We have a distributed system, and need to apply Defender "Allow" settings and
"ignore directory" settings across many nodes. Is there an API to accomplish
this? - or is it scriptable using Powershell or something?

thanks,
Paul.

Windows Defender has very limited group policy settings which are defined in
a .adm file installed as part of the product distribution.

For your use, Microsoft Forefront Client Protection--which has been
released, but won't be available until July, as I recall--except in the form
of a public beta--would be a far better fit.

--

"Paul." <Paul.@discussions.microsoft.com> wrote in message
news:6B87C003-4A4D-45D3-9041-(E-Mail Removed)...
> We have a distributed system, and need to apply Defender "Allow" settings
> and
> "ignore directory" settings across many nodes. Is there an API to
> accomplish
> this? - or is it scriptable using Powershell or something?
>
> thanks,
> Paul.

Hi,

If you export the relevent registry settings and save them to a .REG file,
these can be imported *BEFORE* you install WD

They will "stick" once the package has been installed.

If you attempt this once WD is installed the registry setting are protected
and cannot be altered.

My settings are as follows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"CheckForSignaturesBeforeRunningScan"=dword:00000000
"ScheduleTime"=dword:000004b0
"ScheduleDay"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\UX Configuration]
"AlwaysShowTaskTrayIcon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet]
"SpyNetReporting"=dword:00000002

I have often wondered if this is in fact bad design or a bug, but it's
useful.

Kind Regards

Simon

I think setting the permissions on the registry keys so that they are not
easily changed is likely by design. Your workaround is a good one,
though--thanks!

--

"Simon Zerafa" <(E-Mail Removed)*no-spam*.uk> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> If you export the relevent registry settings and save them to a .REG file,
> these can be imported *BEFORE* you install WD
>
> They will "stick" once the package has been installed.
>
> If you attempt this once WD is installed the registry setting are
> protected and cannot be altered.
>
> My settings are as follows:
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
> "AutomaticallyCleanAfterScan"=dword:00000000
> "CheckForSignaturesBeforeRunningScan"=dword:00000000
> "ScheduleTime"=dword:000004b0
> "ScheduleDay"=dword:00000000
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\UX Configuration]
> "AlwaysShowTaskTrayIcon"=dword:00000001
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet]
> "SpyNetReporting"=dword:00000002
>
> I have often wondered if this is in fact bad design or a bug, but it's
> useful.
>
> Kind Regards
>
> Simon
>
>

It is possible to script changing permissions on registry keys
[http://support.microsoft.com/kb/245031]

[Please make a note of the original permissions and take a back up of your
registry before you make any changes to it.]

After changing the permissions you should be able to modify the registry.

You can then reset the permissions to their original values, to ensure that
they can't be changed by an unauthorized program.

This is possible for a remote machine as well.

~Shiroy


"Bill Sanderson MVP" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I think setting the permissions on the registry keys so that they are not
>easily changed is likely by design. Your workaround is a good one,
>though--thanks!
>
> --
>
> "Simon Zerafa" <(E-Mail Removed)*no-spam*.uk> wrote in message
> news:(E-Mail Removed)...
>> Hi,
>>
>> If you export the relevent registry settings and save them to a .REG
>> file, these can be imported *BEFORE* you install WD
>>
>> They will "stick" once the package has been installed.
>>
>> If you attempt this once WD is installed the registry setting are
>> protected and cannot be altered.
>>
>> My settings are as follows:
>>
>> Windows Registry Editor Version 5.00
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
>> "AutomaticallyCleanAfterScan"=dword:00000000
>> "CheckForSignaturesBeforeRunningScan"=dword:00000000
>> "ScheduleTime"=dword:000004b0
>> "ScheduleDay"=dword:00000000
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\UX Configuration]
>> "AlwaysShowTaskTrayIcon"=dword:00000001
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet]
>> "SpyNetReporting"=dword:00000002
>>
>> I have often wondered if this is in fact bad design or a bug, but it's
>> useful.
>>
>> Kind Regards
>>
>> Simon
>>
>>
>
>

Excellent! I've definitely reset those permissions and made changes myself
by hand, but I haven't needed to script such changes.

Thanks.
--

"Shiroy Choksey" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> It is possible to script changing permissions on registry keys
> [http://support.microsoft.com/kb/245031]
>
> [Please make a note of the original permissions and take a back up of your
> registry before you make any changes to it.]
>
> After changing the permissions you should be able to modify the registry.
>
> You can then reset the permissions to their original values, to ensure
> that they can't be changed by an unauthorized program.
>
> This is possible for a remote machine as well.
>
> ~Shiroy
>
>
> "Bill Sanderson MVP" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>I think setting the permissions on the registry keys so that they are not
>>easily changed is likely by design. Your workaround is a good one,
>>though--thanks!
>>
>> --
>>
>> "Simon Zerafa" <(E-Mail Removed)*no-spam*.uk> wrote in message
>> news:(E-Mail Removed)...
>>> Hi,
>>>
>>> If you export the relevent registry settings and save them to a .REG
>>> file, these can be imported *BEFORE* you install WD
>>>
>>> They will "stick" once the package has been installed.
>>>
>>> If you attempt this once WD is installed the registry setting are
>>> protected and cannot be altered.
>>>
>>> My settings are as follows:
>>>
>>> Windows Registry Editor Version 5.00
>>>
>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
>>> "AutomaticallyCleanAfterScan"=dword:00000000
>>> "CheckForSignaturesBeforeRunningScan"=dword:00000000
>>> "ScheduleTime"=dword:000004b0
>>> "ScheduleDay"=dword:00000000
>>>
>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\UX
>>> Configuration]
>>> "AlwaysShowTaskTrayIcon"=dword:00000001
>>>
>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet]
>>> "SpyNetReporting"=dword:00000002
>>>
>>> I have often wondered if this is in fact bad design or a bug, but it's
>>> useful.
>>>
>>> Kind Regards
>>>
>>> Simon
>>>
>>>
>>
>>
>
>