Forefront Client Security and Endpoint Protection both use WSUS infrastructure in different ways. This, unless your Forefront update policy uses a network share to deploy the updates. The goal of this article is not to explain the relationship between Forefront and WSUS in details, but to provide best practices regarding WSUS management and administration, that will surely ease FCS/FEP deployment, and even avoid certain issues (eg: updating failures).

The key point to remember is that FCS and FEP may really rely a lot on the WUA's (Windows Updates Agent) health and performance, on the client computers. Below are a few points, role-based: clients, and Server-based (mostly WSUS), that are known to ease Forefront deployment and updating.

Please Note:

Please keep in mind that even if you decide to deploy the Forefront definition updates through SCCM, the WSUS server and agent will still be needed for detection logic on the clients!
Please also note that those best practices also apply by default to WSUS, even if you do not run Forefront antivirus (FCS/FEP/SCEP) on your machines.

Client-based FEP/WSUS best practices

MSI is used during WUA operations, and Forefront uses it to check for definitions updates, and depending on the settings, also download them. It’s a known performance issue when MSI 3 is scanning against a bunch of Microsoft updates, including Forefront definitions.

Recommendation: always use the latest MSI Agent. Here is the URL to download the version 4.5: http://support.microsoft.com/kb/942288

Proxy settings:  if you're following security best practices and filter HTTP traffic with a proxy, most of the time it is not appropriate that your clients computers contact their WSUS server though your internal proxy.

Recommendation: Check that the Windows Update service is able to contact your WSUS server (or even Microsoft Updates online).

Nowadays malware often embed defences against security solutions. Deploying SCEP/FEP/FCS on a compromised machine may be more complex than expected.

Recommendation: Deploy at least the Malicious Software Removal tool, for instance through WSUS (see: http://support.microsoft.com/kb/891716 ), that will do a first clean against high profile malwares. And if you really suspect machines to be already compromised, please consider deploying the Windows Defender Offline, through SCCM (see:  http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/launching-a-windows-defender-offline-scan-with-configuration-manager-2012-osd.aspx ).

WSUS server-based best practices

Amount of updates available on the WSUS Server:

This is a very important concept to understand. On the WSUS Server we have Updates which can have 3 states. DECLINED, NOT APPROVED, APPROVED. The client will parse APPROVED and NOT APPROVED Updates. This means that if updates are not specifically declined the Client needs to touch each update to check if it is applicable for him or not. This whole process takes time and computing power. For instance, if the WUA computes more than 80 updates, there will probably be a performance impact on the client, and even Forefront definitions updates failures. NB: This can be checked watching the windowsupdates.log file (located in the %windir% path).

Recommendation

1. Decline all Superseded Updates, as long as the superseeding updates are available and approved for installation. Superseeded updates have newer updates that replace them, thus making them obsolete. This is the most important tweak. Pay special attention to Forefront Definition updates. There is a quite big number of these updates, which could be the primary source for bad client performance 
2. Try to minimize the amount of Updates that have a NOT APPROVED state. Either decline them or approve them.

 

 WSUS Server maintenance: running monthly cleanup scripts will help eliminate expired updates and will also decline superseeded ones. Here are a few tools to help with the process:

1. The clean-up wizard (cf. http://technet.microsoft.com/en-us/library/cc708578%28v=ws.10%29.aspx) in WSUS should be run at least once per month. This can be automated using scripts: WSUS 3.0: http://wsus.codeplex.com/releases/view/17612
2. The related PowerShell script: http://www.peetersonline.nl/index.php/powershell/wsus-cleanup-with-powershell/
3. Below is a reindexing script that will help WSUS search faster through the database (also ran once a month): http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true

Based on this TechNet blog article, related to WSUS and Office updates: http://blogs.technet.com/b/roplatforms/archive/2010/10/04/svchost-exe-uses-100-cpu-when-windows-xp-updates-via-wsus.aspx.


Keep WSUS server up to date:

1. Check you have SP2 of WSUS
2. Install KB2734608: http://support.microsoft.com/kb/2734608?wa=wsignin1.0 

that will help in solving (among other things) digital certificates issues.

Appendix

You might be interested in reading how to do the same with System Center Configuration Manager 2012: http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/software-update-content-cleanup-in-system-center-2012-configuration-manager.aspx?CommentPosted=true#commentmessage