If you are experiencing issues with downloading Forefront Updates from WSUS to your Windows 2000 server, you may find the below error within your WindowsUpdate.log folder.
WARNING: Digital Signatures on file C:\WINNT\SoftwareDistribution\SelfUpdate\Default\wuident.cab are not trusted: Error 0x800b0109
Ensure you have a recent backup of your server. I always advise this whether the fix is small or large.
Download the below .exe and run.
Now, restart your automatic updates service and check your WindowsUpdate.log file. If there are no errors, the updates should start to pull down within 10 minutes
The reason for this issue, is because Microsoft have started using a new certificate that is issued from a newer trusted root authority to digitially sign the update files. Windows 2000 machines do not have the trusted root cert installed, so they will not install the updates as they are considered untrusted.