Forefront Endpoint Protection Blog

All the latest news and information on Forefront Client Security, Forefront Endpoint Protection and System Center Endpoint Protection 2012
Actions
Tags
Archive
Archives

FCS v1 March 2011 update

TechNet Blogs > Forefront Endpoint Protection Blog > FCS v1 March 2011 update

FCS v1 March 2011 update

8 Mar 2011 1:16 PM
  • Comments 3

Update 10 March 2011

We have received reports of an installation issue with our March update of Forefront Client Security when the option of “install updates and shutdown” is used.  We wanted to be clear on the issue and exactly what steps we are taking to rectify it.


Symptom:

 A computer attempts to use the install updates and shutdown Windows feature to update to the latest version of FCSv1.   After restart, the computer does not have the Antimalware agent installed, but will still have the Security State Assessment(SSA) and Microsoft Operation Manager components installed.

 

The problem:

 This issue only occurs on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.   It does not occur on Windows XP, Windows Server 2003 or Windows 2000.  This issue was  not introduced in the March Update.  It is caused by a previously undetected problem in the October 2010 update.  Please review the steps below for what options you should take.

 For the bug to occur, the system must have either th policy setting changing the default shutdown behavior or the user clicks on “Apply updates at Shutdown”.   If the update is deployed or manually installed in other ways, this bug does not occur.   


Key facts:

  1. If you have already successfully installed the March update, you do NOT need to roll it back.
  2. This bug doesn’t apply to either Microsoft Security Essentials or Forefront Endpoint Protection in anyway.
  3. It can only occur if the option for “Install Updates and Shutdown” is selected by the user or is set by policy.
  4. On unaffected computers, it in no way impacts the ability to get definition updates to stay secure.

 
What can I do to address this issue myself?

There are a number of workarounds that can be used currently.

 

Avoiding the issue

  • WSUS administrators can decline or not approve for installation
  • Avoid installing KB2508823 with  “Install updates and shutdown”.   This may be accomplished by
    • a recommendation by administrators to user
    • enforcement by Automatic Updates group policy:  Computer Configuration/Administrative Templates/Windows Components/Windows Update- Do not display ‘Install Updates and shut down’ option in Shut Down Windows dialog box.
    • installing the update KB2508823 through WSUS deadlines.  That triggers to install immediately.


Issue correction

If you have computers which experience this issue and are now unprotected, there are a number of options

  • Download and install KB2508823 manually.  There are steps to do this in the KB: http://support.microsoft.com/kb/2508823  in the Hotfix information  section
  • Approve in WSUS “Client Update for Microsoft Forefront Client Security (1.0.1728.0)”  and decline both the March update(KB2508823) and the Client Update for Microsoft Forefront Client Security (1.0.1736.0) (2508824).  This will redeploy the prior update
  • Approve the “Client Update for Microsoft Forefront Client Security (1.0.1736.0)”   slipstream update.
    NOTE:  We have seen that in some cases this will fail with 0x666 ERROR_PRODUCT_VERSION 
    If you are seeing ERROR_PRODUCT_VERSION  failures installing the slipstream you can uninstall SSA and that should allow it to work.  To do this, choose to uninstall "Microsoft Forefront Client Security State Assessment Service" in Control Panel>Programs>Uninstall a program or by executing the command line: msiexec.exe /x {2AB5A838-9DAC-45F5-8EC2-019DDDC4B4F6} /quiet

 

What is Microsoft doing to address this?

 We are doing the following:

  1. We have already throttled downloads of KB2508823 on Microsoft update so that users connecting directly Microsoft Update, will not have the package proactively delivered. 
  2. We are changing the logic on Microsoft update to only allow the update to apply to Windows 2000, Windows XP, and Windows Server 2003 today.   That will prevent further incidents from occurring.   We are testing this change now, and will update the blog on when you can expect to see this change.
  3. We are authoring a patch update that will address this issue on Microsoft update.   This patch will supersede the current patches for all platforms.  We will provide more information soon on when you can expect to see that package. 

We take the support of our customers very seriously.   If you need additional assistance please contact your support professional or visit http://support.microsoft.com/ph/12632 .

Sincerely, the Microsoft Forefront Client Security Engineering team.

 

Update 9 March 2011

 

 

Hello all,

 

 

Today (8 March 2011), we released an update to FCSv1.   Changes include:

  • This update enables computers running Forefront Client Security to update definitions at the scheduled time while running on battery power.
  • This update contains changes to allow computers running Forefront Client Security service to open files encrypted by Prim'X ZoneCentral that are located in a network shared folder.
  • This update corrects issues in the mpfilter.sys kernel component used by Client Security that causes real-time protection errors on computers running Windows 2000.

For already installed FCS client installations, install the update for Microsoft Knowledge Base article 2508823 (http://support.microsoft.com/kb/2508823).
For new FCS Client installations, deploy the client components listed in Microsoft Knowledge Base article 2508824 (http://support.microsoft.com/kb/2508824).

For more information about the update, Microsoft Knowledge Base article 2508823 (http://support.microsoft.com/kb/2508823) has the detail.

 

Thanks!

 

We have recieved reports that in some cases the FCS update fails to install correctly.   We are reviewing these reports now, and will update this blog when we have details we can share.   If you are a WSUS administrator you may want to hold off approving this update for the moment. 
, , ,
Comments
Comments
  • Andy
    9 Mar 2011 1:10 AM

    Windows Update tried to install this on my PC last night but ended up completely removing FCS!

  • Matto
    13 Mar 2011 7:53 PM

    Hi team,

    Any update on when we may see the new authored patch to resolve this problem? We currently have a large number of computers across all our sites experiencing this problem, which is having a considerable knock-on effect to our staff. We've followed the instructions above, but try as we might we can't get the broken machines to install the previous version.

    So far the only thing that's fixing them is manually un-installing the SSA, and then running an new WSUS detect/update cycle, which does work (and installs the previous version - 1.0.1728). Obviously we're not amazingly keen to have to do this by hand across the entire fleet of damaged Win7 machines, but it's looking more and more like it's going to be our only option.

    Is there anything else that you could suggest?

    Thanks for your help,

    Matt Russell

  • 14 Mar 2011 2:00 PM

    So we are working on a schedule as we speak and we will communicate it as soon as we have high confidence in it.   We have impacted quite a number of people unintentionally, and we don't want to make anything worse.    

    That said this specific issue is very well understood and the scope is only on Vista/Win2k8 and above OS.   However, we have had sporadic information on other OS platforms, which have had different errors than what is described above.   If you have an issue on those OS, please use the Support information above and let us know.

    Douglas Hill - MSFT  - Forefront Engineering.

Page 1 of 1 (3 items)
Leave a Comment
  • Please add 1 and 1 and type the answer here:
  • Post