Sign in with Microsoft
Sign in or create an account.
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.


Client Security antimalware agents running on Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2, may be removed when using the Windows install updates and shut down feature to apply the Forefront Client Security March 2011 antimalware update described in the following article:

2508823 Forefront Client Security anti-malware client update: March 2011
The installation log file for the update, typically located at %ProgramFiles%\Microsoft Forefront\Client Security\Client\Logs\mp_ambits.log, contains information similar to the below.

MSI (s) (90:84) [14:44:28:764]: Product: Microsoft Forefront Client Security Antimalware Service -- Error 1923. Service 'Microsoft Forefront Client Security Antimalware Service' (FCSAM) could not be installed. Verify that you have sufficient privileges to install system services. MSI (s) (90:84) [14:44:28:951]: Executing op: ActionStart(Name=ExecSecureObjects,,)

MSI (s) (90:84) [14:44:29:013]: Executing op: CustomActionSchedule(Action=ExecServiceConfig,ActionType=3073,Source=BinaryData,Target=ExecServiceConfig,CustomActionData=FCSAM€restart€restart€none€1€15€€) MSI (s) (90:50) [14:44:29:013]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI255E.tmp, Entrypoint: ExecServiceConfig ExecServiceConfig: Error 0x80070430: Cannot change service configuration. Error: The specified service has been marked for deletion
In this situation, the Security State Assessment(SSA) and Microsoft Operation Manager components remain installed.


Microsoft has identified an issue in the Forefront Client Security agent when running on Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2, which prevents it from upgrading to the March 2011 update properly when the Windows feature "Install updates and shut down" is used to install the update.

Note: the symptom "Error: The specified service has been marked for deletion" may also occur due to different causes.


Avoiding the issue

  • WSUS administrators can decline or not approve KB2508823 for installation

  • Avoid installing KB2508823 with “Install updates and shutdown”. This may be accomplished by

    • a recommendation by administrators to users

    • enforcement though Automatic Updates group policy: Computer Configuration/Administrative Templates/Windows Components/Windows Update- Do not display ‘Install Updates and shut down’ option in Shut Down Windows dialog box.

    • installing the update KB2508823 through WSUS deadlines; this triggers its installation immediately. For more information on WSUS deadlines, see the TechNet article Client Behavior with Update Deadlines

Issue correction

For automated correction through Microsoft Update and WSUS, see More Information section below.

For manual correction, there are a number of options  

  • Download and install KB2508823 manually. There are steps to do this in the Hotfix information section of the article:

  • Approve in WSUS “Client Update for Microsoft Forefront Client Security (1.0.1728.0)” and decline both the March update(KB2508823) and the Client Update for Microsoft Forefront Client Security (1.0.1736.0) (2508824). After the next Automatic Updates detection and installation cycle, this will redeploy the prior antimalware agent

  • Approve the “Client Update for Microsoft Forefront Client Security (1.0.1736.0)” slipstream update.
    NOTE: In some cases this will fail with 0x666 ERROR_PRODUCT_VERSION
    If you are seeing ERROR_PRODUCT_VERSION failures installing the slipstream you can uninstall SSA and that should allow it to work. 


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

A supported fix is now available from Microsoft for computers that encountered installation issues with the Forefront Client Security March 2011 update. The fix is a new software update package designed to correct these computers by re-deploying the March 2011 update described in the following article: 

2508823 Forefront Client Security anti-malware client update: March 2011
This fix is available from Microsoft Update and from Windows Server Update Services (WSUS). The update uses the following conditions to determine if it should apply the March 2011 update. If all conditions are met the update will be installed:

  1. The Forefront Client Security State Assessment (SSA) agent is installed

  2. The Forefront Client Security Antimalware agent is not installed.

  3. Specific antimalware agent registry keys are present.

  4. The computer operating system is Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2.

This fix is intended to correct only a very specific case of an upgrade failure. There are many technical reasons that an upgrade may fail to install which are not addressed. Examples include a damaged registry, Windows installer repository issues or binaries being held by external processes beyond our control. If you need additional assistance please contact your support professional or visit

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!