PC Review



Defender and "AllowNonAdminFunctionality" setting

 
 
WPBCIT
Guest
Posts: n/a
 
      31st Jan 2007
I'm testing the rollout of Windows Defender via GPO as well as testing some
registry settings that will be pushed to clients via PolicyMaker's Registry
Extension.

I was playing around with the "AllowNonAdminFunctionality" setting in the
registry to see how much it would lock down Defender for my clients. I
noticed that when I turn it on, the client is not even allowed to open up the
GUI for Defender to change things. This is acceptable although I hope more
flexible in Vista.

The question is this: what about when I want to check things on the client's
machine to see histories, check settings (to make sure they're applied), etc?
I've tried to "Run As" the local administrator, the domain administrator, and
myself (a Domain Admin). In all cases, a popup states that "Application
failed to initialize: 0x80070005. Access is Denied." My thought would be that
if I have this setting turned on then "administrators" would be able to
access the GUI, but I guess that's not how it works. Is there something I'm
missing here? Does the Defender service look at the user logged in and not
even check who's trying to run the GUI?

Thanks!
 
 
 
 
 
Engel
Guest
Posts: n/a
 
      31st Jan 2007
Hello WPBCIT,

See if you can apply the solution in this KB
http://support.microsoft.com/kb/904423/en-us

I hope this post is helpful.

Let us know how it works out.

Еиçеl
 
WPBCIT
Guest
Posts: n/a
 
      31st Jan 2007
This fix requires a contact to Microsoft for the hotfix. I'll look into it
and see what comes of it.

Thanks,
Robert
 
WPBCIT
Guest
Posts: n/a
 
      31st Jan 2007
I installed and tested that hotfix referred to by that KB article. It did not
work. Thanks for the try.

Anybody else got any ideas? I'm starting to think it may just be how
Defender is written instead of a bug.

Robert
 
Bill Sanderson MVP
Guest
Posts: n/a
 
      1st Feb 2007
I've not tested the setting you speak of, which I believe is exposed in the
GUI at Tools, Options, scroll all the way down to near the bottom. The
explanation there of the setting, and what you may find in Help is all that
I know about it, I'm afraid.

What I can tell you is that Defender is explicitly not designed for your
intended use, and that you would be far better off with a malware protection
product which is explicitly designed for managed deployment and centralized
reporting and control--Microsoft Forefront Client Protection.

http://www.microsoft.com/forefront/c...y/default.mspx

That said, I've no idea the size of your operation, nor what Forefront will
cost. I can say that it is now in public beta.

I've looked at the article cited by Engel, and I don't see any relevance,
I'm afraid.
 
WPBCIT
Guest
Posts: n/a
 
      1st Feb 2007
I appreciate your comments.

However, I'm the IT Director for my church and as a non-profit organization
we're on a pretty limited budget. I'm always looking for free or reduced cost
software that will suit our needs. I know Defender is not made for what I'm
trying to get it to do, but I'm always trying to find creative ways to save
us a few dollars here. It's about the best option I have at this point. We
can't use Spybot S&D because it costs money even for non-profits (although
they give a good 50% discount). Defender on the other hand is free AND can
receive updates via my WSUS server. That alone is huge for me.

Thanks for your time. Again, I appreciate it.
 
Bill Sanderson MVP
Guest
Posts: n/a
 
      2nd Feb 2007
I have got a client office which runs as non-admins and I can look at how
this setting works for them. Catch is that I don't know their client
passwords, and I'm the admin--so I'll have to connect in via Remote Desktop,
create a non-admin account, and do some testing to see how this works. I'd
like to do this, 'cause I have seen some posts here indicating that folks
feel this setting doesn't work as expected--but I'm not sure I'll manage to
find the time. I work in a not too different environment from yours--mostly
small non-profit organizations, and the one I work for most of the time is
church-related.

 
 
 