Deploying Client Security to the client computers

Applies To: Forefront Client Security

To deploy Client Security to the client computers, you must first deploy a policy to those computers. After a client computer has a policy, the computer will automatically download Client Security from your distribution server.

Keep the following issues in mind when deciding how to deploy Client Security policies to your client computers:

  • For a policy to take effect, you must deploy it to one or more target organizational units (OUs), security groups, or GPOs.

  • If you deployed to a file as a target, then the policy is marked as deployed. However, you still need to apply the policy to the appropriate client computers. To do so, it is recommended that you use fcslocalpolicytool.exe, a tool provided on the Client Security CD.

After the client components are deployed, the client computers must be approved in MOM before they begin to report data. The clients are usually automatically approved within an hour. If you want them to begin reporting data sooner, you can approve them manually. For detailed steps, see Approving clients through the MOM server, later in this topic.

For more detailed information about creating and deploying policies, including descriptions of all of the settings available in the policy, see Working with policies in the Client Security Administration Guide.

Creating and deploying a policy

To create a policy

  1. In the Client Security console, click the Policy Management tab.

  2. On the Policy Management tab, click New.

  3. In the New Policy dialog box, enter the settings you want for this policy.

  4. After you finish creating the policy, click OK.

To deploy a policy

  1. In the Client Security console, click the Policy Management tab, and then click the policy you want to deploy.

  2. Click Deploy.

  3. In the Deploy dialog box, select the targets to which you want to deploy the policy. You can add multiple targets to deploy the policy.

    If you want to deploy to an Active Directory OU or domain:

    1. Click Add OU. The Active Directory dialog box appears and lists the top-level OUs.

    2. Under Select a target, find an OU to which you want to deploy the policy and select it. If you want to deploy a policy to all of the managed computers in a domain, you can select the domain instead of an OU.

    3. Click OK.

    If you want to deploy to an Active Directory security group:

    1. Click Add Group.

    2. Use the Select Groups dialog box to specify the security group.

    If you want to deploy to a GPO:

    1. Click Add GPO.

    2. Under Select a target, select the GPO to which you want to deploy the policy.

    3. Click OK.

    If you want to deploy to a .reg file:

    1. Click Add File. The Save As dialog box appears.

    2. Select a location to save the .reg file.

    3. In File name, type the name you want to give the policy .reg file.

    4. Click Save.

  4. Click Deploy. Client Security deploys the policy to the targets you selected.

  5. If you deployed the policy to an OU and you want the policy to take effect immediately, you can run the gpupdate /force command on each client computer in the OU or restart each client computer. Otherwise, the policy is applied to client computers when the standard Group Policy refresh occurs.

    If you deployed the policy to a security group and you want the policy to take effect immediately, you can restart each client computer in the security group. The command gpupdate /force does not update policies for client computers in security groups. Otherwise, the policy is applied to client computers when the standard Group Policy refresh occurs.

    The gpupdate command is not available in Windows 2000. To apply the policy immediately on a client computer running Windows 2000, run: secedit /refreshpolicy machine_policy /enforce

    If you used registry file deployment for the policy, you must perform the following steps on all client computers to which you want to deploy the policy:

    1. Distribute the .reg file to the computer or make the .reg file accessible in a shared folder.

    2. Use fcslocalpolicytool.exe to apply the policy to the computer. For detailed instructions, see the following section.

Deploying policies by using fcslocalpolicytool

When deploying to a file as a target, you must still apply the policy to your client computers. To do so, it is recommended that you use fcslocalpolicytool, a tool provided on the Client Security CD. By using this tool, you ensure that the Client Security settings in the policy are updated correctly.

To deploy a policy by using fcslocalpolicytool

  1. On the client computer, insert the Client Security CD.

  2. Open a Command Prompt window.

  3. At the command prompt, type:
    cd [cd drive]\Client

  4. Press ENTER.

  5. Type the following information, which is required to run the script:
    fcslocalpolicytool.exe /f /i filename

    in which filename is the .reg file that you want to deploy to the client computer. Any previous Client Security policies will be deleted.

    For automated deployments, you can use the /f option to suppress the confirmation message.

  6. Press ENTER.
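
When the .reg file is picked up from a shared folder in an automated deployment, it can be checked against a known hash before the tool applies it, because applying it deletes any previous Client Security policies. The PowerShell script below is an added example, not part of the product documentation; the parameter names, example paths and the exit-code convention are assumptions.

```powershell
# Added example: verify a Client Security policy .reg file, then apply it.
# Parameter names and example paths are hypothetical placeholders.
param(
    [Parameter(Mandatory = $true)][string]$PolicyFile,      # e.g. \\server\share\policy.reg
    [Parameter(Mandatory = $true)][string]$ExpectedSha256,  # hash recorded when the policy was exported
    [Parameter(Mandatory = $true)][string]$ToolPath         # e.g. D:\Client\fcslocalpolicytool.exe
)

$ErrorActionPreference = 'Stop'

function Get-Sha256Hex([string]$Path) {
    # Uses .NET directly so the script also runs where Get-FileHash is not available.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Dispose()
    }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

if (-not (Test-Path -LiteralPath $ToolPath -PathType Leaf))   { throw "Tool not found: $ToolPath" }
if (-not (Test-Path -LiteralPath $PolicyFile -PathType Leaf)) { throw "Policy file not found: $PolicyFile" }

# Copy locally first so the file that is hashed is the same file that is applied.
$local = Join-Path $env:TEMP ([System.IO.Path]::GetFileName($PolicyFile))
Copy-Item -LiteralPath $PolicyFile -Destination $local -Force

$actual = Get-Sha256Hex $local
if ($actual -ne $ExpectedSha256.Trim().ToLowerInvariant()) {
    Remove-Item -LiteralPath $local -Force
    throw "Hash mismatch for $PolicyFile (got $actual); policy not applied."
}

# /f suppresses the confirmation message and /i names the .reg file,
# as in the procedure above.
& $ToolPath /f /i $local
$code = $LASTEXITCODE
Remove-Item -LiteralPath $local -Force

# Assumption: the tool returns exit code 0 on success.
if ($code -ne 0) { throw "fcslocalpolicytool.exe exited with code $code" }
Write-Output "Applied policy $PolicyFile (sha256 $actual)"
```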

Approving clients through the MOM server

After being deployed, the clients are usually automatically approved within an hour. If you want them to begin reporting data sooner than that, you can approve them manually.

To approve clients manually through the MOM server

  1. On the Client Security management server, click Start, click All Programs, click Microsoft Operations Manager, and then click Administrator Console.

  2. In the MOM 2005 Administrator Console, under Console Root, expand Administration, expand Computers, and then click Pending Action.

  3. In the Pending Action list, right-click the client computer, and then click Approve Manual Agent Installation Now. If you do not see the client in the Pending Action list, wait a few minutes, and then on the Action menu, click Refresh.

  4. In the Microsoft Operations Manager dialog box, click Yes to confirm approval. The client computer will disappear from the Pending Action list.