WSUS Offline Update 10.9: download security updates only

Martin Brinkmann
Jan 11, 2017

WSUS Offline Update 10.9 ships with a new option to download "security only updates" instead of "quality rollups" for Windows 7 and 8.1, and Windows Server 2008 R2, 2012, and 2012 R2.

Microsoft switched to a new update format recently that changes how updates are provided for Windows 7, Windows 8.1, and the server operating systems Windows Server 2008 R2, 2012, and 2012 R2.

Two update packages are released every month for the operating systems instead. The first package includes security updates only, and is not cumulative. It is not offered through Windows Update either.

The second package is cumulative, and includes security and non-security updates.


Windows customers who are concerned about privacy download the security updates only, to avoid any new telemetry collection features and other invasive features.

Users had to rely on the Microsoft Update Catalog up until now to download the security patches.

The latest version of WSUS Offline Update changes this as it comes with an option to download security updates only.

WSUS Offline Update is a popular third-party program to download updates for various Microsoft operating systems, Office, and other company products.

You can check out our review of WSUS Offline Update 8 here for an overview. The program is updated constantly to take into account update-related changes, and to include new updates that Microsoft releases.

WSUS Offline Update 9.3 is a portable program that you can run from any location. To enable the download of security updates only, do the following:

  1. Download the latest version of the program from the developer website.
  2. Extract the archive to a location on your system.
  3. Run the program afterwards.
  4. Check the "Use 'security only updates' instead of 'quality rollups'" option.

This works only for Windows 7 and 8.1 on the client side, and Windows Server 2012, 2012 R2 and 2008 R2 on the server side.

Here is what happens in the background when you enable that option:

  1. Updates released prior to October 2016 are downloaded just like before.
  2. Security-only Updates are downloaded starting October 2016. Quality rollups are not downloaded starting the same month.

This means that non-security updates are not downloaded anymore when you make the change. Regardless of that, updates are only downloaded to the local system but not executed after download.
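The selection rule above, and the consequence of the security-only package not being cumulative, as an added sketch. This is not WSUS Offline's own code: the record fields, function names and sample catalogue are constructed for illustration, and it assumes one security-only package per month.

```python
CUTOVER = (2016, 10)  # first month of the new update format, per the article

# Constructed sample catalogue; ids are placeholders, not real KB numbers.
CATALOG = [
    {"id": "legacy-A", "month": (2016, 9), "kind": "legacy"},
    {"id": "seconly-2016-10", "month": (2016, 10), "kind": "security_only"},
    {"id": "rollup-2016-10", "month": (2016, 10), "kind": "rollup"},
    {"id": "seconly-2016-11", "month": (2016, 11), "kind": "security_only"},
    {"id": "rollup-2016-11", "month": (2016, 11), "kind": "rollup"},
    # December's security-only package is deliberately absent here.
    {"id": "rollup-2016-12", "month": (2016, 12), "kind": "rollup"},
    {"id": "seconly-2017-01", "month": (2017, 1), "kind": "security_only"},
    {"id": "rollup-2017-01", "month": (2017, 1), "kind": "rollup"},
]


def select_downloads(updates, security_only):
    """Return the updates that would be downloaded for the chosen mode."""
    wanted = "security_only" if security_only else "rollup"
    chosen = []
    for u in updates:
        if u["month"] < CUTOVER:
            chosen.append(u)      # pre-October-2016: downloaded as before
        elif u["kind"] == wanted:
            chosen.append(u)      # from October 2016: one package type only
    return chosen


def missing_months(selected, through):
    """Months from the cutover to `through` lacking a security-only package.

    The security-only package is not cumulative, so a skipped month is a
    real gap in coverage rather than something a later package fills in.
    """
    have = {u["month"] for u in selected if u["kind"] == "security_only"}
    year, month = CUTOVER
    gaps = []
    while (year, month) <= through:
        if (year, month) not in have:
            gaps.append((year, month))
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return gaps


if __name__ == "__main__":
    picked = select_downloads(CATALOG, security_only=True)
    print([u["id"] for u in picked])
    print("gaps:", missing_months(picked, through=(2017, 1)))
```
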

Closing Words

The new option that WSUS Offline Update 10.9 ships with adds missing functionality to the program. Considering that you could only use it to download the quality rollup patches up until now, it is now once again usable by users who only want to download and install the security patches.

Now You: Which do you install? Security only patches, or all patches?



  1. A different Martin said on January 17, 2017 at 5:56 pm

    @ www:

    Martin provided a link; do a search on this page for Landing Page. Once you’re on the site, scroll down a bit for English.

    WSUS Offline is a portable program. It seems to have short pathname limits, so put it somewhere close to a drive root (whether physical or mapped, I assume). I normally put my all-user portable programs in C:\Program Files (portable), and that was too long for WSUS Offline.

    1. www said on January 20, 2017 at 1:47 pm

      @A different Martin

      I now have a dedicated USB stick devoted solely to WSUS Offline. Is this interchangeable between two different Win7 machines? One a 32bit and the other a 64bit? And can it interchange with a Win8.1 if I include those Win8.1 update packages as well?

      Or should I just get separate USB sticks for each machine?

      Not trying to complicate things any. Just looking for any info you have, thanks.

      1. A different Martin said on January 20, 2017 at 5:48 pm

        @ www:

        I can’t say for sure. I’ve only used WSUS Offline once, on one x64 Win7 system. When I examine the program’s folder tree and the names and contents of the subfolders, it looks like you probably can use the same portable install of WSUS Offline for any supported version of Windows. You might want to be careful about double-checking settings in the generator and installer dialog windows when you switch from one version of Windows to another, since WSUS Offline seems to use a single (common?) INI file for the generator and one for the installer … but again, I can’t say for sure, never having done it. I’m pretty sure there are gHacks readers who have a lot more experience with WSUS Offline than I do. Maybe one of them can chime in.

    2. www said on January 18, 2017 at 12:49 pm

      Ah, I saw that after the fact! My bad. Thanks.

      Yes, I used a installation but it’s not as granular as I expected it to be. Even leaving the x64 boxes unticked (I use a 32bit machine), I see that it’s downloading them anyway. At least, according to the CMD box that pops up showing them.

      And it looks like I’m also downloading Service Pack 1 as we speak to the portableapps directory, yet I already have SP1 installed. What’s up with that?

      Looks like this is more for using after a clean install than anything.

      1. A different Martin said on January 18, 2017 at 8:06 pm

        @ www:

        For me, WSUS Offline downloaded 203 updates on the first (and so far sole) generator run and installed 10 updates on the first installer run and maybe 2 or 3 updates on the second installer run. I didn’t check my WSUS Offline “repository” against any master list of updates, but just from the number (203), I’m pretty sure no non-security updates were downloaded.

        To format my comments, I just use html tags in angle brackets, i for italics and strong for bold (b didn’t work when I tried it). I found this out through trial and error, but there’s probably a WordPress reference page somewhere saying what tags are supported.

      2. www said on January 18, 2017 at 6:24 pm

        “As I mentioned in an earlier comment, it looked to me like WSUS Offline downloads every update since RTM in the categories you check off,”

        No, it looks like it’s downloading in the categories I didn’t check off as well. 64bit updates or SP1? I don’t need those. We’re talking a couple of hundred updates since the beginning of time.

        “but only installs the updates you’re missing.”

        I wonder how it gets around to doing that at the end? I didn’t wait to find out since it’s much faster to use something like Belarc Personal Advisor to determine what’s missing and all that.

        PS: What tagging did you use to get italicized type font in your response?

      3. A different Martin said on January 18, 2017 at 3:41 pm

        As I mentioned in an earlier comment, it looked to me like WSUS Offline downloads every update since RTM in the categories you check off, so you have a kind of local repository, but only installs the updates you’re missing.

  2. www said on January 17, 2017 at 11:55 am

    Martin, is there a direct link to the developer’s website? I don’t see it up above.

    And is there a portable version for 10.9? Where is it also located?


  3. A different Martin said on January 14, 2017 at 4:44 am

    Thanks, Martin. This is very nice to have for all of us who have given up on Windows Update and who have had problems with the Microsoft Update Catalog site.

    I was a little concerned when WSUS Offline’s first executable (the update “generator”) downloaded 203 packages, as my computer is only a couple of months out of date. When the second executable (the update installer) only installed 10 of them (on the first run, plus maybe one or two on the second run), my concern was allayed. Everything worked smoothly, so far as I can tell, and Belarc Advisor now tells me I’m not missing any security updates. This makes me feel a bit less uncomfortable about continuing to run Windows 7 for a while longer.

    I guess now I’m waiting for the other shoe to drop … the other shoe being the next buggy or sneaky Microsoft security update. Now that far fewer people are installing individual security updates, I have a hunch it’s going to take a lot longer than before for us to hear about problems with them on the Web.

    In related news, Linux Mint 18.1 and Chapeau Linux 24 still seem to be running and updating fine in VirtualBox. Mint is conservative with a very familiar GUI (Cinnamon), and Chapeau is cutting-edge with a less familiar GUI (Gnome 3.2). Neither has caused me any significant hassles. Mint (with an older kernel) would be good for installing on a slightly older computer and Chapeau (with a very recent kernel) would probably be better for installing on a new computer with a Kaby Lake chipset, at least until Mint’s default kernel catches up. One of the downsides of Chapeau’s being a cutting-edge distro is that OS updates seem to be released every couple of days, and you have to reboot to install them. I suppose that could get annoying if it were your primary, bare-metal OS.

    Anyway, many thanks for posting this article. I had trouble with the previous version of WSUS Offline and wouldn’t have known about the new one, or tried it, if you hadn’t written about it.

  4. sirpaul2 said on January 13, 2017 at 5:38 am

    This seems to be a great idea, but with the way MS has been acting for the last year and a half, I don’t trust them.

  5. Pasha said on January 12, 2017 at 6:50 pm

    I’m curious, how long does it typically take to update a fresh install of Windows 7 using wsus? It’s almost been 24 hours and I’m still on update 1 of 9; Did I by chance run into an error or does it just take a long time?

  6. Mystique said on January 12, 2017 at 11:06 am

    Plot twist! Microsoft “Accidentally” mislabels several telemetry updates as a ‘Security’.

    I cannot trust Microsoft to do the right thing at all these days.

    Whilst some may argue that Microsoft may have always been this evil it’s silly to accept their behaviour after knowing better. It’s like smoking cigarettes, when my father’s generation began smoking they did so without the knowledge we have now and of course cigarettes have only become worse packed with all sorts of nasties so it’s entirely stupid to be smoking in our days knowing the risks.

    Be vigilant.

    P.S. Their new update to disable some telemetry changes nothing, they are still terrible. There should never be ads embedded in an OS… EVER!

  7. Dave said on January 11, 2017 at 1:35 pm

    Good news. Thanks Martin

  8. Anonymous said on January 11, 2017 at 12:22 pm

    Only security patches. Using WSUS since few months I really enjoy this new option, thank you for the info.

  9. mike said on January 11, 2017 at 11:54 am

    I’ve only ever had security updates selected.
    Recently updates failed when they moved to rollups.
    I tried everything, even standalone installers failed.
    I finally found the answer somewhere: to try DISM commands to install updates.
    It worked.
    I don’t know the reason, if any of you do, post it here.

    This programme piqued my interest and I’m making sure I have a copy just in case.

  10. mike said on January 11, 2017 at 11:33 am

    I welcome this option.
    I have only security updates selected.
    Never been bothered by it till now.
    I recently had Windows Update fail, the first thing to go wrong on my W7 rig.

    Even standalone installers failed. I tried everything, including many tips from here.

    I had thought it was the rollup format, but I finally found a tip to use DISM commands to install updates. Now it all works again, though I don’t know the reason. Love to know if anyone has the answer?

    So another option like this is great, I only hope the installer works.

  11. Fena said on January 11, 2017 at 11:20 am

    Install date from systeminfo is April 26-2010 Win 7 64 bit service pack 1 no updates at all. No problems at all. IExplorer is turned off.

  12. zund said on January 11, 2017 at 10:37 am

    I’ve been editing the custom exclude- and static-lists the last few months.
    So this update is very appreciated.

  13. Jojo said on January 11, 2017 at 10:25 am

    Looking good!
    Thanks =]
