Group Policy for Microsoft Security Essentials

imageMicrosoft have just announced they will allow small business with less that 10 seats to use Microsoft Security Essentials for free. But even having to configured 10 copies of Microsoft Security Essentials (MSE) can be a pain so below is a quick tutorial on how you can Group Policy Enable Microsoft Security Essentials.

Update: Microsoft have now updated their Microsoft Security Essentials web site to say small business can now “officially” use MSE.

Microsoft Security Essentials Download

Before we begin I want to be clear that MSE does NOT natively support group policy this is simply a way to configure the registry keys of the application using the Group Policy Preferences Registry key setting.

Note: If the below instructions to create the registry keys seems like to much work you will be glad to know that I have put a link at the bottom to an XML Group Policy Preferences Registry file. You can use this file to import the all the Policy Registry setting I talk about below automatically.


How to use Group Policy Preferences Registry key setting.

Before we begin we first need to know how to create a Group Policy Preferences Registry Key setting that we will use to control each of the registry keys we need to configured MSE. The following steps will need to be repeated for each registry key below.

Step 1. Edit a Group Policy Object that is applied to the computers you want this setting applied.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry

Group Policy Management Editor

Step 3. In the Menu click on Action > New > Registry Item

New Registry Properties

Now you know how to configure a registry key setting using Group Policy Preferences you can create a new Registry Item for each registry key listed below.

Note: The Data values below that are highlighted in BOLD are the values you need to use to replication the examples shown.

How to configured Scheduled Scan using Group Policy for Microsoft Security Essentials

Now you need to create a registry few specific registry keys. In this example we are going to configured a Full Scheduled scan to run each day at 8am. We are also going to enable the option to check for an update before scanning and we are going to configure the scan to

Scheduled Day

Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: ScheduleDay (REG_DWORD)
Data: 0 (Every Day)
Data: 1 (Sunday)
Data: 2 (Monday)
Data: 3 (Tuesday)
Data: 4 (Wednesday)
Data: 5 (Thursday)
Data: 6 (Friday)
Data: 7 (Saturday)

Scheduled Time

Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: ScheduleTime (REG_DWORD)
Data: 0 (12am)
Data: 000001e0 (8am)

The data of this value represents the number of minutes from 12am in hex… therefore if you want 8am configured the data to “000001e0”

Full or Quick Scan

Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: ScanParameters (REG_DWORD)
Data: 1 (Quick Scan)
Data: 2 (Full Scan)

Check for Update before scanning

Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: CheckForSignaturesBeforeRunningScan (REG_DWORD)
Data: 0 (Disabled)
Data: 1 (Enabled)

Scan only when idle

Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: ScanOnlyIfIdle (REG_DWORD)
Data: 0 (Scan when idle)
Data: 1 (Scan when active)

Now all your computers will have the scheduled scan option configured as the following image below.

Microsoft Security Essentials Settings


How to configure Real-Time Protection options using Group Policy for Microsoft Security Essentials

Below are the registry keys for configuring the “Rea-Time Scanning” settings for Microsoft Security Essentials.

Monitor file and program activity

Key: HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection
Value: DisableIOAVProtection (REG_DWORD)
Data: 0 (Real-Time scan Enabled)
Data: 1 (Real-Time scan Disabled)

Scan all downloaded files and attachments

Key: HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection
Value: DisableOnAccessProtection (REG_DWORD)
Data: 0 (Scan Enabled)
Data: 1 (Scan Disabled)

You real time protection should now be configured as shown below.

Microsoft Security Essenitals Settings Real-time protection


How to configure Advanced Real-Time Protection options using Group Policy for Microsoft Security Essentials

Below are the registry keys for configuring the “Advanced” settings for Microsoft Security Essentials.

Scan archive files

Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: DisableArchiveScanning (REG_DWORD)
Data: 0 (Enable Archive Scanning)
Data: 1 (Disable Archive Scanning)

Scan Removable Drives

Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: DisableRemovableDriveScanning (REG_DWORD)
Data: 0 (Scan Enabled)
Data: 1 (Scan Disabled)

Create a system restore point

Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
Value: DisableRestorePoint (REG_DWORD)
Data: 0 (Create Restore Point)
Data: 1 (Do not create Restore Point)

Microsoft Security Essenitals Settings Advanced

Importing Group Policy Preferences

For your convenience I have provided you a link to a XML Group Policy Preferences Registry file for all the above settings.

 

Simply save the file to your desktop and then drag it into the empty pane on the right hand side, click “Yes” to confirm the import and you will have all the registry keys automatically created.

image

Group Policy Management Editor

Author: Alan Burchill

Microsoft MVP (Group Policy)

22 thoughts on “Group Policy for Microsoft Security Essentials

  1. I can just say, great MVP man with great Articles
    always i see new great Article
    I love it

    thanks again
    regards

  2. Is there any method of pointing the client to an update folder on the LAN rather than each one updating via the internet?
    Meaning that either one client can update via the update site, and the others be directed to the updated files on that client

    Or that the update be manually downloaded and saved to a common mapped folder?

    Thanks

    Jonathan

  3. In this article the description is very clear and helpful. It describes everything clearly. I enjoyed the article very much. I also have read a article about this topic here “http://www.techyv.com/article/group-policy-essentials-2003-2008” which is very helpful also.

  4. Hi Alan – thanks for an excellent article and GPO Preferences file.
    Very useful for preventing endusers from modifying settings by accident.

    I think there is a small typo regarding this setting:

    Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
    Value: ScanOnlyIfIdle (REG_DWORD)
    Data: 0 (Scan when idle)
    Data: 1 (Scan when active)

    Should probably have said:

    Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
    Value: ScanOnlyIfIdle (REG_DWORD)
    Data: 0 (Always Scan) <- default
    Data: 1 (Scan only if idle)

    Cheers,
    Steen

  5. Fantastic post, thanks for sharing these settings and compiling the XML – one note however: I was not able to drag-and-drop the XML into the Preferences right pane (Server 2008 setting perhaps?) as instructed, I was however able to Ctrl+C the XML file and right-click Paste it into the Preferences pane

    Much appreciated, Alan

  6. How can I get other REG_DWORDS for MSE? Specifically I would like to disable the settings tab to users..

Leave a Reply