Client deployment using WSUS not working RRS feed

  • Question

  • Hi, we have configured the WSUS 3.0 to store updates on Microsoft site, and only the definitions of those updates are to be stored locally. We could not get the FCS client to be deployed on the client machines. Is this by design?



    Monday, May 14, 2007 2:46 AM

All replies

  • Hello!

    I don't believe you need them to be stored locally, but you do need to distribute an FCS policy to the targeted machines before they can detect the package and install it. 




    Forefront Client Security PM

    Wednesday, May 16, 2007 9:33 PM
  • Hi,
    I have the wsus with the updates and client stored, also I have deployed the policy to the machines but I still can't install the client in the computers via wsus, I have a lab enviroment, with 3 Servers
    1- FCS (DB, FCS)
    1- Domain Controller
    1- Wsus 2.0 Sp1

    2 Clients

    When I deploy the policy as the deployment guide says, it should appear in the mom installed with the fcs, but it never shows up and my client pc's never get the policy so they never install the client.
    Tuesday, June 12, 2007 3:17 PM

    1. have you installed the Distrbution Role on the WSUS server ? this installs update assistant that is required for proper work with FCS.

    2. did you sync the WSUS server?

    3. on the sync options, which categories and product did you check for ? you must check for "forefront client security" on the products tab and on the categories tab both "definitions" and "updates" must be check. definitions are for the normal signiture updates, and "updates" is for downloading the client itself and having the package available for WSUS deployment.




    Monday, June 18, 2007 7:46 PM
  • Hi Ricardo

    Thanks for your questions - from your post, I'm not sure if the client machines are getting the policy or not?  You can verify that the policy has been received by the client machines by checking for this reg key:  HKLM\Software\Policies\Microsoft\Microsoft Forefront\Client Security\1.0


    If that key exists, then your machines ARE receiving the FCS policy (I assume you are distributing it via AD/GP)


    If the policy is received and the client can successfully check into WSUS (and you've downloaded and approved the package), check the local windows update log (c:\windows\windowsupdate.log for any errors)


    Hope this helps


    Forefront Client Security PM

    Tuesday, June 19, 2007 5:39 PM
  • After 5 days trying to get that working, it did finally start working, and I did sync the wsus, I did Approve the FC updates and definitions, I deploy and re deploy the policy, I ran the gpupdate /force command to force to policy to be applyed, and at the end it start working by it self, but after 5 days.


    Now I have another question, I don't know if is duable, but I want to replace the distribution server (wsus), because I want to use sce in the infrastructure, I don't know if is possible to have the sce that comes with a wsus embeded as the distribution server instead have a separate wsus server, this is because I want to take advantage of the features of the sce and from the fcs, is this possible?





    Tuesday, June 19, 2007 9:59 PM
  • technincly there should be not problem using any WSUS in your organization. even by my knowledge knowledge and experience with SCE there should be no problem with this scenario. just check that you apply the WSUS policy to your entire org so there won't be client left which are directed to the old server.
    Wednesday, June 20, 2007 5:25 AM
  • Hi Chris,

    Can you give us a write up or documentation guide regarding on this matter?

    I already try all of the documents on how to deploy Forefront client security, but non of them was working.

    I can only deploy FCS client using manual deployment. I also try the sample script you had provided but using this to ordinary users the installation failed due to insufficient permission previlage. we would like to try this remote client deployment even you logon as ordinary user.

    Hope you could help us.


    Thanks & regards,




    Wednesday, February 6, 2008 1:12 AM
  • Hey Alex,


    First, I recommend you go through all the steps in: http://technet.microsoft.com/en-us/library/bb404255.aspx

    it explains the procedure of working with WSUS in order to deploy FCS Client Agents...


    if you still need further help, feel free to post a more specific question and explain a bit more about the specific problem and what phase you are running into it.



    Thursday, February 7, 2008 2:08 AM
  • I have a similar problem. I have done all the steps set out in the document, and have checked that the key exists in the registry. To my knowledge everything is as it is supposed to be. I have gone and approved the Forefront updates in the WSUS (Definition and HTTP definitions and one or 2 updates) but still the clients are not downloading from WSUS. In the wsus log it just says 0 updates found. I am at a dead end. Can anybody help please?
    Thursday, May 8, 2008 5:10 AM
  • Sorry, one thing I forgot to mention is that I am trying this on a couple of PC's which have not yet been activated. Would this maybe be the problem? I am also thinking that it might be because Windows Genuine advantage has not yet been installed on the machine.....can this be a problem?
    Thursday, May 8, 2008 5:13 AM
  • I have a similar problem when trying to deploy the client using WSUS 3.0. The client seems to be reporting okay and everything to WSUS, but it shows the updates as "not needed."


    I have approved the following updates to be installed:






    Here is an excerpt of my Windowsupdates.log


    08-05-19 23:18:55  856 428 PT +++++++++++  PT: Synchronizing server updates  +++++++++++
    2008-05-19 23:18:55  856 428 PT   + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://compfcs:8530/ClientWebService/client.asmx
    2008-05-19 23:18:55  856 428 PT Initializing simple targeting cookie, clientId = b543ebe2-0239-47d2-9d53-d7ed373da48c, target group = , DNS name = fcs-xp.completelab.com
    2008-05-19 23:18:55  856 428 PT   Server URL = http://compfcs:8530/SimpleAuthWebService/SimpleAuth.asmx
    2008-05-19 23:19:38  856 428 Agent   * Found 0 updates and 7 categories in search
    2008-05-19 23:19:38  856 428 Report ***********  Report: Initializing static reporting data  ***********
    2008-05-19 23:19:38  856 428 Report   * OS Version = 5.1.2600.2.0.65792
    2008-05-19 23:19:38  856 428 Report   * Computer Brand = Microsoft Corporation
    2008-05-19 23:19:38  856 428 Report   * Computer Model = Virtual Machine
    2008-05-19 23:19:38  856 428 Report   * Bios Revision = 080002
    2008-05-19 23:19:38  856 428 Report   * Bios Name = BIOS Date: 08/14/03 19:41:02  Ver: 08.00.02
    2008-05-19 23:19:38  856 428 Report   * Bios Release Date = 2003-08-14T00:00:00
    2008-05-19 23:19:38  856 428 Report   * Locale ID = 3082
    2008-05-19 23:19:38  856 428 Agent *********
    2008-05-19 23:19:38  856 428 Agent **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2008-05-19 23:19:38  856 428 Agent *************
    2008-05-19 23:19:38  856 730 AU >>##  RESUMED  ## AU: Search for updates [CallId = {74CED80B-D0F0-4ABE-BF64-8E0F12A7AFE3}]
    2008-05-19 23:19:38  856 730 AU   # 0 updates detected


    All my servers are in English, my client in Spanish. I am synchronizing updates in all languages.



    Tuesday, May 20, 2008 4:38 AM
  • Inevitably, all I had done was applied a filter to the Updates screen - it should show Update under Classifications, and not Critical Updates as I had.


    As an aside - why can you filter using the title of the update in the updates screen, but not when viewing the status of computers in a group in the WSUS 3 console? For example, I can search for all types of updates in the WSUS console in the list of updates downloaded etc and also by name, but not by the product name in the list of updates associated with a computer group in the Reports section.


    Wednesday, May 21, 2008 4:30 AM
  • I have the same problem. I have spent days on this. Still my clients do not get the FCS agent installed via WSUS.


    I have a 1 server (32 bits Windows 2003R2SP2) FCS server scenario. So my FCS server is also the WSUS 3.0SP1 server. This WSUS server works ok for many months now and I have succesfully deployed XP SP3 last week with it.


    I'am using a 32 bits localized (Dutch) version of Windows XP SP3 on my clients. So I do not need update KB914882 anymore, do I? My server is an English version. ( The AD server is 64 bits).


    I deployed the FCS policy via GPO. When I check the registry of my clients I can see the FCS registry keys. So the policy is applied correctly.These are the settings I see from my Group Policy Management Console:


    Setting State
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AlertLevel 3
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\DisableAntiSpyware 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\DisableAntiVirus 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\DisableLocalAdminMerge 1
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Quarantine\PurgeItemsAfterDelay 21
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection\AutomaticallyCleanRealTimeAfterDelay 1
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection\DisableAntiSpywareRealtimeProtection 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection\DisableAntiVirusRealtimeProtection 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection\EnableUnknownPrompts 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Reporting\DisableLoggingForUnknown 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan\AutomaticallyCleanAfterScan 1
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan\CheckForSignaturesBeforeRunningScan 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan\DisableArchiveScanning 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan\DisableHeuristics 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan\QuickScanInterval 8
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan\ScanParameters 2
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan\ScheduleDay 3
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan\ScheduleTime 660
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\ServiceKeepAlive 1
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates\CheckAlternateDownloadLocation 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates\ScheduleDay 8
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates\SignatureUpdateInterval 4
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\SpyNet\SpyNetReporting 1
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\UX Configuration\AllowNonAdminFunctionality 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\UX Configuration\AlwaysShowTaskTrayIcon 1
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\UX Configuration\ConsoleFunctionalityAvailable 3
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\DeploymentMethod 4
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\DeploymentPath LDAP://uck-s011.uck.local/CN={E030724E-A40D-47C7-BE1A-89D50B014673},CN=Policies,CN=System,DC=uck,DC=local
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\MOMGroupName ForefrontClientSecurity
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\MOMServerName UCK-S001
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\Name UCK Forefront basis policy voor desktops
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\ProfileID a55ee6a3-2720-4e3e-bbd7-cd037ff3863c
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\ProfileInstanceID ba2cbce0-7ab7-4cb4-848a-ba87536ae0a9
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\SSA\OptIntoMU 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\SSA\ScanAction\Parameter <ScanJob Version='1.0' Culture='1033'> <Manifest ConfigFile='VulnerabilityDefinitions.manifest' ConfigVersion=''/> </ScanJob>
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\SSA\ScanAction\ScanWhenMissed 1
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\SSA\ScanAction\Time 13
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\SSA\ScanAction\TimeType


    I have also checked WSUS that alle FCS updates are approved, that license agreements have been accepted and that the updates are downloaded and available on the WSUS server.


    WSUS is telling for update "Client Update for Microsoft Forefront Client Security (1.0.1703.0)" : "The update is not applicable on 32 computers". We have 43 computers connected to the WSUS server. None of them have the client agent installed. So 32 computers must have decided that this update is "not applicable" for them, why? And why do the 11 other computers make no descision?


    My clients report 0 updates in the WindowsUpdate.log file. What I am doing wrong? I have no idea!


    Please help, since my clients are unprotected since I removed Etrust Anti virus last week.


    Thanks in advance,







    Wednesday, May 28, 2008 11:49 AM



    Have you tried a manual installation of FCS klient on one of the computers giving you problems,

    just to make sure they have all of the prereqs installed?




    Thursday, May 29, 2008 2:27 PM
  • I just started a new thread http://forums.technet.microsoft.com/en-US/Forefrontclientsetup/thread/f3438952-1e78-4b1d-9d64-b10ea96dae64 describing a similar issue with SP3. I also see my client reporting as "not needed." The Windows XP SP2 client I had did install the agent.

    Would be nice to find some kind of justification as to why a client decides an update shouldn't be applied to him. Will this same FCS Client update package also be valid for SP3?
    Friday, May 30, 2008 4:41 AM
  • Dear Johan and Johnny,

    Thanks for your response, yes If I do a manual installation of FCS client, than the GPO FCS policies are applied correctly and the updates are downloaded fron WSUS. From Johnny Mango's post I read that SP3 might be the problem. And I think that that indeed might be the case.

    I have no XP2 client available anymore. I will install one on Monday and see what happens.

    Furthuremore I have opened  a  support case at Microsoft. As soon as I know more, I will post here again. Thanks for thinking with me.


    Friday, May 30, 2008 12:59 PM
  • Hi all,

    I was able to reproduce this issue with a Dutch verison of XPSP3 and break it down to the root cause.
    We currently seem to have an issue with the detection logic for those versions of XPSP3 that are other than English, French, German, Italian, Spanish, Korean, Japanese, Chinese (Simplified) or Chinese (Traditional). The issues is now known and I expect a timely resolution.

    Thanks all for the details, especially Danny for raising the support case,

    (This information is provided "as is" and confirms no rights)
    This information is provided "as is" and confers no rights
    Monday, June 2, 2008 6:07 PM
  • Hi,

    Thanks for the info about SP3.
    I have detected, not just about SP3 de Windows XP, that many clients report "Not applicable" when the client is moved from the OU which had the GPO applied. It seems to me that clients mark "Not applicable" if the are not subject to any FCS policy, even an empty one, so the idea would be add the client to the OU, create the WSUS GPO and then create any FCS policy for the same OU.

    Am i correct in thinking this is absolutely necessary?

    Over the next week or two I hope to try out installations in Windows XP SP3, so we shall see. Any special steps required to install on Windows Vista?

    Friday, June 6, 2008 4:44 PM
  • Just to give a quick update, I managed to install an English Windows XP SP3 client with the FCS servers in English without any problems using WSUS.

    We shall see what happens with Spanish WSUS clients.

    • Edited by johnny mango Monday, June 9, 2008 4:24 PM Correction of previous post where I had put &quot;Spanish client&quot; and not &quot;English client&quot;
    Friday, June 6, 2008 6:05 PM
  • It may be possible that the update detection logic was already modified and pushed out to MU/WU/WSUS which would mean your WSUS server had the new detection logic that allowed it to install properly.. The issue wasn't with the installer itself just the detection rules that let the client/server know whether the install was applicable to the system.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response)
    Friday, June 6, 2008 6:37 PM
  • You need to have the appropiate updates approved for the Spanish clients.  In WSUS, there should be a setting on approve all locales.  Make sure that is selected.  Then run a syncronization with WSUS, and once that is completed, then you can try running wuauclt /detectnow on one of the problem clients.
    MCSA Windows 2003 MCP Windows NT 4 Workstation
    Tuesday, April 6, 2010 6:26 PM
  • I have found that the forefront client will get pushed out - it just takes a while.  It seems to take 4 or 5 update cycles, then it gets pushed.  I have a small virtual environment that I have been using to test. I have created 4 XP clients and used the wuauclt \updatenow command to simulate daily update cycles.  On a fresh install of XP w/SP2 - it first gets the new installer, then all the critical updates, then SP3, then finally the forefront client will install.  Why is it so slow?  Don't know - it seems very strange that it should take so long to deploy. WSUS seems a bit flaky - and i hate the reporting.
    Monday, May 31, 2010 10:01 PM