In environments where computers are not connected to the internet or a central network, ensuring they receive the latest security updates can be challenging. The Windows Update Scan Tool, leveraging the Windows Update Agent (WUA), provides a solution by enabling offline scanning for security updates. This method allows you to assess the update status of isolated systems without requiring a connection to Windows Update or a Windows Server Update Services (WSUS) server.
The core component for conducting offline scans is the Wsusscn2.cab file. This is a digitally signed cabinet file provided by Microsoft that contains metadata about security-related updates. By utilizing this file, the Windows Update Scan Tool can determine which security updates are applicable to a computer, even in the absence of an internet connection. It is important to note that Wsusscn2.cab contains only scan information, not the actual update files. After identifying missing updates with the scan tool, you will need to obtain and deploy them through alternative methods.
To initiate an offline scan, you first need to download the most recent version of the Wsusscn2.cab file from the official Microsoft Update Catalog (the Download Wsusscn2.cab entry). Microsoft regularly updates this file as new security updates are released or revised.
Once downloaded, the Wsusscn2.cab file becomes the input for the Windows Update Scan Tool. Specifically, you register it with the WUA API's AddScanPackageService method, which points the WUA at the offline scan package. The WUA then validates the digital signature of Wsusscn2.cab to ensure its authenticity and integrity before proceeding with the offline scan.
Be aware that offline scans using CAB files may require significant memory. For efficient scanning, especially on systems with limited resources, consider adjusting system settings to allocate sufficient memory, for example by increasing the page file size or adding processors to the system. Adequate memory allocation ensures the Windows Update Scan Tool can operate effectively and complete the scan without errors.
A key update regarding the Wsusscn2.cab file is its signing mechanism. In line with Microsoft's SHA-1 deprecation initiative, the file is now exclusively signed using SHA-256. Previously, it was dual-signed with both SHA-1 and SHA-256. Administrators who verify digital signatures should now expect only a SHA-256 signature on the Wsusscn2.cab file.
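The WUA performs its own signature check when the package is registered, but an administrator who stages Wsusscn2.cab for an isolated network will usually want to verify the file before it is copied across. The following PowerShell is an added example, not code from the original article or from Microsoft; the file path is an assumption, and the signer-subject check pins the publisher rather than any particular certificate.

```powershell
# Added example (not from the original article): verify the Authenticode
# signature on a downloaded Wsusscn2.cab before it is handed to the WUA.
param(
    [string]$CabPath = 'C:\wsusscn2.cab'   # assumed location of the downloaded file
)

function Test-OfflineScanCab {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Scan package not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # A truncated, tampered or unsigned file shows up here as HashMismatch,
    # NotSigned or UnknownError rather than Valid.
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${Path}: $($sig.Status) - $($sig.StatusMessage)"
    }

    # Pin the publisher: the scan package is published by Microsoft.
    if ($sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # Record what was verified so the result can be kept with the staged file.
    [pscustomobject]@{
        Path         = $Path
        Status       = $sig.Status
        Signer       = $sig.SignerCertificate.Subject
        Thumbprint   = $sig.SignerCertificate.Thumbprint
        CertSigAlg   = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
        CertNotAfter = $sig.SignerCertificate.NotAfter
        FileSha256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

Test-OfflineScanCab -Path $CabPath | Format-List
```

Note that Get-AuthenticodeSignature reports the algorithm used to sign the signer's certificate, not the digest algorithm of the Authenticode signature on the file itself; to confirm that the file signature is SHA-256 rather than SHA-1, inspect it with the Windows SDK signtool (signtool verify /pa /v), which prints the file hash algorithm in its verbose output.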
Below are examples demonstrating how to use the Windows Update Scan Tool with Wsusscn2.cab in both VBScript and PowerShell to identify missing updates.

VBScript:
    ' Register the offline scan package and search it for updates that are not installed.
    Set UpdateSession = CreateObject("Microsoft.Update.Session")
    Set UpdateServiceManager = CreateObject("Microsoft.Update.ServiceManager")
    Set UpdateService = UpdateServiceManager.AddScanPackageService("Offline Sync Service", "c:\wsusscn2.cab")
    Set UpdateSearcher = UpdateSession.CreateUpdateSearcher()

    WScript.Echo "Searching for updates..." & vbCRLF

    UpdateSearcher.ServerSelection = 3 ' ssOthers: use the registered scan package, not Windows Update/WSUS
    UpdateSearcher.ServiceID = UpdateService.ServiceID

    Set SearchResult = UpdateSearcher.Search("IsInstalled=0")
    Set Updates = SearchResult.Updates

    If SearchResult.Updates.Count = 0 Then
        WScript.Echo "There are no applicable updates."
        WScript.Quit
    End If

    WScript.Echo "List of applicable items on the machine when using wsusscn2.cab:" & vbCRLF

    For I = 0 To SearchResult.Updates.Count - 1
        Set update = SearchResult.Updates.Item(I)
        WScript.Echo I + 1 & "> " & update.Title
    Next

    WScript.Quit
PowerShell:

    # Register the offline scan package and search it for updates that are not installed.
    $UpdateSession = New-Object -ComObject Microsoft.Update.Session
    $UpdateServiceManager = New-Object -ComObject Microsoft.Update.ServiceManager
    $UpdateService = $UpdateServiceManager.AddScanPackageService("Offline Sync Service", "c:\wsusscn2.cab")
    $UpdateSearcher = $UpdateSession.CreateUpdateSearcher()

    Write-Host "Searching for updates..."

    $UpdateSearcher.ServerSelection = 3 # ssOthers: use the registered scan package, not Windows Update/WSUS
    $UpdateSearcher.ServiceID = [string] $UpdateService.ServiceID

    $SearchResult = $UpdateSearcher.Search("IsInstalled=0")
    $Updates = $SearchResult.Updates

    If ($SearchResult.Updates.Count -eq 0) {
        Write-Host "There are no applicable updates."
        Exit
    }

    Write-Host "List of applicable items on the machine when using wsusscn2.cab:"

    For ($i = 0; $i -lt $SearchResult.Updates.Count; $i++) {
        $update = $SearchResult.Updates.Item($i)
        Write-Host ($i + 1) "> " $update.Title
    }
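The samples above print update titles to the console. On an isolated system the result usually has to travel back with the administrator, so a structured report of KB numbers and MSRC severity is more useful than screen output. The script below is an added example, not code from the article or from Microsoft; it uses the same WUA COM objects as the samples, and the cab path and report path are assumptions. The KBArticleIDs, MsrcSeverity and SecurityBulletinIDs properties are standard members of the WUA IUpdate interface.

```powershell
# Added example (not the article's code): run the offline scan and write a
# structured report of missing updates for collection from an isolated host.
param(
    [string]$CabPath    = 'C:\wsusscn2.cab',            # assumed download location
    [string]$ReportPath = "$env:TEMP\offline-scan.csv"  # assumed output location
)

function Get-MissingUpdatesOffline {
    param([Parameter(Mandatory)][string]$Cab)

    if (-not (Test-Path -LiteralPath $Cab)) { throw "Scan package not found: $Cab" }

    $session = New-Object -ComObject Microsoft.Update.Session
    $manager = New-Object -ComObject Microsoft.Update.ServiceManager

    # AddScanPackageService registers the cab as an "other" update source
    # (ServerSelection 3 = ssOthers). The WUA validates the cab's signature
    # here and the call throws if the package cannot be trusted.
    $service  = $manager.AddScanPackageService('Offline Sync Service', $Cab)
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3
    $searcher.ServiceID = [string]$service.ServiceID

    try {
        $result = $searcher.Search('IsInstalled=0')
    }
    catch {
        # Typical causes: a package the WUA could not validate, or too little
        # memory to complete the scan (see the note on page file size above).
        throw "Offline search failed: $($_.Exception.Message)"
    }

    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            KB           = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ';'
            Severity     = $u.MsrcSeverity          # empty for non-security updates
            Bulletins    = @($u.SecurityBulletinIDs) -join ';'
            Title        = $u.Title
            ScannedAt    = (Get-Date).ToString('s')
        }
    }
}

$missing = @(Get-MissingUpdatesOffline -Cab $CabPath)

if ($missing.Count -eq 0) {
    Write-Host 'There are no applicable updates.'
}
else {
    $missing | Sort-Object Severity, KB | Format-Table KB, Severity, Title -AutoSize
    $missing | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
    Write-Host "Report written to $ReportPath ($($missing.Count) updates)"
}
```

Run the script as an administrator on the isolated host and carry the CSV back to the connected network; because the cab holds only metadata, the listed KB numbers are what you then look up in the Microsoft Update Catalog to obtain the actual update packages.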
In conclusion, the Windows Update Scan Tool, in conjunction with the Wsusscn2.cab file, offers a robust method for performing offline security update scans. This is particularly valuable for managing systems in isolated networks, ensuring they can be assessed for necessary security patches even without direct connectivity to update servers. Remember to always download the latest Wsusscn2.cab file and consider system memory resources when conducting offline scans.