Planning your deployment of Client Security
Applies To: Forefront Client Security
To plan your deployment of Client Security to the client computer, you should understand the client components of Client Security, deployment methods, and supported languages.
System requirements for the Client Security agent
The Client Security agent can be installed only on computers meeting the requirements in this section.
Operating system requirements
For operating system requirements for the client security agent, see Verifying your system requirements.
Although Client Security supports client computers with 64-bit processors, Itanium (IA-64) processors are not supported.
The Client Security agent requires the following software on each client computer:
Windows Update Agent 2.0
Windows Installer 3.1
Hard disk requirements
The Client Security agent requires 350 MB of hard disk space on each client computer.
Software installed by Client Security client component setup
Client Security client component setup installs two agents on each client computer:
The Client Security agent, which includes two services:
The Microsoft Forefront Client Security Antimalware Service, which scans for malware. The service name is FCSAM and its process is MsMpEng.exe.
The Microsoft Forefront Security State Assessment Service, which scans for potential vulnerabilities. The service name is FcsSas and its process is FcsSas.exe.
The MOM 2005 agent, which collects and sends data to the Client Security collection server. The service name for the MOM agent is MOM, and its two processes are MOMService.exe and MOMHost.exe.
In addition, for the applicable operating system, the Client Security client component setup installs a hotfix for the issue described in The filter manager rollup package for Windows XP SP2 (https://go.microsoft.com/fwlink/?LinkId=89211).
Default installation paths
The following table specifies the default installation paths for parts of the client components for Client Security.
|Program||Default installation path|
Client Security agent
%program files%\Microsoft Forefront\Client Security\Client
%Program Files%\Microsoft Forefront\Client Security\Client\Antimalware
Client Security agent logs
%program files%\Microsoft Forefront\Client Security\Client\Logs
%program files%\Microsoft Forefront\Client Security\Client\SSA
SSA results files
%program files%\Microsoft Forefront\Client Security\Client\SSA\results
%program files%\Microsoft Forefront\Client Security\Client\SSA\updates
SSA client trace logs
%allusersprofile%\Application Data\Microsoft\Microsoft Forefront\Client Security\SSA\Logs\ssa_log number .etl
MOM 2005 agent
%program files%\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005
Client deployment using WSUS
Using WSUS is an easy method for deploying the Client Security client components to a large number of computers. It is the recommended method for deploying the client components.
Deploying using WSUS depends on deploying a Client Security policy to each computer on which you want to install the agent. Embedded in a Client Security policy is the information required to install and configure the client components, including a marker that indicates the computer needs to receive the components using the Automatic Updates feature. When a computer with a Client Security policy but without the client components synchronizes with its WSUS server, it receives client components and installs them.
This same method is effective for adding single computers to existing deployments. For example, if you add a computer to an OU to which you've previously deployed a Client Security policy, the new computer receives group policies at the regular policy refresh rate. Included in the group policies it receives is the Client Security policy for that OU. At the next scheduled Automatic Updates synchronization, the client computer receives the Client Security client components and, depending on Automatic Updates settings, either installs the agents or notifies the user that the agents are available for installation.
Requirements for deploying with WSUS
Client deployment using WSUS requires the following:
Automatic Updates on client computers is configured to use WSUS on the Client Security distribution server. You can use Group Policy to configure this on client computers.
The WSUS administrator has approved the Client Update for Microsoft Forefront Client Security update.
You have deployed a Client Security policy to computers on which you want to install the Client Security client components. For more information about planning policy deployment, see Planning integration into your Active Directory environment.
Client deployment rate
Two factors affect how quickly client deployment occurs: policy deployment rate and update synchronization rate.
Client computers receive Client Security policies during the standard Group Policy refresh, which may take several hours. This likely means that client computers are not protected against malware during this time. If this delay is unacceptable, you can make the policy apply immediately to a client computer by doing one of the following:
Restart the computer.
Force a GPO refresh:
In Windows Vista or Windows XP, run the following command:
In Windows 2000 Server, run the following command:
secedit /refreshpolicy machine_policy /enforce
Automatic updates occur daily, at a configurable time; however, you can force a client computer to synchronize immediately with its WSUS server. To do so, enter the following command at a command prompt on the client computer:
You can also manually deploy the Client Security client components to client computers. This deployment method may be more desirable in some scenarios, such as:
You don't use WSUS in your organization, or WSUS is temporarily unavailable.
You are creating a new operating system installation and want the client components on the computer immediately.
You want to install the English version of the Client Security client components on a computer running an operating system that supports localized Client Security agents.
Manual deployment requires using the Client Security CD at each client computer and running client setup using local administrator permissions.
Transitioning to Client Security
If Client Security is replacing other antimalware applications, prior to deploying the Client Security client components to that computer, be sure those applications are removed from each client computer.
To best protect your client computers during the transition, it is recommended that you:
Install the Client Security client components soon after removing other antimalware applications, to minimize how long client computers are not protected against malware.
Run a full scan on each client computer soon after the Client Security client components is deployed to the computer.
Client Security agent support in other languages
When using WSUS to deploy the Client Security client components, Client Security automatically detects the language of the operating system and loads the localized version of the Client Security agent (when a localized version exists). For example, WSUS would install the French version of the Client Security agent on a computer running the French version of Windows.
The Client Security agent is available in the following languages:
If you wish to install the English version of the Client Security agent instead of the localized version, you should not approve the updates in WSUS and should instead manually install the English version of the agent on each computer. If you have a mix of computers where some should receive the localized version of the Client Security agent and others should receive the English version, you may wish to consider using target groups in WSUS. For more information, see Create the Computer Groups (https://go.microsoft.com/fwlink/?LinkId=102988).
If you use operating systems for which there is no localized version of the Client Security agent, the English version will be installed.
For non-FCS localized Windows languages, the new installation package does not automatically install the required KB914882 update on x86 Windows XP SP2. Therefore, prior to WSUS deployment, you must deploy the correct OS language version of update (found in the \client folder on the FCS CD media) to XP computers.
You should be aware of the following additional language restrictions for the Client Security agent:
The English version of the Client Security agent is supported on Windows operating systems for all the languages listed previously. For example, you can run the English version of the Client Security agent on a computer running an Italian version of Windows.
Only the English version of the Client Security agent is supported on English versions of Windows operating systems. For example, you cannot run the Korean version of the Client Security agent on a computer running an English version of Windows.
Bi-directional languages, such as Hebrew or Arabic, are not supported and no Client Security agent is installed, even if updates are approved through WSUS.