Context

Windows systems have to kept up to date, wheter it be for operationnal or security maintenance. Most systems may be part of a network with a WSUS server (on Internet or local network). But some may not - these systems will be designated afterward as "offline", even though they may actually be part of a network, just not a network with WSUS capability.

Some third-party solutions exists to make the offline Windows updates easier in this kind of configuration (eg: the ambivalently-named "WSUS Offline Update" solution⁵). However, for practical or security reasons, it may be required to not rely on such means and rather manage with more official or native solutions. Note that the previously mentionned "WSUS Offline Update" solution and website for example is not a Microsoft officially supported project.

Historically, an external (although Microsoft official) tool was to be downloaded and used to scan for missing updates on offline hosts : Microsoft Baseline Security Analyzer (MBSA)³. But most recent Windows system embed a native tool for this purpose : the Windows Update Agent (WUA)¹. According to official documentation, WUA is supported starting with Windows XP for clients and with Windows Server 2003 for servers⁴ (although personally used the MBSA solution on Windows 7 clients).

The Windows Update Agent (WUA) is actually an interface for system administrators and programmers (via PowerShell or VBScript for instance) to access Windows Update and Windows Server Update Services (WSUS).

Whatever the solution, apart from the updates files themselves, an external file is nonetheless required to be downloaded (on the Internet) for the scan of offline systems: the "Wsusscan" CAB (extension) file - or the "Windows Update (WU) offline scan file" or simply "offline scan file" (and sometimes "offline scan cab") according to Microsoft documentation. Before 2007-03, this file was named Wsusscan.cab ; since this data, a new format has been introduced with the Wsusscan2.cab². This offline scan file basically acts as an index of all available updates for (supported) Windows systems, againt which an offline Windows system may compare to.

Process

1. Download offline scan file

On online (i.e. connected to the Internet) Windows system: Download the last version of offline scan file (wsusscan2.cab)⁷.

1. Scan for updates

On offline Windows system: via script (here, VBScript - but could be PowerShell) with input the offline scan file (wsusscan2.cab) (cf. step (0)), use the WUA to generate a list of available updates for this system (notably with the ID and/or download links for each update).

1. Download updates

On online (i.e. connected to the Internet) Windows system: from the list generated on step (1), download corresponding installation files (script can also automate things at this step).

1. Install updates

On offline Windows system: install all required updates from downloaded files of step (2).

1. System restart.

If required.

1. Check updates

Scan once more just to check if - after the updates - new ones are available.

Logs

[2022-07-02 13:45-16:20]

Main reference is Micosoft official documentation about Windows Update Agent (WUA)¹, more precisely the section providing a quite complete VBScript code to search, download and install updates⁶.

As suggested by the documentation, we can simply use that script using the Windows Script Host (WSH):

> cscript WUA_SearchDownloadInstall.vbs
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

This script is provided by Microsoft Corporation to demonstrate techniques that can be used to search, download,
and install updates through the Windows Update Agent API.

This script is not intended as production code.

Searching for updates...

List of applicable items found on the machine:
There are no applicable updates.

Executed without arguments, the script scan online for available updates.

To actually make an offline scan, the /Offline option must be provided, followed by the path to the offline scan file (wsusscan2.cab)⁷.

> cscript WUA_SearchDownloadInstall.vbs /Offline:C:\Full\Path\To\wsusscn2.cab
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

This script is provided by Microsoft Corporation to demonstrate techniques that can be used to search, download,
and install updates through the Windows Update Agent API.

This script is not intended as production code.

Registered offline scan cab, service ID 3f5697d7-b28f-4284-8e33-481510646b87

Searching for updates...

List of applicable items found on the machine:
There are no applicable updates.

Note that the full path to the offline scan file must be provided.

Also note that the process could be quite long (several minutes).

To get the most out of the script for the scanning part, the following options are relevant:

• /Show: Unhide any hidden updates found by the scan.
• /NoDownload: Do not download any updates that the scan detects (cannot occur in our case - step (1) on the offline system).
• /NoInstall: Do not install any updates that the scan detects (cannot occur in our case - step (1) on the offline system).
• /ShowDetails: Show details about the updates found by the scan.
• /ShowBundle: Output information about the child updates in the bundled updates that are found.

Here, for test purpose, we beforehand manually uninstalled one update (KB5014699) from our (up to date) test system via Windows Settings: Update & Security > View update history > Uninstall updates.

> cscript WUA_SearchDownloadInstall.vbs /Offline:C:\Full\Path\To\wsusscn2.cab /Show /NoDownload /NoInstall /ShowDetails /ShowBundle
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

This script is provided by Microsoft Corporation to demonstrate techniques that can be used to search, download,
and install updates through the Windows Update Agent API.

This script is not intended as production code.

Registered offline scan cab, service ID 5f23b990-7d37-4fbf-896e-7941eef6065b

Searching for updates...

List of applicable items found on the machine:
1> 2022-06 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5014699) {6b6b1213-b96b-479b-a408-0c6d3991f599.200} (KB5014699) Categories: Security Updates {0fa1201d-4330-4fa8-8ae9-b877473b6441},Windows 10 LTSB {d2085b71-5f1f-43a9-880d-ed159016d5c6},Windows 10, version 1903 and later {b3c75dc1-155f-4be4-b015-3f1a91758e52} Deployment action: Installation
1> 1>  {752af291-39f9-4097-b0f8-13a30cb499fd.200} Categories:  Deployment action: None (Inherit)

Checking search results:
Skipping install as requested.

Optionally, we may name more explicitly our administration operation with the following option:

• /AppName: Name to pass to the WUA API as the 'calling application'; this appears in the Windows Update logs; Default: "WUA API Sample Script"; Alternative: "Offline Update via WUA API Script".

We must now confirm if the informations already provided by the script are enough to then (automatically) download the correponding update installation files. A must would have been to directly get the download URL to Microsoft repositories⁸. Here, for KB5014699, the "information" URL is "https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=6b6b1213-b96b-479b-a408-0c6d3991f599" which mostly matches the first identifier provided by the script {6b6b1213-b96b-479b-a408-0c6d3991f599.200}. And the "download" URL is "https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2022/06/windows10.0-kb5014699-x64_202eb4370b02f689b4904b69f13076b66ce5e1f1.cab" - which however less fits the available data.

[2022-07-03 13:05-16:05]

Let us try to get more information from WUA API about each update object - hoping to find among these, a direct download URL that can then be exported to a simple file (TXT or CSV).

Here we investigate this part of the previous script code (lines 207-222 of original script):

Dim searchResult
Set searchResult = updateSearcher.Search(criteria)

WScript.Echo "List of applicable items found on the machine:"

Dim I
Dim B
For I = 0 To searchResult.Updates.Count-1
    Set update = searchResult.Updates.Item(I)
    WScript.Echo I + 1 & "> " & UpdateDescription(update)
    If showBundle Then
        For B = 0 to update.BundledUpdates.Count-1
            WScript.Echo I+1 & "> " & B+1 & "> " & UpdateDescription(update.BundledUpdates.Item(B))
        Next
    End If
Next

We are more specifically interested in:

• the object searchResult.Updates :

The interface of object searchResult is ISearchResult and the interface of searchResultis IUpdateCollection.

Thus, the list of updates returned from the search has the interface IUpdate.

These informations are available in the WUA API reference⁹.

• the function UpdateDescription() (lines 73-103 of original script):

Function UpdateDescription(update)
    Dim description
    Dim I
    Dim category
    description = update.Title & " {" & update.Identity.UpdateID & "." & update.Identity.RevisionNumber & "}"
    If update.IsHidden Then
        description = description & " (hidden)"
    End If
    If WScript.Arguments.Named.Exists("ShowDetails") Then
        if update.KBArticleIDs.Count > 0 Then
            description = description & " ("
            For I = 0 To update.KBArticleIDs.Count -1
                If I > 0 Then
                    description = description & ","
                End If
                description = description & "KB" & update.KBArticleIDs.Item(I)
            Next
            description = description & ")"
        End If
        description = description & " Categories: "
        For I = 0 to update.Categories.Count - 1
            Set category = update.Categories.Item(I)
            If I > 0 Then
                description = description & ","
            End If
            description = description & category.Name & " {" & category.CategoryID & "}"
        Next
        description = description & " Deployment action: " & DeploymentActionToText(update.DeploymentAction)
    End If
    UpdateDescription = description
End Function

From the previous point, we know that the update parameter of this function is of interface IUpdate¹⁰. Among other things, this interface provides multiple interesting attributes:

• MoreInfoUrls: collection of language-specific strings that specify the hyperlinks to more information about the update.

This may match the previously identified "information" URL.

• DownloadContents: file information about the download contents of the update.

This may contain more information to download the update file(s).

• BundledUpdates: information about the ordered list of the bundled updates for the update.

Indeed, looking more closely at the function UpdateDescription(), we understand that an update object may actually "package" multiple updates.

Furthermore, the documentation states it quite clearly:

If the BundledUpdates property contains an IUpdateCollection, some properties and methods of the update may only be available on the bundled updates, for example, DownloadContents or CopyFromCache.

Unfortunately, in our case, we cannot directly exploit the "download" part of the script as it uses directly the IUpdate objects previously constructed. And there is no clear way to serialized these objects to files for further user. We must thus cook our own serialization.

Now is time to update the original script to return more useful information for an offline update:

Function UpdateDescription(update)
    Dim description
    Dim I
    Dim category
    description = description & "Title: " & update.Title & vbCrLf
    description = description & "ID + Rev Numb:" & update.Identity.UpdateID & "." & update.Identity.RevisionNumber & vbCrLf

    If WScript.Arguments.Named.Exists("ShowDetails") Then
        If update.DownloadContents.Count > 0 Then
            For I = 0 To update.DownloadContents.Count-1
                description = description & "Download URL: " & update.DownloadContents.Item(I).DownloadUrl & vbCrLf
            Next
        End If
    End If
    UpdateDescription = description
End Function

And here is the result:

> cscript WUA_SearchDownloadInstall.vbs /Offline:C:\Users\Midorino\Desktop\wsusscn2.cab /Show /NoDownload /NoInstall /ShowDetails /ShowBundle & ^G
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

This script is provided by Microsoft Corporation to demonstrate techniques that can be used to search, download,
and install updates through the Windows Update Agent API.

This script is not intended as production code.

Registered offline scan cab, service ID 23b7244f-835a-46a9-ad50-ba05e436e3a4

Searching for updates...

List of applicable items found on the machine:
1> Title: 2022-06 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5014699)
ID + Rev Numb:6b6b1213-b96b-479b-a408-0c6d3991f599.200

1> 1> Title:
ID + Rev Numb:752af291-39f9-4097-b0f8-13a30cb499fd.200
Download URL: http://download.windowsupdate.com/c/msdownload/update/software/secu/2022/06/windows10.0-kb5014699-x64_202eb4370b02f689b4904b69f13076b66ce5e1f1.cab


Checking search results:
Skipping install as requested.
'' is not recognized as an internal or external command,
operable program or batch file.

Note: as the process is somewhat long, we can use the following cmd syntax to beep when the script has completed (^G - input for beep - is typed by pressing CTRL + G):

> my_command & ^G