Back in October, the Forefront Client Security product team made an announcement that WSUS 3.0 on 64bit OS would be a supported scenario and to not install the Distribution component on 64bit Operating systems.

"Also, we are announcing support for definition distribution via WSUS 3.0 installed on an x64-based platform. To support this configuration, the FCS distribution component must not be installed on the x64-based WSUS 3.0 server, as WSUS 3.0 does not require the installation of the FCS distribution component. Existing FCS documentation will be updated accordingly"

This announcement and WSUS 2.0 officially reaching end of life and no longer being supported have generated numerous questions on the distribution component. Is it still required to be installed on 32bit Operating systems now that all installs of FCS are on WSUS 3.0 or later? I wanted to take a minute and explain the purpose of the distribution component and if it is still required.

Forefront Client Security v1 was designed to take advantage of the WSUS 2.0 infrastructure to distribute the FCS anti-malware client and signature updates. The one drawback to this design was that WSUS 2.0 only synchronized updates once a day. With a goal of publishing definition updates approximately every 8 hours at a minimum, there needed to be a method of having WSUS 2.0 checking for updates multiple times a day. If nothing was done to change the synchronization behavior of WSUS 2.0, a FCS anti-malware client using that WSUS server for updates may not have the latest definition updates which would leave it at an increased risk of infection.

The Distribution component was released with Forefront Client Security v1 and was designed to address the issue of synchronizing updates multiple times in one day on WSUS 2.0. In addition, the Distribution component accomplished the three following tasks:

  • Adds the Forefront Client Security product to the list of products synchronized
  • Adds Definition Updates to the category of updates synchronized
  • Creates an Auto-Approve rule for “All Computer” for Definition Updates

With the release of WSUS 3.0 the ability to configure how often the server synchronizes the available updates (http://technet.microsoft.com/en-us/library/cc708616(WS.10).aspx) was included in the product. This removes the key reason for the distribution component. It can still be used but is no longer required on WSUS 3.0 or later to keep the server up-to-date.

When deploying WSUS 3.0 or later if you do not install the Distribution component you will need to accomplish the following tasks to receive the FCS Product and Anti-malware definition updates:

· Change the synchronization frequency to greater than once daily

image

· Add Forefront Client Security to the list of products to synchronize

http://technet.microsoft.com/en-us/library/cc708616(WS.10).aspx

image

· Add Definition Updates to the classifications of updates to be synchronized

image

· Create the Auto-Approval for the FCS and definition Updates.

image

* Because of Eula's On Client updates you may still have to manually approve certain non-definition updates.

http://technet.microsoft.com/en-us/library/cc708474(WS.10).aspx

Thanks and have a great Day,

Chris Norman
Senior Support Engineer