Forefront client computers not schedule scanning
Hello fellow Forefronters:
I have looked and looked before I made a new post with no results. And I have been going back and forth on whether to put this post here or in the group policy forum.
My client computers are not scanning when scheduled to. I have several policies created in Forefront Client Security "Policy Management" and I have confirmed that my policies are making it to my Active Directory Organizational Units. Now the problem is that my clients' registry entries are broken: HKLM\Software\Policies\Microsoft\Microsoft Forefront\Client Security\1.0. I have over 1000 computers, so un-joining and rejoining them one by one isn't an option. GPUPDATE /Force also doesn't work. Making a test policy in "Policy Management" and a test Organizational Unit in Active Directory and adding a single computer also doesn't work. I know that the problem is that my client registry isn't correct. Is there a place in Start\Run\gpedit.msc on a client where I can find the breakdown? Is there a way to see the Forefront Policy as you would the Group Policy MMC? Or can someone help me with this? Thank you very much for your time and interest.
Jake
Answers
I would like to give a big time THANK YOU to Kurt Falde!!!
Here is the solution to my problem that Kurt has helped me find. All computers are XP Pro SP3
The Problem:
I have 1000 computers that weren't scanning according to my Microsoft Forefront Client Security / Policy Management / Policy Settings
The Forefront Client Icon would go amber with a black exclamation mark and status would state "Hasn't been scanned in 3+ days"
The Cause:
We take a base image of a computer with Forefront Client already installed and image several other computers off of
that image created "Ghosting" so to speak. After the new computer is cloned we run a newsid, reboot, join the computer
into our domain, and reboot. The computers will get the FCS updates and the computers will scan when I force them to
using Microsoft Forefront Client Security Console. After following Kurt’s several suggestions I looked at the hidden items
in Task Scheduler and found of the three jobs two of them were marked "Status: Could not Start"
MP Scheduled Quick Scan
MP Scheduled Scan "Could not start"
MP Scheduled Signature Update "Could not start"
The Solution:
Delete all the MP Scheduled scan jobs and reboot. Once Group Policy is applied back to the computer the MP Scheduled
tasks will reappear and work! So what about the 999 other computers that are broken? Copy and paste the following into
a .txt file and save it as a .bat file (Batch File)
@echo off
%windir%\system32\attrib.exe -h -r -s %windir%\Tasks\MPSCH*.job
del /f %windir%\Tasks\MPSCH*.job
exit
I will be using Systems Management Server "SMS" to push the batch file as a one-time event to the remaining 999 computers.
Releasing the batch file in a controlled process of course.
Thank you again Kurt for your massive amounts of help, assistance, and emails.
:::HIGH FIVE:::
Jake
- Edited by Jacob Heriges, Friday, November 06, 2009 3:08 PM: Fixing Typos
- Marked As Answer by Jacob Heriges, Thursday, November 05, 2009 3:29 AM
- Edited by Jacob Heriges, Thursday, November 05, 2009 3:33 AM: Correcting Typos
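An added example, not part of the answer above and not Microsoft's own tooling: a logged variant of the same batch file for a staged push, which deletes the jobs only when the scan policy key mentioned later in the thread is present and returns an exit code the deployment tool can report on. The log path and the exit-code meanings are assumptions.

```bat
@echo off
rem Added example (not from the original post): guarded, logged variant of the fix.
rem Assumptions: log location and exit codes 0/2/3 are illustrative choices.
setlocal
set "LOG=%TEMP%\fcs_job_reset.log"
set "JOBS=%windir%\Tasks\MPSCH*.job"
set "KEY=HKLM\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan"

>> "%LOG%" echo ==== %COMPUTERNAME% %DATE% %TIME% ====

rem 1. Proceed only if Group Policy has delivered scheduled-scan settings.
rem    Without them the deleted jobs would have nothing to be recreated from.
reg query "%KEY%" >> "%LOG%" 2>&1
if errorlevel 1 (
    >> "%LOG%" echo Scan policy key missing, job files left untouched
    exit /b 2
)

rem 2. Record the job files, hidden ones included. The pattern is the one used
rem    in the post; it is assumed here to match through the files' 8.3 short
rem    names, so it relies on short-name generation being enabled (XP default).
dir /a /b "%JOBS%" >> "%LOG%" 2>&1
if errorlevel 1 (
    >> "%LOG%" echo No MP Scheduled job files found
    exit /b 0
)

rem 3. Clear hidden/read-only/system attributes, then delete without prompting.
"%windir%\system32\attrib.exe" -h -r -s "%JOBS%"
del /f /q "%JOBS%"

rem 4. Confirm the files are gone before reporting success.
dir /a /b "%JOBS%" > nul 2>&1
if not errorlevel 1 (
    >> "%LOG%" echo Job files still present after delete
    exit /b 3
)
>> "%LOG%" echo Jobs deleted, reboot needed so Group Policy can recreate them
exit /b 0
```

Collecting the log from a pilot group first shows which machines had broken jobs and which never received the scan policy at all.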
All Replies
- un-joining/re-joining would not fix a GPO not applying anyway so not a route to consider regardless.
cmd line on clients try running gpresult /z > gpresult.txt and looking through this file to see if the FCS policy is being applied to the client. Could be you either have a GP processing issue on clients or possibly some FRS replication issue on your DCs.
Try running SONAR for FRS and checking your DCs' FRS replication. You might need to apply kb956123/953325 on your DCs if you are running FCS clients on the DCs.
CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
- Thank you Kurt,
I have run the gpresult /z > gpresult.txt command and I am shocked at the results. I am seeing a lot of duplicate Administrative Templates GPOs.
If it is OK with you, can I email the txt file to you?
Jake
Under my computer's registry HKLM\Software\Policies\Microsoft\Microsoft Forefront\Client Security\1.0 I am seeing that my registry entry does not look right.
(Default) REG_SZ (value not set)
Alertlevel REG_DWORD 0x00000001 (1)
DeploymentMethod REG_DWORD 0x00000002 (2)
DeploymentPath REG_SZ LDAP://CN={DDC9EF97-60B9-4BEF-A8B7-839B6615A705},CN=Policies,CN=System,DC=server-name,DC=com
MOMGroupName REG_SZ ForefrontClientSecurity
MOMServerName REG_SZ ServerName
Name REG_SZ PC951 to PC1000
ProfileID REG_SZ b5c728c8-2f24-41b7-a69a-a58acd730020
ProfileInstanceID REG_SZ 375003d0-7722-4879-9a05-f45e8f699cd2
I should also mention that when I run a quick or a full scan from Forefront Client Security all 1000 of the computers scan with no problems.
All of the computers are reporting back and getting the updates from my WSUS server also.
SONAR doesn't show any minor or major errors (zero errors to be exact) from both domain controllers.
- Edited by Jacob Heriges, Tuesday, November 03, 2009 6:59 PM: More details to be added.
- Edited by Jacob Heriges, Tuesday, November 03, 2009 7:09 PM: SONAR update
- sure email address is kfalde/microsoft/com
those reg keys look fine. Do you have scheduled scans defined?
If so the reg keys for them should be under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan on your systems.
CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde

