Update Offline Virtual Machine with PowerShell and WSUS Offline Update: Part 1


Summary: Honorary Scripting Guy, Sean Kearney introduces a cool tool for updating virtual machines.

Hey, Scripting Guy! Question Hey, Scripting Guy! I have some virtual machines that are normally offline. They need to be updated on a regular basis, but these machines have no access to the Windows Server Update Services (WSUS) server. Is there an easy answer to this problem?

—WT

Hey, Scripting Guy! Answer Hello WT,

Honorary Scripting Guy, Sean Kearney, is here to show a little magic with Windows PowerShell and the Windows update system.

Updating an offline virtual machine really isn’t that difficult. Just power it up, wait for the updates to download from Microsoft or your central updating system, and…

Oh, wait a minute. That doesn’t cover all scenarios does it? What about virtual machines that never get attached to the production LAN? Or virtual machines that operate in a secure network structure, which is isolated from the Internet and the production update system for security reasons?

Even if you have access to a centralized update system (such as WSUS), you’ll still have to force a download of the updates.

Then what if you had the option to inject the updates directly into the virtual machine...maybe a process that didn’t even need network access? Would that not be an interesting option?

That option is yours to have! There is a free tool that you can download from the Internet called WSUS Offline Update. It’s a great tool that runs off donations from the community. It packages the automatic updates into a folder structure that you can burn to DVD or CD, store on portable USB media, or any other distribution solution your mind can imagine.

By leveraging this solution and a little Windows PowerShell, we can provide an easy-to-automate solution to inject those updates into offline VHD files.

First we need to download and configure WSUS Offline Update. This is quite simple to do. Go to the WSUS Offline Update website, click the Download button, and choose the link in the right pane. You will be downloading a single ZIP file that contains everything you’ll need to implement this easy-to-use solution.

Image of site

After it is downloaded, unblock the ZIP archive. I have found that if you don’t unblock ZIP archives it can actually affect the content, especially the MSI files within it.

Image of menu

Extract that ZIP archive to your folder of choice by right-clicking the file and selecting Extract All.

Image of menu

For our purposes today, I am going to place it at the root of drive C. It will automatically create a folder called WSUSOffline.  Click the Extract button to complete the process.

Image of menu

Now that you have extracted WSUS Offline Update, it’s time to configure.  This is actually very easy to do or to change afterwards. Navigate to the C:\Wsusoffline folder and run the UpdateGenerator.exe application.

We are going to target the following collections of updates:

  • Windows 8.1 and Windows Server 2012 R2
  • C++ Runtime Libraries and .NET Framework
  • Microsoft Security Essentials
  • Windows Defender definitions (for updating the antivirus while offline)

We could also expand this collection into updates for Microsoft Office 2013, 2010, and 2007, but we’ll focus on a simpler configuration at this time.

We are also going to create a single folder that will act as the medium. The author targets a USB key, but in actuality, the folder can exist anywhere. It provides the updates in addition to all the executables needed to inject the updates.

In the following image, note the configuration changes highlighted in red:

Image of menu

Click the Start button to continue. You may be prompted to update your Trusted Root Certificates. Please do so if prompted.

Image of message

At this point, the system will begin downloading the updates into the WSUSOffline folder structure. Grab a nice mint tea and sit down. This will take a while...

Image of code

Done with your tea? Maybe take in a Doctor Who episode while you were waiting? (I did!) When it’s done, we can get to the fun stuff!

WT, sorry but that is all for today. Please come back tomorrow for the rest of the story.

We invite you to follow us on Twitter and Facebook. If you have any questions, send email to scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow.

Sean Kearney, Microsoft PowerShell MVP and Honorary Scripting Guy

Comments (1)

  1. Good one. Thanks for sharing.

Skip to main content