Updating Windows machines without internet access is a requirement in many enterprise scenarios — air-gapped networks, secure government environments, factory floors, or simply remote sites with unreliable connectivity. This guide covers all current methods in 2026, including an important update: Microsoft officially deprecated WSUS in September 2024. It still works and will continue to do so through at least 2035, but the long-term direction is clear. This article covers both the WSUS-based approach and the modern alternatives.

Detail
Last UpdatedMarch 2026
Applies ToWindows 10, Windows 11, Windows Server 2019/2022/2025
WSUS StatusDeprecated September 2024 — functional but no new features
DifficultyBeginner to Advanced (depending on method)

WSUS Deprecation — What It Actually Means for Offline Environments

On September 20, 2024, Microsoft announced the deprecation of Windows Server Update Services (WSUS). Before panicking, here is what deprecation actually means in practice:

  • WSUS still works — existing functionality is fully preserved and supported
  • Updates still flow through the WSUS channel — Microsoft will continue publishing updates via WSUS
  • No new features — Microsoft will not invest in new WSUS capabilities or accept feature requests
  • WSUS remains in Windows Server 2025 — and will be supported through that version’s lifecycle, estimated to 2035
  • SCCM/ConfigMgr is unaffected — the Software Update Point role in ConfigMgr still uses WSUS under the hood and is not impacted
  • Offline environments have no viable alternative — for air-gapped or disconnected networks, WSUS remains the only Microsoft-native option

The practical implication: you can confidently continue using WSUS for offline update management today. Start planning a migration to modern tooling for internet-connected parts of your fleet, but there is no urgency to replace WSUS in air-gapped environments.

Method 1: WSUS (Windows Server Update Services)

WSUS is the Microsoft-native solution for offline update distribution. A WSUS server is deployed on your network, synchronises updates from Microsoft (from an internet-connected machine or another WSUS upstream), and then distributes them to all Windows clients and servers on the network — no internet access required on the endpoints themselves.

Basic Architecture

  • Connected WSUS server — synchronises directly from Microsoft Update
  • Disconnected WSUS server — for fully air-gapped environments. Exports update metadata from an internet-connected WSUS instance, transfers via removable media, and imports on the offline WSUS server
  • WSUS + SCCM/ConfigMgr — the most common enterprise setup; ConfigMgr uses WSUS as its Software Update Point and adds approval workflows, deployment rings, and reporting on top

Disconnected WSUS — Export and Import

For a fully air-gapped WSUS setup, use wsusutil.exe to export updates from your internet-connected WSUS and import them on the offline instance:

# On the internet-connected WSUS server — export update metadata
# Run from: C:\Program Files\Update Services\Tools\
wsusutil.exe export C:\WSUSExport\export.xml.gz C:\WSUSExport\export.log

# Copy the export package and update files to removable media
# Then on the offline WSUS server — import
wsusutil.exe import C:\WSUSImport\export.xml.gz C:\WSUSImport\import.log

The update content files (the actual .cab and .msu files) must also be copied separately — the export only contains metadata. Copy the content from %WSUS_Content%\WsusContent\ on the source to the same path on the target.

Point Clients to WSUS via Registry or GPO

Configure clients to use your WSUS server instead of Windows Update. Via PowerShell (useful for quick testing or Intune Remediation):

# Point Windows Update client to your WSUS server
$wuPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$wuAUPath = "$wuPath\AU"

# Create keys if they don't exist
New-Item -Path $wuPath -Force | Out-Null
New-Item -Path $wuAUPath -Force | Out-Null

# Set WSUS server URL (replace with your actual WSUS server)
Set-ItemProperty -Path $wuPath -Name "WUServer" -Value "http://wsus-server:8530"
Set-ItemProperty -Path $wuPath -Name "WUStatusServer" -Value "http://wsus-server:8530"

# Enable use of WSUS server
Set-ItemProperty -Path $wuAUPath -Name "UseWUServer" -Value 1 -Type DWord

# Restart Windows Update service to apply
Restart-Service -Name wuauserv
Write-Host "Windows Update client configured to use WSUS."

Method 2: PSWindowsUpdate Module

The PSWindowsUpdate PowerShell module is the most practical tool for scripted offline update management on individual machines or small fleets. It wraps the Windows Update Agent API and works regardless of internet connectivity — as long as updates are available via WSUS or the local Windows Update cache.

Install and Configure

# Install from PSGallery (requires internet on the management machine)
Install-Module -Name PSWindowsUpdate -Force -Scope AllUsers

# For offline machines: download on an internet-connected machine and copy manually
Save-Module -Name PSWindowsUpdate -Path "C:\Modules"
# Then copy C:\Modules\PSWindowsUpdate to the offline machine's
# C:\Program Files\WindowsPowerShell\Modules\ folder

List and Install Available Updates

# List all available updates (from WSUS or Windows Update)
Get-WUList -Verbose

# Install all available updates silently with auto-reboot
Install-WindowsUpdate -AcceptAll -AutoReboot -Verbose

# Install without reboot — schedule restart separately
Install-WindowsUpdate -AcceptAll -IgnoreReboot -Verbose

# Install only security updates
Install-WindowsUpdate -AcceptAll -AutoReboot -Category "Security Updates" -Verbose

Run Remotely Across Multiple Machines

# Install updates on multiple remote machines in parallel
# Requires PSRemoting enabled on target machines
$computers = @("SERVER01", "SERVER02", "SERVER03")

Invoke-WUJob -ComputerName $computers -Script {
    Import-Module PSWindowsUpdate
    Install-WindowsUpdate -AcceptAll -IgnoreReboot -Verbose |
        Out-File "C:\Temp\WULog_$env:COMPUTERNAME.txt"
} -Confirm:$false -RunNow

Write-Host "Update jobs dispatched to $($computers.Count) machines."

Method 3: Install Updates Manually via WUSA or DISM

For one-off updates or specific KB patches that need to be applied to an air-gapped machine, download the .msu or .cab file from the Microsoft Update Catalog (catalog.update.microsoft.com) on an internet-connected machine and transfer it via USB or file share.

Install .msu via WUSA

# Install a single .msu update silently
wusa.exe "C:\Updates\windows11.0-kb5048667-x64.msu" /quiet /norestart

# Install and allow restart
wusa.exe "C:\Updates\windows11.0-kb5048667-x64.msu" /quiet

# Install all .msu files in a folder (batch install)
Get-ChildItem -Path "C:\Updates" -Filter "*.msu" | ForEach-Object {
    Write-Host "Installing $($_.Name)..."
    Start-Process -FilePath "wusa.exe" -ArgumentList "`"$($_.FullName)`" /quiet /norestart" -Wait
}
Write-Host "All updates installed. Restart required."

Install .cab via DISM

For .cab packages or when wusa.exe fails (e.g. combined SSU+LCU packages on Windows 11 — see the update uninstall guide for context):

# Install a single .cab update via DISM
dism /online /add-package /packagepath:"C:\Updates\Windows11.0-KB5048667-x64.cab" /norestart

# Install all .cab files in a folder
Get-ChildItem -Path "C:\Updates" -Filter "*.cab" | ForEach-Object {
    Write-Host "Installing $($_.Name)..."
    dism /online /add-package /packagepath:"$($_.FullName)" /norestart /quiet
}

Method 4: WSUS Offline Update Tool (Third-Party, Free)

WSUS Offline Update (wsusoffline.net) is a free open-source tool that downloads all current Windows updates to a local folder or ISO on an internet-connected machine. You then copy that folder to the target offline machine and run the installer. It is particularly useful when you need to fully patch a machine that has been offline for a long time — avoiding the lengthy Windows Update process of downloading updates one by one.

  • Run UpdateGenerator.exe on an internet-connected machine to download updates for your target OS and architecture
  • Copy the output folder to the target machine (USB drive, network share, or ISO)
  • Run UpdateInstaller.exe on the offline machine to install all downloaded updates

Note: WSUS Offline Update last released version 12.0 in March 2020, which was the last version to support Windows 7 and Server 2008 R2. The tool is still functional for modern Windows but is no longer actively developed. For Windows 10 and 11, it remains a viable option — test in your environment before relying on it for production use.

Method 5: Microsoft Update Catalog — Manual Download

For targeted individual updates, the Microsoft Update Catalog at catalog.update.microsoft.com lets you search by KB number, product, and classification and download .msu or .cab files directly. This is the most surgical approach — no tools required, just a browser and a USB drive.

  1. On an internet-connected machine, go to catalog.update.microsoft.com
  2. Search by KB number (e.g. KB5048667) or product name
  3. Download the correct architecture variant (.msu for client, .cab for server packages)
  4. Transfer to the offline machine and install via wusa.exe or DISM

When downloading from the Catalog, always check the Supersedence tab for the KB you are downloading — the Catalog will show if a newer update supersedes it, which means you should download the newer one instead to avoid installing an outdated package.

Modern Cloud Alternatives — For the Connected Parts of Your Fleet

If you manage a mixed fleet — some internet-connected, some air-gapped — Microsoft’s recommended modern tools for the connected devices are:

ToolBest ForCost
Windows AutopatchFully automated update rings for Windows 11 + Microsoft 365 AppsIncluded in M365 E3/E5, Windows E3/E5
Microsoft Intune (Update rings)Controlled deferral rings for Windows clientsIncluded in most M365 plans
Azure Update ManagerServer patching including Windows Server and LinuxPay-per-use via Azure Arc
WSUS + ConfigMgrOn-premise or hybrid with full control — still viable until 2035ConfigMgr licence required

Choosing the Right Method

ScenarioRecommended Method
Large fleet, fully air-gapped networkWSUS (disconnected) + ConfigMgr
Small fleet or single site, offlinePSWindowsUpdate + WSUS, or WSUS Offline Update tool
One-off patch on an isolated machineMicrosoft Update Catalog + wusa.exe or DISM
Fully patch a machine that’s been offline a long timeWSUS Offline Update tool (downloads everything at once)
Mixed fleet — some connected, some air-gappedIntune/Autopatch for connected + WSUS for offline segments

Summary

Offline Windows update management in 2026 is defined by one major development: WSUS deprecation. It is deprecated — not dead. For air-gapped and disconnected environments, it remains the only viable Microsoft-native solution, and it will continue to work through at least 2035. For individual machines or small fleets, PSWindowsUpdate and the Microsoft Update Catalog with wusa.exe / DISM cover most scenarios without requiring a WSUS infrastructure at all.

  • WSUS is deprecated (September 2024) but fully functional — no action required for existing offline deployments
  • Use wsusutil.exe export/import for fully disconnected WSUS instances
  • PSWindowsUpdate is the best scripting tool for offline update management on individual machines or remote runs via Invoke-WUJob
  • For one-off patches: download from catalog.update.microsoft.com and install via wusa.exe /quiet /norestart or DISM
  • Plan gradual migration to Intune/Autopatch for internet-connected devices — WSUS for air-gapped segments can stay as-is