How to add manually downloaded files to WSUS and use it in workgroup isolated area.

Hello all,

I have multiple computers in a workgroup environment (50 PCs), all not connected to the internet. I have downloaded the updates and I have the execution files. The question is: can I use WSUS to push the updates to all PCs? How do I add the downloaded updates to WSUS?

Asked by: Omar Soudani, Senior System Engineer

Shaun Vermaak, Technical Specialist, commented:
No, you need to let WSUS download its own files, and those can be pushed via WSUS by configuring update registry values on those workgroup computers.
David Johnson, CD, MVP, Owner, commented:
Updates from WSUS are a pull operation, not a push operation. The simplest way is to create a registry file and merge the file.

Step 1: Create a *.reg file (wsus-client.reg) containing this:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate] 
"AcceptTrustedPublisherCerts"=dword:00000001 
"ElevateNonAdmins"=dword:00000001 
"TargetGroup"="Workstations" 
"TargetGroupEnabled"=dword:00000000 
"WUServer"="http://your-WSUS-server:port" 
"WUStatusServer"="http://your-WSUS-server:port"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] 
"AUOptions"=dword:00000004 
"AUPowerManagement"=dword:00000001 
"AutoInstallMinorUpdates"=dword:00000001 
"DetectionFrequency"=dword:0000000a 
"DetectionFrequencyEnabled"=dword:00000001 
"IncludeRecommendedUpdates"=dword:00000001 
"NoAUAsDefaultShutdownOption"=dword:00000001 
"NoAUShutdownOption"=dword:00000001 
"NoAutoRebootWithLoggedOnUsers"=dword:00000001 
"NoAutoUpdate"=dword:00000000 
"RebootRelaunchTimeout"=dword:0000000a 
"RebootRelaunchTimeoutEnabled"=dword:00000001 
"RescheduleWaitTime"=dword:0000000a 
"RescheduleWaitTimeEnabled"=dword:00000001 
"ScheduledInstallDay"=dword:00000000 
"ScheduledInstallTime"=dword:00000003 
"UseWUServer"=dword:00000001



Step 2: Edit the lines:
- "WUServer"="http://your-WSUS-server:port"; and
- "WUStatusServer"="http://your-WSUS-server:port";
to match the IP address (or FQDN) of your WSUS server. IMPORTANT: remove the ";" from the end of those lines!

Examples:
"WUServer"="http://WSUS.company.com:81"
"WUStatusServer"="http://WSUS.company.com:81"

"WUServer"="http://192.168.0.1"
"WUStatusServer"="http://192.168.0.1"

"WUServer"="http://intranet.local:8080"
"WUStatusServer"="http://intranet.local:8080"

The first key is named WUServer. This registry key holds a string value which should be entered as the WSUS server’s URL.

By default, in Windows Server 2012, WSUS 4.0 uses port 8530. However, WSUS 3.0 uses port 80, by default 
(How to Determine the Port Settings Used by WSUS - https://technet.microsoft.com/en-us/library/bb632477.aspx)

The other key that you will have to change is a string value named WUStatusServer. The idea behind this key is that the PC must report its status to a WSUS server so that the WSUS server knows which updates have been applied to the PC. The WUStatusServer key normally holds the exact same value as the WUServer key.



Source: https://community.spiceworks.com/how_to/2267-deploy-wsus-to-clients-without-ad-domain-gp-using-the-registry

See the source for a remove-wsus.reg and further reading
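
Added example, not part of the post above or of the Spiceworks source: a PowerShell lint for the wsus-client.reg file that catches the Step 2 mistakes (leftover ";", placeholder or padded URLs, mismatched WUServer/WUStatusServer) before the file is merged on 50 machines. The function name Test-WsusRegText and the $sample text are assumptions made for illustration. The UseWUServer and TargetGroupEnabled checks follow the documented meaning of those Windows Update policy values.

```powershell
# Added example (not from the thread): lint a WSUS client .reg file before merging it.
# $sample is constructed: the thread's template with Step 2 mistakes left in on purpose.
$sample = @'
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"TargetGroup"="Workstations"
"TargetGroupEnabled"=dword:00000000
"WUServer"="http://your-WSUS-server:port";
"WUStatusServer"=" http://192.168.0.1:8530 "

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000000
'@

function Test-WsusRegText {                      # hypothetical helper name
    param([Parameter(Mandatory)][string]$Text)
    $v = @{}                                     # value name -> parsed data (names are unique across both keys)
    $findings = New-Object 'System.Collections.Generic.List[string]'
    foreach ($raw in ($Text -split "`r?`n")) {
        if ($raw.Trim() -notmatch '^"(?<n>[^"]+)"=(?<d>.*)$') { continue }   # skip key headers and blanks
        $name = $Matches['n']; $data = $Matches['d'].Trim()
        if ($data.EndsWith(';')) {               # the ';' that Step 2 says to remove
            $findings.Add("${name}: remove the trailing ';'")
            $data = $data.TrimEnd(';').Trim()
        }
        if ($data -match '^dword:(?<h>[0-9a-fA-F]{8})$') { $v[$name] = [Convert]::ToInt32($Matches['h'], 16) }
        elseif ($data -match '^"(?<s>.*)"$')             { $v[$name] = $Matches['s'] }
        else { $findings.Add("${name}: unrecognised value syntax") }
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $v[$name]; $uri = $null
        if ($null -eq $url) { $findings.Add("${name}: missing"); continue }
        if ($url -ne $url.Trim()) { $findings.Add("${name}: whitespace inside the quotes") }
        $ok = [uri]::TryCreate($url.Trim(), [System.UriKind]::Absolute, [ref]$uri)
        if (-not $ok -or $uri.Scheme -notin 'http', 'https') {
            $findings.Add("${name}: '$url' is not a usable http(s) URL (placeholder left in?)")
        }
    }
    if ($v['WUServer'] -ne $v['WUStatusServer']) {
        $findings.Add('WUServer and WUStatusServer differ; they normally hold the same value')
    }
    if ($v['UseWUServer'] -ne 1) { $findings.Add('UseWUServer is not 1, so WUServer is ignored') }
    if ($v.ContainsKey('TargetGroup') -and $v['TargetGroupEnabled'] -ne 1) {
        $findings.Add('TargetGroup is set but TargetGroupEnabled is not 1, so the group is not used')
    }
    return $findings
}

Test-WsusRegText -Text $sample | ForEach-Object { "FINDING: $_" }
```

To check a real file, pass its content with `Test-WsusRegText -Text (Get-Content .\wsus-client.reg -Raw)`; an empty result means none of these checks fired.
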
Qlemo, "Batchelor", Developer and EE Topic Advisor, commented:
There is a way to integrate existing downloaded packages into WSUS, but it is tedious, and for MS Windows Updates just not worth the effort.

Set up WSUS so it does not approve updates automatically,
apply to all clients what a group policy would do in a domain (the stuff David posted), with some changes as you like,
and wait for at least two days, until enough machines have reported to WSUS.
Then approve what you want to get installed.
Machines being online should get the updates within the next two days after the update has completed downloading.

You can try to force clients to report/check/download updates "immediately", but only on the machine itself:
net stop wuauserv
net start wuauserv
REM pre-W10:
wuauclt /detectnow
REM W10:
UsoClient /StartScan


This doesn't work all the time, though.
Shaun Vermaak, Technical Specialist, commented:
"There is a way to integrate existing downloaded packages into WSUS, but it is tedious, and for MS Windows Updates just not worth the effort."
I think you are misunderstanding how that works. It does not give you the same end result. Downloading an MS patch via WSUS and importing it as a generic EXE is not the same.

Another option if you do not want to use WSUS is
www.wsusoffline.net/

If you want to integrate 3rd party updates you can try WSUS Package Publisher if you do not want commercial
https://github.com/DCourtel/Wsus_Package_Publisher
