Share via


Policy settings and registry keys

Applies To: Forefront Client Security

This topic details the settings available in the New/Edit Policy dialog box and the registry key values that are pushed to the client computer within the policy. Also included are settings that are not exposed in the console.

Important

Registry key values are provided for informational purposes only. It is strongly recommended that you do not change registry key values.

Registry key values not associated with a policy are written to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0 key. Those keys and values are listed in Registry keys.

For information about creating or editing policies, see the Client Security Administrator's Guide (https://go.microsoft.com/fwlink/?LinkID=75776).

Settings exposed in the New/Edit Policy dialog box

The New/Edit Policy dialog box is used to define settings for a Client Security policy. The dialog box consists of five tabs:

  • General tab

  • Protection tab

  • Advanced tab

  • Overrides tab

  • Reporting tab

The registry key and values listed in the following tables are added to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0

General tab

Control Registry key Value

Name

<name>

Protection tab

Control Registry key Values* Scan type**

Virus protection

AM\

DisableAntiVirus (DAV)

On (0)

Off (1)

User controlled

R, S, C

Spyware protection

AM\

DisableAntiSpyware (DAS)

On (0)

Off (1)

User controlled

R, S, C

Use real-time protection (scan programs and services when they are accessed)

AM\Real-Time Protection\

DisableAntiVirusRealtimeProtection

AM\Real-Time Protection\

DisableAntiSpywareRealtimeProtection

On (0) (0)

Off (1) (1)

R

Run a scan at this time

Start time

AM\Scan\

ScheduleDay

Off (0x8)

Every day (0x0)

Sunday (0x1)

Monday (0x2)

Tuesday (0x3)

Wednesday (0x4)

Thursday (0x5)

Friday (0x6)

Saturday (0x7)

User controlled

S

  

AM\Scan\

ScheduleTime

12:00 AM-11:00 PM (0-1439)

User controlled

2 AM (120)

  

Scan type

AM\Scan\

ScanParameters

Full scan (2)

Quick scan (1)

S

Run a quick scan at set interval (hours)

AM\Scan\

QuickScanInterval

Off (0)

1–24 hours (1–24)

S

Scan at set interval (hours)

SSA\ScanAction\Time

1–24 hours (1–24)

12 hours (12)

V

Scan at this time

SSA\ScanAction\Time

12:00 AM–11:00 PM

3:00 AM (3)

V

Do not run security state scan

SSA\ScanAction\TimeType

ScanAction\Time = time (1)

ScanAction\Time = interval (0)

V

If scan was not run when scheduled, run as soon as possible

SSA\ScanAction\ScanWhenMissed

On (1)

Off (0)

V

*Default policy settings in bold

**R=Real-time scan, S=Scheduled scan, C=Client on-demand scan, V=SSA scan

Advanced tab

Control Registry key Values* Scan type**

Check for updates before starting a scan

AM\Scan\

CheckforSignaturesBeforeRunningScan

On (1)

Off (0)

S, C

Check for updates at set interval (hours)

AM\Signature Updates\

SignatureUpdateInterval

Off (0)

1-24 hours (1–24)

6 (6)

R, S

Check for updates on Microsoft Update when WSUS is unavailable

AM\Signature Updates\

CheckAlternateDownloadLocation

On (1)

Off (0)

R, S, C, V

Scan archive files

AM\Scan\

DisableArchiveScanning

On (0)

Off (1)

S, C

Use heuristics to detect suspicious files

AM\Scan\

DisableHeuristics

On (0)

Off (1)

R

Delete quarantined files

Delete after (days)

AM\Quarantine\

PurgeItemsAfterDelay

Off (0)

1–100 days (1–100)

R, S, C

File and folder paths

AM\Exclusions\

Paths

<empty>

R, S, C

Extensions

AM\Exclusions\

Extensions

<empty>

R, S, C

Users can view all Client Security settings and messages

Users can only view notification area icon and status messages

AM\UX Configuration\

ConsoleFunctionalityAvailable

Full UI (0)

Minimum UI (3)

R, S, C

Only administrators can change Client Security agent settings

AM\UX Configuration\

AllowNonAdminFunctionality

On (1)

Off (0)

R, S, C

Allow users to add exclusions and overrides

AM\

DisableLocalAdminMerge

On (1)

Off (0)

R, S, C

Prompt user when unclassified software is detected

AM\Real-Time Protection\

EnableUnknownPrompts

On (1)

Off (0)

R, S, C

*Default policy settings in bold

**R=Real-time scan, S=Scheduled scan, C=Client on-demand scan, V=SSA scan

Overrides tab

Control Registry key Values* Scan type**

Overrides based on threat

AM\Threats\

ThreatIDDefaultAction

<empty>

Ignore (6)

R, S, C

Overrides based on category

AM\Threats\

ThreatTypeDefaultAction

<empty>

Default Response (0)

Remove (3)

Quarantine (2)

Ignore (6)

R, S, C

Overrides based on severity

AM\Threats\

ThreatSeverityDefaultAction

<empty>

Default Response (0)

Remove (3)

Quarantine (2)

Ignore (6)

R, S, C

*Default policy settings in bold

**R=Real-time scan, S=Scheduled scan, C=Client on-demand scan, V=SSA scan

Reporting tab

Control Registry key Values* Scan type**

Specify the alert level

AlertLevel

1-5

3 (3)

R, S, C, V

Do not log events for files marked "Unknown"

AM\Reporting\

DisableLoggingForUnknown

On (1)

Off (0)

R, S, C

SpyNet reporting

AM\SpyNet\

SpyNetReporting

Off (0)

Basic (1)

Advanced (2)

R, S, C

Use Microsoft Internet Explorer® settings

Use other proxy server and port

AM\ProxyServer

Use IE settings <empty>

<text>

R, S, C

*Default policy settings in bold

**R=Real-time scan, S=Scheduled scan, C=Client on-demand scan, V=SSA scan

Settings not exposed in the console

Some settings associated with Client Security policies are not accessible or displayed through the console but are written to the registry when a policy is deployed. This section lists those settings and the associated defaults and registry key values.

When a policy is deployed, Client Security overwrites some registry key values that were written when the Client Security agent was installed and used on the client computer without a policy.

For a list of all the registry key values not associated with a policy, see Registry keys.

The registry keys and values in the following table are added to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0

Description Registry key New values from policy Default values without policy Scan type**

Designates whether the Client Security service will continue to run when scans are turned off

AM\

ServiceKeepAlive

On (1)

Off (0)

R, S

Designates whether the Client Security agent will take action on items detected during a real-time protection scan (after a non-configurable delay)

AM\Real-Time Protection\

AutomaticallyCleanRealTimeAfterDelay

On (1)

Off (0)

R

Designates whether the Client Security agent will take default actions during scheduled scans

AM\Scan\AutomaticallyCleanAfterScan

On (1)

Off (0)

S, C

Specifies the day and time that Client Security agent will update definitions

AM\Signature Updates\

ScheduleDate

Never (0x8)

Every day (0x0)

R, S

Specifies whether the Client Security icon will be displayed in the notification area at all times

AM\UX Configuration\

AlwaysShowTaskTrayIcon

On (1)

Off (0)

R, S

Reads language and minimum manifest version from server

SSA\ScanAction\

Parameter

<culture code>

<manifest version>

V

**R=Real-time scan, S=Scheduled scan, C=Client on-demand scan, V=SSA scan