FCS vs. IT-designed GPO settings

  • Question

    Working on an FCS deployment. We're in testing and have some questions. First, we're struggling with getting consistent downloads of the client from WSUS. The GPO looks fine, the clients see the WSUS server fine, but the download isn't consistent. Any advice?

     

    Second, the company uses GPOs to force IE settings on their desktop. Post FCS installation, FCS is alerting the user of this registry change by popping up the dashboard. Obviously this isn't a good thing. What is the recommended method for balancing FCS settings with GPO settings to ensure a seamless user experience WHILE allowing IT to do its job and make changes as needed?

     

    thx.

    Friday, April 13, 2007 2:23 PM

All replies

  • Hello!

     

    As for the WSUS deployment, what information do you see in the WSUS reports for the clients that aren't performing the install?  Is WSUS reporting the install as Not Needed? 

     

    For the GPO settings, do you have "notify about unknowns" set in the policy?  If so, you may wish to disable that and see if that is triggering the alerts.

     

    Thanks

    Chris

    Forefront Client Security PM

    Saturday, April 14, 2007 5:39 AM
  • We will often see the client listed in the WSUS server as needing the install. So the client is reporting correctly, WSUS sees that it needs the install, but the install never gets completed (WSUS 2.x sp1, Windows XP SP2).

     

    I'll double check the policy setting, but your answer brings up a management question. There are going to be known and managed changes to the computers via GPOs (and potentially other IT-generated means). Turning off notifications will have the potentially ill effect of a client not being aware of a virus and delaying notification to the help desk, information security and all other required/interested parties. So I see a question of balance here; how do we determine the difference between a managed change and a change brought about by malware? Ideally, as I said, we'd want clients to see changes introduced by malware, but not those introduced by IT.

     

     EDIT: Additional information....

     

    Two machines are currently not receiving the client. WSUS says one still needs the client installed, the other says the client install failed with errors 0x80070643 which directs me back to a WSUS installation problem (http://technet2.microsoft.com/WindowsServer/en/library/c1c07604-2fca-4410-81f6-c02d2fb5c3141033.mspx?mfr=true). That doesn't make too much sense to me.

     

    The other machine says the client isn't installed yet. Both are visible via MOM.

     

    On the Policy, there isn't an option that I see to not notify about unknowns; just to not log.

    Saturday, April 14, 2007 6:40 PM