How does one set up a WSUS server for an air-gapped system on Windows Server 2022?

Question

How does one set up a WSUS server for an air-gapped system on Windows Server 2022?

Daniel Miller 0

I am attempting to stand up a WSUS installation to support an air-gapped network. I am setting up two VMs for Windows Server 2022 (8 core, 16GB RAM, 384GB storage), one inside the air-gapped network and one that can connect to the general internet. The intent is to use wsusutil to export the updates to some removable media for the trip across the gap.

After installing Server 2022 with OSD media and updating the Internet connected VM (no security policies applied or other software installed), I installed the WSUS role and required features, ran the post installation tasks, and altered IIS settings for unlimited private memory limit. When doing the initial synchronization in the WSUS Configuration Wizard, the application crashes with:
System.FormatException -- The specified text did not contain a token for the specified linkIndex.

Source

Microsoft.UpdateServices.UI.SnapIn

Stack Trace:

at Microsoft.UpdateServices.UI.SnapIn.Controls.CustomControls.FormatLinkText(String text, Int32 linkIndex, LinkArea& linkArea, Object[] formatters)

at Microsoft.UpdateServices.UI.SnapIn.Wizards.OOBE.BaseOOBEContentPane.ShowError(ExtendedTableLayoutPanel notificationArea, String errorText, String linkText, LinkLabelLinkClickedEventHandler linkClickedEventHandler)

at Microsoft.UpdateServices.UI.SnapIn.Wizards.OOBE.ConnectToUSSContentPane.OnSyncCompleted(Object sender, GetSyncStatusCompletedEventArgs e)

While the error indicates that the process did complete the initial sync, the MMC panel indicates that configuration has not been completed. I have found references to someone encountering this error when configuring a WSUS replicant and they reported the issue fixed after synchronizing to a peer node then switching it back to the intended upstream node, but there is no peer node to switch things to in this case (the organization I work for has yet to deign to implement WSUS for the general machine population). I have attempted to go through all the configuration points in the options, but the panel still prompts to run the configuration wizard.

I have tried both WID and MSSQL for the WSUS data with no avail. I have also tried to set things up with powershell scripts with the same end. I have also run into the same issue on another bare-metal installation of Server 2022.

Further for the VM in the air-gapped network, it is not clear from the documentation how one completes the post-installation configuration to get to the point you can import the data from the Internet connected WSUS instance.

I have successfully set up WSUS before, so running into these showstoppers on a vanilla installation is a bit vexing. I am looking for a means to get the GUI setup to work or guidance to complete the setup via some scripting, preferably in Powershell. Suggestions would be appreciated.

Adam J. Marshall 10,356 Reputation points

2024-12-11T20:04:27.6066667+00:00

Before installing WSUS, is your server fully up to date with patches from online? Or are you doing this on a RTM copy of server 2022? Are there any policies in play that may disable TLS or muck with other settings?

As for the air-gapped one - run the postinstall and then, you just copy the WsusContent folder from your media and then import the metadata with wsusutil.
Daniel Miller 0 Reputation points

2024-12-12T19:55:13.78+00:00

As described, the VM was installed with OSD media from MS (SW_DVD9_Win_Server_STD_CORE_2022_2108.35_64Bit_English_DC_STD_MLF_X23-78027.ISO) acquired from what used to be called VLSC and updated until no more updates were offered to manual update checks. The server is not domain joined and had no local security policies changed.

I have since taken a step back and tried the setup on a freshly installed but unpatched system adapting a old script from https://smsagent.blog/2014/02/07/installing-and-configuring-wsus-with-powershell/ for configuration with the addition of modifying the IIS private memory limit to for the site to unlimited. After installing an SQLEXPRESS instance and configuring the script to use such, the script completed the initial synchronization and the update files are trickling in. This should get me functional.Out of curiosity, I spun up another fresh VM with the same install media and again forgoing updates and attempted a bare minimum GUI install following the steps at https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/1-install-the-wsus-server-role and https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus with the addition of setting the IIS private Memory limit to unlimited. Again, the server completed the initial connection and synchronization.

As my last successful WSUS setup was done 6-8 months ago, I am suspicious there is something in one of the recent updates to Server 2022 causing issues. After the servers finish their downloads I'll see about updating them to see if they still function afterwards.

2 answers

Your answer

Adam J. Marshall 10,356 Reputation points

2024-12-11T20:04:27.6066667+00:00

Before installing WSUS, is your server fully up to date with patches from online? Or are you doing this on a RTM copy of server 2022? Are there any policies in play that may disable TLS or muck with other settings?

As for the air-gapped one - run the postinstall and then, you just copy the WsusContent folder from your media and then import the metadata with wsusutil.
Daniel Miller 0 Reputation points

2024-12-12T19:55:13.78+00:00

As described, the VM was installed with OSD media from MS (SW_DVD9_Win_Server_STD_CORE_2022_2108.35_64Bit_English_DC_STD_MLF_X23-78027.ISO) acquired from what used to be called VLSC and updated until no more updates were offered to manual update checks. The server is not domain joined and had no local security policies changed.

I have since taken a step back and tried the setup on a freshly installed but unpatched system adapting a old script from https://smsagent.blog/2014/02/07/installing-and-configuring-wsus-with-powershell/ for configuration with the addition of modifying the IIS private memory limit to for the site to unlimited. After installing an SQLEXPRESS instance and configuring the script to use such, the script completed the initial synchronization and the update files are trickling in. This should get me functional.Out of curiosity, I spun up another fresh VM with the same install media and again forgoing updates and attempted a bare minimum GUI install following the steps at https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/1-install-the-wsus-server-role and https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus with the addition of setting the IIS private Memory limit to unlimited. Again, the server completed the initial connection and synchronization.

As my last successful WSUS setup was done 6-8 months ago, I am suspicious there is something in one of the recent updates to Server 2022 causing issues. After the servers finish their downloads I'll see about updating them to see if they still function afterwards.

Answer 1

I updated the server instances in question and synchronizations are being logged as successful. To confirm, I also spun up a new instance, updated Windows server, then installed and configured WSUS successfully, which I was not expecting. After seeing this, I went back to several of the instances I had installed during testing and noticed that those machines which had failed synchronizations I started via the Configuration Wizard where I had also scheduled synchronizations afterward in an attempt to work around the Wizard failure began successfully synchronizing in the evening after I made the post. At this point I suspect a server side data issue is the culprit rather than an update issue.

Answer 2

I just setup a Server 2025 using (SW_DVD9_WIN_SERVER_STD_CORE_2025_24H2_64BIT_ENGLISH_DC_STD_MLF_X23-81891.ISO) and updated it to latest CU and then installed the WSUS role, ran the post install, configured it to pull only a couple of products (Win11, server 24H2), and then began the initial sync and it successfully synced.

I then setup a Server 2022 using (SW_DVD9_WIN_SERVER_STD_CORE_2022_2108.32_64BIT_ENGLISH_DC_STD_MLF_X23-73837.ISO [From April 2024]). Updated it to latest CU and then installed the WSUS role, ran the post install, configured it to pull only a couple of products (Win11, server 24H2)With no modifications to anything, and a couple of restarts due to my laptop running hyper-v, the initial sync completed successfully and also one of the hourly syncs.

Share via

How does one set up a WSUS server for an air-gapped system on Windows Server 2022?

2 answers

Your answer