Planning integration with WSUS

Applies To: Forefront Client Security

Client Security uses WSUS to download the agent components and definition and engine updates from Microsoft Update and distribute the updates to the Client Security agents in your organization.

WSUS allows you to choose whether to store information about updates in a SQL Server database or in a Microsoft SQL Server Desktop Engine (MSDE) database. Due to the large number of Client Security updates that WSUS will be downloading from Microsoft Update, it is highly recommended that you install the WSUS server for Client Security to a SQL Server database.

Adding WSUS to your infrastructure

WSUS gives organizations the ability to automatically download Microsoft product updates and distribute these to clients within the organization. WSUS connects to Microsoft Update and synchronizes the available updates to the local server. After the installation and configuration of WSUS, you need to configure your clients to connect to the WSUS server to download updates. This can be accomplished via Group Policy. For more information about deploying Client Security to managed computers, see Deploying Client Security ( and Planning your deployment of Client Security.

For guidance about deploying WSUS 2.0, see Deploying Microsoft Windows Server Update Services ( For guidance about deploying WSUS 3.0, see Deploying Microsoft Windows Server Update Services 3.0 ( For more information about how to use WSUS, see Microsoft Windows Server Update Services (

WSUS must be able to connect to the Microsoft Update Web site via TCP port 80 or TCP port 443. You may need to modify firewall or router rules in your organization to allow this communication to occur. Additionally, you must synchronize your new WSUS server prior to beginning the installation of Client Security, because this may take some time. This synchronization adds additional update categories for Client Security that the distribution role installation activates.

The recommended method of deploying Client Security to target managed computers is through Group Policy. You can use the Microsoft Forefront Client Security Management console to deploy a Client Security policy to the targets. After the target computers receive the Client Security policy, they will contact the WSUS server and download the Client Security client components, which will have been downloaded from Microsoft Update by the WSUS server. For this to happen, the managed computers must be configured to connect to the WSUS server.

Adding Client Security to your WSUS infrastructure

The installation of the Client Security distribution component on your WSUS server adds a service called the Forefront Client Security Update Assistant. This service causes WSUS to query Microsoft Update for updates once an hour. This allows WSUS to obtain Client Security definition updates at intervals more frequent than the default configuration of WSUS.

Additionally, the installation of the distribution component configures your WSUS server to automatically synchronize the Client Security definition updates from Microsoft Update. Definition updates are also added to the Approve for Installation list in the WSUS Automatic Approval Options. This means that any definition updates downloaded by the WSUS server are automatically approved for installation by your managed computers.

WSUS allows administrators to manage approval settings for deployment of updates to client computers. You should consider the default Client Security configuration of setting definition updates as automatically approved. Although it is recommended that you allow the definition updates to remain automatically approved to distribute definition updates as quickly as possible, there may be reasons to not configure automatic approval:

  • Testing of definition updates

  • Staged roll out of definition updates to reduce network traffic

To make certain that your WSUS server synchronizes the Client Security client components and they can be downloaded and installed by your managed computers after you deploy your Client Security policy, you must add Updates to the Update classifications list in Synchronization Options in WSUS. For more information, see Approving the client components in WSUS (

Multiple WSUS servers

If your current WSUS infrastructure includes multiple WSUS servers, you need to install the Client Security distribution component on all the WSUS servers. The Client Security distribution component configures the WSUS server to query Microsoft Update hourly for definition updates, and it configures WSUS for automatic approval of the definition updates. Failing to install the distribution component on all WSUS servers will delay distribution of definition updates.

Additionally, if your WSUS infrastructure includes an upstream/downstream configuration of WSUS servers, approval options for definition updates on the upstream servers need to be equal to the approval options on the downstream server. Also, in an upstream/downstream configuration of WSUS servers, for each tier of WSUS servers in the chain, the latency of definition update distribution to managed computers is increased by one hour.