What can you do when a Zero Day patch is released but the patch is not available in WSUS? What options do you have as an SCCM admin to patch your Windows 10 devices? This post shows how to fix the issue of the latest Zero-Day patch missing from SCCM by importing it into the WSUS console manually.
**Updated 31 March 2020**
This guide applies to the following KB articles, related to FIX Internet Connectivity Issue With Windows 10 | VPN | Proxy.
- Windows 10, version 1909 (KB4554364)
- Windows 10, version 1903 (KB4554364)
- Windows 10, version 1809 (KB4554354)
- Windows 10, version 1803 (KB4554349)
- Windows 10, version 1709 (KB4554342)
Introduction
In general, Microsoft releases updates together with WSUS metadata catalog information. Sometimes, Microsoft releases individual updates that are not part of the WSUS catalog. In that scenario, we need to import the updates into the WSUS console using Windows Catalog Agent.
NOTE! – When you see the following in a KB article, you most probably won’t see these updates in an SCCM system configured with WSUS or SUP.
| Release Channel | Available | Next Step |
|---|---|---|
| Windows Update or Microsoft Update | No | See the other options below. |
| Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the Microsoft Update Catalog website. |
| Windows Server Update Services (WSUS) | No | You can import this update into WSUS manually. See the Microsoft Update Catalog for instructions. |
NOTE! – Microsoft will be publishing these patches to WSUS soon. Probably by end of the day today!
Prerequisites
- The WSUS server must have internet access to import the metadata from Microsoft into the WSUS console
- Internet Explorer needs the ‘Microsoft Update Catalog’ add-on to find the updates on the Microsoft site; you will be prompted to install it when you open the Microsoft Update Catalog website URL – http://catalog.update.microsoft.com
Overall Process – Fix Zero Day Patch Missing from SCCM
Technical Steps to Import the MS update (hotfixes) metadata in WSUS
- Log in to the upstream (first) SUP WSUS server
- Open Windows Server Update Services from Administrative Tools with ‘Run as administrator‘
- Click ‘Yes’ in the User Account Control window
- In the left-hand panel, select Updates and click Import Updates… in the right-hand panel
- Enter the KB article number and click the Search icon
- Identify the required patch for your environment and click Add
- The metadata is added to the View Basket, which shows the update count
- Enter another KB article number and click Search
- Select the required KB article and click Add
- Click View Basket; the total update count is visible
- Ensure all the required updates are selected and click the Import icon
- The metadata of the selected updates is being imported into the WSUS console
- The update metadata is imported into the WSUS console
How to Check That the Updates Are Available in the WSUS Console
- Open the WSUS console and expand the Updates node
- Select All Updates and click the Search icon in the right-hand panel
- Enter the KB article ID that was recently imported and click Find Now
- The updates are available in the WSUS console
How to Sync from WSUS to SCCM database
- Open the SCCM console
- Select the Software Library
- Expand Software Updates
- Select ‘All Software Updates‘, right-click, and select ‘Synchronize Software Updates‘
- Open WSUSSYnc.log on the site server; you can find the imported update information there.
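The console checks in the last two sections can also be scripted. The following PowerShell is an added example, not part of the original article: it confirms that each KB listed in this guide is present in WSUS after the import and then requests a software update synchronization. It assumes an elevated session on the upstream WSUS/SUP server with the Configuration Manager console installed; `P01` is a placeholder site code.

```powershell
# Added example, not from the original article.
# Run elevated on the upstream WSUS/SUP server after the import.
# KB numbers are the ones listed at the top of this guide;
# trim the list to the Windows 10 versions you actually imported.
$kbs = '4554364', '4554354', '4554349', '4554342'

# Get-WsusServer (UpdateServices module) connects to the local WSUS instance.
$wsus = Get-WsusServer

$report = foreach ($kb in $kbs) {
    # SearchUpdates is a text search, so keep only updates whose KB field matches exactly.
    $hits = @($wsus.SearchUpdates($kb) |
        Where-Object { $_.KnowledgebaseArticles -contains $kb })

    if ($hits.Count -eq 0) {
        [pscustomobject]@{ KB = "KB$kb"; InWsus = $false; Declined = $null; Arrived = $null; Title = $null }
        continue
    }
    foreach ($u in $hits) {
        [pscustomobject]@{
            KB       = "KB$kb"
            InWsus   = $true
            Declined = $u.IsDeclined      # a declined update is not offered to clients
            Arrived  = $u.ArrivalDate     # when the metadata reached this WSUS server
            Title    = $u.Title
        }
    }
}
$report | Sort-Object KB, Title | Format-Table -AutoSize -Wrap

$missing = @($report | Where-Object { -not $_.InWsus })
if ($missing.Count -gt 0) {
    Write-Warning ("Not in WSUS yet, import these first: " + ($missing.KB -join ', '))
    return
}

# Assumptions: the Configuration Manager console is installed on this machine
# and 'P01' is a placeholder for your site code.
$siteCode = 'P01'
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Push-Location "${siteCode}:"
try {
    # Same action as 'Synchronize Software Updates' in the console.
    Sync-CMSoftwareUpdate -FullSync $false
}
finally {
    Pop-Location
}
```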
Thank you Kannan. When we try to install .msu file with the help of WUSA.exe, the command is not executing via SCCM. But manually it works. Any idea of the issue?
Awesome thanks.
WSUSSYnc.log should be wsyncmgr.log (screenshot is correct)
Thanks for sharing!!
Hi Kannan sir, my name is Krishna. It was nice to talk with you.
Nice article
Great article. I used it in combination with ‘https://4sysops.com/archives/import-updates-manually-into-wsus-with-ie-or-powershell/’. I need it for importing KB5001567. Thx
Hi Kannan,
In our environment, we are not enabled for Windows Defender in products, but as part of vulnerability remediation, we imported an update through MS catalog, it was showing in WSUS portal, but not synced to SMS DB, any idea?
Hello – I never tried this. I was trying to understand how the scan against the cab file works in this scenario if you have not enabled the category/product.
Worked a treat, Many Thanks needed the reboot