Each month Microsoft releases updates to different channels. The most common channel for administrators is the enterprise channel, updated on the second Tuesday of every month. This is the channel that automatically synchronizes with Windows Server Update Services (WSUS) and, consequently, with SCCM (Configuration Manager).
But sometimes a critical issue arises that does not allow us to wait for that channel to be updated, and we must deploy updates from other channels, such as out-of-band releases, which are not in WSUS or SCCM. How do I deploy these updates if I can’t deploy them from SCCM or WSUS? Here’s how to manually import updates into SCCM and WSUS for distribution. Check this other article if you encountered an error importing updates to WSUS.
TL;DR
Fix PrintNightmare – CVE-2021-34527 – July 2021:
PrintNightmare is a remote code execution vulnerability through the Windows Print Spooler service. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges.
Microsoft has released security updates to solve this vulnerability. You can read how to fix PrintNightmare (CVE-2021-34527) here.
The security updates released on July 6, 2021 contain protections for CVE-2021-1675 and the Windows Print Spooler exploit known as “PrintNightmare”, documented in CVE-2021-34527:
- Windows 10, version 21H1 (KB5004945)
- Windows 10, version 20H2 (KB5004945)
- Windows 10, version 2004 (KB5004945)
- Windows 10, version 1909 (KB5004946)
- Windows 10, version 1809 (KB5004947)
- Windows 10, version 1607 (KB5004948)
- Windows 10, version 1507 (KB5004950)
- Windows 8.1 (Monthly Rollup / Security Only)
- Windows 7 (Monthly Rollup / Security Only)
- Windows Server 2019 (KB5004947)
- Windows Server 2016 (KB5004948)
- Windows Server 2012 R2 (Monthly Rollup / Security Only)
- Windows Server 2012 (Monthly Rollup / Security Only)
- Windows Server 2008 R2 (Monthly Rollup / Security Only)
- Windows Server 2008 (Monthly Rollup / Security Only)
All these updates are out-of-band and must be applied by following the method in this article to manually import updates into WSUS and SCCM. Windows Server 2000 and Windows Server 2003 are not supported.
Pre-note: printer bug – March 2021:
Microsoft, Kyocera, Ricoh and other printer manufacturers have reported that the March 2021 patches for Windows 10 create problems with printers and cause blue screens when trying to print. This guide shows how to manually import the new out-of-band updates released on 03/15/2021 to solve the error APC_INDEX_MISMATCH:
- Windows 10, version 20H2 – Old Update: (KB5000802) – Fixed Update: (KB5001567)
- Windows 10, version 2004 – Old Update: (KB5000802) – Fixed Update: (KB5001567)
- Windows 10, version 1909 – Old Update: (KB5000808) – Fixed Update: (KB5001566)
- Windows 10, version 1809 – Old Update: (KB5000822) – Fixed Update: (KB5001568)
- Windows 10, version 1803 – Old Update: (KB5000809) – Fixed Update: (KB5001565)
Pre-note: VPN and proxy bug – March 2020:
Microsoft has reported that the February and March patches for Windows 10 created problems with manually configured and self-configured VPN connections and proxies. This guide can be used to distribute the optional out-of-band patches released on 30/03/2020 to fix the bug:
- Windows 10, version 1909 (KB4554364)
- Windows 10, version 1903 (KB4554364)
- Windows 10, version 1809 (KB4554354)
- Windows 10, version 1803 (KB4554349)
- Windows 10, version 1709 (KB4554342)
Requirements for Importing Updates into SCCM and WSUS:
- A WSUS Server with Internet access to import metadata from Microsoft and download updates.
- Internet Explorer with the “Microsoft Update Catalog” add-on. If you do not have it installed, you will be asked to install it during the procedure.
- Administrator permissions on the WSUS Server.
How to manually import updates into WSUS:
To get started, we’ll need to open Windows Server Update Services with administrator permissions:
Once Windows Server Update Services is open, choose “Updates” in the left panel and “Import Updates…” in the right panel:
Internet Explorer opens. If the “Microsoft Update Catalog” add-on is not already installed, install it in Internet Explorer from the following notification:
Click on “Install”:
With the add-on installed and after reloading the page, we will see the search box, where we enter the ID of the update to be imported (for example “4522011”) and click on “Search”:
In the search results, we identify the updates to be imported and click on “Add” or “Add All” according to our needs:
Once an update is added to the import list, its button changes to “Remove” (and “Add All” changes to “Remove All”). If required, we can remove the ones we do not want:
Once all the updates we need have been added, click on “view basket”, confirm that the updates are the desired ones, and click on “Import” with the “Import directly into Windows Server Update Services” checkbox ticked.
A pop-up opens automatically (if it does not appear, it may be blocked by a policy, and we should allow it temporarily) where we will see the status of each update in the “Progress” column. Once they are all in the “Done” state, you can close the window by clicking “Close”:
Verify that updates are available in WSUS:
Open Windows Server Update Services again, choose “Updates” in the left panel and display the “All Updates” window. We can verify manually that the desired KBs are present, or look for them using “Search…” in the right panel:
Force SCCM database synchronization with WSUS:
The next and final step will be to force the synchronization of the SCCM database with WSUS. In this way, we will have the updates in SCCM to be able to distribute to the computers. To do this:
- Open the SCCM console.
- Click on “Software Library”.
- Expand “Software Updates”.
- Select “All Software Updates”, right click and choose “Synchronize Software Updates”:
A pop-up will appear. Confirm that we want to run the synchronization by clicking “Yes”:
You can confirm that updates are being imported using the log “wsyncmgr.log” located at “%SCCM_installation_path%\Logs\wsyncmgr.log”:
```
sync: SMS synchronizing updates, processed 0 out of 7 items (0%) $$<SMS_WSUS_SYNC_MANAGER><09-26-2019 19:39:49.555-120><thread=6780 (0x1A7C)>
Synchronizing update 613b6dae-5fc9-4f88-b75e-9d7d8decc91c - 2019-09 Cumulative Security Update for Internet Explorer 11 for Windows 7 for x64-based systems (KB4522007) $$<SMS_WSUS_SYNC_MANAGER><09-26-2019 19:39:49.598-120><thread=6780 (0x1A7C)>
Synchronizing update f1711de1-0244-4900-9837-8717b72c6bfc - 2019-09 Cumulative Update for Windows 10 Version 1803 for x86-based Systems (KB4522014) $$<SMS_WSUS_SYNC_MANAGER><09-26-2019 19:39:50.325-120><thread=6780 (0x1A7C)>
Synchronizing update e6d23270-c2dc-4597-b7f9-aee866582ac6 - 2019-09 Cumulative Update for Windows 10 Version 1703 for x86-based Systems (KB4522011) $$<SMS_WSUS_SYNC_MANAGER><09-26-2019 19:39:51.031-120><thread=6780 (0x1A7C)>
Synchronizing update ce9a3561-2cb8-403b-9e1f-a9ee3bb29f80 - 2019-09 Cumulative Security Update for Internet Explorer 11 for Windows 7 for x86-based systems (KB4522007) $$<SMS_WSUS_SYNC_MANAGER><09-26-2019 19:39:51.669-120><thread=6780 (0x1A7C)>
Synchronizing update e80f39ae-26e6-447f-988c-d0eecd7e988d - 2019-09 Cumulative Update for Windows 10 Version 1703 for x64-based Systems (KB4522011) $$<SMS_WSUS_SYNC_MANAGER><09-26-2019 19:39:52.391-120><thread=6780 (0x1A7C)>
Synchronizing update f818452d-647a-41c3-bd23-75241c381b62 - 2019-09 Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB4522014) $$<SMS_WSUS_SYNC_MANAGER><09-26-2019 19:39:53.076-120><thread=6780 (0x1A7C)>
Synchronizing update a227b23d-9f5e-4256-baf8-149c3e117c2b - Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.303.217.0) $$<SMS_WSUS_SYNC_MANAGER><09-26-2019 19:39:53.698-120><thread=6780 (0x1A7C)>
sync: SMS synchronizing updates, processed 7 out of 7 items (100%) $$<SMS_WSUS_SYNC_MANAGER><09-26-2019 19:40:30.213-120><thread=6780 (0x1A7C)>
```
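Reading the log by eye gets tedious when several KBs were imported, so the check can be scripted. The following is an added example, not part of the original article or of Configuration Manager: it parses wsyncmgr.log lines in the format shown above and reports which expected KBs never appeared. The function name `Test-WsusSyncLog`, the embedded sample lines (excerpted from the log above) and the placeholder `KB0000000` are assumptions for illustration.

```powershell
# Added example: confirm manually imported KBs appear in wsyncmgr.log.
function Test-WsusSyncLog {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$LogLines,
        [Parameter(Mandatory)][string[]]$ExpectedKBs
    )
    # "Synchronizing update <guid> - <title> $$<component><timestamp><thread>"
    $updateRx   = '^Synchronizing update (?<id>[0-9a-f-]{36}) - (?<title>.+?)\s*\$\$<'
    # "sync: SMS synchronizing updates, processed N out of M items (P%)"
    $progressRx = 'processed (?<done>\d+) out of (?<total>\d+) items'

    $synced = @{}          # KB number -> titles of the updates that carried it
    $done = 0; $total = 0  # last progress counters seen in the log

    foreach ($line in $LogLines) {
        if ($line -match $updateRx) {
            $title = $Matches['title']
            # Titles carry the KB as "(KB4522011)" or "- KB2267602 (Version ...)"
            foreach ($m in [regex]::Matches($title, 'KB\d+')) {
                if (-not $synced.ContainsKey($m.Value)) { $synced[$m.Value] = @() }
                $synced[$m.Value] += $title
            }
        }
        elseif ($line -match $progressRx) {
            $done  = [int]$Matches['done']
            $total = [int]$Matches['total']
        }
    }
    [pscustomobject]@{
        Complete  = ($total -gt 0 -and $done -eq $total)   # last counter reached N of N
        Processed = "$done/$total"
        Missing   = @($ExpectedKBs | Where-Object { -not $synced.ContainsKey($_) })
        SyncedKBs = @($synced.Keys | Sort-Object)
    }
}

# Sample input: lines excerpted from the log on this page.
# Against a live site server, pass the output of Get-Content on wsyncmgr.log instead.
$sampleLog = @'
sync: SMS synchronizing updates, processed 0 out of 7 items (0%) $$<SMS_WSUS_SYNC_MANAGER><09-26-2019 19:39:49.555-120><thread=6780 (0x1A7C)>
Synchronizing update f1711de1-0244-4900-9837-8717b72c6bfc - 2019-09 Cumulative Update for Windows 10 Version 1803 for x86-based Systems (KB4522014) $$<SMS_WSUS_SYNC_MANAGER><09-26-2019 19:39:50.325-120><thread=6780 (0x1A7C)>
Synchronizing update e6d23270-c2dc-4597-b7f9-aee866582ac6 - 2019-09 Cumulative Update for Windows 10 Version 1703 for x86-based Systems (KB4522011) $$<SMS_WSUS_SYNC_MANAGER><09-26-2019 19:39:51.031-120><thread=6780 (0x1A7C)>
Synchronizing update a227b23d-9f5e-4256-baf8-149c3e117c2b - Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.303.217.0) $$<SMS_WSUS_SYNC_MANAGER><09-26-2019 19:39:53.698-120><thread=6780 (0x1A7C)>
sync: SMS synchronizing updates, processed 7 out of 7 items (100%) $$<SMS_WSUS_SYNC_MANAGER><09-26-2019 19:40:30.213-120><thread=6780 (0x1A7C)>
'@ -split "`r?`n"

# KB0000000 is a constructed placeholder that is not in the log.
$result = Test-WsusSyncLog -LogLines $sampleLog -ExpectedKBs 'KB4522011', 'KB4522014', 'KB0000000'
$result | Format-List Complete, Processed, Missing, SyncedKBs
```

A non-empty `Missing` list after a completed sync means the import into WSUS did not include that KB, or it falls outside the products and classifications SCCM is configured to synchronize.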
This way, the patches imported into WSUS are ready in SCCM and can be distributed like any other patch in the SCCM console.