How to Manually Import (Add) Update into WSUS from Microsoft Update Catalog

Not all fixes, patches, and updates for Microsoft products are available for installation in the Windows Server Update Services (WSUS) console. For example, you might have disabled update synchronization for a specific product, Windows version, or update class in your WSUS settings. Also, there are no updates in the WSUS console that are designed to solve a specific problem and don’t imply a bulk installation on all devices. In these cases, you can manually add (import) any update available in the Microsoft Update Catalog to WSUS or SCCM (Configuration Manager) via IE or PowerShell.

For example, we want to add the KB3125574 update to the list of WSUS updates (convenience rollup update that allows fixing a problem of high RAM usage by wuauserv).

Importing Updates Manually into WSUS with Internet Explorer

1. Open the WSUS console;
2. In the console tree, right-click on the Updates section and select Import Updates;
3. Then Internet Explorer will start and automatically go to the Microsoft Update Catalog webpage (https://catalog.update.microsoft.com/);
     When you visit this website in IE for the first time, you will have to install a special ActiveX extension for WSUS. it’s better to add the Microsoft Update Catalog site to the list of trusted websites. You can register this ActiveX component with the command: regsvr32 c:\Windows\SysWOW64\MicrosoftUpdateCatalogWebControl.dll
4. Find the KBs you need with the search and click Add to add them to the basket. It’s better not to select more than 20-30 updates at once;
5. Then click View basket to open it;
6. Check the option Import directly into Windows Server Update Services (if this option is not available, make sure you have the administrator privileges on your WSUS server) and click Import;
7. Wait till the updates are downloaded (If the download is interrupted, try again);
8. Then find the downloaded patches in the All Updates section of the WSUS console. Approve the installation of updates on the required computer groups (the easiest way to target computers to WSUS groups is through a GPO).

Thus, any update from the Microsoft catalog can be imported to the WSUS server, including drivers, service packs, feature packs, etc.

Errors When Importing Updates and Drivers into WSUS

You may receive an error when importing updates to WSUS running on Windows Server 2019/2016:

This update cannot be imported into Windows Server Update Services. Cause: it is not compatible with your version of WSUS.

If such an error appears, you need to manually change the URL that is generated after clicking the Import Updates button. Replace in URL http://catalog.update.microsoft.com/…Protocol=1.20 to Protocol=1.80.

You should get something like this link:

http://catalog.update.microsoft.com/v7/site/Home.aspx?SKU=WSUS&Version=10.0.14393.2248&ServerName=yourwsushost&PortNumber=8530&Ssl=False&Protocol=1.80

If you receive a Failed status (Error Number: 80131509) when importing updates into WSUS, enable TLS 1.2 strong encryption support for .Net Framework 4.0 on the WSUS server. To do this, set the SchUseStrongCrypto parameter to 1 in the registry. Run the following command in the elevated cmd:

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1

Adding Updates Manually into WSUS via PowerShell

You can add new updates to the WSUS server using PowerShell. To do this, you need to download the update file from the Microsoft update catalog website and get its GUID.

Find the KB you need in the WSUS console and click on its name. A web page with a description of the update will open. Copy the update value from the address bar, and download the MSU update file to your local disk.

Connect to the WSUS server from the PowerShell console:

$WsusSrv = Get-WsusServer (if you run the PowerShell console directly on the WSUS server)
$WsusSrv = Get-WsusServer -Name mun-wsus1 -PortNumber 8531 –UseSsl (if you connect to the WSUS server remotely )

Now you can add the downloaded update to the WSUS console. The following import command is used:

$WsusSrv.ImportUpdateFromCatalogSite('UpdateGUID', 'Update.msu')

For example:

$WsusSrv.ImportUpdateFromCatalogSite('a5e40bf9-f1dc-4e6d-93e7-b62c6bf1ce3e', 'C:\Downloads\Updates\kb5005260.msu')

You can check that the update was imported successfully and display information about it:

$WsusSrv.SearchUpdates('kb5005260') | fl *

When importing WSUS update via PowerShell, an error may appear:

Exception calling “ImportUpdateFromCatalogSite” with “2” argument(s): “The underlying connection was closed: An unexpected error occurred on a send.”   
+ CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException

This is also because PowerShell is trying to establish a connection over the TLS 1.0 protocol, which is disabled on the WSUS server. To solve the problem, add the SchUseStrongCrypto parameter on the WSUS server (and restart it):

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1

After that, importing the update to the WSUS server from PowerShell will work correctly.