Workaround - WSUS not downloading updates
Background:
I have been wrestling with Forefront Client Security and the fact that I cannot get my deployed clients to update their definition files from the server. If I take the distribution server offline, the clients will update from the web without issue. This is the expected process, apart from the failure to update from my server to begin with.
After much troubleshooting, I was able to isolate one of my issues to a problem with WSUS not downloading updates. Given enough time the updates would eventually download, but since I have the server configured to sync updates four times a day and new definitions are being released frequently, the definitions would expire before they finished downloading.
In researching the download "failures" (they didn't actually fail, they just never finished downloading before they expired) I found that the BITS download process uses HTTP 1.1 and performs the downloads as a low-priority background job. Firewalls, proxies and other security software/hardware can cause this background transfer to appear flaky. In my environment I am using ISA 2004 and am not blocking any outgoing traffic, but there still seemed to be an issue with background downloading of updates in WSUS. Instead of opening a larger can of worms and tackling the ISA issues, I implemented this workaround, which moves the WSUS BITS download process to foreground priority. Running the following command reconfigures the downloads to run in the foreground, and all of my updates completed quickly. I would probably not recommend this if you are using WSUS for all of your security updates, because foreground BITS jobs will consume the server's available bandwidth instead of yielding to other traffic; because mine are just Forefront definition updates, the impact to the server is negligible.
The following fix assumes that you have the WSUS database locally on the WSUS server and are using WSUS 3.0 or higher. If the database is on a separate server, execute it on the server that has the SQL tools or the database. Note that if WSUS was installed with the default Windows Internal Database, the instance is only reachable over its named pipe, so the -S value below must be np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query rather than a server\instance name. The setting is read when the service starts, which is why WSUSSERVICE is stopped before the update and started again afterwards; setting the value back to 0 with the same command reverts the change.
From a command prompt, execute the following:
C:\>NET STOP WSUSSERVICE
C:\><path to SQL tools>\sqlcmd.exe -S <sqlserver\instance> -E -b -Q "USE SUSDB; UPDATE tbConfigurationC SET BitsDownloadPriorityForeground = 1"
C:\>NET START WSUSSERVICE
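The same three steps as a script, added here as an example and not taken from the original post. It reads the current value of BitsDownloadPriorityForeground before touching anything, only restarts the service if a change is actually needed, verifies the value after the update, and can set the priority back to Background to revert the workaround. The default instance name (the Windows Internal Database named pipe for WSUS 3.x), the assumption that sqlcmd.exe is on the PATH, and the service name WsusService are the assumptions; override $Instance for a full SQL Server instance.

```powershell
# Added example: toggle WSUS BITS download priority in SUSDB and verify it.
# Assumptions (not from the original post): sqlcmd.exe is on PATH or given
# in -SqlCmd, $Instance names the SUSDB instance (default: the WSUS 3.x
# Windows Internal Database named pipe), and this runs elevated on the
# WSUS server so the service can be stopped and started.
param(
    [string]$Instance = 'np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query',
    [string]$SqlCmd   = 'sqlcmd.exe',
    [ValidateSet('Foreground', 'Background')]
    [string]$Priority = 'Foreground'
)

$ErrorActionPreference = 'Stop'

function Invoke-SusDbQuery([string]$Query) {
    # -E Windows auth, -b exit non-zero on SQL error, -h -1 no column
    # headers, -W trim trailing spaces, -d select SUSDB instead of USE.
    $out = & $SqlCmd -S $Instance -E -b -h -1 -W -d SUSDB -Q $Query
    if ($LASTEXITCODE -ne 0) {
        throw "sqlcmd failed (exit $LASTEXITCODE): $($out -join ' ')"
    }
    return ($out | Where-Object { $_ -and $_ -notmatch 'rows affected' })
}

function Get-BitsPriority {
    # tbConfigurationC holds a single configuration row.
    $value = Invoke-SusDbQuery 'SET NOCOUNT ON; SELECT BitsDownloadPriorityForeground FROM tbConfigurationC;' |
        Select-Object -First 1
    return [int]$value
}

$target  = if ($Priority -eq 'Foreground') { 1 } else { 0 }
$current = Get-BitsPriority
Write-Host "Current BitsDownloadPriorityForeground = $current"

if ($current -eq $target) {
    Write-Host "Already set to $Priority; no service restart needed."
    return
}

# Stop the service so it re-reads the configuration on start, as in the
# manual NET STOP / sqlcmd / NET START sequence.
Stop-Service -Name WsusService -Force
try {
    Invoke-SusDbQuery "UPDATE tbConfigurationC SET BitsDownloadPriorityForeground = $target;" | Out-Null
    $after = Get-BitsPriority
    if ($after -ne $target) {
        throw "Update did not take effect; value is still $after"
    }
    Write-Host "BitsDownloadPriorityForeground now = $after ($Priority)"
}
finally {
    # Always bring WSUS back up, even if the UPDATE or the check failed.
    Start-Service -Name WsusService
}
```

Run it as `.\Set-WsusBitsPriority.ps1` to move downloads to the foreground, or with `-Priority Background` to put the original behaviour back once the ISA or proxy problem is sorted out. If sqlcmd reports it cannot open the named pipe, the database is not on Windows Internal Database and `-Instance 'server\instance'` should point at the real SQL Server.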
You should see the approved updates start downloading within a few minutes. I am still waiting to see if that totally resolves my client update issues, but I can definitely say that clients are not going to update if they can't get to the most recent definitions.