To import updates, the WSUS console provides a command in the context menu of the server. If you execute it, it launches the web browser and loads the start page of the Microsoft Update Catalog, where you can search for the desired updates.
If, however, as is common on most PCs today, Internet Explorer (IE) is not configured as the default browser, you run into the first obstacle. The transfer to WSUS requires an ActiveX control, which does not run in any browser other than IE.
If the command above opens Chrome or Edge, the next step is to start IE from an administrative prompt by entering:
"C:\Program Files\Internet Explorer\iexplore.exe"
Then copy the URL from the browser opened by the import command into IE. If the ActiveX control for the Update Catalog is not yet installed, you have the opportunity to do so now.
After that, you can search for the update you want to import. In the search result, the Add button appears next to the hits so that you can put the relevant updates in the shopping basket. With all other browsers, you only get a Download button here.
If you then open the basket via the link at the top right, you should see a list containing the previously selected updates. Above the table, there is a checkbox labeled Import directly to Windows Server Update Services, which is enabled by default. By clicking the Import button, you would complete the process.
In practice, however, it often happens that IE displays the following error message:
"This update cannot be imported into Windows Server Update Services, because it is not compatible with your version of WSUS. Learn more…"
In this case, you can safely ignore the Learn more link.

You can activate the import to WSUS in the shopping basket; however, this often fails with an error message.
To avoid this problem, there is a tip in some forums to replace the parameter Protocol=1.20 with Protocol=1.80 in the URL, which the import command initially opens in the browser. In my attempt, however, this did not lead to any success.
Considering that the import from the WSUS console via IE is so prone to errors, we recommend using a different method. This is also supported by the fact that Internet Explorer is being phased out and that in many environments, the installation of ActiveX is undesirable and often not possible.
Importing updates via PowerShell
The alternative here is again PowerShell. However, Microsoft does not make it easy for you to get the required information for the import. Objects of the UpdateServer type contain the method ImportUpdateFromCatalogSite, which in turn needs the name of the update file as well as the update's ID.
You can easily determine the name of the file after the manual download, but the catalog does not show the ID anywhere in the update's detailed information. However, if you click the link with the description of the update, then a popup window opens whose URL contains the ID.
Getting the ID of the updates using PowerShell
Instead of trudging through the details of each update and its URL, you can download and evaluate the entire list with a few lines of PowerShell:
# Ask for the KB number and download the catalog's search results
$kb = Read-Host -Prompt "Which KB do you want to search for?"
$uc = Invoke-WebRequest -Uri "https://www.catalog.update.microsoft.com/Search.aspx?q=$kb"
# Keep the links to the update details; their id attribute is the update ID plus "_link"
$uc.Links | where onClick -Like "*goToDetails*" |
    foreach {$_.innerText + ";" + $_.id -replace '_link',''} |
    ConvertFrom-Csv -Delimiter ";" -Header "Description","ID" |
    Out-GridView -PassThru | Format-List
After downloading the search results for a certain KB number with Invoke-WebRequest, the following commands filter the names and IDs from the web page, display them in a graphical table, and finally output the entry selected by the user.
If you carry out this action under Server Core, IE is not available there, and you have to call Invoke-WebRequest with the UseBasicParsing switch.
But then there is no direct access to many DOM elements, so you have to help yourself with a regular expression when filtering. Out-GridView is also not available; hence, you only get a simple output using Format-List.
$kb = Read-Host -Prompt "Which KB do you want to search for?"
$uc = Invoke-WebRequest -UseBasicParsing `
    -Uri "https://www.catalog.update.microsoft.com/Search.aspx?q=$kb"
# With basic parsing there is no innerText, so strip the <a> tags and whitespace runs from outerHTML
$uc.Links | where onClick -Like "*goToDetails*" |
    foreach {($_.outerHTML -replace '(<a id=.*?>|</a>)|\s{2,}','') + ";" + $_.id -replace '_link',''} |
    ConvertFrom-Csv -Delimiter ";" -Header "Description","ID" |
    Format-List
Connecting to WSUS
The next step is to connect to the WSUS server. If you work directly on the WSUS server, you just type
$wsus = Get-WsusServer
But since you usually access the WSUS server from a workstation, you'll need additional information. If you have set up an SSL connection for it, the command would usually look like this:
$wsus = Get-WsusServer -Name <WSUS-FQDN> -PortNumber 8531 -UseSsl
Then you call up the import function mentioned above:
$wsus.ImportUpdateFromCatalogSite('<Update-ID>', '<UpdateFile.msu>')
You can get the ID from the output of the script above or from the URL in the catalog popup. The function expects the file name with the full path.
Connection error
After you launch the command, chances are that it will fail with this error message:
Exception calling "ImportUpdateFromCatalogSite" with "2" argument(s): "The underlying connection was closed: An unexpected error occurred on a send."
The reason is apparently that PowerShell wants to establish the connection via TLS 1.0, which the WSUS server has refused for some time now. Since PowerShell is based on the .NET framework, you have to enforce strong encryption for it. This is achieved by setting the following registry entry on the WSUS server:
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1
For the change to take effect, you must restart the server. After that, the update import to WSUS should work.
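The connection, import and registry steps above combined into one script, as an added example that is not part of the original article. The function names Test-NetStrongCrypto and Import-CatalogUpdate and their parameters are hypothetical; the check also reads the 32-bit registry view under Wow6432Node, which the article does not mention, and the values in the usage lines are placeholders.

```powershell
# Added example, not from the article. Function and parameter names are hypothetical.

function Test-NetStrongCrypto {
    # Run on the WSUS server. .NET reads SchUseStrongCrypto separately for
    # 64-bit and 32-bit processes, so report both registry views.
    $paths = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path               = $path
            SchUseStrongCrypto = $item.SchUseStrongCrypto
            Enabled            = ($item.SchUseStrongCrypto -eq 1)
        }
    }
}

function Import-CatalogUpdate {
    param(
        [Parameter(Mandatory)] [string] $UpdateId,    # ID from the catalog
        [Parameter(Mandatory)] [string] $FilePath,    # downloaded update file
        [Parameter(Mandatory)] [string] $WsusServer,  # FQDN of the WSUS server
        [int] $Port = 8531
    )
    # Catalog update IDs are GUIDs; reject anything else before calling WSUS.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($UpdateId, [ref] $guid)) {
        throw "Not a valid update ID: $UpdateId"
    }
    # The import method expects the full path; this also fails early if the file is missing.
    $file = (Resolve-Path -LiteralPath $FilePath -ErrorAction Stop).ProviderPath

    $wsus = Get-WsusServer -Name $WsusServer -PortNumber $Port -UseSsl
    try {
        $wsus.ImportUpdateFromCatalogSite($guid.ToString(), $file)
    }
    catch {
        if ($_.Exception.Message -like '*underlying connection was closed*') {
            Write-Warning 'TLS negotiation failed. Run Test-NetStrongCrypto on the WSUS server.'
        }
        throw
    }
}

# Usage with placeholder values:
# Test-NetStrongCrypto | Format-Table -AutoSize
# Import-CatalogUpdate -UpdateId '<Update-ID>' -FilePath 'C:\Temp\<UpdateFile.msu>' -WsusServer '<WSUS-FQDN>'
```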
Great article. I used it in combination with ‘Patch Missing From SCCM How To Import Into WSUS Manually How To Manage Devices (anoopcnair.com)’. I need it for importing KB5001567. Thx
Perfect, thanks!! The registry-key (SchUseStrongCrypto) was helpful. I'm now able to import from Microsoft Catalog to my WSUS.
Thanks for the post! I followed Manually import updates into WSUS and SCCM and this for the new KBs to fix the printer's errors. Thanks again!
Super, many thanks… this helped me install KB5001567
This saved me for KB5001567!!!!
Adding https://www.catalog.update.microsoft.com/ to the trusted sites helped me 'import updates' from WSUS directly.
OMG Thank you. This saved me from pulling out my hair.
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1
So just an update I was having the same issue getting the updates to download through the IE import function.
I added the registry key you mentioned and then after a reboot it started working through the built in process.
Just a heads up
I had the same issue. Added the registry key to my WSUS server, rebooted, BINGO! Back in business through the built in process.
Hello everyone,
Thanks to the author of this article.
Can I ask whoever has experienced installation of SCCM and SCOM 2019 to please provide me any material that could help to have a successful installation and configuration?
I have been assigned to finish a task that was left by an employee who left the job. I have tried to find what's wrong with WSUS and SCCM; nothing is working. I can't download updates and can't push installation of apps.
Thanks in advance
You, sir, are a gentleman and a scholar. Thank you for the detailed write-up. Microsoft sucks in so many ways and this saved me a ton of time. One of the few articles that details exactly why things went wrong and what to do to fix it. I’d buy you a beer if I could.
Thank you so much for this. I was about to rebuild my WSUS servers because I could not get the “Basket” add-in to appear.
It is a pain to add each one manually, but at least I have been able to add the patches I need to add the out-of-band patches I need for this month.
THANK YOU!