Well, it’s not really air-gapped; it’s more that so many policies and so much selective firewalling have been applied that Windows 10 is close to useless.
I was given a ‘new machine’ in some deep data centre, but it’s pretty barren: no Microsoft Office (LOL, use Google stuff? No ODBC?!!! WTF!!!!?), and worse, no Linux Subsystem, no ‘Windows Store’ and no Microsoft .NET.
Well, to add .NET (the NetFx3 feature, i.e. .NET Framework 3.5) it turns out the payload is on the installation media, which I was oddly able to download using the ‘Windows Media Creation Tool‘ and have it write out as an ISO. Then simply mount the ISO as my ‘D’ drive and run:
Dism /online /enable-feature /featurename:NetFX3 /All /Source:D:\sources\sxs /LimitAccess
And of course the ancient .NET 1.1 can also be shoved in there for good measure. Wasn’t that fun?
As for the store, you first need to turn it back on in the registry. These are the policy values that removed it; note that if they are being pushed by Group Policy they will simply come back at the next policy refresh:
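The same .NET 3.5 install, as an added PowerShell example (not from the original post), with the two things you actually want when the media has crossed a gap on a USB stick: a hash check on the ISO before anything on it is trusted, and a drive letter discovered from the mount rather than assumed to be D:. The ISO path and the expected SHA-256 are assumptions you supply.

```powershell
# Added example: enable NetFx3 (.NET Framework 3.5) from a Windows 10 ISO on a
# machine with no internet access. C:\iso\Win10.iso and the expected hash are
# assumptions; record the hash on the machine that downloaded the ISO.
#Requires -RunAsAdministrator
param(
    [string]$IsoPath = 'C:\iso\Win10.iso',
    # Leave empty to skip the check (not recommended for media carried across a gap).
    [string]$ExpectedSha256 = ''
)

$ErrorActionPreference = 'Stop'

# 1. Verify the media before trusting anything on it.
if ($ExpectedSha256) {
    $actual = (Get-FileHash -Path $IsoPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "ISO hash mismatch: expected $ExpectedSha256, got $actual"
    }
}

# 2. Mount the ISO and find out which drive letter it landed on.
$image  = Mount-DiskImage -ImagePath $IsoPath -PassThru
$letter = ($image | Get-Volume).DriveLetter
$sxs    = "${letter}:\sources\sxs"

# The feature payload lives in sources\sxs as an on-demand package .cab.
if (-not (Test-Path "$sxs\microsoft-windows-netfx3-ondemand-package*.cab")) {
    Dismount-DiskImage -ImagePath $IsoPath
    throw "No NetFx3 payload found under $sxs; is this the right ISO?"
}

try {
    # 3. Enable the feature from the local payload only. /LimitAccess stops DISM
    #    from trying Windows Update, which would only hang and then fail here.
    & Dism.exe /Online /Enable-Feature /FeatureName:NetFx3 /All "/Source:$sxs" /LimitAccess
    if ($LASTEXITCODE -ne 0) { throw "DISM failed with exit code $LASTEXITCODE" }

    # 4. Confirm the feature really is enabled rather than trusting DISM's output.
    $state = (Get-WindowsOptionalFeature -Online -FeatureName NetFx3).State
    Write-Host "NetFx3 state: $state"
}
finally {
    Dismount-DiskImage -ImagePath $IsoPath
}
```

Run it as `.\Enable-NetFx3.ps1 -IsoPath C:\iso\Win10.iso -ExpectedSha256 <hash>` from an elevated prompt; the final `State` should read `Enabled`.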
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore]
"RemoveWindowsStore"=dword:00000000
"DisableOSUpgrade"=dword:00000000
Then run the following PowerShell from an elevated prompt to re-register the Store package for all users:
Get-AppXPackage WindowsStore -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}
Now you can get those … exciting apps.
If you can’t get the Store running (it can also fail because services it depends on, like the Storage Service, are stopped or disabled), you can enable the Linux Subsystem and download the Linux userland (the distro package) directly instead of going through the Store.
Ugh, nothing like having to uncripple something deliberately crippled to waste your time.
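The Store re-enable and the WSL fallback above, as one added PowerShell script (not from the original post): it clears the policy values, checks the services the Store needs, re-registers the Store, and if that fails enables the Linux Subsystem and sideloads a distro package. The distro package path and the choice of Ubuntu 18.04 are assumptions; Microsoft publishes that package for manual download at https://aka.ms/wsl-ubuntu-1804.

```powershell
# Added example: lift the Store policy, re-register the Store, and fall back to
# enabling WSL plus a sideloaded distro package when the Store still won't come up.
# C:\iso\Ubuntu_1804.appx is an assumed path for a package downloaded elsewhere.
#Requires -RunAsAdministrator
param(
    [string]$DistroAppx = 'C:\iso\Ubuntu_1804.appx'
)

$ErrorActionPreference = 'Stop'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'

# 1. Undo the policy values. If Group Policy pushes them, they come back at the
#    next refresh; this only sticks when an image set them once.
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'RemoveWindowsStore' -Type DWord -Value 0
Set-ItemProperty -Path $policyKey -Name 'DisableOSUpgrade'   -Type DWord -Value 0

# 2. The Store depends on the Storage Service (StorSvc) and the AppX Deployment
#    Service (AppXSvc); locked-down builds often leave them disabled.
foreach ($svc in 'StorSvc', 'AppXSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { Write-Warning "Service $svc not present"; continue }
    if ($s.StartType -eq 'Disabled') { Set-Service -Name $svc -StartupType Manual }
    if ($s.Status -ne 'Running')     { Start-Service -Name $svc }
}

# 3. Re-register the Store for all users from its staged manifest.
$storeOk = $false
$store = Get-AppxPackage -AllUsers -Name '*WindowsStore*'
if ($store) {
    try {
        $store | ForEach-Object {
            Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"
        }
        $storeOk = $true
    } catch {
        Write-Warning "Store re-registration failed: $_"
    }
} else {
    Write-Warning 'No staged WindowsStore package found; the package itself was removed.'
}

# 4. Fallback: enable WSL and install the distro from the sideloaded package.
#    -NoRestart only defers the reboot; the subsystem works after the next one.
if (-not $storeOk) {
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -NoRestart | Out-Null
    # Check the package signature before installing something that arrived on a USB stick.
    $sig = Get-AuthenticodeSignature -FilePath $DistroAppx
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to install $DistroAppx: signature status $($sig.Status)"
    }
    Add-AppxPackage -Path $DistroAppx
}
```

After a reboot the distro shows up under its own name in the Start menu (or via `wsl.exe`), with no Store involved.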
I used to administer some computers that were also not connected to the internet, but I could bring files onto them. For me the biggest question was how to install updates to the computers without WSUS or anything else that requires connectivity. Fortunately with Windows 10 it’s actually quite straightforward with the cumulative updates. You can get the .msu package (google: Windows 10 release information, click the KB article link corresponding to the minor build you want to update to) and just install it with wusa.exe, even silently. I was even able to update major builds without problems by bringing the ISO file to the computer, mounting it with Powershell and then running setup.exe /auto upgrade /quiet (+ a few other options I cannot recall right now – google Windows Setup Command-Line Options).
I have a feeling I’m going to need that as they have the updates pointed to a server that doesn’t exist (yet?!)…
Honestly, it feels like these air-gapped systems are, if anything, far more vulnerable, as they are never updated.
The other options I used were: /compat ignorewarning (ignore non-critical warnings when upgrading with /quiet), /dynamicupdate disable (don’t try to get the latest cumulative update / driver updates from the internet to which you don’t have access to begin with – this is not strictly necessary as it’ll just time out without a connection, but why let it even try), /migratedrivers all (I see no reason to do otherwise – if a driver is not compatible or not needed, it’ll just get ignored later), /showoobe none (don’t show any user-configurable OOBE screens) and /uninstall disable (don’t let the user downgrade).
Depending on your scenario, the last two might not be applicable. In my case, I did not want the users to have any say in the matter or be able to roll back upgrades.
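The offline patching procedure from the two comments above, as one added PowerShell script (not the commenter’s own, and not from the original post): a cumulative update via wusa.exe, or a feature upgrade via setup.exe with the switches listed, each with an Authenticode check first. The .msu and ISO paths are placeholders you replace.

```powershell
# Added example: apply a cumulative update (.msu) or a feature upgrade (ISO) on a
# machine that cannot reach any update server. Paths are assumptions.
#Requires -RunAsAdministrator
param(
    [string]$MsuPath = 'C:\updates\windows10-cumulative.msu',   # assumed
    [string]$IsoPath = 'C:\iso\Win10.iso',                      # assumed
    [switch]$FeatureUpgrade
)

$ErrorActionPreference = 'Stop'

function Assert-Signed([string]$Path) {
    # Anything carried across the gap on removable media gets verified before it
    # runs as SYSTEM. The publisher match is a coarse check, not a pinned thumbprint.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { throw "$Path is not validly signed ($($sig.Status))" }
    if ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        throw "$Path is signed by an unexpected publisher: $($sig.SignerCertificate.Subject)"
    }
}

if (-not $FeatureUpgrade) {
    Assert-Signed $MsuPath
    # wusa.exe exit codes: 0 installed, 3010 installed but reboot required,
    # 2359302 (0x240006, WU_S_ALREADY_INSTALLED) already installed.
    $p = Start-Process -FilePath wusa.exe -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { Write-Host 'Update installed.' }
        3010    { Write-Host 'Update installed; reboot required.' }
        2359302 { Write-Host 'Update was already installed.' }
        default { throw "wusa.exe failed with exit code $($p.ExitCode)" }
    }
}
else {
    # The ISO stays mounted on purpose: setup restarts the machine itself once the
    # down-level phase is done, and Mount-DiskImage mounts do not survive a reboot.
    $image  = Mount-DiskImage -ImagePath $IsoPath -PassThru
    $letter = ($image | Get-Volume).DriveLetter
    $setup  = "${letter}:\setup.exe"
    Assert-Signed $setup

    # The switches the commenter listed, in one place. /DynamicUpdate Disable keeps
    # setup from even trying to reach the internet.
    $setupArgs = '/Auto Upgrade /Quiet /Compat IgnoreWarning /DynamicUpdate Disable ' +
                 '/MigrateDrivers All /ShowOOBE None /Uninstall Disable'
    $p = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw ('setup.exe returned 0x{0:X8}' -f $p.ExitCode) }
}
```

For the cumulative update, run `.\Apply-OfflineUpdate.ps1 -MsuPath <file>.msu`; for a build upgrade, run it with `-FeatureUpgrade -IsoPath <file>.iso` and expect the machine to reboot on its own.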