Forum Discussion

Karl-WE's avatar
Karl-WE
MVP
Nov 02, 2021
Solved

HOW-TO: Import Out of Band Updates to WSUS using Microsoft Edge Chromium IE Mode and PowerShell

 

 

-----

 

I recommend using 

https://www.powershellgallery.com/packages/Import-WSUSUpdate

 

Full instructions to install the module are located here - https://www.ajtek.ca/blog/the-new-way-to-import-updates-into-wsus/

 

-----

History:

09/12/2023 - adding PowerShell method to the OP

07/30/2023 - please follow the latest comments for the updated approach using PowerShell.
The method in the OP has become obsolete
01/13/2022 - update links and clarification to prevent an error "This update cannot be imported into Windows Server Update Services, because it is not compatible with your version of WSUS", added Troubleshooting and Q&A section. 
02/11/2021 - initial version

PREREQUISITES:
Windows 10 / 11 / Windows Server 2016 or later with WSUS RSAT Tool installed.
latest Microsoft Edge installed, version 97 as of time of writing.
Internet Explorer (mode) is installed in Settings > Apps > Optional Features or equivalent location in Windows 11



HOW-TO:

- Open Edge 97 or later

- Open Microsoft Edge Options > Default Browser 

- Change "Allow Sites to be reloaded in Internet Explorer Mode" to 'Allow'

- Add links to add to Microsoft Edge IE Mode 
- Remove all other links in the scope of *.catalog.update.microsoft.com, only these shall remain for the catalog.update.microsoft.com page.

https://catalog.update.microsoft.com/
https://catalog.update.microsoft.com/v7/site/Home.aspx

see screenshots below for better illustration.

- Close Edge and all catalog tabs if there were any open, especially if you use "Open tabs from the previous session" feature

- Open WSUS MMC and right click Updates from the tree > Import Updates 
- The link in Edge should

  • open in IE mode, there are several indicators on this 
  • the open tab to point to https://catalog.update.microsoft.com/v7/site/Home.aspx?SKU=WSUS&Version=10.0.xxxxx.xxxx&ServerName=YOURSERVER.CONTOSO.LOCAL&PortNumber=8531&Ssl=True&Protocol=1.20

NOTES
1.When the link opened in importing updates from WSUS MMC does not contain the "v7/site/" part or does contain a https://www.update instead of https://catalog.update your configuration is wrong.

 

2. The "Default" setting will not be sufficient to allow the installation and use of the ActiveX plugin.

Go back to your update catalog tab, Install the ActiveX if you have not done on this box already.
Check if you have not setup restrictions to execute or install ActiveX plugins in IE directly or via group policy.


3. Edge now has the ability to an IE Mode button. Also it has a new feature to automatically add pages to the exception list. Do not use this ability as shown in the picture for this use case as it might add wrong exceptions to the list.


4. When there are wrong exceptions in the exception list for IE mode it might not work correctly and cause a missing but very important redirection, which ultimately cause the import to fail.
More troubleshooting assistance below. 

 

LINKS STARTING FROM DECEMBER 2021 / JANUARY 2022:


Links to add to Microsoft Edge IE Mode

https://catalog.update.microsoft.com/
https://catalog.update.microsoft.com/v7/site/Home.aspx

 

 

 

TROUBLESHOOTING:
Q 1: Microsoft Edge does not allow me to configure any IE Site Mode links (greyed out).
A: Either you have not enabled "Allow Sites to be reloaded in Internet Explorer Mode" to 'Allow', or your enterprise has set policies to prevent that. This should be clearly indicated by a lock and message in the Edge settings tab.

Q 2: I have followed this guide or a previous version. I can see the cart to import into WSUS but cannot import any or just specific updates. Others fail with a message "This update cannot be imported into Windows Server Update Services, because it is not compatible with your version of WSUS".

A: This is a "known" issue and the guide has been updated to reflect this issue and a potential change on the server-side. Please make sure only the two links are included in your IE mode list. 
They may not include www in the link name. You need to include both links, not just one or the other as in the previous version of this guide.

Q 3: May I use the new Edge feature in Settings > Appearance > Internet Explorer Mode button
A: I would recommend to refrain using this feature, as the mechanism between WSUS update import and the browser is extremly picky. It would not work if you just copy the same link into a browser tab.
The feature of the cart to import into WSUS will be likely missing and you can just download to the Download folder instead.

Q 4: Edge offers me to restart this tab in IE mode next time.

 

A: you should not receive this message, otherwise the exceptions as stated in the guide are invalid or you have more than the stated links in place. Go through the guide again and double-check.
Do not use this otherwise nice feature. It will cause to add more catalog links to the exception list which will cause an issue to import updates to WSUS, as described in Q #2.


Thanks for the hint Eric_VanAelstyn, thanks to abbodi1406 for additional hints after this guide got invalid a redirection change in December 2021 / January 2022.

cc AriaUpdated MissyQ 

cc for the other teams as I did not want to repost it in Edge and Servicing communities, unless you insist 🙂 

 

management
Windows Server
  • Karl-WE's avatar
    Karl-WE
    MVP
    Jul 30, 2023

    abbodi1406 released a gist to retrieve the update ID required for Microsoft PowerShell method.
    if you find issues with his script, please contribute using github https://gist.github.com/abbodi1406/d061bb3ac22a015947414ef988053eef

     

    Examples:
    all IDs
    .\GetUpdateID.ps1 KB5028245

    specific architecture
    .\GetUpdateID.ps1 KB5028245 x64

    specific version or product
    .\GetUpdateID.ps1 5028264 x64 Server
    .\GetUpdateID.ps1 5028264 x64 Embedded
    .\GetUpdateID.ps1 5028166 x86 22H2

    • Deleted's avatar
      Deleted
      Jul 31, 2023

      alternatively, to the script from abbodi1406 here is a different approach from Wolfgang Sommergut.

      It should be compatible with PowerShell 5 and 7, as out-gridview relies on the deprecated ISE and this might be manually removed already from Windows Server, I encourage to deploy PowerShell 7 on the WSUS Server and remove ISE.
      source: Import von Updates nach WSUS erfolgt nun mit PowerShell | WindowsPro

      $kb = Read-Host -Prompt "Nach welcher KB suchen?"
if($kb.Substring(0,2) -ine "kb"){
    $kb = "kb" + $kb
    }
$uc = Invoke-WebRequest -Uri "https://www.catalog.update.microsoft.com/Search.aspx?q=$kb"

$uc.Links | where onClick -Like "*goToDetails*"|
foreach {$_.innerText + ";" + $_.id -replace '_link',''} |
ConvertFrom-Csv -Delimiter ";" -Header "Bezeichnung","ID"|
Out-GridView -PassThru | Format-List

  • Deleted's avatar
    Deleted
    Oct 05, 2022

    abbodi1406 

    It seems like it works again with Windows Server 2022 20348.1006, Edge 106.0.1370.34.
    On this particular machine IE has been disabled and re-enabled via PowerShell

     

     Enable-WindowsOptionalFeature -FeatureName Internet-Explorer-Optional-amd64 –Online

     

    setup Edge as provided in this guide.

    the Update ActiveX plugin installed correctly;

    we enabled IE Protected Zone Mode on request. Closed the Edge Browser and tried WSUS MMC.

  • abbodi1406's avatar
    abbodi1406
    Steel Contributor
    Sep 19, 2022

    For me it no longer work, even though ActiveX was already installed

     

     

    • Karl-WE's avatar
      Karl-WE
      MVP
      Sep 19, 2022

      Hi abbodi1406 thank you for confirming the same situation I am seeing here. 

      Who do you think could be of help the most to investigate further? Aria Carley, or Missy from Edge Dev? 

      I would be in the position to evaluate again end of this month.

  • EGrudzien's avatar
    EGrudzien
    Copper Contributor
    Jan 21, 2022

    Karl-WE 

     

    I added both sites to our IE Compability mode lists for Edge.

      <site url="catalog.update.microsoft.com/">
    <compat-mode>IE11</compat-mode>
    <open-in allow-redirect="true">IE11</open-in>
  </site>
  <site url="catalog.update.microsoft.com/v7/site/Home.aspx">
    <compat-mode>IE11</compat-mode>
    <open-in allow-redirect="true">IE11</open-in>
  </site>

    Using this, I get an error  "To use this website, you browser must have the user data persistence setting enabled." I also added Windows Update Catalog to Trusted Site Zone list. In Trusted Site zone list, I have Userdata Persistence turned on. Its like IE mode isn't honoring that setting. 

     

    For fun, I changed Compatibility Mode to IE8. In that mode, the message appears, however when I go to view basket where I would import updates, I get a different error, "Error number: 800A138F" instead.

     

    I am doing this on a W11 system with WSUS and other RSAT tools installed. 

    • Karl-WE's avatar
      Karl-WE
      MVP
      Feb 10, 2022
      I have not tried the list yet, cannot tell. Thanks for adding this to the discussion. Makes sense to make it this way as the setting in the guide will be removed after a time. I noticed that later in the description it is not permanent per user.
      • kwester-ebbinghaus-business's avatar
        kwester-ebbinghaus-business
        Iron Contributor
        Aug 25, 2022
        My guide was helpful until it lasted valid. Anyone else seeing the issue that ActiveX can no longer be installed in IE Mode, thus the import of updates cannot be executed?
    • abbodi1406's avatar
      abbodi1406
      Steel Contributor
      Jan 22, 2022

      EGrudzien 

      Try IE7 mode

      and make sure you have set SystemDefaultTlsVersions (or SchUseStrongCrypto)

  • agressiv's avatar
    agressiv
    Brass Contributor
    Jan 18, 2022

    Karl-WE It would be great if Microsoft replaced this old ActiveX technology with something newer!

      • agressiv's avatar
        agressiv
        Brass Contributor
        Jan 19, 2022
        I don't see WSUS going away for Servers either; I just want the ActiveX stuff in the Microsoft Catalog gone. Surely they can come up with another way to do these imports that doesn't rely on ActiveX. Even a small standalone Win32 app would be better.
  • Karl-WE's avatar
    Karl-WE
    MVP
    Jan 13, 2022

    Updated this guide to reflect changes and to prevent updates cannot be imported.
    Thanks for your feedback and kudos to abbodi1406 .

  • Eds1989's avatar
    Eds1989
    Brass Contributor
    Jan 10, 2022

    Karl-WE 

    This didn't work for me.

     

    I am using a Windows 11 client machine with RSAT installed and Server 2022 WSUS box.

    We have enabled IE mode via group policy, and have added the catalogue URL to the IE site mode list XML file we have stored centrally (not the full URL, but just the base www.catalog.update.microsoft.com)

     

    I can see when clicking "Import Updates", the site is opened in IE mode. I have set the "Allow sites to be reloaded in Internet Explorer mode" option to allow and restarted my browser.

    I had already browsed to the site and installed the ActiveX control, but when going to my update basket, I still get an error about version compatibility:

    "This update cannot be imported into Windows Server Update Services, because it is not compatible with your version of WSUS"

     

    Any ideas?

     

    Thanks

    James

Resources