come up again and again. Knowing them saves days.
The first is the metadata-only trap. Teams export, import, and assume they are done, then find no update files arrived.
The second is missing approvals. The export never carried them, so the offline console looks empty.
The third is the “needing files” lockup. This happens when you approve updates before their content is in place.
The fourth is carrying everything monthly. Without curation, the content folder grows huge and the sneakernet routine becomes unmanageable.
Why Offline Teams Stay on WSUS
Microsoft now points users to cloud tools: Windows Autopatch and Intune for clients, and Azure Update Manager for servers. None of these work on a true air gap, because they all need a connection to Azure.
There is also a cost angle. Azure Update Manager runs around $5 per server each month, which adds up fast across hundreds of servers. For offline, cost-sensitive environments, WSUS plus sneakernet remains the practical path.
How Long Air-Gapped Patching Takes
Expect real time investment, especially the first cycle. The initial content sync and transfer can run several hours depending on how many updates you approve and your media speed.
Monthly cycles are faster once you only carry new approved content. For a network under 500 endpoints, a practiced team can run a monthly cycle in a few hours of active work.
The manual steps are where time and risk pile up. Each transfer is a chance for human error.
Reducing the Manual Burden
The WSUS method works, but it is heavy on manual steps. Every export, copy, scan, and re-approval is done by hand each cycle.
Some teams reduce this with managed offline patch tools that automate the transfer, approval syncing, and reporting inside the air gap. Anakage is one option worth considering here, built for offline and air-gapped enterprise networks where manual sneakernet does not scale. It suits compliance-heavy Indian environments, though smaller teams comfortable with manual WSUS may not need it.
Whatever you choose, the goal is the same: current systems, clean audit reports, and fewer chances for human error.
Frequently Asked Questions
Q: How do you patch Windows servers without internet?
A: Use two WSUS servers, one connected and one offline. Download and approve updates on the connected server, then transfer the metadata and content files to the offline server by removable media. The offline WSUS serves updates to your isolated endpoints.
Q: How far back do I need to go if systems are months behind?
A: Do not download the whole catalog. Load update metadata onto the offline WSUS, point clients at it, and let them scan. Each client reports the exact updates it needs, so you only carry those files across.
Q: Does wsusutil export include update files?
A: No. The wsusutil export creates a metadata package only. You must copy the WsusContent folder separately, and your approvals do not transfer either. This is the most common reason offline patching fails.
Q: Can WSUS patch third-party apps like Chrome and Adobe offline?
A: Not on its own. WSUS handles Microsoft products only. You need a third-party patching tool that publishes updates into WSUS with your signing certificate, then export and import them with the WsusContent folder like any other update.
Q: What is the difference between WSUS and WSUS Offline Updater?
A: WSUS is a Microsoft server role for approving and serving updates. WSUS Offline Updater is a separate free community tool that builds a portable update repository you run from a drive or share. The community tool suits small or standalone setups without a WSUS server.
Q: Why does my offline WSUS show updates “needing files”?
A: This happens when you approve updates before their content files are in place. WSUS expects to download missing content from Microsoft, which it cannot do offline. Copy the WsusContent folder before approving updates.
Q: Is WSUS still supported for air-gapped patching?
A: Microsoft deprecated WSUS in September 2024, but it still works and still receives updates through its channel. Support runs through the Windows Server 2025 lifecycle, to around 2035. It remains the standard tool for offline Windows patching today.
Q: How do you transfer update approvals to an offline WSUS?
A: Approvals do not move with the export. Export the approved update IDs from the connected WSUS using the UpdateServices PowerShell module, carry the list across, and re-approve by ID on the offline side.
Patching an air-gapped network comes down to moving two things correctly: the metadata and the content, in the right order, with approvals rebuilt on the offline side. Get that sequence right and the rest is routine.
If your team runs a large or compliance-heavy offline network and the manual cycle is wearing thin, Anakage offers a demo of its offline patch and asset management approach at anakage.com/book-a-demo — worth a look if manual WSUS no longer scales for you.