Archive for the ‘KB’ Category

FCS – Upcoming solution for installation issues with March 2011 Update

March 31st, 2011 Comments off

We have been working hard on a solution for customers that encountered issues with our update in March. I wanted to let you know what we are planning to address this.

We are authoring a package that is specifically designed to find systems that have a failed upgrade to our March update. To do this, we will be pushing a package from Microsoft Update that looks for several specific conditions:

  1. The SSA package from Forefront Client Security to be present.

  2. Several Antimalware registry keys are present, even though Antimalware software had been removed due to an upgrade.

  3. You are running Vista or higher OS (including Server OS like Windows Server 2008)

If all of these items are true, then we will reinstall the update package and return the system to normal.

If a system fails any one of these conditions, we aren’t going to install. The first case is a safe check because only FCSv1 customers have this particular package. The second one is equally important, because if a admin has actually intentionally removed FCSv1, the Antimwalware keys we are looking for would no longer exist. The third obviously focuses the package on machines that it applies to.

We are planning to release this package on 4/5. Our intention is to make this available and visible before the upcoming patch Tuesday window so administrators and users can choose to deploy it ahead of any other updates pending the following Tuesday. WSUS admins will be able to find this package by its KB number 2524280.

Please note that this package is intended to fix only a very specific case of an upgrade failure. There are many technical reasons that a package may fail to upgrade that we cannot address in this manner. Examples include a damaged registry, Windows installer repository issues or binaries being held by external processes beyond our control. If you need additional assistance please contact your support professional or visit .

Forefront Client Security Engineering team

Categories: FCS, FCS Support, Forefront, KB, known issue, WSUS Tags:

FCS v1 March 2011 update

March 8th, 2011 Comments off

Update 10 March 2011

We have received reports of an installation issue with our March update of Forefront Client Security when the option of “install updates and shutdown” is used.  We wanted to be clear on the issue and exactly what steps we are taking to rectify it.


 A computer attempts to use the install updates and shutdown Windows feature to update to the latest version of FCSv1.   After restart, the computer does not have the Antimalware agent installed, but will still have the Security State Assessment(SSA) and Microsoft Operation Manager components installed.


The problem:

 This issue only occurs on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.   It does not occur on Windows XP, Windows Server 2003 or Windows 2000.  This issue was  not introduced in the March Update.  It is caused by a previously undetected problem in the October 2010 update.  Please review the steps below for what options you should take.

 For the bug to occur, the system must have either th policy setting changing the default shutdown behavior or the user clicks on “Apply updates at Shutdown”.   If the update is deployed or manually installed in other ways, this bug does not occur.   

Key facts:

  1. If you have already successfully installed the March update, you do NOT need to roll it back.
  2. This bug doesn’t apply to either Microsoft Security Essentials or Forefront Endpoint Protection in anyway.
  3. It can only occur if the option for “Install Updates and Shutdown” is selected by the user or is set by policy.
  4. On unaffected computers, it in no way impacts the ability to get definition updates to stay secure.

What can I do to address this issue myself?

There are a number of workarounds that can be used currently.


Avoiding the issue

  • WSUS administrators can decline or not approve for installation
  • Avoid installing KB2508823 with  “Install updates and shutdown”.   This may be accomplished by
    • a recommendation by administrators to user
    • enforcement by Automatic Updates group policy:  Computer Configuration/Administrative Templates/Windows Components/Windows Update- Do not display ‘Install Updates and shut down’ option in Shut Down Windows dialog box.
    • installing the update KB2508823 through WSUS deadlines.  That triggers to install immediately.

Issue correction

If you have computers which experience this issue and are now unprotected, there are a number of options

  • Download and install KB2508823 manually.  There are steps to do this in the KB:  in the Hotfix information  section
  • Approve in WSUS “Client Update for Microsoft Forefront Client Security (1.0.1728.0)”  and decline both the March update(KB2508823) and the Client Update for Microsoft Forefront Client Security (1.0.1736.0) (2508824).  This will redeploy the prior update
  • Approve the “Client Update for Microsoft Forefront Client Security (1.0.1736.0)”   slipstream update.
    NOTE:  We have seen that in some cases this will fail with 0x666 ERROR_PRODUCT_VERSION 
    If you are seeing ERROR_PRODUCT_VERSION  failures installing the slipstream you can uninstall SSA and that should allow it to work.  To do this, choose to uninstall “Microsoft Forefront Client Security State Assessment Service” in Control Panel>Programs>Uninstall a program or by executing the command line: msiexec.exe /x {2AB5A838-9DAC-45F5-8EC2-019DDDC4B4F6} /quiet


What is Microsoft doing to address this?

 We are doing the following:

  1. We have already throttled downloads of KB2508823 on Microsoft update so that users connecting directly Microsoft Update, will not have the package proactively delivered. 
  2. We are changing the logic on Microsoft update to only allow the update to apply to Windows 2000, Windows XP, and Windows Server 2003 today.   That will prevent further incidents from occurring.   We are testing this change now, and will update the blog on when you can expect to see this change.
  3. We are authoring a patch update that will address this issue on Microsoft update.   This patch will supersede the current patches for all platforms.  We will provide more information soon on when you can expect to see that package. 

We take the support of our customers very seriously.   If you need additional assistance please contact your support professional or visit .

Sincerely, the Microsoft Forefront Client Security Engineering team.


Update 9 March 2011



Hello all,



Today (8 March 2011), we released an update to FCSv1.   Changes include:

  • This update enables computers running Forefront Client Security to update definitions at the scheduled time while running on battery power.
  • This update contains changes to allow computers running Forefront Client Security service to open files encrypted by Prim’X ZoneCentral that are located in a network shared folder.
  • This update corrects issues in the mpfilter.sys kernel component used by Client Security that causes real-time protection errors on computers running Windows 2000.

For already installed FCS client installations, install the update for Microsoft Knowledge Base article 2508823 (
For new FCS Client installations, deploy the client components listed in Microsoft Knowledge Base article
2508824 (

For more information about the update, Microsoft Knowledge Base article 2508823 ( has the detail.




We have recieved reports that in some cases the FCS update fails to install correctly.   We are reviewing these reports now, and will update this blog when we have details we can share.   If you are a WSUS administrator you may want to hold off approving this update for the moment. 

Categories: FCS, KB, QFE, update Tags: