FCS: Troubleshooting Out of Date Policy Issues with Clients

At times the server may list clients as having an Out of Date policy.

The first step to troubleshooting this issue is understanding what this error message means:

The message appears because the policy version number reported by the client does not match the last version number that was deployed for that named policy from the FCS server.

When an FCS policy is created, two of the registry keys in its configuration are specific to the policy's name and version:

  • KeyName: SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\ProfileID (Policy Name GUID)
  • KeyName: SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\ProfileInstanceID (Policy Version number)

These same two values are also saved server side, in the database.

From a deployment perspective, once you click deploy, regardless of the target of the deployment, the server considers that deployment version to be the latest version. If the client reports in before it has actually received and applied that deployment version, the server will consider that client to be out of date from a policy perspective.

From a troubleshooting perspective, when this issue happens, what you are typically looking for is a breakdown between the point where you deployed the policy and the point where that latest revision of the policy is applied on the client. This typically means one of the following scenarios:

  • Breakdown in Group Policy application; this can be any number of things:
    • Issues with the Group Policy engine on the client
    • Issues with FRS replication in the domain, where the DCs haven't replicated the updated policy to the DC the client is pulling policy from (helpful tip: make sure you have KB956123/KB953325 deployed to your DCs)
  • A policy deployed to file has not actually been delivered to and applied on the client

Some other tips:

There isn't an easy way to see the ProfileInstanceID on the server side; it is stored in the fcs_ProfileDeployments table in the Onepoint database. The easier way to know the server-side ProfileInstanceID is to also add a local file deployment target to the policy. That way you can check the ProfileInstanceID in the file on the server and compare it to the client's ProfileInstanceID to verify whether or not they match.
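The comparison described above, scripted so it can be pointed at any client the console flags as Out of Date. This is an added example, not a script from the original article or from the FCS product. It assumes the two registry entries from the list above are REG values under the `...\Client Security\1.0` key in HKLM, that the file deployment target produces a `.reg`-style export containing a `"ProfileInstanceID"=` line, and the file path shown is a placeholder; adjust the parser if your export looks different.

```powershell
# Added example (not from the original article): compare the policy version a
# client has applied with the version the FCS server deployed to a file target.
# Assumptions (not stated on the page): ProfileID and ProfileInstanceID are REG
# values under the ...\1.0 key in HKLM, and the file deployment is a .reg-style
# export containing a "ProfileInstanceID"= line. The path below is a placeholder.
param(
    [string]$PolicyFile   = "\\fcsserver\PolicyExports\MyPolicy.reg",
    [string]$ComputerName = $env:COMPUTERNAME
)

$keyPath = 'SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0'

function Get-ClientPolicyState {
    param([string]$Computer)
    # Remote registry read so the same script works against any flagged client.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key  = $hklm.OpenSubKey($keyPath)
    if (-not $key) { throw "FCS policy key not present on $Computer; has policy ever been applied?" }
    [pscustomobject]@{
        Computer          = $Computer
        ProfileID         = $key.GetValue('ProfileID')          # policy name GUID
        ProfileInstanceID = [int]$key.GetValue('ProfileInstanceID')  # policy version number
    }
}

function Get-DeployedInstanceID {
    param([string]$Path)
    # Pull the version number out of the .reg export. Handles a dword:hex value
    # or a quoted decimal string; anything else is reported rather than guessed.
    $line = Get-Content -Path $Path | Where-Object { $_ -match '^"ProfileInstanceID"=' }
    if (-not $line) { throw "No ProfileInstanceID found in $Path" }
    if ($line -match 'dword:([0-9a-fA-F]+)') { return [Convert]::ToInt32($Matches[1], 16) }
    if ($line -match '="(\d+)"')            { return [int]$Matches[1] }
    throw "Unrecognised ProfileInstanceID format: $line"
}

$client   = Get-ClientPolicyState -Computer $ComputerName
$deployed = Get-DeployedInstanceID -Path $PolicyFile

if ($client.ProfileInstanceID -eq $deployed) {
    "$($client.Computer): policy $($client.ProfileID) is current (version $deployed)"
}
elseif ($client.ProfileInstanceID -lt $deployed) {
    # The scenario the article describes: server is ahead of the client, so look at
    # Group Policy application on the client and DC replication next.
    "$($client.Computer): OUT OF DATE - client has version $($client.ProfileInstanceID), server deployed $deployed. Check gpresult /r on the client and DC replication."
}
else {
    "$($client.Computer): client version $($client.ProfileInstanceID) is newer than the file's $deployed - the file export may be stale"
}
```

Run it from a workstation with Remote Registry reachable on the target, e.g. `.\Compare-FcsPolicy.ps1 -ComputerName CLIENT01 -PolicyFile \\fcsserver\PolicyExports\MyPolicy.reg`. A client that is behind the file's version points you at the Group Policy and replication checks listed above; a client that is ahead usually means the file export was not refreshed on the last deploy.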