Defender Centralized Deployment via AD GPO and WGA

[Guest]

Hello -

It had been a really fun weekend troubleshooting why Windows Defender wasn't
installing to my WXPSP2 machines. What I found out was that, because my
users are not Local Administrators, they had never been able to install the
WGA ActiveX control. As a result, the Defender installation failed on every
one.

So basically, there is this great tool for centralized deployment of
Defender (AD GPO), and a great supporting application for centralized
deployment of the definitions USED by Defender (WSUS), but it's all MOOT in
the face of having to touch EACH MACHINE INDIVIDUALLY to install WGA first?

PLEASE PLEASE PLEASE give netadm's and sysadm's a tool to remotely deploy
WGA. This wasted a whole weekend for me, logging into tons of machines to do
this.

Thanks -

Eric McWhorter

 

[Guest]

When you deploy windows defender through AD GPO, can you setup a basic
configuration? (e.g. time for scanning and checking for updates?)

 

[Guest]

Hello -

Not that I would say that Microsoft would support this, but I have found
that the registry key which stores the scan time/behavior is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan

Mine looks like this:

=======================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"CheckForSignaturesBeforeRunningScan"=dword:00000001
"LastScanType"=dword:00000002
"LastScanRun"=hex:af,52,2a,a6,92,38,c6,01
"ScanParameters"=dword:00000002
"ScheduleTime"=dword:000004ec
=======================================

*WARNING*

Now, I can't say whether modifying these values are safe or not, but I
wouldn't push out "LastScanType" or "LastScanRun."

What I would push out is something LIKE the following, which sets Defender to:

1. Not automatically clean after a scan
("AutomaticallyCleanAfterScan"=dword:00000000)
2. Checks for signatures before running a scan
("CheckForSignaturesBeforeRunningScan"=dword:00000001)
3. Does a Full System Scan ("ScanParameters"=dword:00000002)
4. Scans at 9 pm ("ScheduleTime"=dword:000004ec)

=======================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"CheckForSignaturesBeforeRunningScan"=dword:00000001
"ScanParameters"=dword:00000002
"ScheduleTime"=dword:000004ec
=======================================

"AutomaticallyCleanAfterScan" value of 1 corresponds to the checkbox "Apply
actions on detected items after scanning" being checked.

"CheckForSignaturesBeforeRunningScan" value of 1 corresponds to the checkbox
"Check for updated definitions before scanning" being checked.

"ScanParameters" value of 1 corresponds to "Quick scan" being selected from
the "Type of scan" dropdown.

"ScheduleTime" value is the number of hours past midnight times 60 minutes,
and is in hexadecimal. For example, 3 am would be 3X60=180 or B4 in hex.

Hope this helps.

- Eric

 

[Guest]

Well, that doesn't seem to be working for me - the pushing of those registry
settings via AD GPO. I know those are where the settings get set for
Defender, but I guess you'd have to include the .reg file setting them in a
logon script or something.

- Eric

Hello -

Not that I would say that Microsoft would support this, but I have found
that the registry key which stores the scan time/behavior is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan

Mine looks like this:

=======================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"CheckForSignaturesBeforeRunningScan"=dword:00000001
"LastScanType"=dword:00000002
"LastScanRun"=hex:af,52,2a,a6,92,38,c6,01
"ScanParameters"=dword:00000002
"ScheduleTime"=dword:000004ec
=======================================

*WARNING*

Now, I can't say whether modifying these values are safe or not, but I
wouldn't push out "LastScanType" or "LastScanRun."

What I would push out is something LIKE the following, which sets Defender to:

1. Not automatically clean after a scan
("AutomaticallyCleanAfterScan"=dword:00000000)
2. Checks for signatures before running a scan
("CheckForSignaturesBeforeRunningScan"=dword:00000001)
3. Does a Full System Scan ("ScanParameters"=dword:00000002)
4. Scans at 9 pm ("ScheduleTime"=dword:000004ec)

=======================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"CheckForSignaturesBeforeRunningScan"=dword:00000001
"ScanParameters"=dword:00000002
"ScheduleTime"=dword:000004ec
=======================================

"AutomaticallyCleanAfterScan" value of 1 corresponds to the checkbox "Apply
actions on detected items after scanning" being checked.

"CheckForSignaturesBeforeRunningScan" value of 1 corresponds to the checkbox
"Check for updated definitions before scanning" being checked.

"ScanParameters" value of 1 corresponds to "Quick scan" being selected from
the "Type of scan" dropdown.

"ScheduleTime" value is the number of hours past midnight times 60 minutes,
and is in hexadecimal. For example, 3 am would be 3X60=180 or B4 in hex.

Hope this helps.

- Eric

When you deploy windows defender through AD GPO, can you setup a basic
configuration? (e.g. time for scanning and checking for updates?)

 

[Bill Sanderson]

Scanning on a standalone box involves a hidden scheduled task running
\program files\windows defender\mpcmdrun.exe with some simple arguments.

The scheduler, of all things, is surely eminently controllable across a
network using group policy? As you can see--I know very little of this--but
this one should be easy--

--

Hello -

Not that I would say that Microsoft would support this, but I have found
that the registry key which stores the scan time/behavior is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan

Mine looks like this:

=======================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"CheckForSignaturesBeforeRunningScan"=dword:00000001
"LastScanType"=dword:00000002
"LastScanRun"=hex:af,52,2a,a6,92,38,c6,01
"ScanParameters"=dword:00000002
"ScheduleTime"=dword:000004ec
=======================================

*WARNING*

Now, I can't say whether modifying these values are safe or not, but I
wouldn't push out "LastScanType" or "LastScanRun."

What I would push out is something LIKE the following, which sets Defender
to:

1. Not automatically clean after a scan
("AutomaticallyCleanAfterScan"=dword:00000000)
2. Checks for signatures before running a scan
("CheckForSignaturesBeforeRunningScan"=dword:00000001)
3. Does a Full System Scan ("ScanParameters"=dword:00000002)
4. Scans at 9 pm ("ScheduleTime"=dword:000004ec)

=======================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"CheckForSignaturesBeforeRunningScan"=dword:00000001
"ScanParameters"=dword:00000002
"ScheduleTime"=dword:000004ec
=======================================

"AutomaticallyCleanAfterScan" value of 1 corresponds to the checkbox
"Apply
actions on detected items after scanning" being checked.

"CheckForSignaturesBeforeRunningScan" value of 1 corresponds to the
checkbox
"Check for updated definitions before scanning" being checked.

"ScanParameters" value of 1 corresponds to "Quick scan" being selected
from
the "Type of scan" dropdown.

"ScheduleTime" value is the number of hours past midnight times 60
minutes,
and is in hexadecimal. For example, 3 am would be 3X60=180 or B4 in hex.

Hope this helps.

- Eric

When you deploy windows defender through AD GPO, can you setup a basic
configuration? (e.g. time for scanning and checking for updates?)

 

[Guest]

Wow. That's awesome. I was not aware that hidden tasks exist. I changed
the time in the gui and the scheduled time of the scan changed, but the
changes to the type of scan were not reflected. My cmdline option shows

"-ScanType config" - I am guessing that's to make it pull the values from
the registry for the scan type and such.

Thanks for the info! Learn something new every day!

Scanning on a standalone box involves a hidden scheduled task running
\program files\windows defender\mpcmdrun.exe with some simple arguments.

The scheduler, of all things, is surely eminently controllable across a
network using group policy? As you can see--I know very little of this--but
this one should be easy--

--

Hello -

Not that I would say that Microsoft would support this, but I have found
that the registry key which stores the scan time/behavior is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan

Mine looks like this:

=======================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"CheckForSignaturesBeforeRunningScan"=dword:00000001
"LastScanType"=dword:00000002
"LastScanRun"=hex:af,52,2a,a6,92,38,c6,01
"ScanParameters"=dword:00000002
"ScheduleTime"=dword:000004ec
=======================================

*WARNING*

Now, I can't say whether modifying these values are safe or not, but I
wouldn't push out "LastScanType" or "LastScanRun."

What I would push out is something LIKE the following, which sets Defender
to:

1. Not automatically clean after a scan
("AutomaticallyCleanAfterScan"=dword:00000000)
2. Checks for signatures before running a scan
("CheckForSignaturesBeforeRunningScan"=dword:00000001)
3. Does a Full System Scan ("ScanParameters"=dword:00000002)
4. Scans at 9 pm ("ScheduleTime"=dword:000004ec)

=======================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"CheckForSignaturesBeforeRunningScan"=dword:00000001
"ScanParameters"=dword:00000002
"ScheduleTime"=dword:000004ec
=======================================

"AutomaticallyCleanAfterScan" value of 1 corresponds to the checkbox
"Apply
actions on detected items after scanning" being checked.

"CheckForSignaturesBeforeRunningScan" value of 1 corresponds to the
checkbox
"Check for updated definitions before scanning" being checked.

"ScanParameters" value of 1 corresponds to "Quick scan" being selected
from
the "Type of scan" dropdown.

"ScheduleTime" value is the number of hours past midnight times 60
minutes,
and is in hexadecimal. For example, 3 am would be 3X60=180 or B4 in hex.

Hope this helps.

- Eric

When you deploy windows defender through AD GPO, can you setup a basic
configuration? (e.g. time for scanning and checking for updates?)

:

Hello -

It had been a really fun weekend troubleshooting why Windows Defender
wasn't
installing to my WXPSP2 machines. What I found out was that, because
my
users are not Local Administrators, they had never been able to install
the
WGA ActiveX control. As a result, the Defender installation failed on
every
one.

So basically, there is this great tool for centralized deployment of
Defender (AD GPO), and a great supporting application for centralized
deployment of the definitions USED by Defender (WSUS), but it's all
MOOT in
the face of having to touch EACH MACHINE INDIVIDUALLY to install WGA
first?

PLEASE PLEASE PLEASE give netadm's and sysadm's a tool to remotely
deploy
WGA. This wasted a whole weekend for me, logging into tons of machines
to do
this.

Thanks -

Eric McWhorter

 

[Bill Sanderson]

Hmm - I hadn't tried that experiment--that may explain why the command-line
help for the switches seems so cryptic--this may all be a relatively new
notation that will be standard for Vista.

I didn't spot this myself, as usual, some brainier more eagle eyed peer here
posted it--but I like the way it works. If you want do dig into it, you can
plan scans and updates exactly the way you want them, if not, the GUI is
simple enough for my mom.

--

Wow. That's awesome. I was not aware that hidden tasks exist. I changed
the time in the gui and the scheduled time of the scan changed, but the
changes to the type of scan were not reflected. My cmdline option shows

"-ScanType config" - I am guessing that's to make it pull the values from
the registry for the scan type and such.

Thanks for the info! Learn something new every day!

Scanning on a standalone box involves a hidden scheduled task running
\program files\windows defender\mpcmdrun.exe with some simple arguments.

The scheduler, of all things, is surely eminently controllable across a
network using group policy? As you can see--I know very little of
this--but
this one should be easy--

--

Hello -

Not that I would say that Microsoft would support this, but I have
found
that the registry key which stores the scan time/behavior is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan

Mine looks like this:

=======================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"CheckForSignaturesBeforeRunningScan"=dword:00000001
"LastScanType"=dword:00000002
"LastScanRun"=hex:af,52,2a,a6,92,38,c6,01
"ScanParameters"=dword:00000002
"ScheduleTime"=dword:000004ec
=======================================

*WARNING*

Now, I can't say whether modifying these values are safe or not, but I
wouldn't push out "LastScanType" or "LastScanRun."

What I would push out is something LIKE the following, which sets
Defender
to:

1. Not automatically clean after a scan
("AutomaticallyCleanAfterScan"=dword:00000000)
2. Checks for signatures before running a scan
("CheckForSignaturesBeforeRunningScan"=dword:00000001)
3. Does a Full System Scan ("ScanParameters"=dword:00000002)
4. Scans at 9 pm ("ScheduleTime"=dword:000004ec)

=======================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000000
"CheckForSignaturesBeforeRunningScan"=dword:00000001
"ScanParameters"=dword:00000002
"ScheduleTime"=dword:000004ec
=======================================

"AutomaticallyCleanAfterScan" value of 1 corresponds to the checkbox
"Apply
actions on detected items after scanning" being checked.

"CheckForSignaturesBeforeRunningScan" value of 1 corresponds to the
checkbox
"Check for updated definitions before scanning" being checked.

"ScanParameters" value of 1 corresponds to "Quick scan" being selected
from
the "Type of scan" dropdown.

"ScheduleTime" value is the number of hours past midnight times 60
minutes,
and is in hexadecimal. For example, 3 am would be 3X60=180 or B4 in
hex.

Hope this helps.

- Eric

:

When you deploy windows defender through AD GPO, can you setup a basic
configuration? (e.g. time for scanning and checking for updates?)

:

Hello -

It had been a really fun weekend troubleshooting why Windows
Defender
wasn't
installing to my WXPSP2 machines. What I found out was that,
because
my
users are not Local Administrators, they had never been able to
install
the
WGA ActiveX control. As a result, the Defender installation failed
on
every
one.

So basically, there is this great tool for centralized deployment of
Defender (AD GPO), and a great supporting application for
centralized
deployment of the definitions USED by Defender (WSUS), but it's all
MOOT in
the face of having to touch EACH MACHINE INDIVIDUALLY to install WGA
first?

PLEASE PLEASE PLEASE give netadm's and sysadm's a tool to remotely
deploy
WGA. This wasted a whole weekend for me, logging into tons of
machines
to do
this.

Thanks -

Eric McWhorter

 

[Guest]

Did you find a solution to the WGA problem? I have the same issue. I
installed Defender using a GPO and it worked fine on test machines. But
network deployment failed due to WGA. Is there a way to deploy WGA on all
network machines first?

R. Singley, MCP

 

[Bill Sanderson]

I have this observation which I'll contribute--I'm not at all sure that it
will be useful:

WGA was rev'ed today. If you go to MicrosoftUpdate, you'll be offered a new
download to do WGA. This is the executable involved, extracted from the
WindowsUpdate log:

http://www.download.windowsupdate.c..._7e1189ce89fb0c693cad6432a4c2f982dcea49a0.exe

You can pull this down to a location where you can look at it or try it on a
machine which hasn't visited WindowsUpdate, and see what it does. I suspect
that it may help, but won't be the whole story.

--

 

[Guest]

Cool!
I wonder if this can be deployed in a GPO.

I have this observation which I'll contribute--I'm not at all sure that it
will be useful:

WGA was rev'ed today. If you go to MicrosoftUpdate, you'll be offered a new
download to do WGA. This is the executable involved, extracted from the
WindowsUpdate log:

http://www.download.windowsupdate.c..._7e1189ce89fb0c693cad6432a4c2f982dcea49a0.exe

You can pull this down to a location where you can look at it or try it on a
machine which hasn't visited WindowsUpdate, and see what it does. I suspect
that it may help, but won't be the whole story.

 

[Bill Sanderson]

I'm going to quote a relevant portion of a KB article related to beta1 here:

http://support.microsoft.com/?kbid=892375

I'm not sure whether the issue that prompted this article is, in fact,
mitigated with beta2, but the admonition at the end has not changed:

MORE INFORMATION
There are known issues and limitations when you use Windows AntiSpyware
(Beta) in an enterprise environment. We strongly recommend that enterprise
customers thoroughly research and test all beta software, but we do not
recommend beta software for deployment in production environments.



--