This document contains critical information that is required to successfully install and use Microsoft® Forefront™ Client Security. It is very important that you review the information contained in this document before you install Client Security.
It is highly recommended that you read the
For information about troubleshooting specific issues, see the
For details about the types of information collected or used by Client Security, see the
It is very important that you review the critical server and client deployment issues below before you begin installing Client Security. Failure to do so could result in a nonfunctional deployment. Many of these issues are also documented in the
Certain issues that were identified shortly before this release were not fixed. These known issues will be addressed in subsequent releases.
This section describes known issues for Client Security. These issues may impede your ability to use Client Security in the specified ways.
Critical server-deployment issues
Setup cannot be run from a network share
You cannot install Client Security from a network share unless you have granted permission to the application. For more information, see
Permissions for reporting database required
This version of Client Security requires that, in a three-server topology, you give permissions for the account under which the SQL Server Agent runs on the reporting database to the management, collection, and reporting server. By doing so, you enable the Client Security DTS account (which runs by default as a local system account on the reporting database server) to access the collection database (located on the management, collection, and reporting server).
To grant permissions:
On the management, collection, and reporting server, add the computer account for the reporting database server (if the SQL Server Agent runs under the local system) or the domain account that the agent runs under to the SQLServer2005ReportServerUser$computername$MSSQLSERVER group.
To find out what account the SQL Server Agent runs under:
On the reporting database server, open the Services console and double-click SQL Server Agent (MSSQLSERVER), and then click the Log On tab.
For more information about permissions, see the
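The grant procedure above, scripted as an added example (not part of the release notes or a Microsoft tool); run it on the management, collection, and reporting server. `REPORTDB01` and `CONTOSO` are placeholder names, and the script assumes the default SQL Server instance, whose Agent service is named `SQLSERVERAGENT`.

```powershell
# Added example. Run on the management, collection, and reporting server.
# $ReportingDbServer and $Domain are placeholder values (assumptions).
$ReportingDbServer = 'REPORTDB01'   # computer name of the reporting database server
$Domain            = 'CONTOSO'      # NetBIOS name of the domain that server belongs to

# SQLSERVERAGENT is the service behind "SQL Server Agent (MSSQLSERVER)".
$agent = Get-WmiObject -Class Win32_Service -ComputerName $ReportingDbServer `
                       -Filter "Name='SQLSERVERAGENT'"
if (-not $agent) { throw "SQL Server Agent service not found on $ReportingDbServer." }

# StartName is the account shown on the service's Log On tab.
$logon = $agent.StartName
Write-Host "SQL Server Agent on $ReportingDbServer runs as: $logon"

if ($logon -eq 'LocalSystem') {
    # Local system authenticates to other servers as the computer account.
    $principal = $Domain + '\' + $ReportingDbServer + '$'
}
elseif ($logon -like '.\*' -or $logon -like 'NT AUTHORITY\*' -or
        $logon -like "$ReportingDbServer\*") {
    # The release notes cover only local system or a domain account.
    throw "Agent runs as '$logon', which is neither local system nor a domain account."
}
else {
    $principal = $logon   # domain account, as reported by the service
}

# The group name embeds this server's own computer name.
$group = 'SQLServer2005ReportServerUser$' + $env:COMPUTERNAME + '$MSSQLSERVER'

# List current members first so that a repeat run does not raise an error.
$members = net localgroup $group
if ($LASTEXITCODE -ne 0) { throw "Local group '$group' not found on this server." }

if ($members -contains $principal) {
    Write-Host "$principal is already a member of $group."
}
else {
    net localgroup $group $principal /add
    if ($LASTEXITCODE -ne 0) { throw "Could not add $principal to $group." }
}
```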
Server account and DAS account must be in same domain
In a one-server topology, the DAS account must be part of the same domain as the server.
Configuration wizard fails with SSL-secured reporting server URL
After installing Client Security with SQL Server Reporting Services secured with Secure Sockets Layer (SSL) (https://servername/reports), you may find the following error on the results page of the Configuration wizard: "Failure to import reports." In this case, the log file for the Configuration wizard (ServerConfig_YYYYMMDD_HHMMSS.log) also contains the following error message: "The request failed with HTTP status 413: Request Entity Too Large".
To resolve this issue, on the reporting server, open a Command Prompt and run the following command:
cscript adsutil.vbs set w3svc/1/uploadreadaheadsize 500000
For more information, see
Management server name cannot include international characters
Your reporting server will throw unhandled exceptions if your management server name contains international characters. To avoid this issue, do one of the following: name your management server using only ANSI characters, use "localhost," or if you use a static IP for your server, use the IP address.
If you already named your server using international characters, rename your server using only ANSI characters.
Trace-level logging issues
If you are installing Windows Server Update Services (WSUS) 2.0 for your distribution server, do not enable SetupAndConfigTracing during installation of the distribution server. Enabling SetupAndConfigTracing in this case will cause server setup to crash.
Furthermore, do not enable UpdateAssistantTracing and UpdateAssistantConfigTracing on the WSUS 2.0 distribution server at any point. Doing so may cause other services to crash.
Critical client deployment issues
64-bit Windows Vista client setup fails when UAC is enabled
When installing Client Security on a client computer with Windows Vista 64-bit operating system installed and User Account Control (UAC) enabled, you will receive the following error message: "Installation failed. Failed to initialize log file…Make sure that the log path and file and/or install path is valid and accessible." In this case, client setup will fail. To avoid this issue, you must run client setup from an elevated command prompt.
On the Start menu, click All Programs, and then click Accessories.
Right-click Command Prompt, and then click Run as administrator.
In the User Account Control dialog box, click Continue.
Update Rollup 1 must be installed on Windows 2000 clients
Before installing the Update Rollup 1 for Windows 2000 with SP4, make sure that you have installed Windows 2000 SP4.
To install Update Rollup 1:
On the client computer, download and install Update Rollup 1 for Windows 2000 with SP4 from
Client setup log: AM Install Failed. See FCSAM.log for details
If you see this log entry after installing the Client Security agent on a client computer, you need to reboot that computer. After installing the agent, you will receive a log report that the client setup failed and that you should look at fcsam.log. However, fcsam.log states correctly that the installation completed successfully. To verify that there are no failures, reboot the client computer.
The issue will occur if you recently installed the Filter Manager QFE but have not yet rebooted.
Critical operational issues
Security State Assessment (SSA) patch checks fail
If you currently use WSUS in your Client Security deployment to distribute only definitions and not patches, the SSA patch checks will fail.
To avoid this issue, you must configure WSUS to download and automatically approve installation of all patches. The level of control that the client has over installing patches is still based on the automatic update settings in the policy.
Events on Windows XP may be lost
A computer running Windows XP stops logging events when the log file exceeds 512 KB. This issue occurs because the default event log size for Windows XP is 512 KB. To avoid losing event data, change the default event log size on the computer.
14-Day History not displaying on Windows 2003 Server
The 14-Day History section of the Client Security Dashboard tab might not display when the reporting server role is on a separate server from the management server role.
There are two possible causes for this issue:
The user opening the Client Security console has not been granted Client Security Report Viewer permissions. For more information, see Working with user roles in the Client Security Administrator's Guide (http://go.microsoft.com/fwlink/?LinkID=86555).
The SQL Server Reporting Services site needs to be added to the list of trusted sites in Windows Internet Explorer®.
For more information, see
Windows Defender is not disabled during upgrade from Windows XP to Windows Vista
When upgrading a Client Security client computer from Windows XP to Windows Vista, you might find that the Windows Defender service remains enabled. Use Group Policy to disable Defender on the client computers.
© 2007 Microsoft Corporation. All rights reserved.