Manually import updates into WSUS and SCCM

Each month Microsoft releases updates to different channels. The most common channel for administrators is the enterprise channel, which is published every second Tuesday of the month. This is the channel that automatically synchronizes with Windows Server Update Services (WSUS) and, consequently, with SCCM (Configuration Manager).

But sometimes a critical error arises that does not allow us to wait for that channel to be up to date, and we must deploy updates from other channels, such as out-of-band releases, which are not in WSUS or SCCM. How do I deploy these updates if I can’t deploy from SCCM or WSUS? Here’s how to manually import updates into SCCM and WSUS for distribution. Check this other article if you encountered an error importing updates to WSUS.

Fix PrintNightmare – CVE-2021-34527 – July 2021:

PrintNightmare is a remote code execution vulnerability through the Windows Print Spooler service. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges.

Microsoft has released security updates to solve this vulnerability. You can read how to fix PrintNightmare (CVE-2021-34527) here.

The security updates released on July 6, 2021 contain protections for CVE-2021-1675 and the Windows Print Spooler exploit known as “PrintNightmare”, documented in CVE-2021-34527:

All these updates are out-of-band and must be applied by following the method in this article to manually import updates into WSUS and SCCM. Windows Server 2000 and Windows Server 2003 are not supported.

Pre-note bug Printers – March 2021:

Microsoft, Kyocera, Ricoh and other printer manufacturers have reported that the March 2021 patches for Windows 10 create problems with printers and cause blue screens when trying to print. This guide shows how to manually import the new out-of-band updates released on 03/15/2021 to solve the APC_INDEX_MISMATCH error:

  • Windows 10, version 20H2 – Old Update: (KB5000802) – Fixed Update: (KB5001567)
  • Windows 10, version 2004 – Old Update: (KB5000802) – Fixed Update: (KB5001567)
  • Windows 10, version 1909 – Old Update: (KB5000808) – Fixed Update: (KB5001566)
  • Windows 10, version 1809 – Old Update: (KB5000822) – Fixed Update: (KB5001568)
  • Windows 10, version 1803 – Old Update: (KB5000809) – Fixed Update: (KB5001565)

Pre-note bug VPN and Proxies – March 2020:

Microsoft has reported that the February and March patches for Windows 10 created problems with manually configured and self-configured VPN connections and proxies. This guide is used to distribute optional out-of-band patches released on 30/03/2020 to fix the bug:

Requirements for Importing Updates into SCCM and WSUS:

  • A WSUS Server with Internet access to import metadata from Microsoft and download updates.
  • Internet Explorer with the “Microsoft Update Catalog” add-on. If you do not have it installed, you will be asked to install it during the procedure.
  • Administrator permissions on the WSUS Server.

How to manually import updates into WSUS:

To get started, we’ll need to open Windows Server Update Services with administrator permissions:

Once Windows Server Update Services is open, choose “Updates” in the left panel and “Import Updates…” in the right panel:

Internet Explorer opens. If the “Microsoft Update Catalog” add-on is not already installed, install it in Internet Explorer from the notification that appears.

Click on “Install”.

With the add-on installed and the page reloaded, we will see the search box. Enter the ID of the update to be imported (for example “4522011”) and click on “Search”.

We identify in the search results the updates to be imported and click on “Add” or “Add All” according to our needs:

Once updates have been added for import, their buttons change to “Remove” and “Remove All”. If required, we can remove the ones we do not want.

Once we have added all the updates we need, click on “view basket”, confirm that the updates are the desired ones, and click on “Import” with the “Import directly into Windows Server Update Services” checkbox selected.

A pop-up opens automatically (if it does not appear, it may be blocked by a policy, and we should allow it temporarily) showing the status of each update in the “Progress” column. Once all updates are in the “Done” state, close the window by clicking “Close”.

Verify that updates are available in WSUS:

Open Windows Server Update Services again, choose “Updates” in the left panel and display the “All Updates” window. We can check manually that the desired KBs are present, or search for them using “Search…” in the right panel.
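
The same check can be scripted. The following is an added example, not part of the original article: it uses the UpdateServices PowerShell module on the WSUS server and the KB numbers from the March 2021 list above, and it must be run in an elevated session.

```powershell
# Added example: confirm that manually imported KBs are present in WSUS.
# Run in an elevated PowerShell session on the WSUS server.
Import-Module UpdateServices

# KB numbers from the March 2021 printer-fix list in this article.
$wantedKbs = '5001567', '5001566', '5001568', '5001565'

$wsus = Get-WsusServer   # no parameters: connects to the local WSUS instance

$report = foreach ($kb in $wantedKbs) {
    # SearchUpdates is a text search, so also require an exact match
    # on the update's KB article list to drop unrelated hits.
    $hits = @($wsus.SearchUpdates($kb) |
        Where-Object { $_.KnowledgebaseArticles -contains $kb })

    if ($hits.Count -eq 0) {
        [pscustomobject]@{ KB = "KB$kb"; Imported = $false; Title = $null
                           Arrived = $null; Declined = $null }
    }
    else {
        foreach ($u in $hits) {
            [pscustomobject]@{
                KB       = "KB$kb"
                Imported = $true
                Title    = $u.Title          # one row per matching update
                Arrived  = $u.ArrivalDate    # when WSUS received the metadata
                Declined = $u.IsDeclined
            }
        }
    }
}

$report | Sort-Object KB, Title | Format-Table -AutoSize

# Anything still missing has to be imported again from the catalog.
$missing = @($report | Where-Object { -not $_.Imported })
if ($missing.Count -gt 0) {
    Write-Warning ("Not in WSUS yet: " + ($missing.KB -join ', '))
}
```

An update that shows `Declined = True` is present in WSUS but has been declined there, so review it before forcing the SCCM synchronization.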

Force SCCM database synchronization with WSUS:

The next and final step will be to force the synchronization of the SCCM database with WSUS. In this way, we will have the updates in SCCM to be able to distribute to the computers. To do this:

  1. Open the SCCM console.
  2. Click on “Software Library”.
  3. Expand “Software Updates”.
  4. Select “All Software Updates”, right click and choose “Synchronize Software Updates”.

A pop-up will appear. Confirm that we want to run the synchronization by clicking “Yes”.

You can confirm that updates are being imported using the log “wsyncmgr.log” located at “%SCCM_installation_path%\Logs\wsyncmgr.log”.
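
To check the log without reading it line by line, the sketch below looks for the imported KBs in it. It is an added example, not part of the original article: the sample records are constructed in the CMTrace layout that Configuration Manager logs use, and the "Synchronizing update" message wording is an assumption to compare against your own wsyncmgr.log. Pass `-LogPath` to read a real log instead of the sample.

```powershell
# Added example, not from the original article. The sample records are
# constructed in the CMTrace layout; their message wording is an assumption.
param([string]$LogPath)   # optional path to a real wsyncmgr.log

$wantedKbs = 'KB5001567', 'KB5001566'   # from this article's March 2021 list

$sample = @'
<![LOG[Sample failure text for a first sync attempt]LOG]!><time="08:40:12.004+000" date="03-16-2021" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="4120" file="">
<![LOG[Synchronizing update 00000000-0000-0000-0000-000000000001 - Sample update title (KB5001567)]LOG]!><time="09:04:31.553+000" date="03-16-2021" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4120" file="">
<![LOG[Done synchronizing SMS with WSUS Server]LOG]!><time="09:05:02.871+000" date="03-16-2021" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4120" file="">
'@ -split '\r?\n'

$lines = if ($LogPath) { Get-Content -LiteralPath $LogPath } else { $sample }

# One CMTrace record per line: message, time, date and severity (3 = error).
$rx = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[\d:]+)[^"]*" date="(?<date>[\d-]+)".*? type="(?<type>\d)"'
$entries = foreach ($line in $lines) {
    if ($line -match $rx) {
        [pscustomobject]@{
            When    = "$($Matches['date']) $($Matches['time'])"
            Type    = [int]$Matches['type']
            Message = $Matches['msg']
        }
    }
}

# Last "Synchronizing update" record that names each wanted KB, if any.
$result = foreach ($kb in $wantedKbs) {
    $hit = $entries |
        Where-Object { $_.Message -like "Synchronizing update*($kb)*" } |
        Select-Object -Last 1
    [pscustomobject]@{ KB = $kb; SeenInLog = [bool]$hit; When = $hit.When }
}
$result | Format-Table -AutoSize

# Error records deserve a look even when a later cycle picked the update up.
$entries | Where-Object { $_.Type -eq 3 } | Format-Table When, Message -Wrap
```

With the constructed sample, KB5001567 is reported as seen and KB5001566 as not seen, and the single error record is listed for review.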

The imported WSUS patches are now available in SCCM and can be distributed like any other patch in the SCCM console.

Nando Corzo

Passionate about IT and Microsoft technologies with more than 5 years of experience in complex environments (Banking, Congresses and Public Services). Exploring and learning about Modern Workplace every day. I write about SCCM, Windows, Microsoft Intune, Hyper-V, etc...
