Can't view client UI after install

  • Question

  • I have a remote location with its own WSUS 3.0 sp1 server that gets its updates from my WSUS 3.0 SP1 server on site.  The client I installed is remote and I installed the client via command line as follows \\servername\sharename\client\clientsetup.exe /CG forefrontclientsecurity /MS localwsusserver.domain.com.  The client installs and after installation is looking for updates.  However, after a few minutes if you try to click on the orange exclamation point in the bottom corner or from program menu it does nothing.  On the bottom right corner it will read "A system Administrator manages Microsoft ForeFront Client Security for all users on this computer.  The program will notify you to take action only if malicious software is detected."  I have seen this on a few machines, but most machines, around 700, all work as expected.  You can access the UI on the client and scan and everything else on the good machines.  Any ideas what causes this behavior?  I have tried reinstall, reboot and still nothing.  The clients are set via GP to get their updates from their local WSUS server.  Thanks
    Friday, April 25, 2008 2:30 PM

Answers

  • Hi,

     

    There are a few things that you need to do.

    The first thing you need to do is correct the policy the clients get from the Forefront management server (via GPO) to let users open the UI.

    1. Pick one client that is giving you trouble and run "gpresult" on it. Check which Forefront Client Security policy it is getting.

    2. On the FCS management server, edit that policy and on the "Advanced" tab, at the bottom, you can change the setting to allow users to view the UI.

    3. Save the new settings and deploy the policy again from the management server.

    4. Go back to the client and run "gpupdate". You should now be able to open the UI.

     

    ..now to the other issue.

    You are running the client setup installation manually with the /MS /CG parameters. Furthermore, by looking at the syntax I'm guessing that you specified the wrong server for the /MS parameter; it should point to the FCS server.

    You don't need to use the /MS /CG switches at all. The /MS /CG settings will be deployed automatically with the policy you deployed from the management server.

    In this case I recommend that you uninstall the client and reinstall it just by running clientsetup.exe without any switches.

    1. On the same client as above, open regedit and search for the computer name of your FCS management server. This is just to make sure you have the right /MS setting deployed to the client.

    2. Install the client by running clientsetup.exe without the /MS /CG switches.

    3. On the management server, open the MOM admin console and approve the manual installation under "pending actions".

     

    hope this helps!

    let me know :-)

    /Johan

    Sunday, April 27, 2008 7:17 AM
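
The two client-side checks from the answer above (which GPOs the machine receives, and whether the registry references the FCS management server), scripted so they can be repeated on each affected client. This is an added example, not part of the original thread. The server name is a placeholder, the `HKLM:\SOFTWARE` search scope is an assumption, and the gpresult call assumes Windows Vista or later with English-language output.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the affected client.
# $FcsServer is a placeholder: set it to the computer name of your FCS management server.
param(
    [string]$FcsServer = 'FCS-MGMT-PLACEHOLDER',
    [string]$Root      = 'HKLM:\SOFTWARE'   # assumed search scope; widen it if nothing is found
)

# Policy check: list the computer-scope GPOs the client is actually receiving.
# Assumes gpresult accepts /R (Windows Vista and later) and prints English headings.
function Get-AppliedComputerGpo {
    gpresult /R /SCOPE COMPUTER |
        Select-String -Pattern 'Applied Group Policy Objects' -Context 0,15
}

# Registry check: the scripted form of "open regedit and search for the server name".
# Returns every value under $Path whose name or data contains $Needle (case-insensitive).
function Find-RegistryReference {
    param([string]$Path, [string]$Needle)
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            # Multi-string and binary values are flattened to one space-separated string.
            try { $data = "$($key.GetValue($name))" } catch { continue }
            if ($name.IndexOf($Needle, $cmp) -ge 0 -or $data.IndexOf($Needle, $cmp) -ge 0) {
                New-Object PSObject -Property @{ Key = $key.Name; Value = $name; Data = $data }
            }
        }
    }
}

Get-AppliedComputerGpo

$hits = @(Find-RegistryReference -Path $Root -Needle $FcsServer)
if ($hits.Count -eq 0) {
    # No hit means the client has not received a setting that names this server.
    Write-Warning "No registry value under $Root references '$FcsServer'."
} else {
    $hits | Format-List Key, Value, Data
}
```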

All replies

  • Johan,
    Thank you for your knowledge.  It was a simple mistake of forgetting a checkbox under the advanced tab.  I appreciate it.  I have gotten the client view to show up now on my clients and everything is working as it should.  I appreciate it.  Have a great day!

    swordfish7769
    Tuesday, April 29, 2008 1:38 PM
  • How do I reset this policy without connecting the machine to the network? Basically it has a virus and I don't want to connect it up until it is cleared.

    I tried reinstalling Forefront but it still picks this setting up.  Is this stored in Registry?

    I just want to manually update the definitions and then kick off a scan.
    Thursday, February 12, 2009 2:43 PM
  • Hello!
    I have the same problem too.
    I manually install the FCS agent with clientsetup.exe without parameters, then I allow users to use the UI on the Advanced tab in the management console. I apply the policy to the OU with the client computers. On the client computer I run gpupdate /force, then I check that the group policy applied correctly with gpresult. It's all OK. But users (administrators too) cannot access the agent UI and run a scan manually.

    Are there any solutions for this problem?
    Руслан Разбежкин
    Wednesday, March 11, 2009 9:52 PM