Forefront Client is not deploying, and not even showing up to be approved in WSUS

  • Question

  • I have set up Forefront Management in a two-server topology, using SBS 2008 as the WSUS computer, and a second server running Server 2008 Standard x86 version to be the Forefront management and SQL.

    I have created the GPO from Forefront Management, and went to the GPO management console on the SBS machine and enforced the policy for computers.  The Forefront Client installed right away on the management server, but did not deploy to any other computer.  In addition, no updated client definitions etc. deployed to the management server, although it did get updates for the management portion, Windows, SQL etc.

    In the SBS console, there are no updates "needing approval" or "failed".  When I go to the WSUS management console there are many updates that are not approved, including the definitions for the Forefront client, but not the actual client install package itself.

    I assume that I could manually install the client on all machines, and approve the updates from WSUS instead of the SBS console, but this is not ideal.  Anyone have any suggestions?

     

    Thanks,

    Paul

    Tuesday, July 12, 2011 3:44 PM


All replies

  • Hello,

    What is the state of your client computer on the MOM Operation console?


    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/
    Wednesday, July 13, 2011 7:17 AM
  • Looks like that may be the issue; it seems the agent installation is failing. Also, it is not finding all machines.

    Here is the error:

    The MOM Server failed to install agent on remote computer client1.acme.local.

     

    Error Code: -2147023174

    Error Description: The RPC server is unavailable.

    Microsoft Installer Error Description: No Description Available

     

    It appears to me RPC is running fine on the DC

     


    Wednesday, July 13, 2011 1:00 PM
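
    An added example, not part of the original thread: decoding the error code from the post above and probing the RPC endpoint mapper on the client from the management server. It assumes PowerShell 3.0 or later; the function names are hypothetical, and TCP 135 is only the endpoint mapper, not the full port list in the articles the replies reference.

```powershell
# Decode a signed HRESULT such as the one MOM reports into facility and Win32 code.
function ConvertFrom-HResult {
    param([Parameter(Mandatory = $true)][int]$Code)
    $u = [int64]$Code
    if ($u -lt 0) { $u += 4294967296 }            # reinterpret as unsigned 32-bit
    $facility = [int](($u -shr 16) -band 0x7FF)   # bits 16-26
    $low      = [int]($u -band 0xFFFF)            # bits 0-15
    $message  = $null
    if ($facility -eq 7) {                        # FACILITY_WIN32: low word is a Win32 error
        $message = (New-Object System.ComponentModel.Win32Exception $low).Message
    }
    [pscustomobject]@{
        Hex       = '0x{0:X8}' -f $u
        Facility  = $facility
        Win32Code = $low
        Message   = $message
    }
}

# Plain TCP connect with a timeout; $false on refusal, filtering or timeout.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# -2147023174 decodes to 0x800706BA: facility 7 (Win32), code 1722, RPC server unavailable.
ConvertFrom-HResult (-2147023174) | Format-List

# Run from the MOM/management server against the client named in the error.
# A $false result with the client powered on points at a host firewall on the path.
$target = 'client1.acme.local'
'{0}: TCP 135 reachable = {1}' -f $target, (Test-TcpPort -ComputerName $target -Port 135)
```

    The error is raised by the management server when it tries to reach the client, so RPC running on the DC does not rule it out; the probe has to be run toward the client itself.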
  • Hi Pisteuon,

    Thank you for your post.

    Please follow the Deploying Client Security guide to install your FCS client from WSUS.
    FCS was not deployed to any other computer via WSUS, so please check the steps below:
    1. In the WSUS console, check whether "Client Update for Microsoft Forefront Client Security" exists in the Updates classification and is already approved for all computers.
    2. To deploy Client Security to the client computers, you must first deploy a policy to those computers; refer to the Deploying Client Security to the client computers article.
    3. Run the command "wuauclt.exe /detectnow" on your client computer to immediately synchronize with your WSUS server.

    If there are more inquiries on this issue, please feel free to let us know.


    Regards,
    Rick Tan
    Tuesday, July 19, 2011 9:59 AM
  • I think the problem is that the MOM agent is not installing on any machines.
    Thursday, July 21, 2011 7:14 PM
  • Hi Pisteuon,
     
    Sorry to confuse you. Please install the MOM agent manually, or configure the clients' Windows Firewall; refer to KB885726.

    If there are more inquiries on this issue, please feel free to let us know.


    Regards,
    Rick Tan
    • Marked as answer by Rick Tan Thursday, August 4, 2011 4:04 AM
    Friday, July 22, 2011 8:19 AM
  • So the firewall is certainly what is stopping the MOM Agent install.  Can I bring down the firewall on the server and the clients just long enough to deploy the clients and then turn the firewall back on?  Or will the firewall interfere on an ongoing basis?

    Monday, July 25, 2011 3:09 PM
  • Hello,

    You can find the required ports to open for this in the [Ports used] Forefront Client Security article.


    Monday, July 25, 2011 3:12 PM
  • Hi Pisteuon,

    These ports still need to be open to communicate with the FCS Collection/Management server; you could use a GPO to deploy the firewall policies in your domain.

     


    Regards,
    Rick Tan
    Tuesday, July 26, 2011 3:01 AM
  • OK, well with the firewalls down the agent deploys fine, and I am sure that was the issue with the MOM Agent not deploying.

     

    However, the MOM agents have been deployed and the firewalls have been down for a few days now and the Forefront client has still not been deployed.

    I have already created and deployed the group policy, and even went and verified that it was enabled in the GP management console.

    What actually deploys the Forefront Client?  Is it MOM, WSUS, or Forefront Management?

    Wednesday, July 27, 2011 2:36 PM
  • Here's how it works:

    • Forefront Management is used to deploy the GPO
    • WSUS must approve the package in order to deploy FCS
    • MOM : the computer must be approved in order to be authorised to install and download FCS through WSUS
    • GPO : must be applied, so the computer gets all the settings to install FCS

    • Marked as answer by Rick Tan Thursday, August 4, 2011 4:04 AM
    Wednesday, July 27, 2011 3:02 PM
  • Hi Pisteuon,
     
    there are no updates "needing approval" or "failed".  When I go to the WSUS management console there are many updates that are not approved, including the definitions for the Forefront client, but not the actual client install package itself.

    To approve the client components in WSUS:

    1. In the WSUS console, click Options, and then click Products and Classifications.
    2. On the Products tab, select Forefront Client Security; on the Classifications tab, select Definition Updates and Updates, then click OK.
    3. Click Synchronizations, click Synchronize Now, and wait for the synchronization to complete.
    4. Click Updates, then All Updates, click Group By Classification, set the filter to Approval: Unapproved and Status: Any, and click Refresh. Find Client Update for Microsoft Forefront Client Security (1.0.1736.0) in the Classification: Updates group, then select and approve this update.
    5. Click Synchronizations, click Synchronize Now, and wait for the synchronization to complete.
    6. On your client, run the command wuauclt /detectnow to download and install FCS.

    If there are more inquiries on this issue, please feel free to let us know.


    Regards,
    Rick Tan
    • Marked as answer by Pisteuon Wednesday, August 24, 2011 2:52 PM
    Thursday, July 28, 2011 2:06 AM
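
    An added example, not part of the original thread: the approval steps from the last answer scripted against the WSUS administration API, run on the WSUS server as an administrator. The function name and the 'All Computers' target group are assumptions; the product, classification and package titles are the ones quoted in the answer.

```powershell
# Loads the WSUS administration API installed with the WSUS console/server.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Approve-FcsClientUpdate {
    param(
        [string]$Title     = 'Client Update for Microsoft Forefront Client Security',
        [string]$GroupName = 'All Computers'   # assumption: approve for every computer
    )
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $sub  = $wsus.GetSubscription()

    # Steps 1-2: report what is selected under Products and Classifications.
    # A selected parent category also covers the product, so these are hints only.
    $products = @($sub.GetUpdateCategories() | ForEach-Object { $_.Title })
    $classes  = @($sub.GetUpdateClassifications() | ForEach-Object { $_.Title })
    if ($products -notcontains 'Forefront Client Security') {
        Write-Warning 'Product "Forefront Client Security" is not individually selected.'
    }
    foreach ($c in 'Updates', 'Definition Updates') {
        if ($classes -notcontains $c) { Write-Warning "Classification '$c' is not selected." }
    }

    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
    if (-not $group) { throw "Computer group '$GroupName' not found on this WSUS server." }

    # Step 4: the client package sits in the Updates classification,
    # separate from the definition updates.
    $found = @($wsus.SearchUpdates($Title) |
        Where-Object { $_.Title -like "$Title*" -and -not $_.IsDeclined })
    if ($found.Count -eq 0) {
        Write-Warning 'Package not in the catalog yet; synchronize (step 3) and run again.'
        return
    }
    foreach ($u in $found) {
        if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
        $has = @($u.GetUpdateApprovals($group) | Where-Object { $_.Action -eq 'Install' })
        if ($has.Count -eq 0) {
            [void]$u.Approve(
                [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group)
        }
        '{0} [{1}] approved for {2}' -f $u.Title, $u.UpdateClassificationTitle, $group.Name
    }
}

Approve-FcsClientUpdate
```

    After it reports the approval, run wuauclt /detectnow on a client as in step 6.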