This article provides a step-by-step tutorial on how to import updates into SCCM (ConfigMgr). If you find that an important patch is missing in SCCM, there is a simple manual import process you can use.
Importing the updates into SCCM involves adding the updates to WSUS first and then synchronizing the updates from WSUS to SCCM. That’s because Configuration Manager utilizes Windows Server Update Services (WSUS) functionality to synchronize, monitor, and deploy software updates to Configuration Manager clients throughout the network environment.
In other words, when you manually import the updates into WSUS and perform a SUP synchronization, you can get those updates in SCCM too. However, there is a procedure that needs to be followed to import updates into SCCM, which we will look at in detail in this post. You can manually add one update at a time to SCCM, or you can add several updates all at once.
If you are using WSUS standalone for deploying the software updates to client computers, you can refer to the guide on how to manually import updates into WSUS. The instructions in the guide detail how to download the update from the Microsoft Update Catalog and import it into the WSUS console. An alternate method is that you can manually export and import updates in WSUS using the WSUSUtil tool.
When do you Manually Import an update into Configuration Manager?
You may need to import an update into Configuration Manager in certain circumstances. Administrators benefit a lot from the fact that Microsoft’s Update Catalog website lets them download updates. I’ll use two scenarios to illustrate the necessity of importing updates into SCCM.
Scenario 1: Suppose you want to deploy zero day patch that is released by Microsoft at the earliest to all the computers in your enterprise. In the Configuration Manager console, you go to Software Updates node and realize that this zero day patch isn’t available. You run the SUP synchronization manually and the critical update still doesn’t appear in the console. This is when you need to import an update into SCCM.
Scenario 2: Configuration Manager allows you to select the products and categories under Software Update Point properties to decide which products and with what types of updates you want to patch. If a certain product update isn’t synchronized in Configuration Manager, you can choose to import a manual update for that product and use SCCM to deploy it.
The Microsoft Update Catalog contains the updates for all the operating systems that Microsoft supports. These updates include the following:
- Device drivers
- Updated system files
- New Windows features
Microsoft typically releases security updates once a month. But if a critical vulnerability is found, like a virus or worm that spreads quickly, Microsoft will put out an update as soon as possible in the MS catalog. This update is also known as a “zero-day patch” (zero-day is commonly associated with the terms “vulnerability, exploit, and threat”).
Configuration Manager has most of the critical and security updates, but occasionally, it takes a while for the updates to be synchronized. Apart from the above described scenarios, there can other examples that can justify the need for importing the updates into Configuration Manager.
Prerequisites for Manually Importing Updates into Configuration Manager
Before you manually import updates into SCCM, please ensure the following prerequisites are met.
- Configure the SUP role correctly and ensure the software deployments are working correctly. You can read the Software Update Point installation guide that shows you the correct steps to install and configure SUP role in your enterprise.
- To import the updates into ConfigMgr, you’ll need access to WSUS administration console.
- You will still need Internet Explorer to import updates into SCCM. Although, Edge browser can also be used but with some tweaks. The Internet Explorer will require an add-on called ‘Microsoft Update Catalog’ to find the updates from the Microsoft site. Normally, a prompt appears requesting users to this add-on and if installed, there shouldn’t be any issues.
- The WSUS Server must have the internet access to import the metadata from Microsoft to WSUS Console. Take a look at this excellent article on how to troubleshoot WSUS Connection issues with SCCM. Especially useful when you get errors around WSUS not connecting to the SCCM server.
How to Import Updates into SCCM | ConfigMgr
We will look at the procedure to import the updates into SCCM. The update(s) must be downloaded from the Microsoft Update Catalog, imported into WSUS, and then synced with the SCCM database.
As an example, I am going to import the update “KB5021043” into the Configuration Manager as I don’t this update available in the console. If you want to check whether a specific update is available in SCCM, you can go to “All Software Updates” node and type the KB number of the update and click Search. If the update is listed in the search results, it means the update is available in SCCM. Otherwise, you can manually import it.
The same update that wasn’t available in SCCM is also not listed in WSUS console.
To import the updates into SCCM, we will first add this update to the WSUS console. Launch the WSUS administration console on your Windows Server and select Updates > Import Updates.
This opens the Microsoft Update Catalog in the Internet Explorer browser. Type the KB number in the search box and click Search. The list of updates will now appear based on the operating systems that they apply to, select the updates that you want to import by clicking the Add button.
After you select the Add button, the updates are instantly added to the basket. The number of updates that you added can be identified by the count displayed by View Basket. To proceed with importing the updates, click on View Basket.
All the updates that you have added to the basket are now listed on the page. Ensure the option “Import directly into Windows Server Update Services” is checked and now click on Import.
The updates are now downloaded from Microsoft Update Catalog and are directly imported in to WSUS console. The WSUS server stores the metadata in the WSUS database.
Important: During the process of importing the updates into WSUS, some of you may encounter 80131509 and 800a0046 errors. Read this guide to know how to resolve WSUS Update Import Error 80131509.
Open the WSUS admin console and select the Updates tab. Type the KB number of the update and click Find Now. The update that we just imported appears in the console. This is how you import the MS update metadata in WSUS.
Synchronize Updates from WSUS to SCCM
In this step, we will synchronize the updates from WSUS to SCCM. This will import the updates from WSUS into SCCM console.
- Launch the Configuration Manager console.
- Navigate to Software Library > Software Updates > All Software Updates.
- Right-click All Software Updates and select Synchronize Software Updates.
The WSUS Synchronization Manager polls the WSUS server, detects that WSUS synchronization has completed successfully, requests the software update metadata from the WSUS server, and inserts it into the Configuration Manager site database. Click Yes to initiate a site-wide synchronization of Software Updates.
At this point, to ensure the software updates synchronization is working, and the updates are imported into SCCM from WSUS, open the wsyncmgr.log. This file records the information about the software updates synchronization process.
When the metadata synchronization process is complete, you can view the imported updates from within the Configuration Manager console. In the SCCM console, select All Software Updates node and type the update KB number, and now we see the updates are imported. If you have imported multiple updates, you should see all of them in the ConfigMgr console.
Once you import updates into SCCM, the next step is to select the updates and deploy it to the computers. Refer to the following guide to learn how to deploy software updates using SCCM.