Deploying and undeploying policies
Applies To: Forefront Client Security
To implement a new or edited policy, you must deploy it. Deployment is the process of applying a Client Security policy to the client computers that you intend to protect with the policy. Each client computer can have only one Client Security policy applied to it.
Note
Client Security policies apply only to computers, not to user accounts. If you want to use custom policies to protect specific users, you must apply those policies to the computers accessed by those users.
When a client computer receives a new or edited policy, the policy settings are saved as registry settings on the client computer. If you change or modify the policy later, client computers do not know of the changes until you deploy the policy.
Additionally, if you no longer want a previously deployed policy to protect client computers, you must either deploy a different policy to the computer or you must undeploy the unwanted policy. When you undeploy a policy, the registry settings representing the undeployed policy are removed from the computers from which you undeploy the policy.
Group Policy object deployment
You can deploy a policy to an existing GPO. Client Security merges the Client Security policy to a GPO that you specify. The GPO must already exist in Active Directory. When you deploy to an already existing GPO, the Client Security policy settings merge with the settings already defined in that GPO.
Important
Deploying to an existing GPO requires that you have permissions to edit the GPO.
If you deploy to an existing GPO that has a Client Security policy already deployed to it, a message informs you that the new Client Security policy settings will replace the currently deployed Client Security policy settings. It is not possible to deploy or merge two Client Security policies to the same GPO. You are required to either cancel the deployment of the new policy or click Continue to replace the original Client Security policy with the new policy. Settings already created in the existing GPO, which Client Security did not create, remain.
Note
To identify a Client Security–created GPO, in the AD GPMC, look for GPOs with the naming convention: FCS-policy-GUID-deploymentMethod
Domain and organizational unit deployment
You can deploy a policy to computers in Active Directory OUs and domains. OU and domain deployment relies on Client Security to create a GPO and link it to the existing OU or domain that you specify.
Important
To deploy to an OU or domain you must have permission to both create GPOs in Active Directory and to link a GPO to the OU or domain you wish to apply the policy to.
If you deploy to an OU or domain that already has a Client Security policy deployed to it, a message informs you that the new policy will replace the currently deployed policy. You cannot merge policy settings or link multiple Client Security policies to the same OU. You are required to either cancel the deployment of the new policy or click Continue to replace the currently linked policy with the new policy.
Security group deployment
You can deploy a policy to computers in Active Directory security groups. This method relies on Group Policy to deploy the policy to computers in a security group that you have previously configured in Active Directory. Policies deployed to security groups override policies deployed to OUs. This lets you apply different policies to subsets of computers that belong to OUs. For example, you may want to apply more secure policies to computers used by executives in your organization, but those computers may belong to an OU with many more computers. You can deploy one policy to the OU and another policy to a security group consisting of computers used by executives. The security group policy settings take precedence.
Note
When you deploy a policy to a security group, Client Security links the policy to the domain and sets the Enforced option on the GPO. The Enforced option allows the GPO to take precedence over other GPOs that would otherwise override it.
Important
Deploying to a security group requires that you have permissions to create GPOs and link GPOs to the domain.
If you deploy to a security group that currently has a Client Security policy deployed to it, a message informs you that the new policy will replace the currently deployed policy. You cannot link multiple Client Security created policies to the same security group or merge policy settings. You are required to either cancel the deployment of the new policy or click Continue to replace the currently linked policy with the new policy.
GPOs created by Client Security
When you deploy policies to OUs or to security groups, Client Security creates the GPO using the permissions of the user who is running the Client Security console. Client Security names the GPOs using information about the policies that the GPOs are created to deploy. Client Security adheres to the following naming conventions for GPOs that it creates:
FCS- policy - GUID - deploymentMethod
Where the parameters are as follows:
policy—The name manually assigned to the policy in the Client Security console.
GUID—The globally unique identifier (GUID) automatically assigned to the policy when Client Security created it.
deploymentMethod—A number that indicates the deployment method of the policy. Valid values are as follows:
2—OU deployment
3—Security group deployment
For example, if you created a policy named OurServers and deployed it to an OU, the GPO that Client Security creates would be named as follows (with a random GUID included):
FCS-OurServers-{ea0961d2-f992-4624-9857-d51ca23f6179}-2
When you undeploy a policy that you previously deployed to an OU or a security group, Client Security deletes the GPO that it created for the OU or security group deployment.
Policy deployment rate
When you deploy by OU, security group, or GPO, client computers receive the policy during the standard Group Policy refresh, which may take several hours. To make the policy apply immediately to a client computer, you can do one of the following:
Restart the computer.
Force a GPO refresh:
In Windows Vista™ or Windows XP, run the following command:
gpupdate /force
In Windows 2000, run the following command:
secedit /refreshpolicy machine_policy /enforce
Registry file deployment
You can deploy a policy by registry file. This method exports the policy to a .reg file that you can distribute to client computers. Client Security does not distribute the .reg file. You must determine the means for distributing the .reg file. This can be as simple as making the .reg file available in a shared folder.
To apply the registry file to client computers, you must use fcslocalpolicytool.exe, a tool provided on the Client Security disc. Each client computer with which you use registry file deployment must have access to fcslocalpolicytool.exe.
Note
It is recommended that you keep Client Security registry files and fcslocalpolicytool.exe in a central location and that you limit all permissions to them so that only users who must use fcslocalpolicytool.exe have access to the program and to registry files.
You can use the Deployment Summary report to see the names of computers that receive policies by registry file deployment. After a registry-based policy is deployed to a computer, the Client Security agent on the computer sends the collection server information about the policy it is now enforcing.
When you undeploy or delete a policy that was deployed to a registry file, the console shows the change to the policy but Client Security does not delete the registry file. The policy needs to be accessible to client computers on which you haven't run fcslocalpolicytool.exe to undeploy the registry-file policy. When you are sure that no client computers are using a particular registry-file policy, you can safely delete it.
To deploy a policy
In the Client Security console, click the Policy Management tab, and then click the policy you want to deploy.
Note
When you work with policies, only one instance of the console should be open. Client Security does not support concurrent policy editing in more than one console at a time.
Click Deploy.
The Deploy dialog box appears. You use the Deploy dialog box to specify deployment targets.
Select the targets to which you want to deploy the policy. You can add multiple targets to deploy the policy.
If you want to deploy to an Active Directory OU or domain:
Click Add OU. The Active Directory dialog box appears and lists the top-level OUs.
Under Select a target, find an OU to which you want to deploy the policy and select it. If you want to deploy a policy to all the managed computers in a domain, you can select the domain instead of an OU.
Click OK. The OU or domain is listed in the Deploy dialog box.
If you want to deploy to an Active Directory security group:
Click Add Group. The Select Groups dialog box appears.
Use the Select Groups dialog box to specify the security group. To search for security groups in the domain displayed in the From this location box, click Advanced and use the second Select Groups dialog box.
If you want to deploy to a GPO:
Click Add GPO. The Add GPO dialog box appears.
Under Select a target, find the GPO to which you want to deploy the policy and select it.
Click OK. The GPO is listed in the Deploy dialog box.
If you want to deploy to a .reg file:
Click Add File. The Save As dialog box appears.
Select a location to save the .reg file.
In File name, type the name you want to give the policy .reg file.
Click Save. The file is listed in the Deploy dialog box.
Click Deploy. If you are deploying the policy to a GPO, OU, or security group that is already targeted by another deployed policy, Client Security prompts you to confirm the decision to deploy the current policy to the GPO, OU, or security group. To continue deploying the policy, click OK on the confirmation message.
Client Security deploys the policy in the targets you selected.
If you deployed the policy to an OU and you want the policy to take effect immediately, you can run the gpupdate /force command on each client computer in the OU or restart each client computer. Otherwise, the policy is applied to client computers when the standard Group Policy refresh occurs.
If you deployed the policy to a security group and you want the policy to take effect immediately, you can restart each client computer in the security group. The command gpupdate /force does not update policies for client computers in security groups. Otherwise, the policy is applied to client computers when the standard Group Policy refresh occurs.
Note
The gpupdate command is not available in Windows 2000. To apply the policy immediately on a client computer running Windows 2000, run the following command: secedit /refreshpolicy machine_policy /enforce
If you used registry file deployment for the policy, you must perform the following steps on all client computers to which you want to deploy the policy:
Distribute the .reg file to the computer or make the .reg file accessible in a shared folder.
Use fcslocalpolicytool.exe to apply the policy to the computer:
fcslocalpolicytool.exe /i policyname**.reg**
For automated deployments, you can use the /f option to suppress the confirmation message.
To undeploy a policy
In the Client Security console, click the Policy Management tab, and then click the policy you want to undeploy.
Click Undeploy. A confirmation message appears.
Click Undeploy. Client Security undeploys the policy.
If you deployed the policy to an OU and you want the policy to take effect immediately, you can run the gpupdate /force command on each client computer in the OU or restart each client computer. Otherwise, the policy is applied to client computers when the standard Group Policy refresh occurs.
If you deployed the policy to a security group and you want the policy to take effect immediately, you can restart each client computer in the security group. The command gpupdate /force does not update policies for client computers in security groups. Otherwise, the policy is applied to client computers when the standard Group Policy refresh occurs.
If you used registry file deployment for the policy, you must run fcslocalpolicytool.exe on each client computer that you distributed the policy to by registry file. At the command prompt, type the following:
fcslocalpolicytool.exe /d
For automated deployments, you can use the /f option to suppress the confirmation message.