The offline WSUS server is the only supported Microsoft way.
How to handle updates in a completely offline setup
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 30%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJT%3C/text%3E%3C/svg%3E)
Jenifer Teffani
0
Reputation points
We’re currently designing a fully air-gapped environment with no internet connectivity whatsoever. This naturally complicates our patching and updating procedures. What is your preferred approach to keeping systems secure and up to date in this sort of setup?
Windows for business | Windows 365 Business
2 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 36%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETL%3C/text%3E%3C/svg%3E)
Tracy Le 7,480 Reputation points Independent Advisor2026-04-28T14:03:02.7266667+00:00 Hi Jenifer Teffani,
For a truly air-gapped environment, the industry standard and most reliable method is using a Disconnected WSUS (Windows Server Update Services) topology.
Here is the exact step-by-step approach:
1. The "Export" Server: Set up a WSUS server on a network with internet access. Approve and download all required updates and metadata for your environment here.
2. The Sneakernet Transfer: Use the
wsusutil.exe exportcommand to export the update metadata to a file. Then, manually copy that export file and the actual update payloads (theWsusContentfolder) to a secure, scanned USB or external drive.3. The "Import" Server: Physically move the drive across the air-gap to your completely offline WSUS server. Copy the payload files into its
WsusContentfolder and runwsusutil.exe importto load the metadata.4. Client Patching: Point all your air-gapped Windows machines to this offline WSUS server via Group Policy (GPO).
This method requires zero third-party tools, gives you full centralized control, and keeps your air-gap perfectly intact. If this approach works for your design, please click "Accept Answer".
Tracy.