Air-gapped SUP sync to upstream WSUS.
Question
I am setting up an air-gapped ConfigMgr environment (no internet). I have the WSUS for my SUP pointing to an internet-facing upstream WSUS (different domain, not a site system, firewall opened to allow sync).
Problem: While most patches are downloading, many are failing to download (“DownloadUpdateContent() failed with hr=0x80070002” in the patchdownloader.log).
*** Do updates on the Upstream WSUS need to be approved in order for them to sync/download to the downstream WSUS/SUP? ***
Otherwise, I am used to leaving WSUS patches in an ‘unapproved’ state for a simple standalone connected SUP.
Answers (3)
Hi, I think there is a known issue with air-gapped WSUS environments.
Have you already tried this?
https://support.microsoft.com/en-us/topic/software-updates-do-not-download-in-configuration-manager-environment-if-wsus-is-disconnected-1d665614-4fdf-171d-20c8-f1e5cec424f3
Unless I am missing something, this article seems specific to 1806 needing a hotfix. I am running 1910.
It seems to me as if I need to have the patches approved upstream before they can be downloaded downstream. Perhaps setting up an auto-approval rule to an empty computer group at the top-level WSUS would be a way to get it dynamically?
Have you already tried the method you explained above? I never tested this.