lang="en-US"> ▷ Manually import updates into WSUS and SCCM - NanDocs

Manually import updates into WSUS and SCCM

Each month Microsoft releases updates to different channels. The most common channel for administrators is enterprise, every second Tuesday of the month. This channel is the channel that automatically synchronizes with Windows Server Update Services (WSUS) and, consequently, with SCCM (Configuration Manager).

But sometimes a critical error can arise that allows us to wait for that channel to be up-to-date and we must deploy updates from other channels such as the out-of-band, which are not in WSUS or SCCM. How do I deploy these updates if I can’t deploy from SCCM or WSUS? Here’s how to manually import updates into SCCM and WSUS for distribution. Check this other article if you encountered an error importing updates to WSUS.

Fix PrintNightmare – CVE-2021-34527- July 2021:

PrintNightmare is a remote code execution vulnerability through the Windows Print Spooler service. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges.

Microsoft has released security updates to solve this vulnerability. You can read how to fix PrintNightmare (CVE-2021-34527) here.

The security updates released on July 6, 2021 contain protections for CVE-2021-1675 and the Windows Print Spooler exploit known as “PrintNightmare”, documented in CVE-2021-34527:

All these updates are out-of-band and must be applied following the method in this article to Manually Import updates in WSUS and SCCM. Windows Server 2000 and Windows Server 2003 don’t have support.

Pre-note bug Printers – March 2021:

Microsoft, Kyocera, Ricoh and other printer manufacturers have reported that the March 2021 patches for Windows 10 create problems with printers and cause blue screens when trying to print. This guide will guide you on how to manually import the new out-of-band updates released on 03/15/2021 to solve the error APC_INDEX_MISMATCH:

Pre-note bug VPN and Proxies – March 2020::

Microsoft has reported that the February and March patches for Windows 10 created problems with manually configured and self-configured VPN connections and proxies. This guide is used to distribute optional out-of-band patches released on 30/03/2020 to fix the bug:

Requirements for Importing Updates into SCCM and WSUS:

How to manually import updates into WSUS:

To get started, we’ll need to open Windows Server Update Services with administrator permissions:

Once Windows Server Update Services is open, choose “Updates” in the left panel and “Import Updates…” in the right panel:

Internet Explorer opens. If you do not already have it installed, we install the “Microsoft Update Catalog” add-on in Internet Explorer from the following notification:

Click on “Install“:

With the add-on installed and after reloading the page, we will see the search box where we will have to enter the ID of the update to be imported (for example “4522011”) click on “Search“:

We identify in the search results the updates to be imported and click on “Add” or “Add All” according to our needs:

Once added to import we will see that the status has changed to “Remove” and “Remove All“. If required, we can remove the ones we want:

Already added all the updates we need, click on “view basket“, confirm that the updates are the desired and click on “Import” with the check of “Import directly into Windows Server Update Services” marked.

It will open a pop-up automatically (if they do not appear they may be being blocked by some policy and we should allow it temporarily) where we will see the status of each update in the “Progress” column. Once they are all in the “Done” state, you can close the window by clicking “Close“:

Verify that updates are available in WSUS:

Open Windows Server Update Services again, choose “Updates” in the left panel and display the “All Updates” window. We can manually verify that the desired KBs are and use a search engine using “Search…” in the right panel:

Force SCCM database synchronization with WSUS:

The next and final step will be to force the synchronization of the SCCM database with WSUS. In this way, we will have the updates in SCCM to be able to distribute to the computers. To do this:

  1. Open the SCCM console.
  2. Click on “Software Library“.
  3. Extend “Software Updates“.
  4. Select “All Software Updates”, right click and choose “Synchronize Software Updates“:

A pop-up will appear. Confirm that we want to run the synchronization by clicking “Yes“:

You can confirm that updates are being imported using the log “wsyncmgr.log” located at “%SCCM_installation_patch%\Logs\wsyncmgr.log”:

This way the WSUS patches would already be ready in SCCM to distribute like any other patch we have in the SCCM Console.

Exit mobile version