none
Repeated reinstallation for Forefront CS Client update after hotfix KB971026

    Question

  • After installing the above Windows Update for Forefront Client Security, the next Windows Update / Automatic Updates scan offers the original Forefront Client Security install (1.0.1703.0).  This is offered repeatedly after it is installed.

    In other words, it just loops back to scanning and offering the initial Forefront installation, as if Forefront CS has been uninstalled.  With KB971026 installed, Windows Update seems to no longer detect the existance of Forefront on your machine.

    Please also see posts for the last 12hrs here:


    Environment Details:

    Forefront Client Security (v1)
    Windows XP Pro SP3 and Vista Business SP2 (both 32bit)
    Forefront Client Security single-server topology on Windows Server 2003 32bit
    Forefront CS software updates are delivered in the usual way, with Server Update Services and group policy, using our Forefront CS server.

    "Keep a cool head and always carry a lightbulb."
    Friday, June 19, 2009 12:20 PM

Answers

All replies

  • I'm also having this exact issue.

    /bump

    -Mike Tanis
    Friday, June 19, 2009 12:40 PM
  • I'm seeing  a similar problem.

    It keeps asking me to apply update 'Client Update for Microsoft Forefront Client Security (1.0.1703.0)'.  I do this, it says it's completed and then withint a few moments the update icon is back with the same update.

    Interestingly I managed to capture the update it 'thought' was 1.0.1703.0 and it's actually version 1.0.1710.15.

    Most odd.

    Pete
    Friday, June 19, 2009 12:41 PM
  • We have the same problem after installing KB971026...
    please help!


    Thanks

    Friday, June 19, 2009 12:41 PM
  • We are have denied the update, experiecing same issue.

    Friday, June 19, 2009 12:47 PM
  • The same problem on all my Enterprise computers.
    I temporary disabled "Client Update for Microsoft Forefront Client Security (1.0.1703.0)" update on my server.
               
    Friday, June 19, 2009 12:50 PM
  • Same problem here.
    Friday, June 19, 2009 12:58 PM
  • I am seeing the same thing. Have denied that update for now. Anyone heard anything about why this is happening and what they are doing to fix it?
    Friday, June 19, 2009 1:52 PM
  • Same problem here - while investigating why it would think it needs to install over and over again, I found this:
    In the Forefront Client "about" section, it is reporting client version 1.5.1972.0 and engine version 1.1.4701.0 (and the latest defs.)

    The client version of 1.5.1972.0 is what is indicated in the kb article associated with this update, but in the list of files for the updates, the version for mpengine.dll in that kb article indicates 1.1.3520.0 - which is OLDER?

    I then found that MpEngine.dll located at "C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Default" shows a version of 1.1.3520.0

    However, that file also exists at "C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{6DA00ECD-0D0A-47EE-B038-6D189844FAFE}" and "C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Backup" - but that file in those locations are the newer version, 1.1.4701.0.

    Has anyone tried manually updating this or monkeying with this?
    I've tried setting the update to "not approved" and it is still trying to install on my clients, and I have already done "wuauclt /detectnow" several times.

    Maybe they slipped up and put an old file version in this update, and as a result it is stuck in a loop in trying to get up to the "latest" version?
    Friday, June 19, 2009 1:58 PM
  • Hi everyone...

    Sorry about this.. They identified this yesterday evening and have been working most of the night trying to get it fixed.  There was an issue with the detection logic for the new update that was released that is causing this reoffer.  From what I understand it has been fixed and is going through testing however I don't have any eta on when it's going to get pushed out through MU->WSUS

    Here are the workarounds that I currently have for this issue:

    1.  Unapprove KB971026 on the WSUS server.  This will not stop systems from being offered the Client Update for Microsoft Forefront Client Security (1.0.1703.0) Package, but will keep systems that do not already have it from running into the issue.

     

    2.  Unapprove the Client Update for Microsoft Forefront Client Security (1.0.1703.0) Package on the WSUS server.  This will workaround the re-offer issue, however, any new systems that are brought online will not get the FCS Client package so will obviously not be protected.

     

    3.  Just leave it as is.  Besides getting the install failures and reports on the install failure, there should be no effect on getting Definition Updates or the AM engine.  Note that this workaround has not been tested, it is possible it could have some other negative effect.


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Friday, June 19, 2009 2:02 PM
  • Hi everyone...

    Sorry about this.. They identified this yesterday evening and have been working most of the night trying to get it fixed.  There was an issue with the detection logic for the new update that was released that is causing this reoffer.  From what I understand it has been fixed and is going through testing however I don't have any eta on when it's going to get pushed out through MU->WSUS

    Here are the workarounds that I currently have for this issue:

    1.  Unapprove KB971026 on the WSUS server.  This will not stop systems from being offered the Client Update for Microsoft Forefront Client Security (1.0.1703.0) Package, but will keep systems that do not already have it from running into the issue.

     

    2.  Unapprove the Client Update for Microsoft Forefront Client Security (1.0.1703.0) Package on the WSUS server.  This will workaround the re-offer issue, however, any new systems that are brought online will not get the FCS Client package so will obviously not be protected.

     

    3.  Just leave it as is.  Besides getting the install failures and reports on the install failure, there should be no effect on getting Definition Updates or the AM engine.  Note that this workaround has not been tested, it is possible it could have some other negative effect.


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde

    I'm seeing a issue with the Definitions updating, I manually downloaded the defintion from here:
    http://technet.microsoft.com/en-us/forefront/clientsecurity/bb508812.aspx 
    And it shows my system to be at these versions

    Windows XP without 971026 installed with definiton 1.61.23.0 installed manually

    Client Version: 1.5.1972.0
    Engine Version: 1.1.4803.0
    Antivirus definition: 1.61.23.0
    Antispyware definition: 1.61.23.0

    But other systems are showing;

    Windows 2993 server with 971026 installed from MS Update web page.

    Client Version:  1.5.1972.0
    Engine Version: 1.1.4701.0
    Antivirus definition: 1.59.1491.0
    Antispyware definition: 1.59.1491.0

    Definition 1.61.23.0 is dated 6/19/2009 2:25am
    Defintion 1.59.1491 is dated 6/18/2009 6:32am

    Are you sure the defintions are working?

    Friday, June 19, 2009 2:44 PM
  • Sorry for pushing this, but my server has not synched with MS for the last 4 hours and I have it setup to synch hourly. Anyone else notice rhis?
    Friday, June 19, 2009 4:26 PM
  • Just manually synched my WSUS server with MS and it picked up the FCS definition 1.61.23.0

    I have confirmed that a system with the looped update received today's definition.
    Friday, June 19, 2009 4:49 PM
  • We are getting same issue here I have stopped KB97106 on my WUS server and can confirm that our WUS server is still pushing defintition updates as we got FCS definition 1.61.23.0 too.

    Friday, June 19, 2009 6:05 PM
  • Are you saying there is a new version of Client Update for Microsoft Forefront Client Security that was just released at 3pm CST? otherwise I was saying in my reply we chose optoin 1 on your work around post from this morning.
    Friday, June 19, 2009 8:39 PM
  • At 3:12 Central Time, our server updated the original installer. It says now that the "Client Update for Microsoft Forefront Client Security (1.0.1703.0)" was released today. This usually means that they have released the installer with some minor changes. But haven't changed the actual application. I assume this means that they are hard at work, and this is a step in the resolution.
    Friday, June 19, 2009 8:45 PM
  • OK we just got it to on our WSUS server too.
    Friday, June 19, 2009 8:53 PM
  • Friday, June 19, 2009 10:25 PM
  • This issue has been resolved.  Please see our blog posting on this issue - http://blogs.technet.com/fcsnerds/archive/2009/06/19/after-install-of-kb971026-for-fcs-the-full-client-package-for-fcs-is-re-offered-from-wsus.aspx

    Thanks,
    Shain
    Thanks Shain.  It's synced and the old release is no longer being offered.  Sorted!
    "Keep a cool head and always carry a lightbulb."
    Monday, June 22, 2009 3:45 PM
  • I can confirm things are sorted out here in Texas. Thanks all
    Monday, June 22, 2009 6:18 PM
  • Yup, we're good to go here as well, Thanks for following up Shain.
    Monday, June 22, 2009 8:44 PM
  • The issue is not resolved for us yet. I synchronized the WSUS around 20 times since the new revision of the update was released but I still only get offered the old revision of the update.

    We are in Germany and the Update is called 'Clientaktualisierung für Microsoft Forefront Client Security (1.0.1703.0)'. When I right-click on the update and choose revision history there is still only one revision available: Revision 104 released at 22.01.2009

    Any suggestions ? We synchronize our WSUS directly with Microsoft Update.

    Regards,
    Thorsten

    Tuesday, June 23, 2009 11:19 AM