Interim Release 1 (IR1) is the current release of ZENworks Endpoint Security Management 4.1. You can download IR1 here.
The issues included in this document were identified for Novell® ZENworks® Endpoint Security Management 4.1 Interim Release 1.
For installation instructions, see the ZENworks Endpoint Security Management 4.1 Installation Guide.
For administrative tasks, see the ZENworks Endpoint Security Management 4.1 Administration Guide.
In addition to issues uncovered during Novell-conducted testing, Interim Release 1 fixes the following customer-reported issues:
Installation of the Security Client on Windows Vista/7 appears to fail because it takes a long time (over 45 minutes).
After installation on Windows Vista/7, the Security Client (zesservice.exe) fails to start.
The Windows Vista/7 Security Client fails to decrypt removable storage device files that were password-encrypted by the Windows XP/2000 Security Client.
On Windows Vista/7, the File Decryption utility (stdecrypt.exe) fails to decrypt password-encrypted files stored on a removable storage device.
On Windows XP, a Security Client installation done via an MSI or setup.exe silent installation ignores the POLICYTYPE=3 (eDirectory user policies) and POLICYTYPE=4 (eDirectory workstation policies) settings and defaults to the POLICYTYPE=1 (Active Directory user policies) setting.
The Security Client installation fails for all languages other than English.
When installing all ZENworks services to a single server with a local SQL 2008 database, the installation displays “local instance of SQL cannot be found” and fails.
When running the Directory Service Configuration Wizard to connect to an Active Directory domain, the wizard fails if any detected Domain Controllers are unreachable.
The Device Scanner does not run on non-English operating systems.
NOTE: The fix enables the Device Scanner to run on non-English operating systems. However, the Device Scanner dialogs still appear in English only.
In Windows XP Security Clients that are configured to retrieve policies from eDirectory workstation accounts (POLICYTYPE=4), the About box incorrectly displays the policy type as user-based policies instead of computer-based policies.
In the Management Console, loading an imported policy immediately after importing it takes a very long time.
On Windows Vista/7, inserting a removable storage device that has a password-encrypted files folder in which unencrypted (clear text) files reside might cause the machine to hang.
On Windows Vista/7, ignoring the decryption password prompt when copying a file to a safe harbor location (for example, copy the file, leave the password prompt open, then reboot the computer) causes the file to be stored as clear text in the safe harbor and never encrypted.
If you have ZENworks Endpoint Security Management 3.5, you should be aware of the following major enhancements to this 4.1 release:
Windows 7 Support: The Security Client can be installed on Windows 7 computers. For a list of Security Client features that are available on Windows 7, see the ZENworks Endpoint Security Management 4.1 Administration Guide.
Single Sign-On Support: The Security Client login (on Windows XP*) integrates with the Novell Client™ to provide single sign-on. When a Windows XP user logs in through the Novell Client, he or she is also logged in to the Security Client.
Single sign-on requires the Novell Client 4.91 SP5 for Windows XP with patch 491psp5_login_6.zip. You can download the client and the patch from the following sites:
For additional information, see Novell TID 7005278.
Workstation Support in Novell eDirectory: If you have ZENworks 7 Desktop Management installed and have registered Windows 2000/XP workstations in Novell eDirectory, you can synchronize those workstations with your ZENworks Endpoint Security Management system. This enables publishing of workstation-based policies to Windows 2000/XP workstations.
Because ZENworks 7 Desktop Management does not support Windows Vista/7 workstations, publishing of workstation-based policies to Windows Vista/7 workstations is not supported.
Device Scanner: This utility lets you scan an endpoint device to discover USB device data. You can then import the USB device data into the Management Console for use in Storage Device Control security policies.
The Device Scanner is not included on the media image. You can download the utility from the Novell download site.
For information about installing and using the Device Scanner after you have downloaded it, see the ZENworks Endpoint Security Management 4.1 Device Scanner Guide.
This section contains information about ZENworks Endpoint Security Management issues that might occur.
The maximum number of users/computers that the Management Console can synchronize from a single Active Directory container is 1000. If any Active Directory container included in the synchronization exceeds the size limit, the entire synchronization operation fails.
Workaround: Have the users/computers log in through the Security Client. When the Security Client logs in, the user/computer is added to the Management database and is displayed in the Management Console.
To provide Client Self Defense, the Security Client accesses registry keys, files and folders, WMI, process information, and service information associated with the client. Windows Group Policy Object security policies and third-party software that control access to these locations can interfere with the Security Client and produce CPU spiking.
If CPU spiking occurs, make sure that GPO security policies do not prohibit the Security Client from reading and resetting registry keys and that antivirus and spyware software allow STEngine.exe and STUser.exe to run unrestricted.
If you receive an Access Denied message when deleting a folder from a safe harbor, you must use Shift-Delete to remove the folder or open a Command Prompt and use the rd command.
When you delete a folder from a safe harbor, Windows Explorer attempts to rename the folder to the Recycle Bin rather than moving the folder to the Recycle Bin. The Security Client does not allow this action because it would result in encrypted files in the Recycle Bin. The result is that you receive an Access Denied message. By using Shift-Delete or the rd command to remove the folder, you bypass the Recycle Bin and permanently delete the folder.
On Windows Vista/7, if you cut a file from the password-encrypted folder on a removable storage device (RSD) and paste it to the root of the RSD, the move fails. To perform the move, you must copy the file from the password-encrypted folder to another drive, then copy the file from the drive to the RSD.
If you try to safely remove a removable storage device and you receive a message stating that the device is busy, go ahead and remove the device. No data loss will occur. The message is caused by resident encryption processes.
Network devices that install as dual devices (for example, Modem and Wireless (802.11)) might not appear in the Windows registry and consequently do not have a policy applied to them (firewall or adapter control).
An adapter-specific network environment that becomes invalid can cause the Security Client to continue to switch between the environment’s location and the Unknown location. To prevent this, configure the network environment with an adapter type that is enabled at the location.
If a CD/DVD burning device is added after the Security Client is installed, policies specifying Read Only to that device are not enforced if you are using third-party burning software such as Roxio* or Nero*.
At insertion of a FreeUSB 4GB (or larger) drive, the Windows operating system flashes a blue screen and shuts down. Novell has received one reported issue of this problem but has been unable to reproduce it. If you encounter this issue, please contact Novell Technical Services.
You might not be able to control Wireless connections made through cellular phones by using Wi-Fi control features in the Management Console. These devices are generally treated as modems by the operating system and, therefore, need corresponding policy changes to control them (for example, disable modems when wired through scripting).
When you boot your Endpoint Security Client 3.5 machine, you might see two Endpoint Security Client icons in the Windows taskbar. Mouse over one of the icons and it disappears.
During import of a policy, the comments (in the Comments field) are removed from any preferred devices listed in the Storage Device Control settings. This does not affect the functionality of the preferred devices list because the Comments field is not used as part of the matching criteria for devices. To retain the comments, you must enter them again manually.
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, ™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2007-2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page and one or more additional patents or pending patent applications in the U.S. and in other countries.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.