Forefront client is not deploying to domain PCs... any ideas why?

  • Question

  • Hi all,

    I recently purchased Forefront Security Client to replace a dated AV product on our work domain and I have run into an issue where I am expecting the client to deploy to my domain PCs but I am not seeing anything, even when I force a policy update and force WUAUCLT to look for updates.

    I am not sure how to figure out what step I missed, so I will list what I think is important.

    - I chose to do the two server topology to integrate with an existing WSUS installation on the domain. Verified reports were working correctly on Collection/Rpt/mgmt server interface and enabled DAS acct permissions as specified by TechNet article.

    - I set up two policies in Forefront Security Mgmt Console and pointed them to OUs in my domain. ("server" policy was pointed to <domain>/Domain Controllers, and the "standard client" policy was pointed to the domain root OU.)

      > I previously tried to set these policies directly on GPO objects instead of OUs. The GPOs were newly created and only applied to a security group which contained the machine names of my servers, and workstation names respectively. When I determined that deployment was not working correctly I swapped over to the OU policy pointing because of my noob understanding of Group Policy.

    - I set "Enabled" to the Forefront-generated GPO and bumped it to the top of the list of policy inheritance in GP Mgmt. Link Enabled was already set to true for this auto-generated GPO. I can look at settings for the GPO and see that it contains client settings so it makes me wonder if my "Authenticated Clients" that it applies to are somehow ignoring the new GPO.

    - I added the Forefront Client to the "Products and classifications" inside of WSUS.

    - I set a firewall rule on the Forefront collection/mgmt/reporting server so that WSUS could communicate correctly with it (because I didn't use port 80).

    - I raised my forest and domain functional levels from 2000 level to 2008 level. This likely doesn't matter at all for this issue though, but I thought it might be slightly relevant.


    I've already had to overcome a lot of hurdles just getting the SQL instance with reporting services installed and configured correctly, and I am running out of time to chase issues on the deployment of the product. My fallback plan is to manually install the client to my PCs, but I really would like to do the deployment method of install. Hopefully this issue won't be too difficult to figure out.

    If I left out any needed info just post back and I will gather it for you. I'll be watching the thread all evening and into tomorrow before I ultimately run out of time and must manually install the client.


    Thanks to anyone who has time to help!

    • Edited by Tanner Wood Tuesday, August 17, 2010 9:04 PM added more info
    Tuesday, August 17, 2010 8:57 PM


  • Turns out that some Forefront client updates were still waiting on approval in WSUS. I thought I got them all the first time but apparently not.

    I've deployed to a couple of PCs so far. Having an issue getting the WinXP machines to find the update, but I am sure that will be resolved shortly.

    • Marked as answer by Tanner Wood Wednesday, August 18, 2010 2:29 PM
    Wednesday, August 18, 2010 2:29 PM
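
One way to run the check behind the accepted answer, as an added example that is not part of the original thread: list the updates for the Forefront product that WSUS still holds as not approved. It assumes it is run in an elevated PowerShell session on the WSUS server with the WSUS administration API installed; the function name `Get-UnapprovedProductUpdate` and the `*Forefront*` title wildcard are hypothetical choices made for this example.

```powershell
# Added example, not from the thread. Run on the WSUS server, elevated.
# Assumption: the WSUS administration API assembly is installed locally.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Get-UnapprovedProductUpdate {
    param(
        # Assumption: wildcard matched against WSUS product titles.
        [string]$ProductPattern = '*Forefront*'
    )

    # Connect to the WSUS server on this machine using its configured port.
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

    # Find the product categories whose title matches the pattern.
    $products = @($wsus.GetUpdateCategories() |
        Where-Object { $_.Title -like $ProductPattern })
    if ($products.Count -eq 0) {
        # Nothing matched: the product is not selected or WSUS has not synchronized yet.
        Write-Warning "No WSUS product matches '$ProductPattern'. Check Products and Classifications, then synchronize."
        return
    }

    # Restrict the search to those products and to updates with no approval.
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
    foreach ($p in $products) { [void]$scope.Categories.Add($p) }

    # Declined updates are deliberately excluded; what remains is still waiting.
    $wsus.GetUpdates($scope) |
        Where-Object { -not $_.IsDeclined } |
        Sort-Object CreationDate |
        Select-Object Title, UpdateClassificationTitle, CreationDate, IsSuperseded
}

Get-UnapprovedProductUpdate | Format-Table -AutoSize -Wrap
```

An empty result with no warning means every matching update is already approved or declined, so the cause of a missing deployment lies elsewhere (Group Policy, client detection, or connectivity).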