
I need to build a WSUS server in a disconnected environment. This environment bears no relation to our office domain in any way. So I have built the WSUS server and followed the instructions from Microsoft on how to configure it, instructions here - https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127442

Essentially instructions advised to do the following:

  1. Using 'Windows Server Backup' to back up the WSUSContent folder from our office WSUS server and then using 'Windows Server Backup' to 'Recover' the data on the disconnected server. Note that I have copied the file structure of the office network WSUS server, so the data is going into the same path on the disconnected WSUS server.
  2. I then used 'WSUSUtil.exe' to export the metadata from the office network WSUS server and then imported it on the disconnected WSUS server.

After doing that, I can actually see all of the updates (over 7000) listed in the WSUS administration console, and I selected them all and approved them for download and install.

However, even though the WSUS server sees the updates, it is reporting that it needs to download the updates. So all updates are stuck on trying to download which they are not doing. Of course, since I already manually copied over the updates, the system shouldn't think it needs to download them.

And being a disconnected environment, the WSUS server should talk to itself to get the updates but even though the server is listed under 'Computers' in the console, the status reports that it needs 48 updates.

I looked in local group policy and there was a computer policy called 'Specify intranet Microsoft update service location', and in that I put the address of the server itself so it would hopefully point to itself, but when I go 'Check for updates', it says it's up to date.

I think the core issue here is that WSUS itself thinks it needs to download the updates, but it doesn't actually have to because I manually copied them over. I assumed that after copying across the updates manually, importing the metadata would let the system see the updates were already local.

Does anyone have a clue what I am missing here? Thanks in advance.

NetServOps
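The two steps the question describes (copy WSUSContent, then export and import the metadata with WSUSUtil.exe) written out as one script, as an added example that is not part of the original post and not Microsoft's own tooling. It uses robocopy for the content copy instead of Windows Server Backup, runs the Export phase on the office server and the Import phase on the disconnected one, and finishes with `wsusutil.exe reset`, which makes WSUS re-verify that each update row in its database has its files on disk. The drive letters, the transfer media path and the log file names are assumptions.

```powershell
# Added example, not code from the question or from Microsoft's article. Export runs on the
# connected (office) WSUS server, Import on the disconnected one. Paths are assumptions.
param(
    [Parameter(Mandatory)][ValidateSet('Export','Import')][string]$Phase,
    [string]$ContentPath  = 'D:\WSUS\WSUSContent',   # assumed; must be the same path on both servers
    [string]$TransferRoot = 'E:\wsus-transfer',      # assumed removable media carried across the gap
    [string]$WsusUtil     = "$env:ProgramFiles\Update Services\Tools\wsusutil.exe"
)
$ErrorActionPreference = 'Stop'
$metadata = Join-Path $TransferRoot 'export.xml.gz'   # package name used in the Microsoft procedure
$content  = Join-Path $TransferRoot 'WSUSContent'
$logDir   = Join-Path $TransferRoot 'logs'
New-Item -ItemType Directory -Force -Path $logDir | Out-Null

function Invoke-Robocopy {
    param([string]$Source, [string]$Destination, [string]$Log)
    # /E copies subfolders, /R and /W bound retries, /XJ skips junctions so the copy never
    # follows a reparse-point loop. Robocopy exit codes below 8 are success variants.
    robocopy $Source $Destination /E /R:2 /W:5 /XJ /NP "/LOG:$Log" | Out-Null
    if ($LASTEXITCODE -ge 8) {
        throw "robocopy $Source -> $Destination failed, exit code $LASTEXITCODE (see $Log)"
    }
}

switch ($Phase) {
    'Export' {
        # Copy the update files first, then export the catalog, so the exported metadata never
        # references a file that has not been copied yet. Check export.log before moving on.
        Invoke-Robocopy -Source $ContentPath -Destination $content -Log (Join-Path $logDir 'content-copy.log')
        & $WsusUtil export $metadata (Join-Path $logDir 'export.log')
    }
    'Import' {
        # Restore the files into the identical path BEFORE importing the metadata. The import
        # server must already be configured with the same products, classifications, languages
        # and "Update Files" settings as the export server.
        Invoke-Robocopy -Source $content -Destination $ContentPath -Log (Join-Path $logDir 'content-restore.log')
        & $WsusUtil import $metadata (Join-Path $logDir 'import.log')
        # Make WSUS re-check that every update in its database has its files on disk rather than
        # trusting the download state that came across with the metadata.
        & $WsusUtil reset
    }
}
```

Run it from an elevated prompt on each server (`.\wsus-transfer.ps1 -Phase Export` on the office server, `-Phase Import` on the disconnected one); wsusutil.exe only works when run locally on the WSUS server it targets.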

1 Answer


Okay, I've been building a similar solution with Windows Server 2022 and, although I'm still having tonnes of issues and have developed a deep hatred for WSUS, I have faced your issues and "resolved" them in the last month or so.

You cannot approve any updates on the disconnected WSUS server which were not also approved on the internet facing server. Also, if you have approved 6999 updates on the internet facing server but then approve 7000 updates on the disconnected server, WSUS likes to just infinitely hang on any single update that you have approved on the disconnected server but not the other, making it look like all 7000 updates are "needing to download."

But when fixing this issue, you might find that certain updates, when you unapprove them, cause the WSUS console to crash. If you get this error, congrats: you now need to do a full reinstall of WSUS (not as simple as just removing the WSUS feature and re-adding, btw; follow online guides).

Lastly, you need to make sure your update files & language settings in both WSUS consoles match. e.g. you cannot have all languages on the connected and only English on the disconnected.

Disconnected WSUS is a complete nightmare, welcome to the pain. Also, I refuse to pay for Overdrive's script just to get WSUS to work. We're already paying for the Microsoft server licenses, so why is the only solution to 95% of WSUS problems online to use some dude's script, which now has a paid subscription model... /rant
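The two checks this answer recommends, matching approvals and matching Update Files and Languages settings, as an added example that is not part of the answer. Because the servers never see each other, the script snapshots the connected server's enabled languages, update-file settings and approved update IDs into a JSON manifest that travels with the export package, then compares that manifest against the disconnected server's own state. It only reports mismatches; given the answer's note that unapproving some updates can crash the console, it deliberately does not unapprove anything. The manifest path is an assumption; `Get-WsusServer`, `Get-WsusUpdate` and the `IUpdateServerConfiguration` properties used are from the UpdateServices module and WSUS administration API.

```powershell
# Added example, not code from the answer. Run -Phase Snapshot on the connected server and carry
# the JSON across with the export package; run -Phase Compare on the disconnected server.
param(
    [Parameter(Mandatory)][ValidateSet('Snapshot','Compare')][string]$Phase,
    [string]$Manifest = 'E:\wsus-transfer\approvals.json'   # assumed location on the transfer media
)
$ErrorActionPreference = 'Stop'
Import-Module UpdateServices

$wsus = Get-WsusServer            # the local WSUS server on its default port
$cfg  = $wsus.GetConfiguration()

function Get-WsusSnapshot {
    # Only approved updates matter: an update approved on the disconnected server but not on
    # the connected one is the case the answer describes as hanging on "needing to download".
    param($Approved = (Get-WsusUpdate -Approval Approved -Classification All -Status Any))
    [pscustomobject]@{
        Server                = $env:COMPUTERNAME
        AllLanguagesEnabled   = $cfg.AllUpdateLanguagesEnabled
        Languages             = @($cfg.GetEnabledUpdateLanguages() | Sort-Object)
        HostOnMicrosoftUpdate = $cfg.HostBinariesOnMicrosoftUpdate
        ExpressPackages       = $cfg.DownloadExpressPackages
        DownloadOnApproval    = $cfg.DownloadUpdateBinariesAsNeeded
        ApprovedIds           = @($Approved | ForEach-Object { $_.UpdateId.ToString() } | Sort-Object)
    }
}

switch ($Phase) {
    'Snapshot' {
        Get-WsusSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Manifest -Encoding UTF8
        "Wrote snapshot of $env:COMPUTERNAME to $Manifest"
    }
    'Compare' {
        $connected    = Get-Content -Raw -Path $Manifest | ConvertFrom-Json
        $approvedHere = Get-WsusUpdate -Approval Approved -Classification All -Status Any
        $disconnected = Get-WsusSnapshot -Approved $approvedHere
        $problems = 0

        # "Update Files and Languages" must be identical on both servers before an import.
        foreach ($p in 'AllLanguagesEnabled','HostOnMicrosoftUpdate','ExpressPackages','DownloadOnApproval') {
            if ($connected.$p -ne $disconnected.$p) {
                Write-Warning "$p differs: connected=$($connected.$p) disconnected=$($disconnected.$p)"
                $problems++
            }
        }
        $remoteLangs = @($connected.Languages); $localLangs = @($disconnected.Languages)
        if (($remoteLangs -join ',') -ne ($localLangs -join ',')) {
            Write-Warning "Enabled languages differ: connected=[$($remoteLangs -join ',')] disconnected=[$($localLangs -join ',')]"
            $problems++
        }

        # Approvals that exist only on this (disconnected) server. Report them; do not unapprove.
        $extra = @($disconnected.ApprovedIds | Where-Object { @($connected.ApprovedIds) -notcontains $_ })
        if ($extra.Count -gt 0) {
            Write-Warning "$($extra.Count) update(s) approved here but not on $($connected.Server):"
            $approvedHere |
                Where-Object { $extra -contains $_.UpdateId.ToString() } |
                Select-Object UpdateId, Title | Format-Table -AutoSize
            $problems++
        }
        if ($problems -eq 0) { "Settings and approvals match $($connected.Server)." }
    }
}
```

Enumerating several thousand updates with Get-WsusUpdate takes a few minutes on each side; the snapshot is taken once and reused so the comparison does not walk the catalog twice.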