Microsoft does not deliver all updates to WSUS; those that do not seem particularly urgent are especially likely to be missing. However, they can be manually imported into the WSUS server. Because the route via Internet Explorer fails quite often, you can use PowerShell instead.

To import updates, the WSUS console provides a command in the context menu of the server. If you execute it, it launches the web browser and loads the start page of the Microsoft Update Catalog, where you can search for the desired updates.

Command for importing updates from the Microsoft Catalog

If, however, as is common on most PCs today, Internet Explorer (IE) is not configured as the default browser, you run into the first obstacle. The transfer to WSUS requires an ActiveX control, which does not run in any browser other than IE.

If the command above opens Chrome or Edge, the next step is to start IE from an administrative prompt by entering

"C:\Program Files\Internet Explorer\iexplore.exe"

Then copy the URL from the browser opened by the import command into IE. If the ActiveX control for the Update Catalog is not yet installed, you have the opportunity to do so now.

If you start IE with administrative rights you can install ActiveX for the Update Catalog

After that, you can search for the update you want to import. In the search result, the Add button appears next to the hits so that you can put the relevant updates in the shopping basket. With all other browsers, you only get a Download button here.

Search result in the Update Catalog with the option to add updates to the shopping cart

If you then open the basket via the link at the top right, you should see a list containing the previously selected updates. Above the table, there is a checkbox labeled Import directly to Windows Server Update Services, which is enabled by default. By clicking the Import button, you would complete the process.

In practice, however, it often happens that IE displays the following error message:

"This update cannot be imported into Windows Server Update Services, because it is not compatible with your version of WSUS. Learn more…"

In this case, you can safely ignore the Learn more link.

You can activate the import to WSUS in the shopping basket; however, this often fails with an error message

To avoid this problem, there is a tip in some forums to replace the parameter Protocol=1.20 with Protocol=1.80 in the URL, which the import command initially opens in the browser. In my attempt, however, this did not lead to any success.

Considering that the import from the WSUS console via IE is so prone to errors, we recommend using a different method. This is also supported by the fact that Internet Explorer is being phased out and that in many environments, the installation of ActiveX is undesirable and often not possible.

Importing updates via PowerShell

The alternative here is again PowerShell. However, Microsoft does not make it easy for you to get the required information for the import. Objects of the UpdateServer type contain the method ImportUpdateFromCatalogSite, which in turn needs the name of the update file as well as the update's ID.

You can easily determine the name of the file after the manual download, but the catalog does not show the ID anywhere in the update's detailed information. However, if you click the link with the description of the update, then a popup window opens whose URL contains the ID.

Getting the ID of the updates using PowerShell

Instead of trudging through the details of each update and its URL, you can download and evaluate the entire list with a few lines of PowerShell:

$kb = Read-Host -Prompt "Which KB do you want to search for?"
$uc = Invoke-WebRequest -Uri "https://www.catalog.update.microsoft.com/Search.aspx?q=$kb"

# Keep only the result links; stripping "_link" from their id leaves the update ID
$uc.Links | where onClick -Like "*goToDetails*" |
    foreach { $_.innerText + ";" + ($_.id -replace '_link','') } |
    ConvertFrom-Csv -Delimiter ";" -Header "Description","ID" |
    Out-GridView -PassThru | Format-List

After the script has downloaded the search results for a certain KB number with Invoke-WebRequest, its remaining commands filter the names and IDs from the web page, display them in a graphical table, and finally output the entry selected by the user.

Retrieving IDs of the desired updates from the catalog using PowerShell

If you carry out this action under Server Core, IE is not available there, and you have to call Invoke-WebRequest with the UseBasicParsing switch.

But then there is no direct access to many DOM elements, so you have to help yourself with a regular expression when filtering. Out-GridView is also not available; hence, you only get a simple output using Format-List.

$kb = Read-Host -Prompt "Which KB do you want to search for?"
$uc = Invoke-WebRequest -UseBasicParsing `
-Uri "https://www.catalog.update.microsoft.com/Search.aspx?q=$kb"

# Without the IE DOM there is no innerText, so strip the <a> tags from outerHTML instead
$uc.Links | where onClick -Like "*goToDetails*" |
    foreach { ($_.outerHTML -replace '(<a id=.*?>|</a>)|\s{2,}','') + ";" + ($_.id -replace '_link','') } |
    ConvertFrom-Csv -Delimiter ";" -Header "Description","ID" | Format-List

Connecting to WSUS

The next step is to connect to the WSUS server. If you work directly on the WSUS server, you just type

$wsus = Get-WsusServer

But since you usually access the WSUS server from a workstation, you'll need additional information. If you have set up an SSL connection for it, the command would usually look like this:

$wsus = Get-WsusServer -Name <WSUS-FQDN> -PortNumber 8531 -UseSsl

Then you call up the import function mentioned above:

$wsus.ImportUpdateFromCatalogSite('<Update-ID>', '<UpdateFile.msu>')

You can get the ID from the output of the script above or from the URL in the catalog popup. The function expects the file name with the full path.

Connection error

After you launch the command, chances are that it will fail with this error message:

Exception calling "ImportUpdateFromCatalogSite" with "2" argument(s): "The underlying connection was closed: An unexpected error occurred on a send."

The WSUS server rejects the insecure connection through PowerShell

The reason is apparently that PowerShell wants to establish the connection via TLS 1.0, which the WSUS server has refused for some time now. Since PowerShell is based on the .NET framework, you have to enforce strong encryption for it. This is achieved by setting the following registry entry on the WSUS server:

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1

For the change to take effect, you must restart the server. After that, the update import to WSUS should work.
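
The import step with pre-flight checks, as an added example that is not taken from the article. It is assumed to run elevated on the WSUS server itself; the parameter names are this example's own, and the Authenticode check on the downloaded file is an extra step the article does not describe.

```powershell
# Added example, not the article's code. Run elevated on the WSUS server.
param(
    [Parameter(Mandatory)][string]$UpdateId,    # ID taken from the catalog
    [Parameter(Mandatory)][string]$UpdateFile   # full path to the downloaded .msu
)
$ErrorActionPreference = 'Stop'

# 1. The ID must parse as a GUID and the file must exist at the given path.
$guid = [guid]::Parse($UpdateId)
$file = (Resolve-Path -LiteralPath $UpdateFile).Path

# 2. Added check: the manually downloaded package should carry a valid
#    Authenticode signature from Microsoft before WSUS distributes it.
$sig = Get-AuthenticodeSignature -FilePath $file
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
    throw "Signature check failed for $file (status: $($sig.Status))"
}

# 3. Report whether the SchUseStrongCrypto value from the article is set.
$key = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SchUseStrongCrypto
if ($val -ne 1) {
    Write-Warning "SchUseStrongCrypto is not 1 under $key; the import may fail."
}

# 4. Import, and turn the known connection error into a clear hint.
$wsus = Get-WsusServer
try {
    $wsus.ImportUpdateFromCatalogSite($guid.ToString(), $file)
    Write-Output "Imported $guid from $file"
}
catch {
    if ($_.Exception.Message -like '*underlying connection was closed*') {
        Write-Warning 'Connection closed: set SchUseStrongCrypto and restart the server.'
    }
    throw
}
```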

9 Comments
  1. Luka Meglič 9 months ago

    Great article. I used it in combination with ‘Patch Missing From SCCM How To Import Into WSUS Manually How To Manage Devices (anoopcnair.com)’. I need it for importing KB5001567. Thx

  2. bjartman 9 months ago

    Perfect, thanks!! The registry-key (SchUseStrongCrypto) was helpful. I'm now able to import from Microsoft Catalog to my WSUS.

  3. JConte 9 months ago

    Thanks for the post! I followed Manually import updates into WSUS and SCCM and this for the new KBs to fix the printer's errors. Thanks again!

  4. Stefan 9 months ago

    Great, many thanks... it helped me install KB5001567

  5. Jay 8 months ago

    This saved me for KB5001567!!!!

  6. Apu 8 months ago

    Adding https://www.catalog.update.microsoft.com/ to the trustedsites helped me 'import updates' from WSUS directly.

  7. Donn Michael Henderson 8 months ago

    OMG Thank you.   This saved me from pulling out my hair.

    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1

  8. Tom 8 months ago

    So just an update I was having the same issue getting the updates to download through the IE import function.  

    I added the registry key you mentioned and then after a reboot it started working through the built in process. 

    Just a heads up

  9. Big Al 7 months ago

    I had the same issue.  Added the registry key to my WSUS server, rebooted, BINGO!  Back in business through the built in process.


© 4sysops 2006 - 2021
