Manually Install Patches to WSUS

Question

I currently have a WSUS server on my network to push patches but I am not sure how to get the patches onto my WSUS without internet. We have used the offline updater in the past but that pulls everything and then we will have to go through them all. A lot gets moved into the declined section where I cant delete anything out of so it just fills up. Is there a way I can download the specific updates I need on a system with internet and then upload them into a WSUS server? In the past I have just manually installed the patches without the WSUS so I dont know much about it. If a system is years out of date or create a new 2019 server do I have to install all of the 2019 patches or just the past year or so worth?

Answer 1

You need to run 2 WSUS servers. 1 that is online, 1 that is offline, and then you approve and download the update from the Online system, export the metadata and copy the data over to the offline system via media and then import the metadata on the offline system using WsusUtil.exe import

It's very well documented on Microsoft's site.

Just filling up data is because you've not been running the maintenance that WSUS requires.

https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-8-wsus-server-maintenance/

I'd recommend reading the whole blog series as it deals with all aspects of running a WSUS server, from installation, to management, to SSL, etc.

Just to be clear - "WSUS Offline Update" is not a Microsoft product.

Answer 2

All supported OS's (Windows Server 2016+, Windows 10+) are all using cumulative updates for it's main security updates. There are stragglers (.NET, windows defender, and possibly some others) that would have separate updates, but generally it's the current Cumulative Update (CU) and that's it. Sometimes you'll have to install an Servicing Stack Update (SSU) before the CU, but I think 2012 was the last OS that separated the SSU from the CU. Generally the SSU is embedded as part of the CU.