Patch Missing from SCCM How to Import into WSUS Manually

Let us learn about Patch Missing from SCCM and How to import into WSUS manually. Whenever you have a Zero Day patch and you don’t have the patches in WSUS? What are your options as an SCCM admin to patch your Windows 10 devices? Do you want to learn Intune?

How to Fix the issue of the latest Zero-Day patch missing from SCCM. How to import them into the WSUS console manually? Internet Explorer out-of-support-related notes are added to the prerequisites for this method.

The top-level SUP uses WSUS to get information about software updates from Microsoft into SCCM. You might need an update that doesn’t automatically synchronize into WSUS for your selected products and classifications but is available in the Microsoft Update Catalog.

UPDATED on 26th July 2023 – Microsoft is removing the option to manually import the updates into WSUS because of the deprecation of ActiveX components. The Import Updates function was built using ActiveX, which is now deprecated. More details are below.

The latest example for this type manual method of import is explained – Bug Fix OOB Update Sign In And Kerberos Authentication Issue | Domain Controllers. This Guide is applicable for the following KB articles related to FIX Internet Connectivity Issue With Windows 10 | VPN | Proxy.

• Windows 10, version 1909 (KB4554364)
• Windows 10, version 1903 (KB4554364)
• Windows 10, version 1809 (KB4554354)
• Windows 10, version 1803 (KB4554349)
• Windows 10, version 1709 (KB4554342)

• KB4522014 for win10 1803
• KB4522015 for win10 1809

New PowerShell Script Method to Manually Import the Updates to WSUS

New PowerShell Script Method to Manually Import the Updates to WSUS and then to SCCM. A new PowerShell script replaces the import functionality within WSUS. You will now use this script to download the updates and have them imported to your WSUS server. As per Microsoft documentation, there are two ways to get this new script:

1. Follow your typical WSUS admin user interface steps: Actions > Import Updates. You’ll now be redirected to the documentation containing the script.
2. Go directly to the PowerShell script to import updates into WSUS in the official WSUS and the Catalog site documentation.

Once you copy the script, you’ll follow a series of steps to import updates into WSUS using PowerShell. Briefly, here’s what you’ll have to do:

1. Save the script.
2. Open the Microsoft Update Catalog site in a browser.
3. Search for an update you want to import into WSUS.
4. Select the desired update from the returned list.
5. Copy the UpdateID on the opened details page. Note: If importing multiple updates, create a text file with each UpdateID on a separate line.
6. To import updates, open a PowerShell console as an administrator and run the script with the syntax provided in our documentation.

Note: The files for the imported updates aren’t downloaded at the time of import. Please check your Update files settings to review or change when they will be downloaded.

<#
.SYNOPSIS
Powershell script to import an update, or multiple updates into WSUS based on the UpdateID from the catalog.

.DESCRIPTION
This script takes user input and attempts to connect to the WSUS server.
Then it tries to import the update using the provided UpdateID from the catalog.

.INPUTS
The script takes WSUS server Name/IP, WSUS server port, SSL configuration option and UpdateID as input. UpdateID can be viewed and copied from the update details page for any update in the catalog, https://catalog.update.microsoft.com. 

.OUTPUTS
Writes logging information to standard output.

.EXAMPLE
# Use with remote server IP, port and SSL
.\ImportUpdateToWSUS.ps1 -WsusServer 127.0.0.1 -PortNumber 8531 -UseSsl -UpdateId 12345678-90ab-cdef-1234-567890abcdef

.EXAMPLE
# Use with remote server Name, port and SSL
.\ImportUpdateToWSUS.ps1 -WsusServer WSUSServer1.us.contoso.com -PortNumber 8531 -UseSsl -UpdateId 12345678-90ab-cdef-1234-567890abcdef

.EXAMPLE
# Use with remote server IP, defaultport and no SSL
.\ImportUpdateToWSUS.ps1 -WsusServer 127.0.0.1  -UpdateId 12345678-90ab-cdef-1234-567890abcdef

.EXAMPLE
# Use with localhost default port
.\ImportUpdateToWSUS.ps1 -UpdateId 12345678-90ab-cdef-1234-567890abcdef

.EXAMPLE
# Use with localhost default port, file with updateID's
.\ImportUpdateToWSUS.ps1 -UpdateIdFilePath .\file.txt


.NOTES  
# On error, try enabling TLS: https://learn.microsoft.com/mem/configmgr/core/plan-design/security/enable-tls-1-2-client

# Sample registry add for the WSUS server from command line. Restarts the WSUSService and IIS after adding:
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1

## Sample registry add for the WSUS server from PowerShell. Restarts WSUSService and IIS after adding:
$registryPath = "HKLM:\Software\Microsoft\.NETFramework\v4.0.30319"
$Name = "SchUseStrongCrypto"
$value = "1" 
if (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
}
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
Restart-Service WsusService, w3svc

# Update import logs/errors are under %ProgramFiles%\Update Services\LogFiles\SoftwareDistribution.log

#>

param(
    [Parameter(Mandatory = $false, HelpMessage = "Specifies the name of a WSUS server, if not specified connects to localhost")]
    # Specifies the name of a WSUS server, if not specified connects to localhost.
    [string]$WsusServer,

    [Parameter(Mandatory = $false, HelpMessage = "Specifies the port number to use to communicate with the upstream WSUS server, default is 8530")]
    # Specifies the port number to use to communicate with the upstream WSUS server, default is 8530.
    [ValidateSet("80", "443", "8530", "8531")]
    [int32]$PortNumber = 8530,

    [Parameter(Mandatory = $false, HelpMessage = "Specifies that the WSUS server should use Secure Sockets Layer (SSL) via HTTPS to communicate with an upstream server")]
    # Specifies that the WSUS server should use Secure Sockets Layer (SSL) via HTTPS to communicate with an upstream server.  
    [Switch]$UseSsl,

    [Parameter(Mandatory = $true, HelpMessage = "Specifies the update Id we should import to WSUS", ParameterSetName = "Single")]
    # Specifies the update Id we should import to WSUS
    [ValidateNotNullOrEmpty()]
    [String]$UpdateId,

    [Parameter(Mandatory = $true, HelpMessage = "Specifies path to a text file containing a list of update ID's on each line", ParameterSetName = "Multiple")]
    # Specifies path to a text file containing a list of update ID's on each line.
    [ValidateNotNullOrEmpty()]
    [String]$UpdateIdFilePath
)

Set-StrictMode -Version Latest

# set server options
$serverOptions = "Get-WsusServer"
if ($psBoundParameters.containsKey('WsusServer')) { $serverOptions += " -Name $WsusServer -PortNumber $PortNumber" }
if ($UseSsl) { $serverOptions += " -UseSsl" }

# empty updateID list
$updateList = @()

# get update id's
if ($UpdateIdFilePath) {
    if (Test-Path $UpdateIdFilePath) {
        foreach ($id in (Get-Content $UpdateIdFilePath)) {
            $updateList += $id.Trim()
        }
    }
    else {
        Write-Error "[$UpdateIdFilePath]: File not found"
		return
    }
}
else {
    $updateList = @($UpdateId)
}

# get WSUS server
Try {
    Write-Host "Attempting WSUS Connection using $serverOptions... " -NoNewline
    $server = invoke-expression $serverOptions
    Write-Host "Connection Successful"
}
Catch {
    Write-Error $_
    return
}

# empty file list
$FileList = @()

# call ImportUpdateFromCatalogSite on WSUS
foreach ($uid in $updateList) {
    Try {
        Write-Host "Attempting WSUS update import for Update ID: $uid... " -NoNewline
        $server.ImportUpdateFromCatalogSite($uid, $FileList)
        Write-Host "Import Successful"
    }
    Catch {
        Write-Error "Failed. $_"
    }
}

Introduction – Patch Missing from SCCM How to Import into WSUS Manually

In general, Microsoft will release the update with WSUS metadata catalog information most of the time. Sometimes, MS will release individual updates not part of the WSUS catalog.

We need to import the updates into the WSUS console using Windows Catalog Agent in this scenario.

NOTE! When you see the following in a KB article, you probably won’t see all these in SCCM WSUS or SUP-configured system.

Release Channel	Available	Next Step
Windows Update or Microsoft Update	No	See the other options below.
Microsoft Update Catalog	Yes	To get the standalone package for this update, go to the Microsoft Update Catalog website.
Windows Server Update Services (WSUS)	No	You can import this update into WSUS manually. See the Microsoft Update Catalog for instructions.

NOTE! – Microsoft will be publishing these patches to WSUS soon. Probably by the end of the day today!

Prerequisites

1. WSUS Server to have internet access to import the metadata from Microsoft to WSUS Console
2. The Internet Explorer needs to add on ‘Microsoft Update Catalog’ to find the updates from the MS site, or it will be prompted when trying to open the Microsoft update catalog website URL – http://catalog.update.microsoft.com.
3. Internet Explorer is one of the prerequisites for this. Otherwise, check out the note below.

NOTE! – If you have already disabled IE, you need to use some of the tricks that are explained by K_Wester-Ebbinghaus in his Tech Community post.

Links to add to Microsoft Edge IE Mode

If you are already using IE Mode for MS Edge, then ensure you added the following URLs to IE Mode sites.

https://catalog.update.microsoft.com/
https://catalog.update.microsoft.com/v7/site/Home.aspx 

• Enable Internet Explorer IE Mode in Microsoft Edge
• Configure Enterprise Mode Site List to use IE Mode
• Disable Internet Explorer Using Intune Group Policy Browser App

Overall Process – Fix Zero-Day Patch Missing from SCCM

Technical Steps to Import the MS update (hotfixes) metadata in WSUS

Login into the Upstream (First) SUP WSUS server

Open the Windows Server Update Services with ‘Run as administrative‘  from the Administrative tools.

Click ‘Yes’ in the User Access Control window

In the left-hand panel, select Updates and click Import Updates…in the right-hand panel.

Input the KB article number and click the Search icon

Identify the required patch as per the environment and click Add

The metadata is added in the View Basket with the update count.

Input the another KB article number and click Search

Select the required KB article and Click Add

Click View Basket. The total update count is visible.

Ensure all the required updates are selected and click the Import icon

The select updates metadata information is being imported into the WSUS console.

The update metadata updates are imported into WSUS Console

How to check the Updates are Available in the WSUS console

Open the WSUS Console, Expand the Updates tab

Select All Updates and click the Search icon in the right-hand panel

Enter the KB article ID, which is recently imported, and click Find Now

Updates are available in the WSUS console

How to Sync from WSUS to SCCM database

• Open the SCCM Console,
• Select the Software Library,
• Expand Software Updates,
• Select ‘All Software Updates‘ and right-click and select ‘Synchronization Software updates.‘

• Open the WSUSSYnc.log from the Site server. You can find the imported update information.

Resources

• KB4522014 for win10 1803
• KB4522015 for win10 1809
• SCCM Patching Software Update Process Guide