Microsoft have just announced they will allow small businesses with less than 10 seats to use Microsoft Security Essentials for free. But even having to configure 10 copies of Microsoft Security Essentials (MSE) can be a pain, so below is a quick tutorial on how you can Group Policy enable Microsoft Security Essentials.
Update: Microsoft have now updated their Microsoft Security Essentials web site to say small businesses can now “officially” use MSE.
Before we begin I want to be clear that MSE does NOT natively support Group Policy; this is simply a way to configure the registry keys of the application using the Group Policy Preferences Registry key setting.
Note: If the below instructions to create the registry keys seem like too much work, you will be glad to know that I have put a link at the bottom to an XML Group Policy Preferences Registry file. You can use this file to automatically import all the Policy Registry settings I talk about below.
How to use Group Policy Preferences Registry key setting.
Before we begin we first need to know how to create a Group Policy Preferences Registry Key setting, which we will use to control each of the registry keys we need to configure MSE. The following steps will need to be repeated for each registry key below.
Step 1. Edit a Group Policy Object that is applied to the computers to which you want this setting applied.
Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry
Step 3. In the Menu click on Action > New > Registry Item
Now that you know how to configure a registry key setting using Group Policy Preferences, you can create a new Registry Item for each registry key listed below.
Note: The Data values below that are highlighted in BOLD are the values you need to use to replicate the examples shown.
How to configure Scheduled Scan using Group Policy for Microsoft Security Essentials
Now you need to create a few specific registry keys. In this example we are going to configure a Full Scheduled scan to run each day at 8am. We are also going to enable the option to check for an update before scanning and we are going to configure the scan to
Scheduled Day
Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: ScheduleDay (REG_DWORD)
Data: 0 (Every Day)
Data: 1 (Sunday)
Data: 2 (Monday)
Data: 3 (Tuesday)
Data: 4 (Wednesday)
Data: 5 (Thursday)
Data: 6 (Friday)
Data: 7 (Saturday)
Scheduled Time
Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: ScheduleTime (REG_DWORD)
Data: 0 (12am)
Data: 000001e0 (8am)
The data of this value represents the number of minutes from 12am in hex; therefore if you want 8am, set the data to “000001e0”.
Full or Quick Scan
Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: ScanParameters (REG_DWORD)
Data: 1 (Quick Scan)
Data: 2 (Full Scan)
Check for Update before scanning
Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: CheckForSignaturesBeforeRunningScan (REG_DWORD)
Data: 0 (Disabled)
Data: 1 (Enabled)
Scan only when idle
Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: ScanOnlyIfIdle (REG_DWORD)
Data: 0 (Scan when idle)
Data: 1 (Scan when active)
Now all your computers will have the scheduled scan option configured as shown in the image below.
How to configure Real-Time Protection options using Group Policy for Microsoft Security Essentials
Below are the registry keys for configuring the “Real-Time Scanning” settings for Microsoft Security Essentials.
Monitor file and program activity
Key: HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection
Value: DisableIOAVProtection (REG_DWORD)
Data: 0 (Real-Time scan Enabled)
Data: 1 (Real-Time scan Disabled)
Scan all downloaded files and attachments
Key: HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection
Value: DisableOnAccessProtection (REG_DWORD)
Data: 0 (Scan Enabled)
Data: 1 (Scan Disabled)
Your real-time protection should now be configured as shown below.
How to configure Advanced Real-Time Protection options using Group Policy for Microsoft Security Essentials
Below are the registry keys for configuring the “Advanced” settings for Microsoft Security Essentials.
Scan archive files
Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: DisableArchiveScanning (REG_DWORD)
Data: 0 (Enable Archive Scanning)
Data: 1 (Disable Archive Scanning)
Scan Removable Drives
Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: DisableRemovableDriveScanning (REG_DWORD)
Data: 0 (Scan Enabled)
Data: 1 (Scan Disabled)
Create a system restore point
Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: DisableRestorePoint (REG_DWORD)
Data: 0 (Create Restore Point)
Data: 1 (Do not create Restore Point)
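To confirm the preferences actually landed on a client, the values above can be checked from a registry export of the Microsoft Antimalware key. The following is an added example, not part of the original post: it parses .reg text and reports every value that differs from a baseline. The baseline (0 for every Disable* value) and the sample export are assumptions constructed for illustration.

```python
import re

ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware"
SCAN, RTP = ROOT + r"\Scan", ROOT + r"\Real-Time Protection"
# Assumed baseline: the article's daily 8am full scan with a signature check
# first, plus 0 for every Disable* value (this example's choice).
BASELINE = {
    (SCAN, "ScheduleTime"): 8 * 60,  # minutes after 12am, stored as 0x000001e0
    (SCAN, "ScheduleDay"): 0, (SCAN, "ScanParameters"): 2,
    (SCAN, "CheckForSignaturesBeforeRunningScan"): 1, (SCAN, "DisableRestorePoint"): 0,
    (SCAN, "DisableArchiveScanning"): 0, (SCAN, "DisableRemovableDriveScanning"): 0,
    (RTP, "DisableIOAVProtection"): 0, (RTP, "DisableOnAccessProtection"): 0,
}
DWORD = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{8})')

def parse_reg(text):
    """Return {(key, value_name): int} for each REG_DWORD in .reg export text."""
    found, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry paths are case-insensitive
        elif key and (m := DWORD.fullmatch(line)):
            found[(key, m.group(1).lower())] = int(m.group(2), 16)
    return found

def audit(text):
    """Return (value_name, expected, actual) per drifted value; actual is None if absent."""
    found = parse_reg(text)
    rows = ((name, want, found.get((key.lower(), name.lower())))
            for (key, name), want in BASELINE.items())
    return [row for row in rows if row[1] != row[2]]

# Constructed sample: scan moved to 2am, one real-time value at 1, DisableRestorePoint absent.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan]
"ScheduleDay"=dword:00000000
"ScheduleTime"=dword:00000078
"ScanParameters"=dword:00000002
"CheckForSignaturesBeforeRunningScan"=dword:00000001
"DisableArchiveScanning"=dword:00000000
"DisableRemovableDriveScanning"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Real-Time Protection]
"DisableIOAVProtection"=dword:00000000
"DisableOnAccessProtection"=dword:00000001
'''

if __name__ == "__main__":
    for name, want, got in audit(SAMPLE):
        print(f"{name}: expected {want}, found {got}")
```

`reg export` writes UTF-16 text, so decode the exported file accordingly before passing its contents to `audit`.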
Importing Group Policy Preferences
For your convenience I have provided a link to an XML Group Policy Preferences Registry file for all the above settings.
Simply save the file to your desktop and then drag it into the empty pane on the right-hand side, click “Yes” to confirm the import and you will have all the registry keys automatically created.
Very helpful article on "Group Policy for Microsoft Security Essentials" by @alanburchill http://t.co/HgBWr0n
I can just say, great MVP man with great Articles
I always see a new great article
I love it
thanks again
regards
Is there any method of pointing the client to an update folder on the LAN rather than each one updating via the internet?
Meaning that either one client can update via the update site, and the others be directed to the updated files on that client
Or that the update be manually downloaded and saved to a common mapped folder?
Thanks
Jonathan
In this article the description is very clear and helpful. It describes everything clearly. I enjoyed the article very much. I also have read an article about this topic here “http://www.techyv.com/article/group-policy-essentials-2003-2008” which is very helpful also.
Hi Alan – thanks for an excellent article and GPO Preferences file.
Very useful for preventing end users from modifying settings by accident.
I think there is a small typo regarding this setting:
Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: ScanOnlyIfIdle (REG_DWORD)
Data: 0 (Scan when idle)
Data: 1 (Scan when active)
Should probably have said:
Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: ScanOnlyIfIdle (REG_DWORD)
Data: 0 (Always Scan) <- default
Data: 1 (Scan only if idle)
Cheers,
Steen
Fantastic post, thanks for sharing these settings and compiling the XML – one note however: I was not able to drag-and-drop the XML into the Preferences right pane (Server 2008 setting perhaps?) as instructed, I was however able to Ctrl+C the XML file and right-click Paste it into the Preferences pane
Much appreciated, Alan
How can I get other REG_DWORDs for MSE? Specifically I would like to disable the settings tab for users.
How am I able to configure the settings for automatically deleting quarantined files using regedit?