Controlling the end-user experience
Applies To: Forefront Client Security
A Client Security policy includes settings for configuring what the end user experiences when using a managed client computer, such as whether users can access the Client Security agent UI. When you edit or create a policy, use the Advanced tab to configure the user experience.
The settings under Client options are available only if the policy specifies that either spyware protection or virus protection is on, or if both virus and spyware protection are on. If spyware protection and virus protection are both set to User controlled, then the Client options are disabled and the user will automatically have access to the Client Security agent UI. For more information, see Enabling and disabling malware protection.
The following table describes the five options under Client options.
Client option | Effect of enabling the option |
---|---|
User can view all Client Security agent settings and messages |
Allows all users to see the Client Security agent UI and to run scans. When settings on the Protection tab are set to User controlled, this option enables administrators to change settings in the UI. |
Users can only view system tray icon and status messages |
Limits users to minimal access. Denies to all users access to the Client Security agent UI. Users can see the Client Security notification area (formerly known as system tray) icon, balloon tips from the notification area icon, messages regarding malware detection by real-time protection, and error messages. Note If Group Policy disables balloon messages on a computer, users do not see balloon tips from the Client Security notification area icon. When users have no access to the Client Security agent UI, this means they receive no notification when the agent detects malware during scheduled or interval scans. |
Only administrators can change Client Security agent settings |
Allows only local administrators to see the Client Security agent UI and to run scans (only when access to the Client Security agent UI is allowed). |
Allow users to add exclusions and overrides |
Allows users to add exclusions and overrides (only when access to the Client Security agent UI is allowed). |
Prompt user when unclassified software is detected |
Enables the Client Security agent to prompt users when it detects unclassified software. This feature is not affected by other settings under Client options. |
In the following table, each row lists one combination of enabled settings under Client options and the effect of those settings on the end-user experience.
Enabled Client options settings | View notification area icon and status messages | Open Client Security agent and run scans | Change user-controlled settings | Add exclusions and overrides |
---|---|---|---|---|
|
All users |
All users |
All users |
No users |
|
All users |
All users |
Administrators only |
Administrators only |
|
All users |
Administrators only |
Administrators only |
No users |
|
All users |
Administrators only |
Administrators only |
Administrators only |
|
All users |
No users |
No users |
No users |
About user-defined exclusions and overrides
If users are allowed access to the Client Security agent UI and you allow user-defined changes to scan exclusions and overrides, only users with administrator privileges can change these settings.
When you change the policy protecting a client computer and disallow user-defined exclusions and overrides, this setting only affects the ability of users to add new exclusions and overrides. Client Security retains user-defined exclusions and overrides configured before you deploy a policy that disallows them.
About user-controlled scheduled scans
You can allow end users to schedule malware scans using the Client Security agent UI. To enable this, you must grant access to the Client Security agent UI by using the settings under Client options, and you must specify User controlled on one or more of the settings on the Protection tab. For information about allowing user-controlled scheduled scans, see Configuring scheduled and interval malware scans.
About user prompts and unclassified software
Unclassified software is software that is not explicitly identified in malware definitions as malware or as trusted software. If a Client Security agent detects suspicious behavior by unclassified software and the Prompt user when unclassified software is detected option is enabled in the policy applied to the computer, Client Security prompts the user. Users can choose whether to allow the detected action by the unclassified software.
Important
If you enable Client Security to prompt users about unclassified software, it is strongly recommended that you use a test environment to determine if Client Security detects suspicious actions by applications that are common and legitimate in your organization. To avoid prompting the user for these applications, you should exclude them from scans in policies that enable the Client Security agent to prompt users about unclassified software. For more information, see Excluding files, folders, and file types from scans.
Configuring client options
To configure how users experience the Client Security agent
In the Client Security console, create or edit a policy. For details about how to create or edit a policy, see Creating, editing, copying, and deleting policies.
In the New Policy or Edit Policy dialog box, click the Advanced tab.
Under Client options, configure whether users can access the Client Security agent UI. Do one of the following:
If you want to provide users with full access to the Client Security agent UI, select the User can view all Client Security agent settings and messages option.
If you want to provide users with minimal access to the Client Security agent UI, select the User can only view system tray icon and status messages option. This is the default setting in a new policy. Regardless of user privileges, including administrator privileges, the user cannot access the Client Security agent UI.
If you are allowing full access to the Client Security agent UI, configure whether only administrators can access the Client Security agent UI. Do one of the following:
If you want to allow only administrators to access the Client Security agent UI, select the Only administrators can change Client Security agent settings check box.
If you want to allow all users to change Client Security settings on a client computer, clear the Only administrators can change Client Security agent settings check box. This is the default setting in a new policy.
If you are allowing full access to the Client Security agent UI, configure whether administrators are allowed to add scan exclusions for files, folders, and file types and overrides for malware responses. Do one of the following:
If you want to allow administrators to configure exclusions and overrides, select the Allow users to add exclusions and overrides check box.
If you do not want to allow administrators to configure exclusions and overrides, clear the Allow users to add exclusions and overrides check box. This is the default setting in a new policy.
Configure whether the Client Security agent prompts users when it discovers unclassified software. Do one of the following:
If you want the Client Security agent to prompt users, select the Prompt users when unclassified software is detected check box.
If you do not want the Client Security agent to prompt users, clear the Prompt users when unclassified software is detected check box. This is the default setting in a new policy.
After you finish creating or editing the policy, click OK.
To apply the policy to client computers, you must deploy the policy. For information about deploying a policy, see Deploying and undeploying policies.