Applies To: Forefront Client Security
This document contains critical information that is required to successfully install and use Microsoft® Forefront™ Client Security. It is very important that you review the information contained in this document before you install Client Security.
The following table lists critical updates to this guide.
August 10, 2007: If you are installing multiple Client Security deployments, it is strongly recommended that you use a unique Management group name for each Client Security deployment.
It is highly recommended that you read the Client Security Deployment Guide (http://go.microsoft.com/fwlink/?LinkID=73723) before installing Client Security or any of the software prerequisites. The guide steps through the hardware and operating system requirements, installation of the software prerequisites, and deployment of Client Security.
It is very important that you review the critical server and client deployment issues below before you begin installing Client Security. Failure to do so could result in a nonfunctional deployment. Many of these issues are also documented in the Client Security Deployment Guide (http://go.microsoft.com/fwlink/?LinkID=73723).
Certain issues that were identified shortly before this release were not fixed. These known issues will be addressed in subsequent releases.
This section describes known issues for Client Security. These issues may impede your ability to use Client Security in the specified ways.
Critical server-deployment issues
Setup cannot be run from a network share
You cannot install Client Security from a network share unless you have granted permission to the application. For more information, see How to deploy a .NET Framework application to run from a network location (http://go.microsoft.com/fwlink/?LinkID=87921). Instead of granting permission, you can copy Client Security to your local server before installing it.
Server account and DAS account must be in same domain
In a one-server topology, the DAS account must be part of the same domain as the server.
Configuration wizard fails with SSL-secured reporting server URL
After installing Client Security with SQL Server Reporting services secured via Secure Sockets Layer (SSL) security (https://servername/reports), you may find the following error in the results page in the Configuration wizard: "Failure to import reports." In this case, the log file for the Configuration wizard (ServerConfig_YYYYMMDD_HHMMSS.log) also contains the following error message: "The request failed with HTTP status 413: Request Entity Too Large".
To resolve this issue, on the reporting server, open a Command Prompt and run the following command:
cscript adsutil.vbs set w3svc/1/uploadreadaheadsize 500000
For more information, see Client cannot renegotiate request and returns an HTTP 413 error (IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=87921).
Management server name cannot include international characters
Your reporting server will throw unhandled exceptions if your management server name contains international characters. To avoid this issue, do one of the following: name your management server using only ANSI characters, use "localhost," or if you use a static IP for your server, use the IP address.
If you already named your server using international characters, rename your server using only ANSI characters.
Trace-level logging issues
If you are installing Windows Server Update Services (WSUS) 2.0 for your distribution server, do not enable SetupAndConfigTracing during installation of the distribution server. Enabling SetupAndConfigTracing in this case will cause server setup to crash.
Furthermore, do not enable UpdateAssistantTracing and UpdateAssistantConfigTracing on the WSUS 2.0 distribution server at any point. Doing so may cause other services to crash.
Critical client deployment issues
64-bit Windows Vista client setup fails when UAC is enabled
When installing Client Security on a client computer with Windows Vista 64-bit operating system installed and User Account Control (UAC) enabled, you will receive the following error message: "Installation failed. Failed to initialize log file…Make sure that the log path and file and/or install path is valid and accessible." In this case, client setup will fail. To avoid this issue, you must run client setup from an elevated command prompt.
To run an elevated command prompt
On the Start menu, click All Programs, and then click Accessories.
Right-click Command Prompt, and then click Run as administrator.
In the User Account Control dialog box, click Continue.
Update Rollup 1 must be installed on Windows 2000 clients
Before installing the Update Rollup 1 for Windows 2000 with SP4, make sure that you have installed Windows 2000 SP4.
To install Update Rollup 1:
- On the client computer, download and install Update Rollup 1 for Windows 2000 with SP4 from Windows Update (http://go.microsoft.com/fwlink/?LinkId=87920).
Client setup log: AM Install Failed. See FCSAM.log for details
If you see this log entry after installing the Client Security agent on a client computer, you need to reboot that computer. After installing the agent, you will receive a log report that the client setup failed and that you should look at fcsam.log. However, fcsam.log states correctly that the installation completed successfully. To verify that there are no failures, reboot the client computer.
The issue will occur if you recently installed the Filter Manager QFE but have not yet rebooted.
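A small triage helper for the two log signatures quoted in these notes (the HTTP 413 entry in the Configuration wizard log and the "AM Install Failed" entry in the client setup log), added here as an example and not part of the Client Security documentation. The sample log lines and the fcsam.log success text are constructed assumptions; the notes quote neither.

```python
import re

# Log name format and message strings are quoted from the release notes above.
WIZARD_LOG = re.compile(r"^ServerConfig_\d{8}_\d{6}\.log$", re.IGNORECASE)
HTTP_413 = "The request failed with HTTP status 413: Request Entity Too Large"
AM_FAILED = "AM Install Failed. See FCSAM.log for details"


def first_hit(lines, needle):
    """Return the 1-based number of the first line containing needle, else None."""
    needle = needle.lower()
    for number, line in enumerate(lines, start=1):
        if needle in line.lower():
            return number
    return None


def triage_wizard_log(filename, lines):
    """Flag the SSL report-import failure in a Configuration wizard log."""
    if not WIZARD_LOG.match(filename):
        raise ValueError("not a Configuration wizard log: " + filename)
    hit = first_hit(lines, HTTP_413)
    if hit is None:
        return None
    return (hit, "raise UploadReadAheadSize on the reporting server "
                 "(adsutil.vbs command in the release notes)")


def triage_client_setup(setup_lines, fcsam_lines, success_marker):
    """Separate the reboot-pending false failure from a real failure.

    success_marker is the text fcsam.log uses for a completed install; the
    release notes do not quote it, so the caller supplies it (assumption).
    """
    if first_hit(setup_lines, AM_FAILED) is None:
        return "no-known-issue"
    if first_hit(fcsam_lines, success_marker) is not None:
        return "reboot-pending"      # documented case: reboot, then re-check
    return "investigate-fcsam-log"   # fcsam.log does not confirm success


# Constructed sample lines (not real product output) for a stand-alone run.
SAMPLE_WIZARD = ["[constructed] Importing reports to https://servername/reports",
                 "[constructed] Error: " + HTTP_413]
SAMPLE_SETUP = ["[constructed] " + AM_FAILED]
SAMPLE_FCSAM = ["[constructed] Installation completed successfully"]

if __name__ == "__main__":
    print(triage_wizard_log("ServerConfig_20070810_101500.log", SAMPLE_WIZARD))
    print(triage_client_setup(SAMPLE_SETUP, SAMPLE_FCSAM, "completed successfully"))
```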
Critical operational issues
Security State Assessment (SSA) patch checks fail
If you currently use WSUS in your Client Security deployment to distribute only definitions and not patches, the SSA patch checks will fail.
To avoid this issue, you must configure WSUS to download and automatically approve installation of all patches. The level of control that the client has over installing patches is still based on the automatic update settings in the policy.
Events on Windows XP may be lost
A computer running Windows XP stops logging events when the log file exceeds 512 KB. This issue occurs because the default event log size for Windows XP is 512 KB. To avoid losing event data, change the default event log size on the computer.
14-Day History not displaying on Windows 2003 Server
The 14-Day History section of the Client Security Dashboard tab might not display when the reporting server role is on a separate server from the management server role.
There are two possible causes for this issue:
- The user opening the Client Security console has not been granted Client Security Report Viewer permissions. For more information, see Working with user roles in the Client Security Administrator's Guide (http://go.microsoft.com/fwlink/?LinkID=86555).
- The SQL Server Reporting Services site needs to be added to the list of trusted sites in Windows Internet Explorer®.
Windows Defender is not disabled during upgrade from Windows XP to Windows Vista
When upgrading a Client Security client computer from Windows XP to Windows Vista, you might find that the Windows Defender service remains enabled. Use Group Policy to disable Defender on the client computers.
© 2007 Microsoft Corporation. All rights reserved.