Novell ZENworks Endpoint Security Management 4.1 Interim Release 1

April 16, 2010

Interim Release 1 (IR1) is the current release of ZENworks Endpoint Security Management 4.1. You can download IR1 here.

The issues included in this document were identified for Novell® ZENworks® Endpoint Security Management 4.1Interim Release 1.

1.0 Issues Resolved in IR1

In addition to issues uncovered during Novell-conducted testing, Interim Release 1 fixes the following customer-reported issues:

  • Installation of the Security Client on Windows Vista/7 appears to fail because it takes a long time (over 45 minutes).

  • After installation on Windows Vista/7, the Security Client (zesservice.exe) fails to start.

  • The Windows Vista/7 Security Client fails to decrypt removable storage device files that were password-encrypted by the Windows XP/2000 Security Client.

  • On Windows Vista/7, the File Decryption utility (stdecrypt.exe) fails to decrypt password-encrypted files stored on a removable storage device.

  • On Windows XP, a Security Client installation done via an MSI or setup.exe silent installation ignores the POLICYTYPE=3 (eDirectory user policies) and POLICYTYPE=4 (eDirectory workstation policies) settings and defaults to the POLICYTYPE=1 (Active Directory user policies) setting.

  • The Security Client installation fails for all languages other than English.

  • When installing all ZENworks services to a single server with a local SQL 2008 database, the installation displays “local instance of SQL cannot be found” and fails.

  • When running the Directory Service Configuration Wizard to connect to an Active Directory domain, the wizard fails if any detected Domain Controllers are unreachable.

  • The Device Scanner does not run on non-English operating systems.

    NOTE: The fix enables the Device Scanner to run on non-English operating systems. However, the Device Scanner dialogs still appear in English only.

  • In Windows XP Security Clients that are configured to retrieve policies from eDirectory workstation accounts (POLICYTYPE=4), the About box incorrectly displays the policy type as user-based policies instead of computer-based policies.

  • In the Management Console, loading an imported policy immediately after importing it takes a very long time.

  • On Windows Vista/7, inserting a removable storage device that has a password-encrypted files folder in which unencrypted (clear text) files reside might cause the machine to hang.

  • On Windows Vista/7, ignoring the decryption password prompt when copying a file to a safe harbor location (for example, copy the file, leave the password prompt open, then reboot the computer) causes the file to be stored as clear text in the safe harbor and never encrypted.

2.0 What’s New in Version 4.1

If you have ZENworks Endpoint Security Management 3.5, you should be aware of the following major enhancements to this 4.1 release:

  • Windows 7 Support: The Security Client can be installed on Windows 7 computers. For a list of Security Client features that are available on Windows 7, see Security Client Differences Based on Windows Version in the ZENworks Endpoint Security Management 4.1 Administration Guide.

  • Single-Sign On Support: The Security Client login (on Windows XP*) integrates with the Novell Client™ to provide single sign on. When a Windows XP user logs in through the Novell Client, he or she is also logged in to the Security Client.

    Single-sign on requires the Novell Client 4.91 SP5 for Windows XP with patch 491psp5_login_6.zip. You can download the client and the patch from the following sites:

    For additional information, see Novell TID 7005278.

  • Workstation Support in Novell eDirectory: If you have ZENworks 7 Desktop Management installed and have registered Windows 2000/XP workstations in Novell eDirectory, you can synchronize those workstations with your ZENworks Endpoint Security Management system. This enables publishing of workstation-based policies to Windows 2000/XP workstations.

    Because ZENworks 7 Desktop Management does not support Windows Vista/7 workstations, publishing of workstation-based policies to Windows Vista/7 workstations is not supported.

  • Device Scanner: This utility lets you scan an endpoint device to discover USB device data. You can then import the USB device data into the Management Console for use in Storage Device Control security policies.

    The Device Scanner is not included on the media image. You can download the utility from the Novell download site.

    For information about installing and using the Device Scanner after you have downloaded it, see the ZENworks Endpoint Security Management 4.1 Device Scanner Guide.

3.0 Known Issues

This section contains information about ZENworks Endpoint Security Management issues that might occur.

3.1 Size limit exceeded when synchronizing with Active Directory

The maximum number of users/computers that the Management Console can synchronize from a single Active Directory container is 1000. If any Active Directory container included in the synchronization exceeds the size limit, the entire synchronization operation fails.

Workaround: Have the users/computers log in through the Security Client. When the Security Client logs in, the user/computer is added to the Management database and is displayed in the Management Console.

3.2 CPU spikes with Client Self Defense enabled

To provide Client Self Defense, the Security Client accesses registry keys, files and folders, WMI, process information, and service information associated with the client. Windows Group Policy Object security policies and third-party software that control access to these locations can interfere with the Security Client and produce CPU spiking.

If CPU spiking occurs, make sure that GPO security policies do not prohibit the Security Client from reading and resetting registry keys and that antivirus and spyware software allow STEngine.exe and STUser.exe to run unrestricted.

3.3 Access denied when deleting folders from a safe harbor

If you receive an Access Denied message when deleting a folder from a safe harbor, you must use Shift-Delete to remove the folder or open a Command Prompt and use the rd command.

When you delete a folder from a safe harbor, Windows Explorer attempts to rename the folder to the Recycle Bin rather than moving the folder to the Recycle Bin. The Security Client does not allow this action because it would result in encrypted files in the Recycle Bin. The result is that you receive an Access Denied message. By using Shift-Delete or the rd command to remove the folder, you bypass the Recycle Bin and permanently delete the folder.

3.4 Cut and paste from RSD password folder to RSD root fails

On Windows Vista/7, if you cut a file from the password-encrypted folder on a removable storage device (RSD) and paste it to the root fo the RSD, the move fails. To perform the move, you must copy the file from the password-encrypted folder to another drive, then copy the file from the drive to the RSD.

3.5 Safely removing a busy RSD

If you try to safely remove a removable storage device and you receive a message stating that the device is busy, go ahead and remove the device. No data loss will occur. The message is caused by resident encryption processes.

3.6 Network devices that install as dual devices might not have the policy applied

Network devices that install as dual devices (for example, Modem and Wireless (802.11)) might not appear in the Windows registry and consequently do not have a policy applied to them (firewall or adapter control).

3.7 Network environments with invalid adapters

An adapter-specific network environment that becomes invalid can cause the Security client to continue to switch between the environment’s location and the Unknown location. To prevent this, configure the network environment with an adapter type that is enabled at the location.

3.8 CD/DVD devices added after client installation

If a CD/DVD burning device is added after the Security Client is installed, policies specifying Read Only to that device are not enforced if you are using third-party burning software such as Roxio* or Nero*.

3.9 Problem with FreeUSB Drive

At insertion of a FreeUSB 4GB (or larger) drive, the Windows operating system flashes a blue screen and shuts down. Novell has received one reported issue of this problem but has been unable to reproduce it. If you encounter this issue, please contact Novell Technical Services.

3.10 Controlling cellular phones

You might not be able to control Wireless connections made through cellular phones by using Wi-Fi control features in the Management Console. These devices are generally treated as modems by the operating system and, therefore, need corresponding policy changes to control them (for example, disable modems when wired through scripting).

3.11 Two Security Client icons display in the Windows Taskbar

When you boot your Endpoint Security Client 3.5 machine, you might see two Endpoint Security Client icons in the Windows taskbar. Mouse over one of the icons and it disappears.

3.12 Preferred devices comments removed during import of Storage Device Control settings

During import of a policy, the comments (in the Comments field) are removed from any preferred devices listed in the Storage Device Control settings. This does not affect the functionality of the preferred devices list because the Comments field is not used as part of the matching criteria for devices. To retain the comments, you must enter them again manually.

4.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (® , ™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark