Sunday, November 20, 2016

How to apply Windows hotfix, patch... on a Windows without connect to network which is running on VMware ESXi?

Section 1 – To allow copy and paste text between administrator computer and VM via vSphere client

1.       Poweroff the Windows Server (VM)

2.       Change the following configuration parameters to allow copy and paste “text” via vSphere client


Section 2 – Use MBSA standalone to check a MS server for patch status and also transfer file between administrator computer and VM via vSphere client by mount the ISO file

3.       Download “Folder2Iso” (

4.       Download MBSA 2.3 and related files:

           a. Download Microsoft Baseline Security Analyzer 2.3 (for IT Professionals) -

           b. Download Security update catalog ( from :

Remark: You need to keep using the latest one before run the offline scan

           c. Windows Update Redistribution Catalogue ( located at

5.       Use Folder2Iso to convert those MBSA 2.3 files into ISO

6.       Power on the Windows Server (VM)

7.       Mount the ISO via vSphere client  

8.       Copy file from virtual CD to the server and install MBSA 2.3

9.       After the installation of MBSA complete, copy the and to “C:\Program Files\Microsoft Baseline Security Analyzer 2”

And then, go to command promote to run:

MBSACLI /xmlout /catalog “C:\Program Files\Microsoft Baseline Security Analyzer 2\” /unicode >updates.xml

10.   Open the “updates.xml” by notepad and copy all text inside


Remark: You need to make sure all line being copied. Since the line and content in the files (updates.xml) may over the limit of VMware vSphere client able to copy, you need to check your result in file size very carefully. (I copy all text by separate the file into different parts – I did not copy all line in one time)

11.   Paste all text into a file which is on your machine and rename it to “updates.xml”

12.   Download the “Getupdate.ps1” from or

Modify the line 31, to remove the “#” and save the file to “Getupdate.ps1”


Copy the Run the “updates.xml” and “Getupdate.ps1” into the C:\temp and run the “Getupdate.ps1” under PowerShell to download all necessary hotfix, patch….

Remark: If you running the download from Windows 7 machine, you will need to upgrade your PowerShell verison 5 (By download and install Windows Management Framework 5.0 -

13.   Use Folder2Iso to convert those hotfix, patch files into ISO file

14.   Mount the ISO via vSphere client

15. Copy all files to C:\temp

16.  Install those hotfix by run the “_install.bat”

Remark: If you are using Windows Server 2012 R2, you will need to do the following change of the “_install.bat”

Change "start /wait pkgmgr.exe /ip /m:" to "dism /online /Add-Package /PackagPath:C:\temp\"

Change "nostart" to "norestart"

Remove "/l:%SystemRoot%\Temp\*****.log"



17. You can go to “Programs and Features” – View installed updates to verify those hotfix, patch being installed:


18. Reboot the Server

19. Run the MBSA scan again until no missing patch have been found

Reference: Print Friendly and PDF

No comments:

Post a Comment