WSUS - EXE Downloads Fail

Server 2012 R2 Datacenter

I just recently got WSUS installed and thought it was working properly - numerous computers have successfully downloaded and installed updates over the past couple weeks.  But I've discovered over 60 computers have failed to install the April Malicious Software Removal Tool - the only update I had set to be automatically approved.

After digging, I found this in the WindowsUpdate.log file on one of the clients:

2015-04-17	09:29:56:356	 648	18bc	AU	  # Pending download calls = 1
2015-04-17	09:29:56:356	 648	18bc	AU	<<## SUBMITTED ## AU: Download updates
2015-04-17	09:29:56:356	 648	2278	DnldMgr	WARNING: BITS job {3D1754F8-5402-4D5E-8C52-DAC29420FD09} failed, updateId = {E81EF184-68D7-4C63-BFBD-2CB133D7E920}.200, hr = 0x80190194, BG_ERROR_CONTEXT = 5
2015-04-17	09:29:56:356	 648	2278	DnldMgr	  Progress failure bytes total = 10052792, bytes transferred = 0
2015-04-17	09:29:56:356	 648	18bc	AU	Successfully wrote event for AU health state:0
2015-04-17	09:29:56:387	 648	2278	DnldMgr	  Failed job file: URL = http://wsus.orgname.org:8530/Content/FE/0778261D05230C920973A626AED374BC531C2FFE.exe, local path = C:\Windows\SoftwareDistribution\Download\9d6385c2ab2e50f5d28d7ba59ad3bf7d\0778261d05230c920973a626aed374bc531c2ffe
2015-04-17	09:29:56:387	 648	2278	DnldMgr	Error 0x80244019 occurred while downloading update; notifying dependent calls.
2015-04-17	09:29:56:449	 648	18bc	AU	>>##  RESUMED  ## AU: Download update [UpdateId = {1DE9E76A-4E0B-4EE3-B2B2-CCCD08F4FF59}]
2015-04-17	09:29:56:449	 648	18bc	AU	  # WARNING: Download failed, error = 0x80244019
2015-04-17	09:29:56:465	 648	27e4	Report	REPORT EVENT: {3F3362A8-5CE5-43CE-A598-C6C245109094}	2015-04-17 09:29:56:137-0500	1	147	101	{00000000-0000-0000-0000-000000000000}	0	0	AutomaticUpdates	Success	Software Synchronization	Windows Update Client successfully detected 1 updates.
2015-04-17	09:29:56:465	 648	27e4	Report	REPORT EVENT: {3E884BC9-B9C7-4E3E-B501-59A5EEA7C624}	2015-04-17 09:29:56:153-0500	1	156	101	{00000000-0000-0000-0000-000000000000}	0	0	AutomaticUpdates	Success	Pre-Deployment Check	Reporting client status.
2015-04-17	09:29:56:465	 648	27e4	Report	REPORT EVENT: {FCDFC1D6-0656-47BA-91A2-3456F1FB369D}	2015-04-17 09:29:56:449-0500	1	161	101	{1DE9E76A-4E0B-4EE3-B2B2-CCCD08F4FF59}	200	80244019	AutomaticUpdates	Failure	Content Download	Error: Download failed.

I attempted to accesshttp://wsus.orgname.org:8530/Content/FE/0778261D05230C920973A626AED374BC531C2FFE.exe through the browser on that client, which just resulted in a generic 404.  SO I went to the server and ran it there....

HTTP Error 404.2 - Not Found

The page you are requesting cannot be served because of the ISAPI and CGI Restriction list settings on the Web server.

Detailed Error Information:



Module
   CgiModule

Notification
   ExecuteRequestHandler

Handler
   CGI-exe

Error Code
   0x800704ec



Requested URL
   http://localhost:8530/Content/FE/0778261D05230C920973A626AED374BC531C2FFE.exe

Physical Path
   D:\WSUS\WsusContent\FE\0778261D05230C920973A626AED374BC531C2FFE.exe

Logon Method
   Anonymous

Logon User
   Anonymous

I go into IIS and look at the ISAPI and CGI Restrictions, and there's no entry there for CGI-exe.  I found CGI-exe in Handler Mappings, set to Disabled.  I enabled it by by selecting it and going to Edit Feature Permissions, then checking Execute.  But that made no difference; I get the same error when accessing that URL, and it's still not listed in the ISAPI and CGI Restrictions.  I went ahead and manually added it...  Path %windir%\System32\inetsrv\cgi.dll, Description CGI-exe, Allow checked.  No change.

It would seem that something has changed on the server, since this worked before - but I haven't been able to determine what changed.  Any suggestions on further troubleshooting?  It seems to be IIS related.  A coworker had previously attempted (and failed) to get Systems Center running on this server in the past, I don't know if that might have anything to do with it.