Third-Party Updates on an Air-Gapped Network

Over the years I have worked with numerous customers that have specialty networks that are air-gapped from anything internet facing. While this brings additional challenges in many areas, today I want to talk about how you can use the third-party update functionality of Configuration Manager on an air-gapped network. Sort of.

The first step is to get the update catalog over to your air-gapped network.

You can find the list of available catalogs here. In this example I am going to use the Dell catalog. Save the .cab file and copy it over to your isolated network. You will need to put the .cab file somewhere the site server can fetch it over HTTP, because CM subscribes to a catalog by URL rather than by file path. I went about as easy as you can get and created a folder under the default IIS site, dropped the file in there, and that was all I had to do to make it available.

Now over in the CM console go to the third-party update catalogs node and add a custom catalog, using the URL that points at the file you copied over. CM still shows you the catalog's signing certificate to review and approve when you subscribe, just as it does on a connected site.

This is where we take the big split from a standard CM implementation of third-party updates. CM requires internet access to download and publish the update content. Without that access we are limited to syncing the update metadata and scanning clients against it; any attempt to publish full content from CM will fail. Just having the metadata is still useful, because it shows exactly which updates are required in the environment, so we do not have to guess.

The way around the internet access requirement is to go back in time.

[Insert Back to the Future reference / joke here]

We are going to use Updates Publisher. I am not going to cover the download and setup of Updates Publisher; you can use the linked docs for that. Once you have finished the install and configuration, go ahead and import the same catalog we used in CM into Updates Publisher.

I am not going to add screenshot after screenshot here, I am presuming you either have some experience with Updates Publisher or can work through the general usage.

At this point we are going to pop back over to the CM console. Go to All Software Updates and filter down to the required updates.

The blue icons tell us the updates are published as metadata only. At this point we could grab an update ID, take it over to Updates Publisher, look up the update, and get the URL to download the payload. Keep in mind I said “could”, not that we will. Instead, we are going to run a SQL query against the site database to get the download URLs for all applicable third-party updates at once.

-- Required, not-yet-deployed updates that came in through a third-party catalog,
-- with the vendor download URL recorded for each one.
select UI.Title, ISV.DownloadUrl
from v_UpdateInfo UI
join v_Update_ComplianceSummary CS on CS.CI_ID = UI.CI_ID
-- ISVPublishedUpdates.Id is not a string column, hence the cast to match CI_UniqueID.
-- The join already restricts the result to catalog updates, so no extra IN subquery is needed.
join ISVPublishedUpdates ISV on cast(ISV.Id as varchar(300)) = UI.CI_UniqueID
where CS.NumMissing > 0   -- at least one client still needs it
  and UI.IsDeployed = 0   -- not already in a deployment
order by UI.Title;

The query gives us a list of updates and their payload URLs that we can save as a CSV. You can type the URLs by hand on your internet-facing network, or, if you have a process to move files from the air-gapped network to the internet-facing one, carry the CSV across, which is much faster.
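The download and the trip back across the gap are where a practitioner wants a check: the payloads come from a vendor URL on the connected side and land in the Updates Publisher local source folder on the isolated side, so it is worth recording what was fetched and re-verifying each file before it is published. The PowerShell below is an added example and not code from the original post; it reads the CSV saved from the SQL query, downloads each URL into a staging folder, writes a manifest of SHA-256 hashes and Authenticode signature status, and on the air-gapped side admits only files that still match the manifest and carry a valid signature. The same record can be taken of the catalog .cab copied over earlier. The column names Title and DownloadUrl, the folder paths in the usage comments, and the expectation that vendor payloads are Authenticode-signed are all assumptions.

```powershell
# Added example, not part of the original post: stage the payloads on the
# internet-facing side, record what was fetched, and re-check every file after
# it crosses the air gap before it goes into the Updates Publisher local source
# folder. The same record works for the catalog .cab copied over earlier.
# Assumptions (not from the post): the CSV saved from the SQL query has Title and
# DownloadUrl columns, the folder paths in the usage comments at the bottom,
# and vendor payloads are Authenticode-signed.

$ErrorActionPreference = 'Stop'

# Hash and signature details for one file; this is what travels with the file.
function Get-FileTrustRecord {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Title = ''
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Title     = $Title
        FileName  = [IO.Path]::GetFileName($Path)
        Sha256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status.ToString()
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Internet-facing side: download every URL from the query output into a staging
# folder and emit one manifest row per file.
function Get-PayloadManifest {
    param(
        [Parameter(Mandatory)][string]$UrlCsv,
        [Parameter(Mandatory)][string]$StagingDir
    )
    New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null
    foreach ($row in Import-Csv -Path $UrlCsv) {
        $uri = [Uri]$row.DownloadUrl
        if ($uri.Scheme -ne 'https') {
            # Transport is not the only control (the signature check still applies
            # on the other side), but make it visible in the run log.
            Write-Warning "Non-HTTPS download for '$($row.Title)': $uri"
        }
        # Keep the vendor's file name; that is what the local source lookup is keyed on.
        $file = Join-Path $StagingDir ([IO.Path]::GetFileName($uri.LocalPath))
        Invoke-WebRequest -Uri $uri -OutFile $file -UseBasicParsing
        Get-FileTrustRecord -Path $file -Title $row.Title
    }
}

# Air-gapped side: accept a file only if it matches the manifest hash and its
# Authenticode signature validates on this host; copy the survivors into the
# Updates Publisher local source folder and report whether everything passed.
function Test-PayloadManifest {
    param(
        [Parameter(Mandatory)][string]$ManifestCsv,
        [Parameter(Mandatory)][string]$IncomingDir,
        [Parameter(Mandatory)][string]$LocalSourceDir
    )
    $allGood = $true
    foreach ($entry in Import-Csv -Path $ManifestCsv) {
        $file = Join-Path $IncomingDir $entry.FileName
        if (-not (Test-Path -Path $file)) {
            Write-Warning "Missing: $($entry.FileName)"; $allGood = $false; continue
        }
        $now = Get-FileTrustRecord -Path $file -Title $entry.Title
        if ($now.Sha256 -ne $entry.Sha256) {
            Write-Warning "Hash mismatch: $($entry.FileName)"; $allGood = $false; continue
        }
        if ($now.SigStatus -ne 'Valid') {
            Write-Warning "Signature $($now.SigStatus): $($entry.FileName)"; $allGood = $false; continue
        }
        Copy-Item -Path $file -Destination (Join-Path $LocalSourceDir $entry.FileName) -Force
    }
    return $allGood
}

# Usage (all paths are assumptions):
# Internet-facing host, using the CSV saved from the SQL query:
#   Get-PayloadManifest -UrlCsv C:\Transfer\urls.csv -StagingDir C:\Transfer\Payloads |
#       Export-Csv -Path C:\Transfer\manifest.csv -NoTypeInformation
# Air-gapped host, after the Payloads folder and manifest.csv come across:
#   Test-PayloadManifest -ManifestCsv D:\Transfer\manifest.csv -IncomingDir D:\Transfer\Payloads `
#       -LocalSourceDir D:\UpdatesPublisher\LocalSource
# The catalog .cab can be recorded the same way before it is copied across:
#   Get-FileTrustRecord -Path C:\Transfer\DellCatalog.cab
```

Two things to keep in mind when running this. Get-AuthenticodeSignature can only report Valid on the isolated host if the vendor's signing chain is trusted there, so if the root is not in that host's store you will see NotTrusted even for a good file; in that case the manifest's SigStatus from the connected side plus the hash comparison is what you have, and the trust then rests on how the manifest itself crosses the gap. Also, the functions deliberately keep the file name from the vendor URL, since that is the name Updates Publisher looks for in the local source folder when it publishes full content.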

Once you have downloaded the desired update(s) and copied them over to your air-gapped network, there is a change to make in the Updates Publisher options. On the Authoring tab, enable the local source option so Updates Publisher looks for content on disk instead of fetching it from the vendor URL. I opted to set a custom path for this as well.

Now find the first of the updates you want to publish in Updates Publisher.

Put the payload in the local publishing folder you defined.

Right-click the update and choose Publish.

Choose Full Content and then click through the wizard.

If you look in the Updates Publisher log you can see that it found the local source.

Now go back to CM and run a full software update synchronization. Once it completes, search for the updates again and you will see that the update(s) we published now show as full content (green icon).

Now you can download and deploy in CM as you normally would on an internet facing network.