How to Prevent CAB Files from Being Deleted in WSUS with a Shared SUSDB

When managing a Windows Server Update Services (WSUS) environment, particularly with multiple servers sharing a SUSDB (Software Update Services Database), administrators may encounter an issue where update CAB files are unexpectedly deleted from the WSUSContent folder. This can cause problems, such as missing updates or failures in deploying patches across servers.

What is the issue?

In a WSUS deployment where multiple servers are using a shared SUSDB, update CAB files that are downloaded to the WSUSContent folder might be deleted unintentionally. This happens during the synchronization process between servers and the shared database.

Typically, when one WSUS server synchronizes and retrieves updates, it downloads CAB files containing the actual update data. If other servers share the same SUSDB, the shared database might delete these CAB files, assuming they are no longer needed for the other servers. This can result in missing update content for clients and failed update installations on other WSUS servers.

Why does this happen?

The issue occurs due to the way WSUS handles content in a shared database environment. When one WSUS server synchronizes, it manages update metadata and content, and the system may automatically remove CAB files that are no longer required. If this server shares a SUSDB with other WSUS servers, the update files may be deleted from the WSUSContent folder, causing unintended consequences.

This can happen because:

  • The shared SUSDB assumes that once an update is synchronized, its content is no longer required by other servers.
  • The deletion process can also impact servers that rely on those CAB files for update deployment, leading to errors or missing updates.

Update issue and its impact on SCCM Deployment

Due to this issue, third-party updates published by Patch Connect Plus have been removed from the WSUSContent location. Consequently, update downloads fail in SCCM deployments.

Solutions to prevent CAB File Deletion

1. Copy the .CER Certificate File to Other WSUS Servers

First, locate the required .cer certificate file from the WSUS server where it is already installed. You can find the certificate in the following directory on the primary WSUS server:

<PCP Installed directory>\webapps\ROOT\server-data\certificate\

Copy the .cer file from this directory to each of your additional WSUS servers that are part of the shared SUSDB environment.

2. Import the Certificate into the Trusted Store on Other WSUS Servers

Next, you'll need to import the copied certificate into the Trusted Root Certification Authorities and Trusted Publishers stores on the other WSUS servers. Here's how to do it:

  • On each WSUS server, open the Certificate Import Wizard.
  • You can do this by running certmgr.msc or by navigating to Run > mmc, and then adding the Certificates snap-in for the local computer.
  • In the Certificate Import Wizard, choose Local Machine as the store location.
  • Import the .cer certificate into two locations:
    • Trusted Root Certification Authorities
    • Trusted Publishers

Placing the certificate in both stores allows each WSUS server to recognize it as trusted, ensuring smooth synchronization and content management across your WSUS servers.
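
Steps 1 and 2 above can also be scripted in PowerShell and run on each additional WSUS server. This is an added example, not Patch Connect Plus tooling; the parameter names `CerPath` and `ExpectedThumbprint`, and the thumbprint comparison against the certificate on the primary server, are assumptions introduced here.

```powershell
#Requires -RunAsAdministrator
# Added example: import the copied .cer into both LocalMachine stores, after
# checking it is the same certificate that is installed on the primary server.
param(
    # Path to the .cer file copied from the primary WSUS server (assumed location).
    [Parameter(Mandatory)] [string] $CerPath,
    # Thumbprint read from the certificate on the primary WSUS server.
    [Parameter(Mandatory)] [string] $ExpectedThumbprint
)

$ErrorActionPreference = 'Stop'

# Load the file without installing it, so it can be inspected first.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path -LiteralPath $CerPath).ProviderPath)

# Normalise the expected value: thumbprints are often pasted with spaces or colons.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Nothing imported."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter). Nothing imported."
}

# The two stores named in step 2, as PowerShell certificate-provider paths.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher'

foreach ($store in $stores) {
    if (Test-Path -LiteralPath (Join-Path $store $cert.Thumbprint)) {
        Write-Host "Already present in $store"
        continue
    }
    Import-Certificate -FilePath $CerPath -CertStoreLocation $store | Out-Null
    Write-Host "Imported into $store"
}

# Confirm the result by reading both stores back.
foreach ($store in $stores) {
    Get-ChildItem -LiteralPath $store |
        Where-Object Thumbprint -eq $cert.Thumbprint |
        Select-Object @{n='Store';e={$store}}, Subject, Thumbprint, NotAfter
}
```

Anything placed in Trusted Root Certification Authorities is trusted machine-wide, so the thumbprint comparison keeps a wrong or substituted file from being imported.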