none
Forefront Client Security windows update fails after FEP install... RRS feed

  • Question

  • We are running Forefront Endpoint Protection 2010 via SCCM and it has been working very well.  However we have 20 servers that have been upgraded to FEP 2010 and the old Forefront Client Security keeps trying to reinstall via Automatic Updates/Windows Update.  FEP automatically stops the installation of FCS as that is a built-in feature but it keeps trying over and over to install it.  The Group Policy object that was in place to install the old FCS has been removed from AD properly and it is NO longer applied to the computer as I verified by doing a gpresult.  The update name that shows up in Automatic Updates/Windows Update is "Client Update for Microsoft Forefront Client Security (1.0.1736.0)"  I've gone through the registry and searched for every FCS entry I could find and deleted them.  There is one registry entry that keeps coming back every time the server checks for updates from our WSUS server and then it trys to install.  The main registry entry is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront
    and the specific stuff shows here:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0]
    "MOMServerName"="fcssever..edu"
    "MOMGroupName"="ForefrontClientSecurity"
    "AlertLevel"=dword:00000003
    "Name"="Inst_Forefront_Servers"
    "ProfileID"="5303cfa1-a5f4-442d-9557-08582ab7f66a"
    "ProfileInstanceID"="064da868-2808-4072-8e86-3748242e3cdc"
    "DeploymentMethod"=dword:00000001
    "DeploymentPath"="C:\\Documents and Settings\\Administrator\\Desktop\\Inst_Forefront_Servers.reg"

    What do I need to do to get it to stop trying to reinstall?

    Tuesday, January 31, 2012 5:14 PM

Answers

  • I was able to fix my issue by using the tool "FCSLOCALPOLICYTOOL.EXE /D" to remove the local policy that was hidden in the registry that was causing FCS to try to reinstall.  After I ran that command and ran "wuauclt /detectnow" to check in with our local WSUS server, everything cleared up.  The FCSLOCALPOLICYTOOL is included with the client installation for Forefront Client Security.
    • Marked as answer by wsual Friday, February 3, 2012 4:36 PM
    Friday, February 3, 2012 4:35 PM

All replies

  • Hi,

    Thank you for your post.

    What do I need to do to get it to stop trying to reinstall?

    You could rename/remove update download folder to remove the update list. Follow the step refer to KB958046:
    net stop wuauserv
    cd %systemroot%\SoftwareDistribution
    ren Download Download.old
    net start wuauserv

    If there are more inquiries on this issue, please feel free to let us know.

    Regards


    Rick Tan

    TechNet Community Support

    Thursday, February 2, 2012 7:29 AM
    Moderator
  • We've been having the same problem.

    After some research I've found the solution:

    Remove the MOM client and the FCS Security State Assessment program before removing FCS:

    • MOM: MsiExec.exe /x{F692770D-0E27-4D3F-8386-F04C6F434040} /qn
    • SSA: MsiExec.exe /x{E8B56B38-A826-11DB-8C83-0011430C73A4} /qn

    In SCCM you can do this in two ways:

    1. In a script:
    • Create a script that does both at once (for example in a batch file):
      MsiExec.exe /x{F692770D-0E27-4D3F-8386-F04C6F434040} /qn
      MsiExec.exe /x{E8B56B38-A826-11DB-8C83-0011430C73A4} /qn
    • Create a program "Uninstall MOM and SSA" inside the "Microsoft Corporation FEP - Deployment 1.0" package which points to the script.
    • In the program called "Install" go the "Advanced" tab and enable "Run another program first".
    • Select "Uninstall MOM and SSA" inside the package "Microsoft Corporation FEP - Deployment 1.0".

    2. Subsequent programs:

    • Create a program "Uninstall MOM" inside the "Microsoft Corporation FEP - Deployment 1.0" package which points to:
      MsiExec.exe /x{F692770D-0E27-4D3F-8386-F04C6F434040} /qn
    • In the program called "Install" go the "Advanced" tab and enable "Run another program first" and select "Uninstall MOM" in the same package.
    • Create a program "Uninstall SSA" inside the "Microsoft Corporation FEP - Deployment 1.0" package which points to:
      MsiExec.exe /x{E8B56B38-A826-11DB-8C83-0011430C73A4} /qn
    • In the program called "Uninstall MOM" go the "Advanced" tab and enable "Run another program first" and select "Uninstall SSA" in the same package.

    If these programs have not been removed before installing, remnants stay behind in registry and filesystem.

    What I did, is execute these cleanup commands (try this at your own risk!):

    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Microsoft Forefront\Client Security" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security" /f
    reg delete "HKEY_USERS\.DEFAULT\Software\Microsoft\Microsoft Forefront\Client Security" /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{69523C08-7167-4B36-BD00-C94F26DA5998}" /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D010F7E5-E256-4746-9B8C-40B8EEC3B9E9}" /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D63C9D7A-EB97-40BB-A92A-425D17C306CD}" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security" /f
    
    rd /s /q "C:\Program Files\Microsoft Forefront\Client Security"
    rd /s /q "C:\ProgramData\Microsoft\Microsoft Forefront\Client Security"
    
    NET STOP wuauserv
    DEL /Q /S "%WINDIR%\SoftwareDistribution"
    NET START wuauserv
    
    NET STOP CcmExec
    DEL /Q /S "%WINDIR%\System32\CCM\Cache
    NET START CcmExec


    For a complete and supported way to remove Forefront Client Security, check this article.

    Good luck!






    • Edited by ZarcoZ Thursday, February 2, 2012 10:55 AM
    Thursday, February 2, 2012 10:38 AM
  • I was able to fix my issue by using the tool "FCSLOCALPOLICYTOOL.EXE /D" to remove the local policy that was hidden in the registry that was causing FCS to try to reinstall.  After I ran that command and ran "wuauclt /detectnow" to check in with our local WSUS server, everything cleared up.  The FCSLOCALPOLICYTOOL is included with the client installation for Forefront Client Security.
    • Marked as answer by wsual Friday, February 3, 2012 4:36 PM
    Friday, February 3, 2012 4:35 PM