Client Security Best Practices Analyzer tool: Topology check
Applies To: Forefront Client Security
Client Security supports deployment in six topologies. These topologies vary in the number of computers needed to deploy, the location of the Client Security databases, and the number of managed computers supported. For a detailed list of which topologies are supported, see Choosing your topology (https://go.microsoft.com/fwlink/?LinkID=91871).
To determine if a server is part of a supported topology, the Microsoft Forefront Client Security Best Practices Analyzer tool retrieves the following registry value:
HKLM\Software\Microsoft\Microsoft Forefront\Client Security\1.0\Config\InstalledRoles
If the registry value indicates that the components on the server are part of a supported topology, then the check passes. If the registry value is not allowed, then the check fails. If the check fails, you should verify that you have the correct components on your server and make sure to run the Client Security Best Practices Analyzer tool on the other servers in your topology.
The following table lists the registry values and the acceptable component combinations:
| Registry value | Server components | Supported topology |
|---|---|---|
0x1 |
Management component |
Four-, five-, and six-server |
0x2 |
Collection component |
Four-, five-, and six-server |
0x3 |
Management and collection components |
Three-server |
0x4 |
Distribution component |
Two-, three-, four-, five-, and six-server |
0x8 |
Reporting database |
Three-, five-, and six-server |
0xB |
Management and collection components and reporting database |
Two-server |
0xF |
All components |
Single-server |
Note
In some cases, the Client Security Best Practices Analyzer tool will indicate that a server is likely part of a supported topology, despite the fact that the topology itself is not supported. This can happen when each server in a topology includes supported components but the servers together are missing or duplicating components.