Policy issues

Applies To: Forefront Client Security

This section contains the following topics:

Policy is not applied to the agent

Incorrect Client Security policy applied to the agent

Client Security can deploy configurations to agents via policies. These policies are deployed directly to an organizational unit (OU) via a Client Security–created Group Policy object (GPO), or they can also be added to an existing GPO that an administrator has previously created.

The following sections supplement the standard Group Policy troubleshooting topics. For information about general Group Policy troubleshooting, see Troubleshooting Group Policy in Microsoft Windows Server (http://go.microsoft.com/fwlink/?LinkId=86299).

Policy is not applied to the agent

Client Security agents might not be receiving the configured Client Security policy.


For the agent to receive the configuration from a Client Security policy, the computer that the agent is running on must receive the GPO that contains the Client Security policy. There can be a variety of causes for the GPO not applying to the target computer, many of which are covered in the document referenced previously. The following are some additional scenarios, specific to Client Security:

  • The target computer is not a member of a security group to which the Client Security policy has been deployed.

  • The target computer does not reside in the OU to which the Client Security policy has been deployed.

  • The target computer is a member of a different domain.


To determine which of these issues is causing the problem, run gpresult.exe from a command prompt under the user's security context. This tool generates much useful information, but for troubleshooting purposes, you will focus on the sections described in the following table.

Label Description

Computer settings

The computer's OU location in the domain and its domain membership

The computer is a part of the following security groups

Each group to which the computer belongs (listed after the Applied and Filtered Group Policy sections)

Examine these areas to determine if the computer is a member of the correct group and if the computer is located in an OU that has a Client Security policy deployed to it.

Incorrect Client Security policy applied to the agent

A Client Security agent might have received the wrong Client Security policy.


There are two possible causes for this problem that are specific to Client Security:

  • The client computer is not in the expected security group or OU. To verify the computer's security group membership and OU location, run gpresult.exe.

  • Policy inheritance has overridden the policy expected to be applied to the agent.

Additionally, issues such as Active Directory replication and network connectivity problems can interfere with the application of Client Security policy. For more information about these larger issues, see the document referenced previously.


To address this cause, you need to determine the GPO from which the computer is receiving its Client Security configuration.

To determine which GPO controls Client Security configuration

  1. In the Run dialog box, type rsop.msc and press ENTER.

  2. After the analysis process completes, under Computer Configuration, expand Administrative Templates and click Extra Registry Settings.

  3. In the details pane, look for the settings with the following registry path:

    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0

    The GPO Name column identifies the GPO from which Client Security settings originate.


Client Security policy is applied as a discrete unit. Unlike the rest of Group Policy, the settings in Client Security policy are applied as a unit, with inheritance overriding all or none of the settings.