Release Note

Release Notes

This download includes FactoryTalk Services Platform, FactoryTalk Linx, and FactoryTalk Alarms & Events. Additional keywords:
Version 6.40.00 (released 11/2023)

Catalog Number FactoryTalk Services

These release notes describe version information for FactoryTalk Services, version 6.40.00 (released 11/2023).

Requirements

This release has the following requirements.

FactoryTalk Services Platform version 6.40.00 (CPR 9 SR 14)

To run FactoryTalk Services Platform, the host computer must meet the hardware, software, and firmware requirements. For the latest compatibility information, refer to the Product Compatibility and Download Center.

Hardware requirements

FactoryTalk Services Platform requires the following hardware:

Intel^®Core^™i5 Standard Power processor
4 GB of memory (RAM)
16 GB free hard disk space
1024x768, True Color graphics device

Software requirements

FactoryTalk Services Platform has been tested on the following operating systems:

Windows Server^®2022
Windows Server 2019
Windows Server 2016
Windows 11 (v21H2 and v22H2)
If you use FactoryTalk Services Platform on Windows 11, you must update Windows 11 with patch KB5008215.
Windows 10 (v21H2 and v22H2)
FactoryTalk Services Platform adopts .NET 4.8 which is only supported on Windows 10 v1803 and later.
Windows 10 IoT Enterprise 2021 Long-Term Servicing Channel (LTSC)
Windows 10 IoT Enterprise 2019 Long-Term Servicing Channel (LTSC)

High Resolution Display Support

Windows 10 v1803 or later is the recommended operating system if running this software with a 2K or 4K High Resolution Display with scaling up to 125%.

Rockwell Automation Test Environment

Rockwell Automation tests software products under a standard configuration of operating systems and antivirus software. For additional information, see the Knowledgebase Document ID: PN24 - Rockwell Software Products and Antivirus Software.

Security requirements

To help meet secure system design requirements, review these publications:

Configure System Security Features User Manual (publication SECURE-UM001)
System Security Design Guidelines Reference Manual (publication SECURE-RM001)
Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (publication ENET-TD001)

To learn about implementing CIP Security, see CIP Security with Rockwell Automation Products Application Technique (publication SECURE-AT001).

Firmware requirements

FactoryTalk Services Platform does not have any firmware requirements. Hardware and software products that use FactoryTalk Services Platform might place limits on firmware versions. Read release notes for each product in the FactoryTalk system to determine firmware requirements.

Features

This release includes the following system features.

FactoryTalk Services Platform version 6.40.00 has the following new and enhanced features:

New features

Support a Socket.IO communication channel for all FactoryTalk Directory operations that can be used in parallel with or replace the existing DCOM communication channel.

You must ensure the FactoryTalk Web Event Server installation option is selected when installing or updating your FactoryTalk Directory Server to version 6.40.00 to use the Socket.IO communication channel.
Support Microsoft Azure Active Directory user authentication and options for multi-factor authentication.
Support for an on-premises third-party OpenID Connect (OIDC) Identity Provider (IDP) used in conjunction with a Microsoft Active Directory. The OIDC IDP authentication can support a variety of multi-factor authentication options.
Support on-demand language switching for the Administration Console user interface.
Support new security policies:
Encryption Settings: Selects the encryption and decryption algorithm used by FactoryTalk-enabled products. Enhanced provides a more secure and modern algorithm. When Enhanced is selected, all clients are required to be upgraded to version 6.40.00 or later.

Web Authentication Settings: Specifies settings for the Microsoft Azure Active Directory user sign-in.

Service token: Selects the service token signature method. Enhanced provides more secure communications. When Enhanced is selected, all clients are required to be upgraded to version 6.40.00 or later.
Support for a new command-line parameter:
systemstatusportal: Specifies the installation of the FactoryTalk System Status Portal.
Support to configure the IIS server communication port during installation.

Enhanced features

The Verify Publisher Info option is enabled by default in FactoryTalk Service Application Authorization.

Corrected Anomalies in This Release

This release corrects the following anomalies.

A second instance of FactoryTalk Live Data Test Client cannot open in Windows 8. In Windows 8 operating systems, if a FactoryTalk Live Data Test Client is already open, a second instance cannot open when selecting Start > All Programs > Rockwell Software > FactoryTalk Tools > FactoryTalk Live Data Test Client. First identified in FactoryTalk Services Platform version 2.60.00. [340939]
Corrected in FactoryTalk Services Platform version 6.40.00.

FactoryTalk Directory does not work after updating from Windows 8.0 to Windows 8.1 through Windows Update. First identified in FactoryTalk Services Platform version 2.74.00. [355780]
Corrected in FactoryTalk Services Platform version 6.40.00.

FactoryTalk Directory does not work after updating from Windows 10 v1511 to Windows 10 v1607 through Windows Update. First identified in FactoryTalk Services Platform version 2.90.00. [363599]
Corrected in FactoryTalk Services Platform version 6.40.00.

If a Non-Built in Administrator windows user, such as a Standard windows user or other users in Administrator User Group, uninstalls FactoryTalk Services Platform by selecting Control Panel > Programs and Features > Change > Remove. The Uninstall will fail as a fatal error. First identified in FactoryTalk Services Platform version 6.11.00. [Jira 1042846]
Corrected in FactoryTalk Services Platform version 6.40.00.

When restoring the FactoryTalk Directory configuration, if the status of the Verify Publisher Info check box is different from that in the BAK file, the status of Verify Publisher Info check box will be incorrect after restoration. First identified in FactoryTalk Services Platform version 6.30.00. [Jira 1512688]
Corrected in FactoryTalk Services Platform version 6.40.00.

In the system, if you install any FactoryTalk-enabled software using HTTPS, a port conflict (port 443) will be created when FactoryTalk Batch View was installed first. As a result, FactoryTalk Batch View client and HMI user controls cannot communicate with the FactoryTalk Batch View server. First identified in FactoryTalk Services Platform version 6.30.00. [Jira 1536376]
Corrected in FactoryTalk Services Platform version 6.40.00.

The tool’s name “FTExportPolicy.exe” in the examples of exporting policies via commands is not correct in Help. First identified in FactoryTalk Services Platform version 6.30.00. [Jira 1560960]
Corrected in FactoryTalk Services Platform version 6.40.00.

Known Anomalies in This Release

This release has the following known anomalies.

When the FactoryTalk Directory system’s System communication type is configured as Auto or Socket.IO, Microsoft IIS will generate large activity logs, for example, hundreds of MB, each day when using the default IIS settings. First identified in FactoryTalk Services Platform version 6.40.00. [Jira 3077816]
To avoid this problem, configure Microsoft IIS settings to control the IIS logging, for example, disable logs, set log size limitation, or remove old logs. For more information, see:
- IIS Logging.
- IIS Best Practices.

Restoring a FactoryTalk Directory backup, which includes the FactoryTalk Linx configuration, the system may report an error that an object is in use. The FactoryTalk Directory restoration was successful; however, the FactoryTalk Administration Console cannot show all of the directories contents. First identified in FactoryTalk Services Platform version 6.31.00. [Jira 3126799]
To avoid this problem, restarts the FactoryTalk Administration Console after restoring a FactoryTalk Directory backup.

When backing up a running FactoryTalk system, for example backing up the FactoryTalk Directory, restarting a FactoryTalk Directory client computer during the backup process may cause that computer’s FactoryTalk Directory cache to expire. First identified in FactoryTalk Services Platform version 6.40.00. [Jira 3136113]
To resolve this problem, restart the affected FactoryTalk Directory client computer.

When prompted to log in to FactoryTalk while using FactoryTalk View SE Application Manager, such as restoring an application with FactoryTalk Directory or opening the SE Application Manager via a remote session, logging in with OpenID Connect causes the login dialog box to stop responding. This problem will influence FactoryTalk Services Platform version 6.40.00 and FactoryTalk View SE version 14.00.00 and earlier. First identified in FactoryTalk Services Platform version 6.40.00. [Jira 3150723]
Corrected in FactoryTalk Services Platform version 6.50.00.

When upgrading FactoryTalk Services Platform to version 6.40.00 or later on a computer installed with FactoryTalk View version 13.00 or earlier, the following documents cannot be opened from the FactoryTalk View Studio Help menu:
- FactoryTalk Services Platform Help
- FactoryTalk Services Platform Release Notes
- FactoryTalk Security System Configuration Guide
- FactoryTalk Alarms and Events System Configuration Guide

First identified in FactoryTalk Service Platform version 6.40.00. [Jira 3289981]

These documents are renamed with the latest version of FactoryTalk Services Platform, and the older version of FactoryTalk View is hard-coded to previous names. You can view these documents in C:\Program Files (x86)\Common File\Rockwell\Help:

FactoryTalk Services Platform\Help\ENU\index.html
FactoryTalk Services Platform\Release Notes\ENU\index.html
ftsec-qs001_-en-e.pdf
ftae-rm001_-en-e.pdf

You can also view the FactoryTalk Services Platform Help and Release Notes from the FactoryTalk Administration Console Help menu.

Known Anomalies from Previous Releases

These anomalies are from previous releases but are still known in this release.

For an application created in FactoryTalk View, denying the Write action does not prevent users from modifying properties of a logical name in the application. Users limited only by the Common Write action can modify logical name properties. First identified in FactoryTalk Services Platform version 2.80.00. [357366]
To resolve this problem, use the Common Configure Security action to secure logical name properties.

For an application created in FactoryTalk View, allowing the Create Child action but denying the Delete action prevents users from creating a logical name in the application, while allowing the Delete action but denying the Create Child action prevents users from deleting a logical name in the application. Users without both Create Child and Delete actions cannot create or delete logical names in an application. First identified in FactoryTalk Services Platform version 2.80.00. [357393]
To resolve this problem, ensure that users which need to create or delete logical names have permissions for both Create Child and Delete actions.

Permissions for new Windows-linked users are not applied until the FactoryTalk Services Platform service is restarted. First identified in FactoryTalk Services Platform version 2.61.00. [356086]
To resolve this problem, restart the FactoryTalk Services Platform service, restart the computer, or log off and on to FactoryTalk using Log On to FactoryTalk.

Restarting primary and redundant servers at the same time might cause the servers to become unresponsive. It affects all FactoryTalk servers that support redundancy, including RSLinx Enterprise, FactoryTalk Alarms and Events, and HMI servers. First identified in FactoryTalk Services Platform version 2.74.00. [354965]
To avoid this problem, or to recover from the problem after it occurs, restart one server from a redundant pair at a time. Wait for the first server to completely startup, and then enter Active or Standby status before restarting the second server in the redundant pair.

Changes made to redundant server switchover settings when the FactoryTalk Directory server is offline are not applied when the FactoryTalk Directory server returns online. It affects all FactoryTalk servers that support redundancy, including RSLinx Enterprise, FactoryTalk Alarms and Events, and HMI servers. First identified in FactoryTalk Services Platform version 2.90.00. [363071]
To avoid this problem, only change server switchover settings when the FactoryTalk Directory server is online.
To resolve this problem, restart all servers connected to the FactoryTalk Directory server. Restart one server from a redundant pair at a time. Wait for the first server to completely startup, and then enter Active or Standby status before restarting the second server in the redundant pair.

After switching the authentication mode from LDAP over SSL to other modes, it cannot log on with a domain user account. First identified in FactoryTalk Services Platform version 6.20.00. [Jira 562100]
To resolve this problem, reload the runtime application in FactoryTalk View ME Station.

When running the FactoryTalk Directory Configuration Wizard on a computer named service4 or service, the wizard stops responding after clicking Next on the first dialog box, and the FactoryTalk Event system doesn't work correctly. First identified in FactoryTalk Services Platform version 6.11.00. [Jira 794606]
To avoid this problem, ensure that the computer name is not service4 or service. Service4 and service are reserved characters by the Windows registry.

When you use FactoryTalk Directory client version 6.11 or earlier with FactoryTalk Directory server version 6.20 or later:

If the minimum password length is set to more than 16 characters, you cannot create any user on the client, or change the user password to more than 16 characters.
If the existing user password is 64 characters, you cannot change the password by clicking Change Password in the Log On to FactoryTalk dialog box.
These problems happen because FactoryTalk Services Platform supports 64-character passwords starting from version 6.20, while previous versions support 16-character passwords. First identified in FactoryTalk Services Platform version 6.20.00. [Jira 804511]
To avoid this first problem, make sure the minimum password length is set to 16 characters or less.

To solve the second problem, in the Password box of the Log On to FactoryTalk dialog box, enter the existing password, and then click Change Password. The existing password will be automatically filled in the Old password box of the Change Password dialog box.

After starting a computer and opening a FactoryTalk View application, FactoryTalk Linx and FactoryTalk Alarms and Events servers may remain in the starting status and may not become active. First identified in FactoryTalk Services Platform version 6.20.00. [Jira 825594]
To solve this problem, restart the computer.

When earlier version FactoryTalk Services Platform clients (for example, version 2.74) work with a FactoryTalk Services Platform server version 6.21, encrypted BAK file from FactoryTalk Services Platform clients might not be recognized. First identified in FactoryTalk Services Platform version 6.21.00. [Jira 1002540]
To avoid this problem, upgrade the FactoryTalk Services Platform client to the corresponding later version, and restore the encrypted BAK file on the later version client.

When importing a large number of users and groups, the Import Users and Groups tool displays the error "Cannot resolve path:/(null)/(null) Cause: The specified path is invalid". First identified in FactoryTalk Services Platform version 3.00.00. [365193]
To avoid this problem, use the Windows Registry Editor to increase the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERPostMessageLimit value from 10000 to a higher value.

When multiple applications, such as FactoryTalk View applications, are hosted on the same computer, the messages displayed in the diagnostic list do not distinguish the source application. First identified in FactoryTalk Services Platform version 6.10.00. [102339]
There is no workaround for this issue.

When a remote FactoryTalk Linx data server is running on a CompactLogix 5480 Windows user core, the connection between the remote data server and the FactoryTalk Directory server may not be restored following frequent power cycles of the CompactLogix 5480 controller. First identified in FactoryTalk Services Platform version 6.31.00. [Jira 1875476]
To avoid this problem, locate the FactoryTalk Linx data server on a computer within your control system and directly connect to the CompactLogix 5480 Logix core. This is the recommended architecture.

When signing in to FactoryTalk using a user account configured to use an RFID badge from a computer hosting Remote Desktop Protocol (RDP) sessions, or from one of the remote sessions, the Badge Log On dialog box appears on all remote sessions and the hosting computer. First identified in FactoryTalk Services Platform version 6.20.00. [Jira 1697465]
There is no workaround for this issue.

When configuring a FactoryTalk user to use an RFID badge to sign in from a computer hosting Remote Desktop Protocol (RDP) sessions, or from one of the remote sessions, the Badge Log On dialog box appears on all remote sessions and the hosting computer. First identified in FactoryTalk Services Platform version 6.20.00. [Jira 1697465]
There is no workaround for this issue.

When removing FactoryTalk Linx from a FactoryTalk View SE Client, if you run the CurrentLanguage command (for example, &stringtag = CurrentLanguage()), an error occurs indicating that the language switching service is unavailable. First identified in FactoryTalk Services Platform version 6.31.00. [Jira 1837668]
To avoid this problem,
1. Run Command Prompt as administrator.
2. Enter C:\Program Files (x86)\Common Files\Rockwell.
3. Enter regsvr32 RnaClientCore.dll.

Functional Changes

This release has the following functional changes from the previous release.

FactoryTalk Services Platform version 6.40.00 has the following changes in functionality since the last release.

Support the Socket.IO channel for all FactoryTalk Directory operations between the clients and servers.

Application Notes

This release has the following application notes.

These application notes apply to FactoryTalk Services Platform version 6.40.00.

CIS Benchmarks test results

Rockwell Automation conducts tests using domain-joined computers configured according to the Center for Internet Security (CIS) operating system benchmarks to help assure that software products perform as expected on computers that are hardened following industry best practices.

For more information about the guidelines, see the Knowledgebase Document ID: QA63609 - Recommended guidelines for hardening software, computer, device, and network systems and infrastructure (CIS Benchmarks).

FactoryTalk Services Platform version 6.40.00 has been tested on CIS Microsoft Windows 10 Enterprise (Release 22H2) Benchmark v2.0.0, CIS Microsoft Windows 11 Enterprise (Release 22H2) Benchmark v2.0.0, CIS Microsoft Windows Server 2019 Benchmark v2.0.0, and CIS Microsoft Windows Server 2022 Benchmark v2.0.0.

Exceptions settings for FactoryTalk Services Platform version 6.40.00 are listed.

FactoryTalk Directory Server

CIS Microsoft Windows 10 Enterprise (Release 22H2) Benchmark v2.0.0

2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users' - When using the DCOM communication channel the system requires the NETWORK service account to be added to this policy. The Socket.IO channel does not require policy modification.
5.41 (L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed' - The system uses IIS for proper operation; it must be installed and enabled.

9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.
9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.
9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.

CIS Microsoft Windows 11 Enterprise (Release 22H2) Benchmark v2.0.0

2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users' - When using the DCOM communication channel the system requires the NETWORK service account to be added to this policy. The Socket.IO channel does not require policy modification.
5.41 (L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed' - The system uses IIS for proper operation; it must be installed and enabled.

9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.
9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.
9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.

CIS Microsoft Windows Server 2019 Benchmark v2.0.0

9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.
9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.
9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.

CIS Microsoft Windows Server 2022 Benchmark v2.0.0

9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.
9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.
9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.

FactoryTalk Directory Client

CIS Microsoft Windows 10 Enterprise (Release 22H2) Benchmark v2.0.0

9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.
9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.
9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.

CIS Microsoft Windows 11 Enterprise (Release 22H2) Benchmark v2.0.0

9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.
9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.
9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.

CIS Microsoft Windows Server 2019 Benchmark v2.0.0

9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.
9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.
9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.

CIS Microsoft Windows Server 2022 Benchmark v2.0.0

9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.
9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.
9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' - Enabling these policies prevents Rockwell Automation’s Windows Firewall Configuration Utility (WFCU) from turning the firewall off and on during operation.

Full OS backup

Rockwell Automation does not test any third-party software to perform the full Windows operating system backup, for example, Veritas Backup Exec. When performing a computer backup on a running virtualized system, it is recommended the system is stopped before performing a backup.

Application(client) Secret

If you want to use the web applications and Azure AD authentication, you must provide a Client Secret from the Azure AD App Registration when configuring the Azure AD Authenticate Site in FactoryTalk Administration Console.

Application(client) Secret

Installation

The system will modify the access control list (ACL) of RNAServer’s subfolders, including Global, Local, and Backups, and give the Write permission to the administrator and services only during the FactoryTalk Services Platform installation. After installation, if you need the Write permission to these subfolders in ProgramData\Rockwell\RNAServer in the installation drive, go to C:\Program Files (x86)\Common Files

\Rockwell and then run ChangeACE.exe as administrator to modify permissions. The command-line parameters and their meanings are as follows:

\a
Add the Write permission to all users.

\r
Remove the Write permission of all users except for the administrator and services.

FactoryTalk Diagnostics

FactoryTalk Diagnostics cannot log to a remote database using Microsoft Access. You can only log to a local database using Microsoft Access.

Product Updates and Patches

For the latest Product Updates and Patches, refer to Knowledgebase Document ID: IN1983 - Firmware and Software Updates. To be notified when new Product Updates or Patches are released, click the ADD TO FAVORITES link at the top of the Knowledgebase Answer.

For additional information about changes to communications software after the writing of these Release Notes, refer to Knowledgebase Document ID: IN7550 - FactoryTalk Linx Patch and Release Information.

To download software updates, firmware updates, or patch roll-ups, refer to the Product Compatibility and Download Center.

Mitigation for Microsoft DCOM Hardening patch

In response to Microsoft Distributed Component Object Model (DCOM) Hardening patch (MS KB5004442), the minimum DCOM authentication level used by Rockwell Automation products was raised to Packet Integrity.

IMPORTANT

Installing this product’s latest version with earlier unpatched versions of other FactoryTalk products or products using Classic OPC DA connections may cause a loss of connectivity due to the difference in DCOM authentication level used. For additional information, see the Knowledgebase Document ID: IN39461 - Microsoft DCOM Hardening Information TOC.

Microsoft releases the DCOM Hardening patch in response to CVE-2021-26414. This patch elevates the minimum DCOM authentication level that is required to establish a DCOM connection. DCOM is used by many Rockwell Automation products and may be affected by the change that is made by the Microsoft patch. For additional information about the affected Rockwell Automation products, see the Knowledgebase Document ID: PN1581 - Product Notification 2022-01-001 - Rockwell Automation products unable to establish proper DCOM connection after installing Microsoft DCOM Hardening patch (MS KB5004442).

Windows Administrator permissions

When performing some actions with a user account that is not a member of the Windows Administrators group, Windows prompts for the username and password of a Windows administrator. This Windows administrator credentials prompt cannot be disabled. This prompt appears even when User Account Control (UAC) is disabled.

The actions that require Windows administrator actions are:

This action	Commonly started this way	Requires administrator access before running this program
Viewing or changing the name of the computer hosting the FactoryTalk Directory Server in FactoryTalk Administration Console or Running the FactoryTalk Directory Server Location Utility	In FactoryTalk Administration Console, Tools > FactoryTalk Directory Server Options or Start > All Programs > Rockwell Software > FactoryTalk Tools > Specify FactoryTalk Directory Location	FTSetDirSrv.exe
Setting up or changing settings related to FactoryTalk Diagnostics	In FactoryTalk Administration Console, Tools > FactoryTalk Diagnostics > Setup	DiagnosticsSetup.exe
Running the Windows Firewall Configuration Utility	Start > All Programs > Rockwell Software > FactoryTalk Tools > Windows Firewall Configuration Utility	WFCU.exe
Installing FactoryTalk Services Platform, which silently runs the FactoryTalk Directory Configuration Wizard or Running the FactoryTalk Directory Configuration Wizard	Installation or Start > All Programs > Rockwell Software > FactoryTalk Tools > FactoryTalk Directory Configuration Wizard	FTDConfigurationUtility.exe
Installing the RSSecurity Emulator to allow existing RSSecurity Server clients to access FactoryTalk Security	Start > All Programs > Rockwell Software > FactoryTalk Tools > RSSecurity Emulator Install	RSSecurity Emulator 6.30 (CPR 9 Service Release 13).msi

Server Status display

If the FactoryTalk Linx server service is explicitly stopped using the Windows Services control panel the service will automatically restart to respond to client requests. If using redundant servers, stopping the service will cause a switchover to the secondary server.

In both situations, a standalone server and a redundant server configuration, if the Server Status dialog box is open when the service is stopped the status of the server displays Ready to provide service instead of Active.

Closing the Server Status dialog box and reopening it updates the status displayed accordingly.

Unattended or silent install

Use command-line parameters to perform an unattended or silent installation of the software.

Installation Command-line parameters

The following table identifies the installation command-line parameters. Command-line parameters are case-insensitive. However, if a specified value includes a space, be sure to enclose the value in quotation marks (for example, "value with spaces").

Parameter	Description
/?	Displays the usage options for installation parameters.
/Q	Silent Install, install runs in a quiet mode without any user interface. This parameter is recommended when deploying the software installation using an IT tool or script, and don’t expect any error or restart messages. When using this parameter, check the error codes, and respond as needed. For example, if the installation returns error code 1641, then the IT tool or script should restart the computer and relaunch the installation after restart. This parameter is required if /QS is not specified.
/QS	Unattended Install, install runs in a quiet simple mode and shows progress through the UI, it does not accept any input but still shows errors or restart messages. When using this parameter, the installation will stop and display a prompt if there are errors or restart messages. For example, if an immediate restart is required to complete the install, a restart message will be displayed to confirm the restart. Installation resumes automatically from the point of interruption after restart. This parameter is required if /Q is not specified.
/IAcceptAllLicenseTerms	Acknowledges acceptance of the license terms. This parameter is required for /Q or /QS parameters.
/AutoRestart	Automatically restarts the computer after the installation is complete. Used when a restart is required to complete the installation. This parameter is optional. If this parameter is not used silent install (/Q) will return either error code 1641 or 3010 if a restart is required, and unattended install (/QS) will result in a confirmation prompt that must be agreed to before the installation is completed.
/Record	Records the installation options chosen to a recording file. This parameter is optional.
/Playback	Plays back a recording file to specify the installation options. This parameter is optional.
/SetupLanguage="value"	Specifies which language will be displayed during the install process. The value must be one of the following: ENU CHS DEU ESP FRA ITA JPN KOR PTB This parameter is optional. If this parameter is not used, the default language is the current user or operating system user interface language.
/IgnoreWarning	Specifies that the setup ignores warnings and continues. This parameter is optional. If it is not specified, the setup exits when a warning occurs.
/ftsp-s	Specifies the FactoryTalk directory scope for restore. Only "Global" and "Local" scopes are supported. This parameter is optional.
/ftsp-bak	Specifies the location where the restore file can be found. This parameter is optional.
/ftsp-pp	Specifies the plain text used to decrypt the backup file. This parameter is optional.
/ftsp-value=enable/disable	Specifies to enable or disable the option Require computer accounts for all client machines in Security Policy. The option is used to determine whether or not a client computer account must exist in the directory to log in. This parameter is optional.
/FTSPWebAuth="value"	Specifies that the installation includes the FactoryTalk Web Authentication Server. This parameter is optional. The value must be one of the following: Yes If the value is Yes, the FactoryTalk Web Authentication Server will be installed. The FactoryTalk Reverse Proxy will also be installed as it is required for operation of the FactoryTalk Web Authentication Server. No If the value is No, the FactoryTalk Web Authentication Server will not be installed.
/ReverseProxy="value"	Specifies that the installation includes the FactoryTalk Reverse Proxy. This parameter is optional. The value must be one of the following: Yes If the value is Yes, the FactoryTalk Reverse Proxy will be installed. No If the value is No, the FactoryTalk Reverse Proxy will not be installed.
/FTSPWebEventServer="value"	Specifies that the installation includes the FactoryTalk Web Event Server. This parameter is optional. The value must be one of the following: Yes If the value is Yes, the FactoryTalk Web Event Server will be installed. No If the value is No, the FactoryTalk Web Event Server will not be installed.
/SystemStatusPortal="value"	Specifies that the installation includes the FactoryTalk System Status Portal. This parameter is optional. The value must be one of the following: Yes If the value is Yes, the FactoryTalk System Status Portal will be installed. The FactoryTalk Reverse Proxy and FactoryTalk Web Authentication Server will also be installed as it is required for operation of the FactoryTalk System Status Portal. No If the value is No, the FactoryTalk System Status Portal will not be installed.
/DirectoryServer	Specifies the directory server name. This parameter is optional. If it is not specified, the setup turns on HTTPS for communication, and a TLS certificate must be configured after installation.
/NoHTTPS	Specifies that the setup turns off HTTPS. This parameter is optional. If it is not specified, the setup turns on HTTPS for communication, and a TLS certificate must be configured after installation.
/Repair	Runs a repair operation on the installed products. This parameter is optional.
/InstallDrive="value"	Specifies the install drive. This parameter is optional. If this parameter is not used, the default install location is "C:\Program Files (x86)\Rockwell Software". Some software restricts the installer to only change the drive the software is installed on. Use /? to determine which parameter is supported.
/Uninstall	Use to uninstall the product. This parameter is optional.

Examples

The following examples show how to use the installation commands.

To install the software with no user interface using the default settings during the installation process. (Silent install)

Setup.exe /Q /IAcceptAllLicenseTerms

To install the software with Chinese displayed during the install process and restart the computer if necessary. (Unattended install)

Setup.exe /QS /IAcceptAllLicenseTerms /AutoRestart /SetupLanguage=CHS

To install the software with FactoryTalk security policy value specified.

Setup.exe /Q /IAcceptAllLicenseTerms /ftsp-value=enable

To perform a restore during the install process.

Setup.exe /Q /IAcceptAllLicenseTerms /ftsp-bak="C:\aa.bak"

To specify the FactoryTalk Directory machine.

Setup.exe /Q /IAcceptAllLicenseTerms /DirectorySever=severname

Error codes

The following table identifies the error codes that can be returned by an installation.

Error Code	Value	Description
ERROR_SUCCESS	0	The installation completed successfully.
ERROR_INVALID_PARAMETER	87	One of the parameters was invalid.
ERROR_INSTALL_USEREXIT	1602	The installation was canceled by the user.
ERROR_INSTALL_FAILURE	1603	A fatal error occurred during installation.
ERROR_BAD_CONFIGURATION	1610	The configuration data for this product is corrupt. Contact your support personnel.
ERROR_REBOOT_CONTINUE	1641	A restart is required to continue the installation.
ERROR_SUCCESS_REBOOT_REQUIRED	3010	A restart is required to complete the installation. After restarting, the product is successfully installed.
ERROR_REBOOT_PENDING	3012	Restart is pending. Restart the computer to continue the installation.
ERROR_SUCCESS_NOT_APPLICABLE	3013	The installation cannot proceed because the products are already installed.
ERROR_SUCCESS_WARNING_REBOOT	3014	The installation succeeded with warnings. Check the installation log file for details. To complete the installation, restart the computer.

Certificates

The following certificates are installed when installing Rockwell Automation software.

Use Microsoft Management Console (MMC) to view the certificates in Console Root > Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
- 2016-Rockwell-Driver-SHA1.cer
- 2016-Rockwell-SHA256.cer
- DriverCodeSigning2012-1.cer
- Drivers-10-10-2018.cer
- Drivers-11-03-2017.cer
- Drivers-12-06-2016.cer
- DriversSHA1-10-10-2018.cer
- Drivers-SHA1-11-27-2017.cer
- Logix-11-04-2016.cer
- Rockwell_2013.cer
- Rockwell_2014.cer
- Rockwell_2015.cer
- rockwellcert2010.cer
- rockwellcert2013.cer
- VeriSign Class 3 Public Primary Certification Authority -G5 2036.cer
Use Microsoft Management Console (MMC) to view the certificates in Console Root > Certificates (Local Computer) > Trusted Publishers > Certificates.
- MicRooCerAut2011_2011_03_22.cer
- RA - Enterprise Root Certification Authority.cer
- VeriSign Universal Root Certification Authority.cer

FactoryTalk Services Platform and Sophos Anti-Virus

Rockwell Automation® does not formally test with Sophos Anti-Virus®, but has received reported issues with it and the FactoryTalk Services Platform. Specifically, Sophos Anti-Virus functionality has resulted in FactoryTalk process crashes due to the loading of Sophos Anti-Virus DLLs in the RSVCHOST process space. The resolution to these reported issues was to disable Sophos Anti-Virus, which allowed for proper functionality of the FactoryTalk Services Platform. Other workarounds may have resolved the problem, such as allowing FactoryTalk Services Platform within the Sophos Anti-Virus application, but these were not tested. Only a small number of these cases have been reported, meaning it is not clear if all Sophos Anti-Virus deployments will experience issues.

FactoryTalk Services Platform and Microsoft XML Core Services (MSXML)

Due to the end of the Microsoft product support lifecycle, all Microsoft XML Core Services (MSXML) 3.0 and 4.0 libraries have been removed from FactoryTalk Services Platform. These libraries may be installed or used by other applications but are not installed or used by FactoryTalk Services Platform.

Network security

For the latest network security considerations when using Rockwell Automation products, visit the Rockwell Automation Knowledgebase.

For information about:

File extensions created by Rockwell Automation software, firewall rules, and service dependences, see Knowledgebase Document ID: PN826 - Security considerations when using Rockwell Automation Software Products.
TCP/UDP ports used by Rockwell Automation products, see Knowledgebase Document ID: BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

Password Policy compatibility

FactoryTalk Services Platform version 3.00 or earlier used the MD5 cryptographic hashing algorithm to encode passwords. If compatibility with FactoryTalk Services Platform version 3.00 or earlier is required the MD5 password encryption method must be selected. MD5 is an older algorithm that has known security vulnerabilities. Using the SHA-256 encryption method is recommended.

IMPORTANT

After changing the password encryption method, all existing FactoryTalk user accounts' password will be removed and must be re-entered by the user.

To modify the Password encryption method

In FactoryTalk Administration Console Explorer, expand System > Policies > System Policies.
Right-click Security Policy and select Properties.
In Security Policy Properties, select > to expand Password Policy Settings.
In Password encryption method select the down arrow and select SHA-256 or MD5.
Changing the password encryption method invalidates current user passwords.
Select OK or Apply to apply the new settings.
Choose how to apply the password encryption method change to all of the current FactoryTalk user accounts.
- Select Disable all FactoryTalk user accounts to review each user account and select unique passwords for each.
- Select Reset all FactoryTalk user passwords immediately to set a new password on all user accounts and require users to specify a new password the next time they log on.

System login method

Please be aware that selecting Badge Only as system login method allows access to the system without authenticating the native FactoryTalk user. The system grants access solely on the identity of the badge. To maintain a strong security posture, we recommend that you select Password and Badge as the system login method to provide passwords in addition to presenting the badge.

Note: The Badge Only system login method cannot be used with Windows-linked users.

Rockwell Automation recognizes that some of the terms that are currently used in our industry and in this publication are not in alignment with the movement toward inclusive language in technology. We are proactively collaborating with industry peers to find alternatives to such terms and making changes to our products and content. Please excuse the use of such terms in our content while we implement these changes.

Copyright © 2025 Rockwell Automation, Inc. All rights reserved.
Rockwell Automation, Allen-Bradley, and FactoryTalk are trademarks of Rockwell Automation, Inc.
To view a complete list of Rockwell Automation trademarks please click here.
Trademarks not belonging to Rockwell Automation are property of their respective companies.