Jan 06 2022 06:38 AM - edited Jan 13 2022 10:43 AM
Scenario:
Management Host: Windows Server 2022 Build 20348.405
WSUS Server: Windows Server 2019 Build 10.0.17763.1971
Microsoft Edge Release 96.0.1054.62
Repro Steps:
- Edge is your default browser
On the Management Host open WSUS MMC (via Server Manager) to connect to the WSUS Server via https
- in the WSUS MMC > Update > Import Updates
- Open the catalog in Edge IE Mode: refer to my guide
- Accept the ActiveX
What is happening:
- you may add updates to the cart
What is the issue:
- you cannot import (OOB) updates for Windows Server 2022 updates or other updates
- on affected systems we get redirected to a different update catalog server that seems to be different
Browser: IE, natively
Result: import works
https://catalog.update.microsoft.com/v7/site/Home.aspx?SKU=WSUS&Version=10.0.17763.1971&ServerName=Y...
Browser: Edge, IE Mode
Result: import works
https://catalog.update.microsoft.com/v7/site/Home.aspx?SKU=WSUS&Version=10.0.17763.1971&ServerName=Y...
Browser: Edge, IE Mode
Result: import does not work
https://www.catalog.update.microsoft.com/Home.aspx?SKU=WSUS&Version=10.0.17763.1971&ServerName=YOURS...
What we have tried so far:
- reproduce this on the local Windows Server running WSUS instead of remote server > no change
- changing Protocol Version from 1.20 to 1.80 (old, but fixed issue) > no change
- troubleshooting via Developer Mode
- we will upgrade the WSUS to Windows Server 2022 and try to reproduce
Error message:
This update cannot be imported. Reason: It is not compatible with your version of WSUS
Affected patches:
apparently any patches that have a different build than the WSUS Server
see screenshots
- Windows Server 2022
- Azure Stack HCI 22H2
- Windows 11
- Windows 10
Reproducible: mostly
Summary:
We see this happening at different customers.
Using Edge IE Mode, despite using the same settings, Edge IE mode sometimes gets redirected to a different server that does not have the v7/sites. This results in a missing ability to import updates.
@Andrei Stoica have you heard about similar reports?
Do you know anyone that could check a potential redirection or inconsistency on the update catalog server?
Use case:
Originally we would like to import 2022-01 updates into WSUS running on Windows Server 2019 to patch affected RDS Servers.
Jan 12 2022 01:58 AM
Jan 13 2022 06:50 AM - edited Jan 13 2022 06:53 AM
- If not already added, add SystemDefaultTlsVersions (and/or SchUseStrongCrypto) registry values to both .NETFramework\v4.0.30319 keys, and restart the system
- Add these URLs to IE mode pages, and remove any other catalog url
https://catalog.update.microsoft.com/
https://catalog.update.microsoft.com/v7/site/Home.aspx
- If not already installed, open https://catalog.update.microsoft.com/v7/site/Home.aspx and install ActiveX controller
Jan 13 2022 09:54 AM - edited Jan 13 2022 10:10 AM
@abbodi1406 I know you have deep knowledge about servicing.
We have already added both links according to my guide.
The TLS settings have been made earlier and as such are already correct.
Any other ideas?
edit: I still hope that the Microsoft Servicing team can respond on this post, why sometimes the browser does not get redirected to the /v7/site/Home.aspx when clicking import updates in the WSUS MMC. This should fix it, when the settings are applied.
Jan 13 2022 10:33 AM - edited Jan 13 2022 10:54 AM
Solution
@abbodi1406
I have spent more time on the testing and found out that it worked in a VERY specific configuration. So to say, it must be exactly this configuration, as you stated.
Bummer.
ONE MAY NOT USE https://www.catalog.update.microsoft.com/ in the exception
While these pages can be technically reached, they do not work correctly and will not redirect. Imho this is still a server-side config issue on the IIS 10.
1. It only works as expected when you use the link without www. It does not work with the www. anymore.
2. you need to actually add both links. One or the other won't be enough anymore.
Both was till November 2021. But no more.
3. really remove any other links in the scope of *.catalog.microsoft.com
4. close all catalog.microsoft.com tabs and restart the browser (just in case you have set that Edge should reopen all tabs on next start)
Thank you @abbodi1406 I will update my guide accordingly.
@Eds1989 can you please confirm this solution worked for you?
Jan 13 2022 11:03 AM
Jan 13 2022 02:05 PM
Jan 13 2022 04:32 PM
We use enterprise site manager to add our IE mode sites to a centrally stored XML file that Edge group policies are set to load.
We have these two URLs configured as below:
We do not see these in Edge settings, but they should be effective:
When I click on the import updates button, it still loads a www. URL without the v7 in the path:
It's gone midnight now, so I'll try updating policies and from another machine in the morning to see what happens.
Thanks
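The rules from the solution post (non-www host only, both URLs present, no other catalog entries), checked against a centrally managed IE mode site list. This is an added example, not code from the thread; the function name `Test-CatalogSiteList` is hypothetical, the sample XML is constructed, and the element names (`site-list`, `site`, `open-in`) assume the Enterprise Mode schema v2 layout.

```powershell
# Required IE mode entries, as given in the thread (site lists store URLs without the scheme).
$required = 'catalog.update.microsoft.com',
            'catalog.update.microsoft.com/v7/site/Home.aspx'

function Test-CatalogSiteList {
    param([xml]$SiteList)
    $entries = foreach ($site in $SiteList.'site-list'.site) {
        $url  = ($site.url -replace '^https?://', '').TrimEnd('/')
        $node = $site.SelectSingleNode('open-in')
        [pscustomobject]@{
            Url      = $url
            HostName = ($url -split '/')[0]
            OpenIn   = if ($node) { $node.InnerText.Trim() } else { '' }
        }
    }
    # Any host in the catalog scope, with or without a prefix such as www.
    $catalog = @($entries | Where-Object {
        $_.HostName -match '(^|\.)catalog\.(update\.)?microsoft\.com$'
    })
    foreach ($r in $required) {
        $hit = @($catalog | Where-Object { $_.Url -eq $r -and $_.OpenIn -eq 'IE11' })
        if ($hit.Count -eq 0) { "MISSING: $r is not set to open in IE mode" }
    }
    foreach ($e in ($catalog | Where-Object { $_.Url -notin $required })) {
        "REMOVE: $($e.Url)"
    }
}

# Constructed sample: the www. entry should be flagged and the /v7/ entry reported missing.
[xml]$sample = @'
<site-list version="1">
  <site url="catalog.update.microsoft.com">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="www.catalog.update.microsoft.com">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
</site-list>
'@

Test-CatalogSiteList -SiteList $sample
```

To audit a real list, load it with `[xml](Get-Content -Raw <path to your site list>)` and pass it to the function; no output means the list matches the solution.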
Jan 13 2022 04:47 PM
Scratch that, just tried once more before bed, and can confirm this does now seem to be loading the correct URL, however....
When trying to complete the import process, it fails:
Error page:
Have I done something wrong?
Jan 13 2022 07:47 PM
Jan 13 2022 07:50 PM
Jan 14 2022 12:56 AM - edited Jan 14 2022 12:56 AM
Can you kindly elaborate on where this key needs to be created, what type it should be, and what value I need to set it to?
Thanks
James
Jan 14 2022 02:25 AM
@Eds1989 Run these in command prompt as administrator
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SystemDefaultTlsVersions /T REG_DWORD /D 1 /F
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 /V SystemDefaultTlsVersions /T REG_DWORD /D 1 /F
more info
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#systemdefaulttlsversions
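To confirm the values on a given machine (the thread ends with them being needed on the client as well as the WSUS server), the following added example reads both .NETFramework keys. It is not code from the thread; the function name `Get-DotNetTlsState` is hypothetical, and it only reads the registry.

```powershell
# Both .NET Framework 4.x keys named in the thread (64-bit and 32-bit views).
$keys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
# Both values named in the thread.
$names = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'

function Get-DotNetTlsState {
    param([string[]]$Keys, [string[]]$Names)
    foreach ($key in $Keys) {
        foreach ($name in $Names) {
            $value = $null
            if (Test-Path -LiteralPath $key) {
                $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
                if ($null -ne $item) { $value = $item.$name }
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Value   = $value          # empty when the value or key is absent
                Enabled = ($value -eq 1)
            }
        }
    }
}

$state = Get-DotNetTlsState -Keys $keys -Names $names
$state | Format-Table -AutoSize

# The thread asks for SystemDefaultTlsVersions (and/or SchUseStrongCrypto) on BOTH keys.
foreach ($key in $keys) {
    $enabled = @($state | Where-Object { $_.Key -eq $key -and $_.Enabled })
    if ($enabled.Count -eq 0) {
        Write-Warning "Neither value is set to 1 under $key"
    }
}
```

A restart is still required after changing the values, as stated earlier in the thread.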
Jan 14 2022 02:29 AM
@abbodi1406 @Eds1989 these are settings I would propose to deploy via Group Policy GPP across your organization, not only for WSUS. There are many other settings in this regard that should be checked. I will try to blog about it on techcommunity at a later date.
Jan 14 2022 03:00 AM
I've added those entries to my WSUS server and am testing from there. It says that the ActiveX failed to run though:
If I re-run my test from my client machine, I assume I also need to add those entries and reboot?
Cheers
James
Jan 14 2022 03:20 AM
Bingo!
Adding those keys to my client machine, I am able to now import:
Thanks for the help guys!