Today, I will explore patching with the WSUS Offline Tool to keep Windows machines updated.
The WSUS Offline tool lets you update lab machines running Windows 10, Server 2016, or Office 2016. You download the Microsoft updates only once from the internet and then use the WSUS Offline Tool to install them on all the lab machines without needing an internet connection.
As mentioned below, I don’t recommend using this tool in any production environment. However, it could be useful for an isolated lab environment if you don’t have SCCM with a software update point (SUP).
If you already have SCCM in your lab, I would recommend SCCM and WSUS (patching guide) for the lab environment.
Note: I don’t recommend using the WSUS Offline Tool for the production environment
How WSUS Offline Tool Works?
WSUS Offline Update uses Microsoft’s update catalog file, wsusscn2.cab, to dynamically determine the required patches. The catalogue file contains at least all the updates classified as critical and security-relevant, but it does not necessarily contain all the important and optional ones.
What is the disadvantage of the WSUS Offline Tool?
The disadvantage of this tool is that computers updated by WSUS Offline Update will hardly ever completely satisfy Microsoft’s Online Update afterwards. Still, the patch coverage completely satisfies Microsoft’s Baseline Security Analyzer.
Video Tutorial – WSUS Offline Tool
The following video explains how to apply Windows and Office updates with the WSUS Offline Tool and keep Windows machines updated.
Download the WSUS Offline Tool
Download the WSUS Offline Tool and extract the ZIP file. You don’t need to install it. Instead, you can directly run the exe (UpdateInstaller.exe) from the source file folder.
Download C:\Users\Anoop\Downloads\wsusoffline113\wsusoffline\UpdateInstaller.exe
Download the WSUS Offline Tool from here
Run WSUS Offline Tool
Launch UpdateInstaller.exe and select the updates you want to download for offline updates. Once you have downloaded the updates, you must run the following exe (UpdateInstaller.exe) from the client device where you want to install them. I recommend keeping the CLIENT folder in a shared location so that you can access it from many devices.
CLIENT C:\Users\Anoop\Downloads\wsusoffline113\wsusoffline\client\UpdateInstaller.exe
There are options to minimize or hide the download progress screen (more details in the FAQ section below). But I love the status screen during the download. Depending on the updates you have selected from the tool, this will take a long time to finish.
Execution – Download of Update
The WSUS Offline Update uses the “Windows Update Agent” (WUA) to determine the patches to install on the client/target side.
ndp46-kb4040957-x64_25f369534 100%[=================================================>] 1.57M 3.52MB/s in 0.4s
2018-05-17 21:11:37 (3.52 MB/s) - '../client/dotnet/x64-glb/ndp46-kb4040957-x64_25f36953431af3abd007e23f44950bc9b46134d7.exe' saved [1648800/1648800]
Downloading/validating update 10 of 29...
--2018-05-18 10:11:37-- http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/ndp45-kb4096495-x64_41a96e508184f9dac887e02a2c1caf75842a4e95.exe
Resolving download.windowsupdate.com (download.windowsupdate.com)... 117.18.232.240
Connecting to download.windowsupdate.com (download.windowsupdate.com)|117.18.232.240|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 64581904 (62M) [application/octet-stream]
Saving to: '../client/dotnet/x64-glb/ndp45-kb4096495-x64_41a96e508184f9dac887e02a2c1caf75842a4e95.exe'
Client Update – Source Folder Locations
The following are folder locations where client update source files will be stored. The video tutorial provides more details.
Windows 10 Update --> C:\Users\Anoop C Nair\Downloads\wsusoffline113\wsusoffline\client\w100-x64\glb
DotNet Updates --> C:\Users\Anoop C Nair\Downloads\wsusoffline113\wsusoffline\client\dotnet
WSUS Offline Tool – FAQs
How can I update “WSUS Offline Update” itself using the WSUS Offline Tool?
Unless the release notes or installation hints recommend otherwise, you may unpack a new version’s archive (.zip) over/into an existing structure, provided you let existing files be overwritten. Of course, you may use the automatic self-update functionality instead.
Where are the downloaded update files stored – WSUS Offline Tool?
Every file that is required for the installation part is stored in the “client” subdirectory.
Why are check boxes greyed out when I start UpdateInstaller.exe?
The check boxes’ availability depends on the platform, update medium and package installation state.
I receive an error indicating an invalid package.xml file during download or installation. What can I do?
Your copy of Microsoft’s update catalog file (…\client\wsus\wsusscn2.cab) seems to be corrupt. Please delete it and re-run the download process.
Can I let the download WSUS Offline Tool window(s) stay in the background?
Yes. Please edit the UpdateGenerator.ini file and add an entry/line “minimizeondownload=Enabled” to the “[Miscellaneous]” section.
After the patches are installed using the WSUS Offline tool Update, an empty box without contents appears on every reboot. Only when I click “OK” does the boot process continue?
It’s uncertain at this time what causes this behavior. Please log in as “Administrator” and check if the Windows registry key “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” contains a value named “WSUSOfflineUpdate” or if the key “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce” contains values named “DeleteWOUTempAdminProfile” or “ShowOfflineUpdateLogFile”. If they exist, delete them.
If these entries do not exist in the registry, the Offline Updater did not cause this behavior. The WSUS Offline Updater team welcomes further hints concerning this problem.
During the download, I receive a file integrity verification failure for the WSUS Offline Tool. What can I do to resolve this?
If you’re sure your repository’s patch files weren’t manipulated, you may delete the corresponding checksum files under …\client\md. They’ll then be recreated during the next download run.
I miss the IEx, .NET, and MSSE installation files for my language. Why aren’t they downloaded, and what can I do to have them downloaded?
Since Service Packs and updates for Windows Vista / 7 / Server 2008(R2) are multilingual, there’s no 24-language selection table for these platforms, so by default, only the English and German versions of those localized installation packages for IEx, .NET and MSSE will be downloaded.
To have your favorite locale(s) downloaded in addition, you may use the …\cmd\AddCustomLanguageSupport.cmd script.
Determining “superseded updates” takes more than 15 minutes for WSUS Offline Tool. How can I speed it up?
Some antivirus scanners (especially “Microsoft Security Essentials” (MSSE)) slow down the required calculations. You may temporarily disable your AV scanner or define an appropriate exception.
I miss the x64 versions of Office 2010 Service Pack 2 and Office 2013 Service Pack 1. How can I have them downloaded?
Please call …\cmd\AddOffice2010x64Support.cmd {lng} once to add their URLs to your custom static download definitions (see directory …\static\custom).
I don’t need the German installation files for IEx, .NET and MSSE. How can I disable their downloads?
Please call …\cmd\RemoveGermanLanguageSupport.cmd once to remove their URLs from the static download definitions.
Before the update installation, the system is checked to determine the maximum number of updates to be installed in one run. Is there a parameter to specify this value?
The parameters can be specified in the file …\client\cmd\custom\SetUpdatesPerStage.cmdt. The values should not exceed the parameter “UPDATES_PER_STAGE” in the file \client\cmd\SetTargetEnvVars.cmd (currently 40). Smaller values are automatically corrected. After setting the stage limits, the file SetUpdatesPerStage.cmdt must be renamed to SetUpdatesPerStage.cmd (cmd without the t)!
Can I download/install additional patches?
Yes, you can adjust how the download and update scripts behave by excluding or adding patches from the download or installation. For adding updates, proceed as follows:
1. Adding updates to download routines
To add an update to be downloaded, insert its download URL into the matching “StaticDownloadLinks-<platform>[-<architecture>]-<language>.txt” file, found in the “…\static\custom” directory. Please don’t forget a trailing <CR><LF>.
2. Adding updates to installation routines
Add an update to the installation by inserting its knowledge base ID (KBxxxxxx or simply xxxxxx) into the matching “StaticUpdateIds-[-].txt” file (directory “…\client\static\custom”). Please don’t forget a trailing.
Can I only skip the dynamic update determination during downloading/installation and use my static definitions?
Yes.
To avoid dynamic update URL determination during download, add “skipdynamic=Enabled” to the [Miscellaneous] section of your UpdateGenerator.ini file.
To avoid dynamic update ID determination during installation, set “skipdynamic=Enabled” in the [Installation] section of your UpdateInstaller.ini file.
I already have the latest Service Pack for my selected OS and don’t want to have it downloaded again. Can I integrate it into the WSUS Offline Updater somehow?
Yes, if the following preconditions are met: First, you must put the file into the correct directory; for an XP-SP3 English, this would be “.\client\wxp\enu”, for example. Additionally, the filename and the size have to match the properties on Microsoft’s servers, in this example, “WindowsXP-KB936929-SP3-x86-ENU.exe” with a size of 331,805,736 bytes. As the download uses “wget” with the “-N” option (timestamping), the local copy also must not be older than the copy on the Microsoft server.
Can I integrate patches for products made by third parties?
No, and there are no plans to add this. Patches from third parties commonly have completely different command-line parameters, making integration problematic, if not impossible. Additionally, the Offline Update is meant to make a PC as secure as possible before going online. Updates from third parties can then be downloaded from their respective websites. Many third-party products, such as Acrobat Reader, Firefox, Thunderbird, and SUN Java Runtime, offer auto-update mechanisms to keep themselves current.
Is it possible to automate the creation of the updated media (CD/DVD images), maybe with a scheduled task? If yes, how do I do that?
Create a new batch file in the “.\cmd” directory, e.g. “DownloadUpdatesAndCreateISOImage.cmd”. Then enter the desired calls to “DownloadUpdates.cmd” and “CreateISOImage.cmd” with the required options into this file. An example of such a file would be:
@echo off
call DownloadUpdates wxp enu
call CreateISOImage wxp enu
Next, create a scheduled task for your new custom script “DownloadUpdatesAndCreateISOImage.cmd” and select the desired run time. For example, if you intend to create new update media following each Microsoft Patchday, select “second Wednesday of every month”.
Can I start updating the installation from a shared network resource?
Yes, but you should only use the “Automatic reboot and recall” feature if the shared resource permits anonymous access. Otherwise, the automatic recall will fail because the share won’t be accessible for the temporary administrator account “WOUTempAdmin”.
If the network share doesn’t have a drive letter assigned to it, the “UpdateInstaller” script will automatically do a drive mapping because cmd.exe does not support UNC paths (\\<server>\<share>) as the current directory (see http://support.microsoft.com/kb/156276/).
If you would like to assign a drive letter yourself using the “map network drive” feature or the “net use” command, you’ll have to do this in an administrative context/command shell (Windows Vista/7/Server 2008(R2)) because the “UpdateInstaller” script requests administrative privileges for patch installation.
Please remember that installing patches over the network is against the philosophy of an Offline update, and the machine may be vulnerable to attacks while the update process is still in progress.
A patch is installed repeatedly despite being installed already on the target system. What is the reason, and how can I resolve this?
This problem regularly occurs when doing kernel updates on OEM systems; it’s a Microsoft issue.
To solve the issue, install such updates manually and specify the “/o” (or “/overwriteoem”) switch (as shown on http://support.microsoft.com/kb/262841).
When installing patches, I am warned that kb890830 and kb976002 have been skipped. Why aren’t they integrated?
Patch kb890830 is not really an update but the Malicious Software Removal Tool (MSRT). This tool (MRT.exe) scans the PC once after a reboot for possible malware infections. Still, it is inferior to commercial virus software regarding detection rate and updating frequency (it’s only updated once a month on most PCs). Additionally, multiple versions are contained in WSUSSCN2.CAB (Microsoft’s update catalog), so it’s already filtered out on download. Patch kb976002 is the Browser Choice update for the European market.
During patch installation, I received warnings about further missing updates for the WSUS Offline Tool. What’s up?
WSUS Offline update by default downloads only patches contained in Microsoft’s catalog WSUSSCN2.CAB. This includes at least all critical and security-related patches but not every important, recommended or optional one. If you feel the need to include them, you are free to do so manually (see above).
Can I force the installation of patches despite them being installed already on the target system?
Yes, but not with the GUI (UpdateInstaller.exe). Call the batch file “Update.cmd” directly using the “/all” option, e.g., “Update.cmd /autoreboot /showlog /all”.
The missing updates on my target system can’t be determined; on another computer, missing updates are installed repeatedly. Why?
In most cases, the Windows Update Agent (WUA) is responsible for this misbehavior. To resolve this problem, please follow the instructions to reset the Windows Update components (http://support.microsoft.com/kb/971058).
On patch installation, I’m getting strange errors in the command line window, e.g., “C:\wsusupdate\client\cmd\DetermineSystemProperties.vbs(92, 3) (null): 0x80041014”. Then the script terminates. What is the cause, and how can I solve this problem?
For trouble-free execution, the script requires the correct installation and configuration of the following Windows services/components: “Automatic Update/Windows Update (WUA)”, “Windows Script Host (WSH)” and “Windows Management Instrumentation (WMI)”. Please check first if you have restricted or even disabled these services with tools like TweakUI, nLite/vLite, XP-Antispy, XPy, Tuneup Utilities etc.
If that’s not true, the cause is probably erroneous scripting components or WMI registration.
To (re-)register the scripting components on your computer, please follow the instructions at http://support.microsoft.com/kb/949140.
To check your WMI installation, use Microsoft’s WMI diagnostics tool (http://www.microsoft.com/downloads/details.aspx?familyid=d7ba3cd6-18d1-4d05-b11e-4c64192ae97d&displaylang=en). Further technical information is given on http://technet.microsoft.com/en-us/library/cc787057(WS.10).aspx; the WMI FAQs are found on http://technet.microsoft.com/en-us/library/e692772.aspx.
When installing patches, I’m receiving the error: “…\ListMissingUpdateIds.vbs(17, 1) (null): The file or directory is corrupted and unreadable.” or “…\ListMissingUpdateIds.vbs(17, 1) (null): The signature of the certificate cannot be verified.” How can I solve that problem?
This error occurs if the file “.\client\wsus\wsusscn2.cab” is truncated/corrupted because it has not been downloaded completely. Of course, this invalidates its digital signature. Please rerun the download and media creation again to replace the bad file.
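One way to back the “sure your repository’s patch files weren’t manipulated” condition from the checksum FAQ above, and to catch the truncated wsusscn2.cab described here, is to check the Authenticode signatures of the files in the client folder before installing from it. The following PowerShell is an added example, not part of the WSUS Offline Update distribution; the repository path D:\wsusoffline\client and the function name Test-WouRepositorySignatures are assumptions.

```powershell
# Added example: verify Authenticode signatures in a WSUS Offline repository.
# Assumptions: the repository path and the function name are hypothetical.
function Test-WouRepositorySignatures {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ClientPath,
        # File types that can carry an embedded Authenticode signature.
        [string[]]$Extensions = @('.cab', '.exe', '.msu', '.msi', '.msp')
    )

    if (-not (Test-Path -LiteralPath $ClientPath -PathType Container)) {
        throw "Client folder not found: $ClientPath"
    }

    Get-ChildItem -LiteralPath $ClientPath -Recurse -File |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                File    = $_.FullName
                Length  = $_.Length
                Status  = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer  = $subject
                # Accept only a signature that validates AND names Microsoft as signer.
                Trusted = ($sig.Status -eq 'Valid') -and
                          ($subject -match 'O=Microsoft Corporation')
            }
        }
}

$client  = 'D:\wsusoffline\client'         # hypothetical repository location
$results = @(Test-WouRepositorySignatures -ClientPath $client)

# The catalog first: a truncated or corrupted wsusscn2.cab does not report Valid.
$results |
    Where-Object { $_.File -like '*\wsus\wsusscn2.cab' } |
    Format-List File, Length, Status, Signer

# Then every other file that did not pass. Files that are not Microsoft updates
# (for example the tool's own executables) also land here and need a separate decision.
$bad = @($results | Where-Object { -not $_.Trusted })
'{0} of {1} files failed the signature check' -f $bad.Count, $results.Count
$bad | Sort-Object Status, File | Format-Table Status, Length, File -AutoSize -Wrap
```

A wsusscn2.cab that reports anything other than Valid should be deleted and downloaded again, as the answer above says. Checksum files under …\client\md are only worth deleting once the files they describe pass this check.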
My antivirus package reports the downloaded archive to be infected by a virus/trojan. Is that true?
This is, with a very high probability, a false positive! The archive contains compiled AutoIt3 scripts, which some antivirus programs generally detect as malware. You can verify the clean status of the scripts (*.au3) by compiling them yourself using the AutoIt3 compiler (http://www.autoitscript.com/autoit3/). Alternatively, upload the downloaded archive to a site like VirusTotal (http://virustotal.com) or Jotti (http://virusscan.jotti.org) and let many antivirus engines scan it. Additionally, many antivirus suites can send the presumed false positives to the author, either manually over a web form/email or automatically within the program. This will improve the detection abilities of these products.
While downloading patches, I’m receiving messages like “ERROR 404: Not Found.” Does the Offline Updater use invalid URLs? Is this a problem with the WSUS Offline Tool?
No, but Microsoft does. The URLs will be determined at runtime from Microsoft’s catalog package.xml in the file wsusscn2.cab. For unknown reasons, Microsoft has these invalid URLs in the file.
I have selected creating an Office update medium in my specific language, e.g., Russian. But there are patches in English downloaded, too. Why is this?
Some patches in Microsoft’s catalog wsusscn2.cab (package.xml) are language-dependent, but others only exist in English. The latter are patches for language-independent parts of Office and can be installed on non-English Office installations without any problems.
For that reason, an additional subdirectory named “glb” (global) has been created besides the existing ones like “deu”, “enu”, “rus” etc. The glb directory stores the dynamically determined patches that exist only in English, no matter what language has been selected. In the case of Office 2003, the Service Packs for Project, Visio, etc., which are in English, will be filtered out when creating an update medium. This will save space.
I’m about to burn a 500MB ISO image using Nero, but I am receiving a message telling me the ISO is too big in size. Is the ISO corrupt?
No, certainly not. In some versions, Nero seems to have problems determining the required CD/DVD size. Please update Nero or use another CD/DVD/BluRay recording software like ImgBurn (http://imgburn.com).
My ISO image is too big to fit on a CD. How can I record it using a DVD? Why does the WSUS Offline Tool have DVD options?
There’s no difference in how recording software treats the CD or DVD ISO and media. That means you can burn every ISO image on DVD as long as your recording software supports the ISO format and DVDs. Note that sometimes, when the ISO is smaller than 1GiB, the recording software will add padding data to the end to write at least 1 GiB. This is for compatibility reasons and will not influence the CD/DVD contents.
When creating an ISO, I receive the warning: “ISO-9660 filenames longer than 31 may cause buffer overflows in the OS.” Should I be alarmed?
No. This is a generic warning displayed on every run for creating WSUS Offline Update ISOs. It is only a note that breaking the restrictions of the original ISO9660 filesystem (only short filenames like FILENAME.EXT) may have undesired effects on older operating systems like MS-DOS, especially with filenames of 32 characters or longer. All platforms relevant to the Offline Updater handle this without problems, so there is no need to worry.
Is it possible to integrate the downloaded patches from Offline Update into an OS installation disc via slipstreaming?
Not all patches support slipstreaming. Besides, as new patches are released monthly (and sometimes even more frequently), you must create a new disc every time. Therefore, we recommend that you slipstream only the latest Service Pack and install the rest of the patches after OS installation using the Offline Updater.
I used the “automatic reboot and recall” option, but the WSUS Offline Updater doesn’t resume its work as intended. What can I do?
It seems you have stored the Offline Updater files in a restricted area of your filesystem, which the temporary account “WOUTempAdmin” has no access to despite having administrative rights. This could be a user-specific directory like “(My )Documents” or “Desktop” or an NTFS encrypted one. Please use another base directory for patch installation.
I have selected the “Show log file” option in the WSUS Offline Tool, but after finishing the installation and rebooting, the log is not shown. What’s the reason?
Maybe the user account you’re logging in with after the final reboot has no permission to access the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce or the log file (%SystemRoot%\wsusofflineupdate.log). After installing and rebooting, please log in once with a sufficiently privileged account.
I enabled the “automatic reboot and recall” option, and now my PC automatically logs into the “WOUTempAdmin” account. How can I prevent that and revert to my previous account settings?
That issue rarely happens. Please help improve the software by submitting a detailed error report to the development team, including the preconditions and instructions on reproducing the error.
To “clean up” your OS do the following:
- Cancel running update scripts using <Ctrl>+C;
- Execute the “CleanupRecall.cmd” script in the “cmd” directory, then reboot.
If it still doesn’t work, follow this guide:
- Log off the “WSUSAdmin” account. While doing this, hold the <Shift> key to prevent automatic login and show the Logon screen instead.
- Log on to the “Administrator” account (or an account with administrative rights).
- Check for the existence of a file named “%SystemRoot%\wsusbak-winlogon.reg”.
- If the file exists, start the registry editor ([Start – Run…] regedit) and delete the key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon”. Then merge the backed-up values back into the registry by double-clicking the “%SystemRoot%\wsusbak-winlogon.reg” file and confirming the prompt. Then you can delete that file.
- If the file doesn’t exist, start the registry editor ([Start – Run…] regedit) and modify some values of the key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” as follows:
- DefaultUserName: Administrator (or another user account of your choice)
- DefaultPassword: Delete value
- AutoAdminLogon: Delete value
- ForceAutoLogon: Delete value
- Delete the “WOUTempAdmin” account using the “User accounts” Control Panel item.
- Delete the user profile files if they still exist (XP: C:\Documents and Settings, Vista/7: C:\Users).
- Reboot.
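The checks from this cleanup guide, together with the Run/RunOnce values from the earlier empty-box-on-reboot FAQ, can be collected into one read-only report before anything is deleted. This PowerShell is an added example, not a script shipped with WSUS Offline Update; the function name Get-WouRecallLeftovers is made up for illustration, and Get-LocalUser assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: read-only report of what "automatic reboot and recall" may
# have left behind. Nothing is deleted or modified.
# Assumption: the function name Get-WouRecallLeftovers is hypothetical.
function Get-WouRecallLeftovers {
    $findings = New-Object 'System.Collections.Generic.List[object]'

    # Returns the registry value, or $null when the key or value is absent.
    function Get-RegValue([string]$Key, [string]$Name) {
        $props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains $Name)) {
            return $props.$Name
        }
        return $null
    }

    # Autostart values named in the FAQ.
    $run     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $autostart = @(
        @{ Key = $run;     Name = 'WSUSOfflineUpdate' },
        @{ Key = $runOnce; Name = 'DeleteWOUTempAdminProfile' },
        @{ Key = $runOnce; Name = 'ShowOfflineUpdateLogFile' }
    )
    foreach ($entry in $autostart) {
        $value = Get-RegValue $entry.Key $entry.Name
        if ($null -ne $value) {
            $findings.Add([pscustomobject]@{
                Item = "$($entry.Key)\$($entry.Name)"; Value = $value
                Note = 'Leftover autostart entry' })
        }
    }

    # Winlogon auto-logon values named in the cleanup guide.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $user = Get-RegValue $winlogon 'DefaultUserName'
    if ($user -eq 'WOUTempAdmin') {
        $findings.Add([pscustomobject]@{
            Item = "$winlogon\DefaultUserName"; Value = $user
            Note = 'Default logon user is still the temporary account' })
    }
    foreach ($name in 'AutoAdminLogon', 'ForceAutoLogon') {
        $value = Get-RegValue $winlogon $name
        if ("$value" -eq '1') {
            $findings.Add([pscustomobject]@{
                Item = "$winlogon\$name"; Value = $value
                Note = 'Automatic logon is enabled' })
        }
    }
    if ($null -ne (Get-RegValue $winlogon 'DefaultPassword')) {
        # Report presence only; the password itself is never printed.
        $findings.Add([pscustomobject]@{
            Item = "$winlogon\DefaultPassword"; Value = '<present, not shown>'
            Note = 'Logon password stored in clear text in the registry' })
    }

    # Temporary administrator account and the Winlogon backup file.
    $account = Get-LocalUser -Name 'WOUTempAdmin' -ErrorAction SilentlyContinue
    if ($account) {
        $findings.Add([pscustomobject]@{
            Item = 'Local account WOUTempAdmin'; Value = "Enabled=$($account.Enabled)"
            Note = 'Temporary administrator account still exists' })
    }
    $backup = Join-Path $env:SystemRoot 'wsusbak-winlogon.reg'
    if (Test-Path -LiteralPath $backup) {
        $findings.Add([pscustomobject]@{
            Item = $backup; Value = 'exists'
            Note = 'Backup of the original Winlogon values is available' })
    }

    $findings
}

$report = @(Get-WouRecallLeftovers)
if ($report.Count -eq 0) {
    'No recall leftovers found.'
} else {
    $report | Format-Table Item, Value, Note -AutoSize -Wrap
}
```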
Can I exclude patches from download and/or installation using the WSUS Offline Tool?
Yes, that’s possible through customising the download- and updating scripts according to your requirements. You may add new patches or exclude existing ones. Please follow this guide:
1. Exclude patches from download
You have to differentiate between statically defined updates (like the latest Service Packs, for example) and updates that are determined dynamically at the script’s runtime.
a) Statically defined updates
To exclude static updates from download, please delete the corresponding URL definitions in the matching file named “StaticDownloadLinks-<platform>[-<architecture>].txt” in the folder “static\custom”. Please note that the files residing here will be overwritten on a software update.
b) Dynamically determined updates
To exclude dynamically determined updates from download, insert their knowledge base ID (KBxxxxxx or simply xxxxxx) into the matching exclude file named “ExcludeList-[-].txt” in the folder “exclude\custom”.
2. Excluding updates from installation
Once again, you must differentiate between statically defined and dynamically determined updates.
a) Statically defined updates
The statically defined updates (latest version each) are:
- Service Pack (SP)
- Microsoft Installer (MSI)
- Windows Script Host (WSH)
- Internet Explorer (IE)
These updates will be installed only if the version installed on the target system is lower than those defined in the file “SetTargetEnvVars.cmd” (directory .\client\cmd). If you generally want to prevent the installation of one of those updates, you have to modify the expected values in “SetTargetEnvVars.cmd” or insert jump marks into “DoUpdate.cmd” (which controls the installation process). You should do this only in special cases like SP, WUA, MSI, and WSH. Certain versions are required as preconditions.
b) Dynamically determined updates
To exclude dynamically determined updates from installation, insert their knowledge base ID (KBxxxxxx or simply xxxxxx) into the file “ExcludeList.txt” (directory .\client\exclude\custom). These updates will now be ignored, and you’ll receive a warning in the log.
The following updates are already excluded:
- kb816093 (Security update for Microsoft VM)
- kb951847 (.NET Framework 3.5 SP1 Family Update (will be explicitly installed if selected))
- kb890830 (Windows Malicious Software Removal Tool (MSRT))
- kb944036 (Internet Explorer 8 (will be explicitly installed if selected))
- kb982861 (Internet Explorer 9 (will be explicitly installed if selected))
- kb2718695 (Internet Explorer 10 (will be explicitly installed if selected))
- kb2841134 (Internet Explorer 11 (will be explicitly installed if selected))
- kb976002 (Browser Choice)
- kb923618 (Office 2003 Service Pack 3 (will be implicitly installed if required))
- kb2526086 (Office 2007 Service Pack 3 (will be implicitly installed if required))
- kb2687455 (Office 2010 Service Pack 2 (will be implicitly installed if required))
- kb2817430 (Office 2013 Service Pack 1 (will be implicitly installed if required))
- kb936929 (Windows XP Service Pack 3 (will be implicitly installed if required))
- kb914961 (Windows Server 2003 Service Pack 2 (will be implicitly installed if required))
- kb936330 (Windows Vista Service Pack 1 (will be implicitly installed if required))
- kb948465 (Windows Vista Service Pack 2 (will be implicitly installed if required))
- kb976932 (Windows 7 Service Pack 1 (will be implicitly installed if required))
Please be aware that excluding updates may have an impact on the security of your PC.
All these FAQs are documented in the installation source directory of the WSUS Offline Tool.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.