Last month in the Client Security blog the Forefront Client Security team announced the availability of a revised installation package, which is available via WSUS. More information about the new installation package is found in Microsoft Knowledge Base article 976669. In that article I wrote a section called WSUS Applicability Logic, which briefly discusses how and when the new package is installed. The English version of the article contains the following:

The policy contains certain registry values which are used in applicability. Additionally, when clientsetup.exe runs the settings will determine the Collection server to which the client reports.

The second sentence above has generated some additional questions, so let me provide a bit more detail.

The new update package referenced in KB976669 is a slipstream installation; it contains the latest updates for the Forefront Client Security client so that new agents do not need to be installed, and then subsequently updated. If you have existing Client Security clients, just apply the updates referenced in KB97669, for example KB976668. If you are not installing new clients through WSUS and you would like to create a slipstream installation, use the steps in our previous blog entry with these same updates. If you use WSUS to install new clients, the steps are:

  1. Associate the client computer to a WSUS server via WSUS policy, details here
  2. Create and deploy policy from the management server, details here
      a. All Client Security policies contain two registry keys: MOMServerName and MOMGroupName
      b. These values are set in the registry on the management server when the Configuration Wizard is run on the Management console. They are read and added to each policy during policy creation on the management server.
  3. Apply policy to clients; this can be either normally via AD policy or local policy imported with fcslocalpolicytool (tool found on CD media)
      a. When policy is applied, the local computer receives the MOMServerName and MOMGroupName described in #2a above.
  4. Approve the 1725.0 package described in KB976669 in WSUS

When the client computer does its next Automatic Updates detection cycle (frequency defined in #1 above) it will deem the deployment package as "Applicable", as described in the KB. It will then either notify, download and notify, or download and schedule the package to be installed (again, behavior set via the policy set in #1 above).

When the package installation is triggered, clientsetup.exe runs with zero command line switches. In the absence of /CG & /MS switches, clientsetup.exe will look in the registry for MOMServerName and MOMGroupName, which were set via policy. clientsetup.exe then uses those values, instead of the switches, to configure the new MOM agent to send information to the correct Collection server, specified in MOMServerName.

Note: the registry keys are only read by clientsetup.exe. Changing the policy by re-running the configuration wizard and redeploying policy does not redirect clients to report to a new Collection server. To do this you must choose one of the steps described in this blog entry.


Craig Wiand
Forefront Escalation Engineer