SOLVED

ISSUE: Cannot import updates to WSUS, due to erroneous redirection in Windows Update Catalog


Scenario:

Management Host: Windows Server 2022 Build 20348.405

WSUS Server: Windows Server 2019 Build 10.0.17763.1971

Microsoft Edge Release 96.0.1054.62

 

Repro Steps:

- Edge is your default browser

- On the Management Host, open the WSUS MMC (via Server Manager) to connect to the WSUS Server via https

- In the WSUS MMC > Update > Import Updates

- Open the catalog in Edge IE Mode: refer to my guide

HOW-TO: Import Out of Band Updates to WSUS using Microsoft Edge Chromium and modern IE Mode - Micros...

 

- Accept the ActiveX 

 

What is happening:

- you may add updates to the cart

 

What is the issue: 

- you cannot import (OOB) updates for Windows Server 2022 or other updates
- on affected systems we get redirected to an update catalog server that seems to be different

Browser: IE, natively
Result: import works
https://catalog.update.microsoft.com/v7/site/Home.aspx?SKU=WSUS&Version=10.0.17763.1971&ServerName=Y...

 

Browser: Edge, IE Mode
Result: import works
https://catalog.update.microsoft.com/v7/site/Home.aspx?SKU=WSUS&Version=10.0.17763.1971&ServerName=Y...

 

Browser: Edge, IE Mode
Result: import does not work
https://www.catalog.update.microsoft.com/Home.aspx?SKU=WSUS&Version=10.0.17763.1971&ServerName=YOURS...

 

kwesterebbinghausbusiness_2-1641475374162.png


What we have tried so far:
- reproduce this on the local Windows Server running WSUS instead of remote server > no change
- changing Protocol Version from 1.20 to 1.80 (old, but fixed issue) > no change
- troubleshooting via Developer Mode
- we will upgrade the WSUS to Windows Server 2022 and try to reproduce

Error message:

This update cannot be imported. Reason: It is not compatible with your version of WSUS

 

Affected patches:

apparently any patches that have a different build than the WSUS Server

see screenshots


- Windows Server 2022

- Azure Stack HCI 22H2

- Windows 11 

- Windows 10

 

Reproducible: mostly

 

Summary:
We see this happening at different customers. 
Using Edge IE Mode, despite using the same settings, Edge IE mode sometimes gets redirected
to a different server that does not have the v7/sites. This results in a missing ability to import updates.

kwesterebbinghausbusiness_0-1641479735749.png

 

@Aria Carley 

@Andrei Stoica have you heard about similar reports?
Do you know anyone that could check a potential redirection or inconsistency on the update catalog server?

Usecase:
Originally we would like to import 2022-01 updates into WSUS running on Windows Server 2019 to patch affected RDS Servers. 

15 Replies
Hello,

We too seem to be experiencing this issue.

WSUS server is Windows Server 2022.
Client machine is Windows 11 running RSAT and managing/importing updates remotely.
Edge 96 is my default browser, but running the update catalogue site in IE mode with the ActiveX control installed.

We can search for and add updates to our basket, but when proceeding to the basket, we are told they could not be imported because they are not compatible with our version of WSUS.
The update we are trying to import is KB5010197.

I have tried to add the /v7/site part to our catalogue URL as a workaround, but I get a site/page error.
Our URL loaded when clicking import updates is of the format:
https://www.catalog.update.microsoft.com/Home.aspx?SKU=WSUS&Version=10.0.20348.143&ServerName=OUR_SE...

Are there any other potential workarounds to this issue at this time?

Many thanks
James

fwt0YA1 

- If not already added, add SystemDefaultTlsVersions (and/or SchUseStrongCrypto) registry values to both .NETFramework\v4.0.30319 keys, and restart the system

 

- Add these URLs to IE mode pages, and remove any other catalog url

 

 

https://catalog.update.microsoft.com/
https://catalog.update.microsoft.com/v7/site/Home.aspx 

 

 

- If not already installed, open https://catalog.update.microsoft.com/v7/site/Home.aspx and install ActiveX controller

 

@abbodi1406 I know you have deep knowledge about servicing.
We have already added both links according to my guide. 
The TLS settings have been made earlier and as such are already correct.

Any other ideas?

edit: I still hope that the Microsoft Servicing team can respond on this post, why sometimes the browser does not get redirected to the /v7/site/Home.aspx when clicking import updates in the WSUS MMC. This should fix it, when the settings are applied.

best response confirmed by kwester-ebbinghaus-business (Iron Contributor)
Solution

@abbodi1406 

I have spent more time on the testing and found out that it worked in a VERY specific configuration. So to say, it must be exactly this configuration as you stated.
Bummer. 

 

ONE MAY NOT USE https://www.catalog.update.microsoft.com/ in the exception 
While these pages can be technically reached, they do not work correctly and will not redirect. Imho this is still a server-side config issue on the IIS 10.

1. It only works as expected when you use the link without www. It does not work with the www. anymore.

2. you need to actually add both links. One or the other won't be enough anymore.
Both was till November 2021. But no more.

3. really remove any other links in the scope of *.catalog.microsoft.com

4. close all catalog.microsoft.com tabs and restart the browser (just in case you have set that Edge should reopen all tabs on next start)

 

Thank you @abbodi1406 I will update my guide accordingly. 

 

@Eds1989 can you please confirm this solution worked for you?

 

Glad it worked
yes, urls must be without www.
now :) it worked with www. back in November. I hope they are going to look into this. If you do not add both links, either it will redirect to www.catalog.* or the redirect will not be to the v7/site page, which means no import is possible at all or the said error happens.
If you have time check the updated guide, just to make sure it is correct again.
I did not include the TLS thing as this is a practice one should do globally and is also in place on Windows Server 2022 (I believe except PS 5.1).

@kwester-ebbinghaus-business 

We use enterprise site manager to add our IE mode sites to a centrally stored XML file that Edge group policies are set to load.

We have these two URLs configured as below:

Eds1989_0-1642120230600.png

 

We do not see these in Edge settings, but they should be effective:

Eds1989_1-1642120262604.png

 

When I click on the import updates button, it still loads a www. URL without the v7 in the path:

Eds1989_2-1642120321961.png

 

It's gone midnight now, so I'll try updating policies and from another machine in the morning to see what happens.

 

Thanks

Scratch that, just tried once more before bed, and can confirm this does now seem to be loading the correct URL, however....

When trying to complete the import process, it fails:

Eds1989_0-1642121249741.png

Error page:

Eds1989_1-1642121263383.png

 

Have I done something wrong?

You must add SystemDefaultTlsVersions registry value and restart the system
The ActiveX controller utilizes a legacy .NET 4.0 connection which does not use TLS 1.2 by default
SystemDefaultTlsVersions (or SchUseStrongCrypto) is needed to force it to TLS 1.2

Can you kindly elaborate on where this key needs to be created, what type it should be, and what value I need to set it to?

Thanks
James

@Eds1989 Run these in Command Prompt as administrator

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SystemDefaultTlsVersions /T REG_DWORD /D 1 /F
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 /V SystemDefaultTlsVersions /T REG_DWORD /D 1 /F

more info

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#systemdefaulttlsversions 
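
As an added example (not part of the thread and not Microsoft tooling), a read-only PowerShell audit of the two registry keys targeted by the commands above; the function name Get-DotNetTlsOptIn is made up for this example. Run it on the machine where the catalog page is opened, since the thread found the client needed the values as well as the WSUS server.

```powershell
# Added example: read-only audit of the .NET Framework 4.x TLS opt-in values
# discussed in this thread. Nothing is written to the registry.
function Get-DotNetTlsOptIn {
    param(
        [string[]]$KeyPath = @(
            'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
        ),
        [string[]]$ValueName = @('SystemDefaultTlsVersions', 'SchUseStrongCrypto')
    )
    foreach ($key in $KeyPath) {
        # The Wow6432Node key does not exist on 32-bit Windows.
        $item = if (Test-Path -LiteralPath $key) { Get-Item -LiteralPath $key } else { $null }
        foreach ($name in $ValueName) {
            $value = $null
            $kind  = $null
            if ($item -and ($item.GetValueNames() -contains $name)) {
                $value = $item.GetValue($name)
                $kind  = $item.GetValueKind($name)
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Value   = $value
                Kind    = $kind
                # Counts only a REG_DWORD of 1, as set by the reg add commands.
                Enabled = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $value -eq 1)
            }
        }
    }
}

$report = Get-DotNetTlsOptIn
$report | Format-Table -AutoSize

# The thread asks for SystemDefaultTlsVersions and/or SchUseStrongCrypto in
# both keys, so warn about any key where neither value is enabled
# (a missing key counts as not enabled).
foreach ($group in ($report | Group-Object -Property Key)) {
    if (-not ($group.Group | Where-Object { $_.Enabled })) {
        Write-Warning "No TLS opt-in value enabled under $($group.Name)"
    }
}
```

The audit reflects only what is stored in the registry; per the thread, a restart is still required after the values are added.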

@abbodi1406 @Eds1989 these are settings I would propose to deploy via Group Policy GPP across your organization, not only for WSUS. There are many other settings in this regard that should be checked; I will try to blog about it on techcommunity at a later date.

 

I've added those entries to my WSUS server and am testing from there. It says that the ActiveX failed to run though:

Eds1989_0-1642157962460.png

 

If I re-run my test from my client machine, I assume I also need to add those entries and reboot?

 

Cheers

James

Bingo!

Adding those keys to my client machine, I am able to now import:

Eds1989_0-1642159208865.png

 

Thanks for the help guys!
