Patch Missing from SCCM How to Import into WSUS Manually

Let’s learn about Patches Missing from SCCM and how to import them into WSUS manually. Whenever you have a Zero Day patch and don’t have the patches in WSUS, what are your options as an SCCM admin to patch your Windows 10 devices? Do you want to learn Intune?

How to Fix the issue of the latest Zero-Day patch missing from SCCM. How to import them into the WSUS console manually? Internet Explorer out-of-support-related notes are added to the prerequisites for this method.

The top-level SUP uses WSUS to get information about software updates from Microsoft into SCCM. You might need an update that doesn’t automatically synchronize into WSUS but is available in the Microsoft Update Catalog for your selected products and classifications.

UPDATED on 26th July 2023: Microsoft is removing the option to manually import the updates into WSUS because ActiveX components are now deprecated. The Import Updates function was built using ActiveX, which is now deprecated. More details are below.

Sign up to get the best of How To Manage Devices straight to your inbox!

The latest example for this type of manual import method is explained – Bug Fix OOB Update Sign In And Kerberos Authentication Issue | Domain Controllers. This Guide is applicable for the following KB articles related to FIX Internet Connectivity Issue With Windows 10 | VPN | Proxy.

• Windows 10, version 1909 (KB4554364)
• Windows 10, version 1903 (KB4554364)
• Windows 10, version 1809 (KB4554354)
• Windows 10, version 1803 (KB4554349)
• Windows 10, version 1709 (KB4554342)
• KB4522014 for win10 1803
• KB4522015 for win10 1809

New PowerShell Script Method to Manually Import the Updates to WSUS

New PowerShell Script Method to Manually Import the Updates to WSUS and then to SCCM. A new PowerShell script replaces the import functionality within WSUS. You will now use this script to download and import the updates to your WSUS server. As per Microsoft documentation, there are two ways to get this new script:

1. Follow your typical WSUS admin user interface steps: Actions > Import Updates. You’ll now be redirected to the documentation containing the script.
2. You can go directly to the PowerShell script to import updates into WSUS in the official WSUS and the Catalog site documentation.

Once you copy the script, you’ll follow a series of steps to import updates into WSUS using PowerShell. Briefly, here’s what you’ll have to do:

1. Save the script.
2. Open the Microsoft Update Catalog site in a browser.
3. Search for an update you want to import into WSUS.
4. Select the desired update from the returned list.
5. Copy the UpdateID on the opened details page. Note: If importing multiple updates, create a text file with each UpdateID on a separate line.
6. To import updates, open a PowerShell console as an administrator and run the script using our documentation’s syntax.

Note: The files for the imported updates aren’t downloaded at the time of import. Please check your Update files settings to review or change when they will be downloaded.

<#
.SYNOPSIS
Powershell script to import an update, or multiple updates into WSUS based on the UpdateID from the catalog.

.DESCRIPTION
This script takes user input and attempts to connect to the WSUS server.
Then it tries to import the update using the provided UpdateID from the catalog.

.INPUTS
The script takes WSUS server Name/IP, WSUS server port, SSL configuration option and UpdateID as input. UpdateID can be viewed and copied from the update details page for any update in the catalog, https://catalog.update.microsoft.com. 

.OUTPUTS
Writes logging information to standard output.

.EXAMPLE
# Use with remote server IP, port and SSL
.\ImportUpdateToWSUS.ps1 -WsusServer 127.0.0.1 -PortNumber 8531 -UseSsl -UpdateId 12345678-90ab-cdef-1234-567890abcdef

.EXAMPLE
# Use with remote server Name, port and SSL
.\ImportUpdateToWSUS.ps1 -WsusServer WSUSServer1.us.contoso.com -PortNumber 8531 -UseSsl -UpdateId 12345678-90ab-cdef-1234-567890abcdef

.EXAMPLE
# Use with remote server IP, defaultport and no SSL
.\ImportUpdateToWSUS.ps1 -WsusServer 127.0.0.1  -UpdateId 12345678-90ab-cdef-1234-567890abcdef

.EXAMPLE
# Use with localhost default port
.\ImportUpdateToWSUS.ps1 -UpdateId 12345678-90ab-cdef-1234-567890abcdef

.EXAMPLE
# Use with localhost default port, file with updateID's
.\ImportUpdateToWSUS.ps1 -UpdateIdFilePath .\file.txt


.NOTES  
# On error, try enabling TLS: https://learn.microsoft.com/mem/configmgr/core/plan-design/security/enable-tls-1-2-client

# Sample registry add for the WSUS server from command line. Restarts the WSUSService and IIS after adding:
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1

## Sample registry add for the WSUS server from PowerShell. Restarts WSUSService and IIS after adding:
$registryPath = "HKLM:\Software\Microsoft\.NETFramework\v4.0.30319"
$Name = "SchUseStrongCrypto"
$value = "1" 
if (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
}
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
Restart-Service WsusService, w3svc

# Update import logs/errors are under %ProgramFiles%\Update Services\LogFiles\SoftwareDistribution.log

#>

param(
    [Parameter(Mandatory = $false, HelpMessage = "Specifies the name of a WSUS server, if not specified connects to localhost")]
    # Specifies the name of a WSUS server, if not specified connects to localhost.
    [string]$WsusServer,

    [Parameter(Mandatory = $false, HelpMessage = "Specifies the port number to use to communicate with the upstream WSUS server, default is 8530")]
    # Specifies the port number to use to communicate with the upstream WSUS server, default is 8530.
    [ValidateSet("80", "443", "8530", "8531")]
    [int32]$PortNumber = 8530,

    [Parameter(Mandatory = $false, HelpMessage = "Specifies that the WSUS server should use Secure Sockets Layer (SSL) via HTTPS to communicate with an upstream server")]
    # Specifies that the WSUS server should use Secure Sockets Layer (SSL) via HTTPS to communicate with an upstream server.  
    [Switch]$UseSsl,

    [Parameter(Mandatory = $true, HelpMessage = "Specifies the update Id we should import to WSUS", ParameterSetName = "Single")]
    # Specifies the update Id we should import to WSUS
    [ValidateNotNullOrEmpty()]
    [String]$UpdateId,

    [Parameter(Mandatory = $true, HelpMessage = "Specifies path to a text file containing a list of update ID's on each line", ParameterSetName = "Multiple")]
    # Specifies path to a text file containing a list of update ID's on each line.
    [ValidateNotNullOrEmpty()]
    [String]$UpdateIdFilePath
)

Set-StrictMode -Version Latest

# set server options
$serverOptions = "Get-WsusServer"
if ($psBoundParameters.containsKey('WsusServer')) { $serverOptions += " -Name $WsusServer -PortNumber $PortNumber" }
if ($UseSsl) { $serverOptions += " -UseSsl" }

# empty updateID list
$updateList = @()

# get update id's
if ($UpdateIdFilePath) {
    if (Test-Path $UpdateIdFilePath) {
        foreach ($id in (Get-Content $UpdateIdFilePath)) {
            $updateList += $id.Trim()
        }
    }
    else {
        Write-Error "[$UpdateIdFilePath]: File not found"
		return
    }
}
else {
    $updateList = @($UpdateId)
}

# get WSUS server
Try {
    Write-Host "Attempting WSUS Connection using $serverOptions... " -NoNewline
    $server = invoke-expression $serverOptions
    Write-Host "Connection Successful"
}
Catch {
    Write-Error $_
    return
}

# empty file list
$FileList = @()

# call ImportUpdateFromCatalogSite on WSUS
foreach ($uid in $updateList) {
    Try {
        Write-Host "Attempting WSUS update import for Update ID: $uid... " -NoNewline
        $server.ImportUpdateFromCatalogSite($uid, $FileList)
        Write-Host "Import Successful"
    }
    Catch {
        Write-Error "Failed. $_"
    }
}

Patch Missing from SCCM How to Import into WSUS Manually

In general, Microsoft releases updates with WSUS metadata catalog information most of the time. Sometimes, MS releases individual updates that are not part of the WSUS catalog.

In this scenario, we need to import the updates into the WSUS console using Windows Catalog Agent.

NOTE! If you see the following in a KB article, you probably won’t see all of them in an SCCM WSUS or SUP-configured system.

Prerequisites

1. WSUS Server to have internet access to import the metadata from Microsoft to WSUS Console
2. Internet Explorer needs to add ‘Microsoft Update Catalog’ to find updates from the MS site, or it will be prompted when opening the Microsoft update catalog website URL—http://catalog.update.microsoft.com.
3. Internet Explorer is one of the prerequisites for this. Otherwise, check out the note below.

NOTE! – If you have already disabled IE, you need to use some of the tricks that are explained by K_Wester-Ebbinghaus in his Tech Community post.

Links to add to Microsoft Edge IE Mode

If you already use IE Mode for MS Edge, ensure you added the following URLs to IE Mode sites.

https://catalog.update.microsoft.com/
https://catalog.update.microsoft.com/v7/site/Home.aspx 

• Enable Internet Explorer IE Mode in Microsoft Edge
• Configure Enterprise Mode Site List to use IE Mode
• Disable Internet Explorer Using Intune Group Policy Browser App

Overall Process – Fix Zero-Day Patch Missing from SCCM

Technical Steps to Import the MS update (hotfixes) Metadata in WSUS

Login into the Upstream (First) SUP WSUS server

Open the Windows Server Update Services with ‘Run as administrative‘  from the Administrative tools.

Click ‘Yes’ in the User Access Control window

In the left-hand panel, select Updates and click Import Updates in the right-hand panel.

Input the KB article number and click the Search icon.

Identify the required patch as per the environment and click Add.

The metadata is added in the View Basket with the update count.

Input the another KB article number and click Search.

Select the required KB article and Click Add.

Click View Basket. The total update count is visible.

Ensure all the required updates are selected and click the Import icon.

The select updates metadata information is being imported into the WSUS console.

The update metadata updates are imported into WSUS Console.

How to check the Updates are Available in the WSUS console

Open the WSUS Console, Expand the Updates tab

Select All Updates and click the Search icon in the right-hand panel

Enter the KB article ID, which is recently imported, and click Find Now

Updates are available in the WSUS console.

How to Sync from WSUS to SCCM database

• Open the SCCM Console,
• Select the Software Library,
• Expand Software Updates,
• Select ‘All Software Updates‘ and right-click and select ‘Synchronization Software updates.‘

• Open the WSUSSYnc.log from the Site server. You can find the imported update information.

Resources

• KB4522014 for win10 1803
• KB4522015 for win10 1809
• SCCM Patching Software Update Process Guide

We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.

Author

Kannan CS is a Technical Architect with more than 15 years of experience in the IT domain. He has worked on various technologies like Windows server administration, SCCM, SCOM, Desktop Engineering domains. For the last 10 years, he has been working in Microsoft SCCM with the focus on Configuration Manager and Intune technologies.