Client/Server data issues

Applies To: Forefront Client Security

This topic contains the following sections:

Exclamation-point alert icon in the notification area after installation

Client computers do not appear under Pending Actions

Delay in managed computer appearing on the management server

MOM server not communicating with agents

Agent data no longer being reported

Safe Mode results in no events reported

Exclamation-point alert icon in the notification area after installation

After Client Security is installed, the Client Security notification icon on the management server might be yellow with an exclamation point. Additionally, error 0x80240016 is logged in the WindowsUpdate.log file.

Background

This icon indicates that the Client Security agent is unable to download definition updates. However, the system does have the correct definitions.

Solution

Open the Client Security user interface and click Check for Updates Now. If this does not resolve the issue, either log off and log back on, or right-click the exclamation-point icon and choose exit, and then restart the Client Security program from the Start menu. This will launch the notification icon again.

Client computers do not appear under Pending Actions

Client computers might not be listed under Pending Actions in the MOM Administrator console.

Background

To view client computers, expand Administration, expand Computers, and then click Pending Actions.

Solution

Verify that the management server meets all of the following conditions:

  • If there is a firewall installed on the computer, ensure UDP/TCP port 1270 is open.

  • The computer’s security policy allows "Access this computer from the network" permissions to either Everyone (in the case of clients that are not members of the domain) or Authenticated Users (for domain members).

For more information, see Knowledge Base article 823659 (https://go.microsoft.com/fwlink/?LinkId=86293).

If you see event ID 26017 in the Application log of Event Viewer, see "Agents are rejected with event ID 26017" in Event IDs.

Delay in managed computer appearing on the management server

When deploying the Client Security agent to computers that already have the MOM agent installed, you may experience a delay in those computers being listed as Agent-managed in the MOM 2005 Administrator Console, under Administration, Computers, All Computers.

Background

The multihomed agents will appear in the MOM Administrator console in 2 hours.

Solution

To speed up the appearance of the multihomed agents, run a manual Computer Discovery.

To run a manual Computer Discovery

  1. In the MOM Administrator console, expand Administration and expand Computers.

  2. Right-click Computer Discovery Rules, choose Run Computer Discovery Now, and click OK.

MOM server not communicating with agents

After installing Client Security, you might notice that the MOM server is not receiving events from the MOM agents on the client computers.

Background

MOM uses TCP/UDP on port 1270 to communicate with the agents.

Solution

Check the collection server and ensure that a firewall is not blocking this port.

Agent data no longer being reported

When you rename a computer that has the Client Security agent installed, or when you move it to another domain, the computer stops reporting data to the management server.

Background

MOM data is associated with the name of the computer from which the data originates. Renaming a computer or changing its domain membership breaks this association.

Solution

You must remove and reinstall the MOM agent from the affected systems. For details, see Migrating Agents Across Domains (https://go.microsoft.com/fwlink/?LinkId=86557).

Note

Data is not lost in this procedure. MOM treats the two different names as two entirely different computers. To view data from the computer before the rename or move procedure, query for the old name of the computer.

For more information regarding Client Security best practices, see the Client Security Administration Guide (https://go.microsoft.com/fwlink/?LinkId=86657).

Safe Mode results in no events reported

Client computers running in Safe Mode might not report events to the reporting server.

Background

The MOM agent cannot be started in Safe Mode. This service must be running for events to be reported to the reporting server.

Solution

To begin receiving events, restart the client computer in normal mode.