I have been testing out some different LiveUpdate settings and just got this message in the System log of a client-
"The client opted to download an update for AV definitions from LiveUpdate rather than download a full definitions package from the management server or GUP."
The only change I made to our LiveUpdate policy was I enabled "Use a LiveUpdate server" in addition to the "Use the default management server" I also went into the Schedule options of the policy and unchecked "Enable LiveUpdate Scheduling"
My goal was to allow our technicians to manually run LiveUpdate when a client is behind on definitions. In this case the client was only 1 day old on definitions and was connected to the SEPM, so why did it decide to go out to the Internet for updates?