HOW-TO: Import Out of Band Updates to WSUS using Microsoft Edge Chromium and modern IE Mode

Regular Contributor

History:
01/13/2022 - update links and clarification to prevent an error "This update cannot be imported into Windows Server Update Services, because it is not compatible with your version of WSUS", added Troubleshooting and Q&A section. 
02/11/2021 - initial version

PREREQUISITES:

Windows 10 / 11 / Windows Server 2016 or later with WSUS RSAT Tool installed.
latest Microsoft Edge installed, version 97 as of time of writing.
Internet Explorer (mode) is installed in Settings > Apps > Optional Features or equivalent location in Windows 11



HOW-TO:

- Open Edge 97 or later

- Open Microsoft Edge Options > Default Browser 

- Change "Allow Sites to be reloaded in Internet Explorer Mode" to 'Allow'

- Add links to add to Microsoft Edge IE Mode 
- Remove all other links in the scope of *.catalog.update.microsoft.com, only these shall remain for the catalog.update.microsoft.com page.

https://catalog.update.microsoft.com/
https://catalog.update.microsoft.com/v7/site/Home.aspx 

see screenshots below for better illustration.

- Close Edge and all catalog tabs if there were any open, especially if you use "Open tabs from the previous session" feature

- Open WSUS MMC and right click Updates from the tree > Import Updates 
- The link in Edge should

  • open in IE mode, there are several indicators on this 
  • the open tab to point to https://catalog.update.microsoft.com/v7/site/Home.aspx?SKU=WSUS&Version=10.0.xxxxx.xxxx&ServerName=YOURSERVER.CONTOSO.LOCAL&PortNumber=8531&Ssl=True&Protocol=1.20

NOTES
1.When the link opened in importing updates from WSUS MMC does not contain the "v7/site/" part or does contain a https://www.update instead of https://catalog.update your configuration is wrong.

 

2. The "Default" setting will not be sufficient to allow the installation and use of the ActiveX plugin.

Go back to your update catalog tab, Install the ActiveX if you have not done on this box already.
Check if you have not setup restrictions to execute or install ActiveX plugins in IE directly or via group policy.


3. Edge now has the ability to an IE Mode button. Also it has a new feature to automatically add pages to the exception list. Do not use this ability as shown in the picture for this use case as it might add wrong exceptions to the list.


4. When there are wrong exceptions in the exception list for IE mode it might not work correctly and cause a missing but very important redirection, which ultimately cause the import to fail.
More troubleshooting assistance below. 

K_WesterEbbinghaus_1-1635887581051.png

 

LINKS STARTING FROM DECEMBER 2021 / JANUARY 2022:

K_WesterEbbinghaus_0-1642099582195.png


Links to add to Microsoft Edge IE Mode

https://catalog.update.microsoft.com/
https://catalog.update.microsoft.com/v7/site/Home.aspx 

 

K_WesterEbbinghaus_2-1635887672230.png

 

 

TROUBLESHOOTING:
Q 1: Microsoft Edge does not allow me to configure any IE Site Mode links (greyed out).
A: Either you have not enabled "Allow Sites to be reloaded in Internet Explorer Mode" to 'Allow', or your enterprise has set policies to prevent that. This should be clearly indicated by a lock and message in the Edge settings tab.

Q 2: I have followed this guide or a previous version. I can see the cart to import into WSUS but cannot import any or just specific updates. Others fail with a message "This update cannot be imported into Windows Server Update Services, because it is not compatible with your version of WSUS".

A: This is a "known" issue and the guide has been updated to reflect this issue and a potential change on the server-side. Please make sure only the two links are included in your IE mode list. 
They may not include www in the link name. You need to include both links, not just one or the other as in the previous version of this guide.

Q 3: May I use the new Edge feature in Settings > Appearance > Internet Explorer Mode button
A: I would recommend to refrain using this feature, as the mechanism between WSUS update import and the browser is extremly picky. It would not work if you just copy the same link into a browser tab.
The feature of the cart to import into WSUS will be likely missing and you can just download to the Download folder instead.

Q 4: Edge offers me to restart this tab in IE mode next time.

K_WesterEbbinghaus_0-1642101338807.png

 

A: you should not receive this message, otherwise the exceptions as stated in the guide are invalid or you have more than the stated links in place. Go through the guide again and double-check.
Do not use this otherwise nice feature. It will cause to add more catalog links to the exception list which will cause an issue to import updates to WSUS, as described in Q #2.


Thanks for the hint @Eric_VanAelstyn, thanks to @abbodi1406 for additional hints after this guide got invalid a redirection change in December 2021 / January 2022.

cc @Aria Carley @MissyQ 

cc for the other teams as I did not want to repost it in Edge and Servicing communities, unless you insist :) 

 

13 Replies

@K_Wester-Ebbinghaus 

This didn't work for me.

 

I am using a Windows 11 client machine with RSAT installed and Server 2022 WSUS box.

We have enabled IE mode via group policy, and have added the catalogue URL to the IE site mode list XML file we have stored centrally (not the full URL, but just the base www.catalog.update.microsoft.com)

 

I can see when clicking "Import Updates", the site is opened in IE mode. I have set the "Allow sites to be reloaded in Internet Explorer mode" option to allow and restarted my browser.

I had already browsed to the site and installed the ActiveX control, but when going to my update basket, I still get an error about version compatibility:

"This update cannot be imported into Windows Server Update Services, because it is not compatible with your version of WSUS"

 

Any ideas?

 

Thanks

James

Hello @James that's true.
Can you please like my lastet post and comment here.
ISSUE: Cannot import updates to WSUS, due to erroneous redirection in Windows Update Catalog
Hello @Eds1989
Unfortunately you could be affected by this issue I am seeing at customers. 

Thanks for leaving a like in the linked original post

And share your story:

https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/issue-cannot-import-updates-to-wsus...

Updated this guide to reflect changes and to prevent updates cannot be imported.
Thanks for your feedback and kudos to @abbodi1406 .

@K_Wester-Ebbinghaus It would be great if Microsoft replaced this old ActiveX technology with something newer!

On Microsoft Ignite 2021 Aria Carley held a great session about modern update management but also said loud and clear WSUS isn't going away. Yes the idea is nice but we all know WSUS is a frozen zone.

The session is a must-see for people involved with patchmanagement. 

https://myignite.microsoft.com/sessions/0da20a0e-eafa-461f-86d8-d386b12c53b3

 

I don't see WSUS going away for Servers either; I just want the ActiveX stuff in the Microsoft Catalog gone. Surely they can come up with another way to do these imports that doesn't rely on ActiveX. Even a small standalone Win32 app would be better.

@K_Wester-Ebbinghaus 

 

I added both sites to our IE Compability mode lists for Edge.

  <site url="catalog.update.microsoft.com/">
    <compat-mode>IE11</compat-mode>
    <open-in allow-redirect="true">IE11</open-in>
  </site>
  <site url="catalog.update.microsoft.com/v7/site/Home.aspx">
    <compat-mode>IE11</compat-mode>
    <open-in allow-redirect="true">IE11</open-in>
  </site>

Using this, I get an error  "To use this website, you browser must have the user data persistence setting enabled." I also added Windows Update Catalog to Trusted Site Zone list. In Trusted Site zone list, I have Userdata Persistence turned on. Its like IE mode isn't honoring that setting. 

 

For fun, I changed Compatibility Mode to IE8. In that mode, the message appears, however when I go to view basket where I would import updates, I get a different error, "Error number: 800A138F" instead.

 

I am doing this on a W11 system with WSUS and other RSAT tools installed. 

@EGrudzien 

Try IE7 mode

and make sure you have set SystemDefaultTlsVersions (or SchUseStrongCrypto)

this would include to touch very legacy code - you can bet they won't touch it. The problem I see is that with the end of IE when it is really removed from the OS, WSUS would be dead.
I have not tried the list yet, cannot tell. Thanks for adding this to the discussion. Makes sense to make it this way as the setting in the guide will be removed after a time. I noticed that later in the description it is not permanent per user.