WSUS Offline

Hello Experts - I've got several secure stand alone workstations that i use WSUS Offline Version 10.7 to keep them current with updates from Microsoft.
For some odd reason after the updates are applied to the systems applications like MS Office, IE, Adobe Reader these are the three we've noticed thus far.  But any way when clicking to open one of these applications we get the little circle like its thinking about it, then nothing.
Checking in Task Manager, Process the applications show up as "Running" but they never launch in windows explorer.  The only solution that we have been able to use is system restore which in turn removes all the updates that were applied, this is not helping us as we need to keep these systems up-to-date.  Also seems like everything launches fine when using Safe Mode. This is a new process for us we are still learning, if there is a better method for us to keep these machines updated we are all hears.

Thank You Guys in advance
ManieyaK_Citrix Systems / Network AdminAsked:
Who is Participating?
Mike TConnect With a Mentor Leading EngineerCommented:

I'm not sure I can answer "what's the best method" as it depends on a few things.

The options I know (from recent experience of a similar quandry).

1) Run an air-gapped WSUS pair
2) Download patches using the monthly MS ISO and then apply use a script

I know WSUS works but I'm not keen on using opensource apps on secure systems. Call me old-fashioned but I feel uneasy.

Option 1 - WSUS pair
This is quite straight-forward and gives you far more granular control than "WSUS offline". You need a machine running Windows Server (2008 or 2012). This is your online, internet connected source.
You can approve patches there, but it's probably easier not to. Just download everything relevant.
Then you export it. There is a tool (command line) called WSUtil. This will export the metadata into an XML file for you. Copy it to secure media.
Now take a full copy (robocopy, don't drag'n'drop) the WHOLE WSUS content folder. That's the patches to go with the metadata.

Now go to the other offline, (not connected to Internet ever) server with WSUS installed.
Copy the patches to it's WSUS\Content directory and then run the WSUtil with /import. This will sync up the metadata.
You will now have a local WSUS source of all MS patches. Now you can go ahead and approve only the ones you want. You will never *miss* a patch this way because your Internet box has ALL patches.
It just gets messy if you try and filter on both, because then you have to worry about ticking the same patches on each and life's too short for that.

Option 2) The cheaper option is just use a tool to download what you need, or even just use MS Catalog to do it. It's not *that* onerous. Then use a PowerShell script to look at whole directory and run them all sequentially for you. I just did that for some servers and it works beautifully!

Hector2016Connect With a Mentor Systems Administrator and Solutions ArchitectCommented:
Hello ManieyaK,

This is more like an Application Start Control issue, because if the problems were directly related to the Windows Updates, then it would do the same on Safe Mode.

See if you have any Antivirus/Anti-Malware software blocking those applications from start.
You can find lot of information reviewing the Windows Application Events Log:
1. Windows Key + R, then type Eventvwr.exe
2. Select Application inside Windows Logs

Each event will show you information about every importan fact on the computer, seek for errors and warnings related to the applications failling.
ManieyaK_Citrix Systems / Network AdminAuthor Commented:
Hector thanks for your comment, is WSUS Offline the best method to keep these machines up-to-date?
ManieyaK_Citrix Systems / Network AdminAuthor Commented:
Guys thank you for your comments.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.