Let us learn about Patch Missing from SCCM and How to import into WSUS manually. Whenever you have a Zero Day patch, and you don’t have the patches in WSUS? What are your options as an SCCM admin to patch your Windows 10 devices?
How to Fix the issue of the latest Zero-Day patch missing from SCCM. How to import them into the WSUS console manually? Internet Explorer out-of-support-related notes are added to the prerequisites for this method.
The top-level SUP uses WSUS to get information about software updates from Microsoft into SCCM. You might need an update that doesn’t automatically synchronize into WSUS for your selected products and classifications but is available in the Microsoft Update Catalog.
The latest example for this type manual method of import is explained – Bug Fix OOB Update Sign In And Kerberos Authentication Issue | Domain Controllers. This Guide is applicable for the following KB articles related FIX Internet Connectivity Issue With Windows 10 | VPN | Proxy.
- Windows 10, version 1909 (KB4554364)
- Windows 10, version 1903 (KB4554364)
- Windows 10, version 1809 (KB4554354)
- Windows 10, version 1803 (KB4554349)
- Windows 10, version 1709 (KB4554342)
Introduction – Patch Missing from SCCM How to Import into WSUS Manually
In general, Microsoft will release the update with WSUS metadata catalog information most of the time. Sometimes, MS will release individual updates not part of the WSUS catalog.
We need to import the updates into the WSUS console using Windows Catalog Agent in this scenario.
NOTE! When you see the following in a KB article, you probably won’t see all these in SCCM WSUS or SUP-configured system.
Release Channel | Available | Next Step |
Windows Update or Microsoft Update | No | See the other options below. |
Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the Microsoft Update Catalog website. |
Windows Server Update Services (WSUS) | No | You can import this update into WSUS manually. See the Microsoft Update Catalog for instructions. |
NOTE! – Microsoft will be publishing these patches to WSUS soon. Probably by the end of the day today!
Prerequisites
- WSUS Server to have internet access to import the metadata from Microsoft to WSUS Console
- The Internet Explorer needs to add on ‘Microsoft Update Catalog’ to find the updates from the MS site, or it will be prompted when trying to open the Microsoft update catalog website URL – http://catalog.update.microsoft.com.
- Internet Explorer is one of the prerequisites for this. Otherwise, check out the note below.
NOTE! – If you have already disabled IE, you need to use some of the tricks that are explained by K_Wester-Ebbinghaus in his Tech Community post.
Links to add to Microsoft Edge IE Mode
If you already using IE Mode for MS Edge, then ensure you added the following URLs to IE mode sites.
https://catalog.update.microsoft.com/ https://catalog.update.microsoft.com/v7/site/Home.aspx
- Enable Internet Explorer IE Mode in Microsoft Edge
- Configure Enterprise Mode Site List to use IE Mode
- Disable Internet Explorer Using Intune Group Policy Browser App
Overall Process – Fix Zero-Day Patch Missing from SCCM
Technical Steps to Import the MS update (hotfixes) metadata in WSUS
Login into the Upstream (First) SUP WSUS server
Open the Windows Server Update Services with ‘Run as administrative‘ from the Administrative tools.
Click ‘Yes’ in the User Access Control window
In the left-hand panel, select Updates and click Import Updates…in the right-hand panel.
Input the KB article number and click the Search icon
Identify the required patch as per the environment and click Add
The metadata is added in the View Basket with the update count.
Input the another KB article number and click Search
Select the required KB article and Click Add
Click View Basket. The total update count is visible.
Ensure all the required updates are selected and click the Import icon
The select updates metadata information is being imported into the WSUS console.
The update metadata updates are imported into WSUS Console
How to check the Updates are Available in the WSUS console
Open the WSUS Console, Expand the Updates tab
Select All Updates and click the Search icon in the right-hand panel
Enter the KB article ID, which is recently imported, and click Find Now
Updates are available in the WSUS console
How to Sync from WSUS to SCCM database
- Open the SCCM Console,
- Select the Software Library,
- Expand Software Updates,
- Select ‘All Software Updates‘ and right-click and select ‘Synchronization Software updates.‘
- Open the WSUSSYnc.log from the Site server. You can find the imported update information.
Thank you Kannan. When we try to install .msu file with the help of WUSA.exe, the command is not executing via SCCM. But manually it works. Any idea of the issue?
Awesome thanks.
WSUSSYnc.log should be wsyncmgr.log (screenshoot is correct)
Thanks for sharing!!
Hi kannan sir,my name is Krishna it was nice talk with u
Nice artical
Great article. I used it in combination with ‘https://4sysops.com/archives/import-updates-manually-into-wsus-with-ie-or-powershell/’. I need it for importing KB5001567. Thx
HI Kannan,
In our environment, we are not enabled for Windows Defender in products, but as part of vulnerability remediation, we imported an update through MS catalog, it was showing in WSUS portal, but not synced to SMS DB, any idea?
Hello – I never tried this. I was trying to understand how the scan against the cab file works in this scenario if you have not enabled the category/product.
Worked a treat, Many Thanks needed the reboot