Lumension Endpoint Management and Security Suite (L.E.M.S.S.) agent support for Microsoft Windows 8 and Windows Server 2012

Version 1

    Details

    Microsoft Windows 8
    Microsoft Windows Server 2012
    Lumension Endpoint Management and Security Suite (L.E.M.S.S.)

    On October 26, 2012 and September 4, 2012, Microsoft released the Windows 8 and Windows Server 2012 operating systems. HEATsoftware's new release, HEATsoftware Endpoint Management and Security Suite 7.2 Update 2, includes support for installing the LEMSS 7.2 Update 2 Agent on these operating systems.
    This knowledge base article includes frequently asked questions and known issues associated with LEMSS 7.2 Update 2 and these new operating systems. For additional information about the LEMSS 7.2 Update 2 release, refer to KB 23314 - L.E.M.S.S. 7.2 Update 2.

    FAQ

    Can I install the LEMSS server component on Windows Server 2012?

    You cannot install LEMSS on Windows Server 2012 at this time. Only agent installation is currently supported for the Windows 8 and Windows Server 2012 platforms.


    What editions of Windows 8 and Windows Server 2012 are supported for the LEMSS Agent?

    The LEMSS Agent is supported on the following Windows 8 and Windows Server 2012 operating systems:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
               

    Operating

               

    System

               
               

    Version

               
               

    Edition

               
               

    Data

               

    Width

               
               

    Proc.

               

    Family

               
               

    Software

               

    Prerequisites

               
               

    Agent Version

               
               

    Microsoft

               

    Windows 8(1)

               
               

    6.2

               
               

    Windows 8

               

    Professional

               

    Enterprise(2)

               
               

    32/64 bit

               
               

    Intel

               
               

    Microsoft .NET

               

    Framework 4.0+

               
               

    LEMSS 7.2

               

    Update 2 Agent

               
               

    Microsoft

               

    Windows Server

               

    2012(3)

               
               

    6.2

               
               

    Standard(2)(4)

               

    Datacenter(2)(4)

               

    Foundation

               

    Essentials

               
               

    64 bit

               
               

    Intel

               
               

    Microsoft .NET

               

    Framework 4.0+

               
               

    LEMSS 7.2

               

    Update 2 Agent

               
               

    Microsoft

               

    Windows Storage

               

    Server 2012

               
               

    6.2

               
               

    Standard

               

    Workgroup

               
               

    64 bit

               
               

    Intel

               
               

    Microsoft .NET

               

    Framework 4.0+

               
               

    LEMSS 7.2

               

    Update 2 Agent

               
               

    (1) The N editions of this family are supported. However, the RT edition of this family is not supported.

               

    (2) The evaluation version of this edition is supported.

               

    (3) The Hyper-V edition of this family is not supported.

               

    (4) Server Core mode for this edition is supported.

               
               

    Note: The Software Prerequisites column applies only to Patch and Remediation and Security

               

    Configuration Management endpoints. Agents without these modules do not require the software prerequisites.

               

    Microsoft .NET Framework 4.0 is installed on Windows 8 and Server 2012 by default.

               


    What modules are supported for Windows 8 and Windows Server 2012 endpoints?

    All currently supported product modules in LEMSS are supported in Windows 8 and Windows Server 2012. These modules include:

         
    • AntiVirus
    •    
    • Application Control
    •    
    • Device Control
    •    
    • Patch and Remediation
    •    
    • Power Management
    •    
    • Security Configuration Management
    •    
    • Wake on LAN


    How does agent installation change with Windows 8 and Windows Server 2012?

    The agent installation process is similar to prior releases. However, Windows 8 and Server 2012 introduces changes that slightly modify how the installer is downloaded.

         
    • When downloading the Agent installer from Modern interface, the Internet Explorer 10 App displays the LEMSS Web console differently. For additional information, refer to KB 23284 - L.E.M.S.S. Support for Internet Explorer 10.
    •    
    • Before logging into LEMSS, compatibility view must be enabled within Internet Explorer 10. For additional information, refer to KB 23284 - L.E.M.S.S. Support for Internet Explorer 10.


    Will Agent Notifications display in Modern interface?

    No agent notifications, regardless of module, will display in Modern interface. Any agent notifications sent to the endpoint (such as deployment notifications, reboot notifications, or AntiVirus definition update notifications) display on Desktop. Any notifications sent to endpoints when Modern interface is in use will display on Desktop when it is opened.


    What is the expected agent behavior on Windows Server 2012 when in Core mode?

    When the agent is installed on a Windows Server 2012 endpoints that is in Core mode, the HEATsoftware Agent Control Panel is unavailable and users have limited interaction with the agent. The following table lists each endpoint module behavior when the endpoint is in Core mode:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
               

    Module

               
               

    Feature

               
               

    Expected Behavior

               
               

    Core

               
               

    HEATsoftware

               

    EMSS Agent

               

    Control Panel

               
               

    Because Core mode disables the Windows Server 2012 GUI, the HEATsoftware Agent Control Panel and its functions are not available.

               
               

    Agent Version,

               

    Endpoint, and

               

    Server Details

               
               

    The Agent Version details, Endpoint details, and Server details that

               

    display on the HEATsoftware Agent Control PanelSummary are unavailable and cannot be accessed from the command line.

               
               

    Agent Restart

               
               

    The Restart Agent button on HEATsoftware Agent Control Panel Summary tab is unavailable. To start, stop, or restart the LMAgent.exe service, users must use command line.

               
               

    Proxy Server

               

    Definition

               
               

    The fields and check boxes used to define Proxy Settings on the HEATsoftware Agent Control Panel Proxy tab are unavailable and cannot be accessed from the command line.

               
               

    AntiVirus

               
               

    HEATsoftware

               

    EMSS Agent

               

    Control Panel

               
               

    When the AntiVirus endpoint module is installed, the HEATsoftware Agent Control Panel includes the following AntiVirus panels, which are not available without the Windows Server 2012 GUI.

               

    • The AntiVirus Panel, which includes AntiVirus policy information, AntiVirus version information, and virus and malware scan history.

               

    • The Quarantine Panel, which includes quarantine information, and functionality to clean, delete, or save quaratine information to another location.

               

    • The Scan Now and Scan Events Panel, which lists scan events and functionality to clear scan events and run an endpoint scan.

               

    Much of this information and functionality can still be accessed using the command line.

               
               

    Scan Now

               
               

    Scan Now functionality is not available. To run an immediate AntiVirus scan on an endpoint, use the HEATsoftware EMSS Web console.

               
               

    Quarantine

               
               

    The quarantine will be scanned in the next file, and if the contents are cleaned, they are automatically removed from quarantine.

               
               

    AntiVirus

               

    Notifications

               
               

    AntiVirus notifications are displayed on the endpoint. These notifications include AntiVirus engine and definition update notifications; scan start and stop notifications; and endpoint infection notifications. You can review notifications for Windows Server 2012 endpoint in Core mode using the HEATsoftware EMSS Web console.

               
               

    Application

               

    Control

               
               

    Local

               

    Authorization

               
               

    When Windows Server 2012 is in Core mode, the Local Authorization dialog is unavailable. Users who are assigned a Local Authorization policy need this dialog to authorize or deny applications locally. Therefore it is not possible to use Local Authorization in Core mode.

               
               

    Device

               

    Control

               
               

    HEATsoftware

               

    Endpoint

               

    Security Client

               

    Management

               

    Console

               
               

    Because a Windows Server 2012 endpoint in Core mode has no GUI, the HEATsoftware Endpoint Security Management Console is unavailable.

               
               

    Permissions

               
               

    Because HEATsoftware Endpoint Security Management Console is unavailable, endpoint users cannot access their permissions list.

               
               

    HEATsoftware

               

    Endpoint

               

    Security

               

    Notifications

               
               

    Notifications are not available.

               
               

    Device

               

    and Media

               

    Encryption

               
               

    Without a GUI, Windows Server 2012 Core mode users cannot encrypt devices or media using the HEATsoftware Endpoint Security client.

               
               

    Encrypted

               

    Device Data

               

    Access

               
               

    Without a GUI, users cannot access data on an encrypted device because they cannot access an interface to unlock it.

               
               

    Centralized

               

    Encryption

               
               

    Without a GUI, use of centralized encryption to encrypt a volume in ReFS file format on a mirrored virtual disk is unavailable.

               
               

    Secure

               

    Volume

               

    Browser

               
               

    Secure Volume Browser cannot be accessed without a GUI.

               

     

               
               

    Patch and

               

    Remediation

               
               

    Patch Agent

               

    Control Panel

               
               

    Windows Server 2012 has .NET Framework 4.0 installed by default to execute its GUI. Patch Agent also requires this software to execute AgentPanel.exe. However, when Windows Server 2012 has Core mode enabled, administrators can uninstall .NET Framework 4.0. When Windows Server 2012 is operating in Core mode without .NET Framework 4.0, you cannot execute AgentPanel.exe from command line.

               
               

    Deployment

               

    Notification

               
               

    No deployment notification opens regardless of the Deployment Notification Options defined during completion of the Deployment Wizard.

               

    The deployment installs immediately without prompting the user.

               
               

    Reboot

               

    Notification

               
               

    No reboot notification opens regardless of the Reboot Notification Options defined during completion of the Deployment Wizard. The reboot begins immediately without prompting the user.

               

     

    Can I install the LEMSS Agent using Modern interface?

    You cannot install the agent using Modern interface with HEATsoftware Endpoint Management and Security Suite 7.2 Update 2. You can download the installer using Modern interface, but any attempt to open the agent installer within Modern interface opens the agent installer on Desktop.


    After installation, can I access the HEATsoftware Agent Control Panel using Modern interface?

    You cannot access the HEATsoftware Agent Control Panel using Modern interface. Instead, you must open Windows Control Panel using Modern interface, click Programs, and then open HEATsoftware Agent Control Panel.


    KNOWN ISSUES

    The following table identifies all known issues associated with the LEMSS Agent on Windows 8 and Windows Server 2012 endpoints. The table lists the LEMSS module affected, a description of the issue, and the ID number of the issue (if available):

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
               

    ID

               
               

    Component

               
               

    Description

               
               

    N/A

               
               

    Core

               
               

    When using the Microsoft Internet Explorer 10 App within Modern interface to download an agent or run an agent management job, the Download Agent Installer dialog, Install Agents Wizard, and Uninstall Agents Wizard open to full page in the HEATsoftware EMSS Web console. These issues are by Microsoft design, and no action is planned to change this function.

               
               

    N/A

               
               

    AntiVirus

               
               

    When using Windows 8 within Modern interface, no AntiVirus notifications display. These notifications include:

               

    • Infected Files Detected

               

    • New AntiVirus Engine and Definitions Files Downloaded

               

    • Virus and Malware Scan Start

               

    • Virus and Malware Scan End

               

    • Virus and Malware Scan Summary Dialog

               

    All listed notifications still display from Desktop.

               
               

    N/A

               
               

    Application

               

    Control

               
               

    Some Windows Store (formerly Metro) apps are developed with JavaScript and HTML. These applications do not contain executable files, so they are not scanned (detected) by HEATsoftware Application Control. This means it is not possible to block them from running.

               
               

    N/A

               
               

    Application

               

    Control

               
               

    Windows 8 can run both Windows Store apps and conventional Windows applications. Windows Store apps are launched from the Modern interface but the Non-Authorized Application Detected dialog cannot be displayed there. If a user tries to launch a non-authorized application from the Modern interface, the display changes to the Desktop to show the dialog.

               
               

    N/A

               
               

    Application

               

    Control

               
               

    Windows 8 can run both Windows Store apps and conventional Windows applications. Windows Store apps are launched from the Modern interface, but the Local Authorization dialog cannot be displayed there. If users who are assigned a Local Authorization policy try to launch a non-authorized application from the Modern interface, they will not see the Non-Authorized Application Detected dialog unless they switch to Desktop.

               
               

    N/A

               
               

    Application

               

    Control

               
               

    Some Windows Store apps do not have signed executables. It is not possible to apply a Trusted Publisher policy to these applications.

               
               

    10710

               
               

    Device

               

    Control

               
               

    Use of centralized encryption to encrypt a volume in ReFS file format on a mirrored virtual disk is unsupported.

               
               

    155042

               
               

    Wake on LAN

               
               

    Due to changes made by Microsoft, Windows 8 endpoints do not respond to Wake on LAN wake requests if their last shutdown was initiated using the Windows 8 GUI. Shutting down Windows 8 using this method closes sockets used by Wake on LAN to initiate wake requests. Workarounds include:

               

    • Initiating Windows 8 endpoint shutdowns using the shutdown /s command from the command prompt. This shutdown method does not close the sockets used to initiate wake requests.

               

    • Disabling the Turn on fast startup option within the endpoint power settings.

               

    For additional information, refer to HEATsoftware Endpoint Management and Security Suite: Wake on LAN User Guide (http://portal.HEATsoftware.com).

               

    After applying one of these workarounds, wake requests will function.