Microsoft Security Advisory - CTL update on internet detached network

I've been tasked at my job to implement a security advisory from Microsoft (Microsoft Security Advisory 3050995. Microsoft has updated the Certificate Trust list (CTL) to remove the trust of a subordinate CA certificate. Typically this is done automatically by installing a provided patch for Windows 2008 and windows 7 boxes. The problem I'm having is I'm not sure how to take these actions on a detached network without internet access. This network has its own Microsoft CA server that issues certificates. Any help or insight with this will be greatly appreciated. CA related matters are not my strong suit.

KJ
LVL 1
kj_syenceAsked:
Who is Participating?
 
btanExec ConsultantCommented:
It will be offline patching then as you likely still need to have the package (after downloading from one machine with internet access) rollout to the internal different client and server systems via the SCOM or WSUS.

The manual download package is available in http://support.microsoft.com/en-us/kb/3050995

Security updates are available on ISO-9660 DVD5 image files from the Microsoft Download Center
Microsoft now releases ISO-9660 DVD5 image files that contain all the security updates that are released on the Windows Update website. The ISO image files are released at the same time that security updates are released on the Windows Update website.

The ISO image files are intended for corporate administrators who:

Manage large multinational organizations
Must download multiple individual language versions of each security update
Do not use an automated solution such as Microsoft Windows Server Update Services (WSUS)

By using the ISO image files, administrators can download multiple updates in all languages at the same time.
- http://support.microsoft.com/en-us/kb/913086

another is the WSUS Offline Update (it can be used to even create the ISO image into DVD etc)
 - http://download.wsusoffline.net/

One use case (using the tools a/m), there can be setup of WSUS on even a laptop and have each patch (or the normal tuesday patch) sync with MS website or using the a/m tools to get the latest download. Thereafter have the laptop connected to the remote sites that required the updating. Note that the remote sites are configured to point to the laptop's WSUS service or they can also have a WSUS server at that remote site that is configured to point to the laptop WSUS server and they just sync the remote sites WSUS server with the laptop to get the latest patch. The regular regime is rather manual but to work off the restriction for those offline machine (not internet accessible).
0
 
kj_syenceAuthor Commented:
This was helpful, and I wasn't aware of the ISO image files. Thanks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.