Installing Defender using Group Policy

[Guest]

I have been trying to install Windows Defender using Group Policy since it
was released.

I will go thru my steps.

I created a domain GP called InstallWindowsDefender. Within my Group Policy
Manager, it is linked to our domain and the security filtering is calling out
a global security group consisiting of computers within the domain, this is
being called TestOU right now.
For the policy, I chose Computer Configuration, software settings, software
installation. i created a package by navigating out to the msi file i just
downloaded and opened it. Within the deploy software dialog box, i left it
default at Assigned. If I look at the settings for this policy, it looks
right. I have exported the policy to a html file, if you would like to see
it, email me offline and i'll send it to you for review.
For delegation, I have Domain Admins, Enterprise Admins and SYSTEM having
edit, delete and modify security. Domain Computers have read as does my
TestOU (the global security group of computers)

What else am I missing, this deployement has been kicking my behind. This
is my first attempt to deploy software this way and I would like to use it on
other software but until I can get this to work, I am stuck.

Any help would be greatly appreciated!!!

Kelli

 

[Bill Sanderson MVP]

I haven't done this. I can't recall whether I've read success stories or
not. I am clear that Microsoft does not recommend deploying to production
equipment, and that there are predictable problesms--like the VNC one you
mention--that will result.

Microsoft has announced that at release time, there will be an ADM group
policy template file available. (However, they haven't announced when it
will be released!)

I'd recommend treading carefully until it is clear how it can be controlled.
I've seen some discussion of pre-setting some settings within the app via
..REG files--you can look at that--but I'm not at all sure that will be
sufficient for the VNC question. I've got VNC set as an "allow always" on
my system--so I'll do a little exploring and see whether I can see anything
in the registry the reflects/controls that.

 

[Bill Sanderson MVP]

I did dig through regedit looking for VNC strings, and didn't spot anything
that was clearly Windows Defender related. I did find "VNC" as a part of
some clearly encoded strings that I couldn't spot just what they were
related to--I think I decided they were accidental, but maybe not..

At any rate, I think this won't be as simple as plugging a short .REG file
in on each machine--don't know what would be needed.

--

 

[Guest]

I know there are people that have done it. If only I could find those
people...

Here is a gpresult from a users computer ... Under computer settings, the gp
WSUS is working just fine. Something in the InstallWindowsDefender must be
amiss.


C:\Documents and Settings\kzomberg>gpresult

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 4/18/2006 at 10:19:36 AM


RSOP results for DOMIAN\kzomberg on KZOMBERG : Logging Mode
----------------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: DOMAIN
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\kzomberg
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=KZOMBERG,OU=WindowsXP,OU=Desktops,DC=XXX,DC=com
Last time Group Policy was applied: 4/18/2006 at 9:33:14 AM
Group Policy was applied from: dpprojects.XXX.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
RemoteDesktop Group Policy Object
InstallWindowsDefender
WSUS
Local Group Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
DP Domain Policy
Filtering: Not Applied (Empty)

MapDrives - Domain Users
Filtering: Disabled (GPO)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
KZOMBERG$
Domain Computers (read rights)
TestOU - This is the Group created for the Defender install. It's
the security filter group ... (read rights)


USER SETTINGS
--------------
CN=Kristi Zomberg,OU=Central Services,DC=XXX,DC=com
Last time Group Policy was applied: 4/18/2006 at 9:06:27 AM
Group Policy was applied from: dpprojects.XXX.com
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
DP Domain Policy
Filtering: Not Applied (Empty)

WSUS
Filtering: Disabled (GPO)

Local Group Policy
Filtering: Not Applied (Empty)

MapDrives - Domain Users
Filtering: Disabled (GPO)

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
Employees
Printer Color
Test Printers
Revit Users
Printer Printshop
FTP Users
Viz Farm
PublicFolderOwners
South
Print Shop
Standards Group
Standards
HelpNET Browsers

Here is the Settings from the GP...

Windows Defenderhide
Product Informationhide
Name Windows Defender
Version 1.1
Language English (United States)
Platform Intel
Support URL http://go.microsoft.com/fwlink/?LinkId=55273

Deployment Informationhide
General Setting
Deployment type Assigned
Deployment source \\dpprojects\Setup\Software\AntiVirus AntiSpyware
Scanners\MicrosoftWindowsDefender\WindowsDefender1347.msi
Uninstall this application when it falls out of the scope of management
Disabled

Advanced Deployment Options Setting
Ignore language when deploying this package Disabled
Make this 32-bit X86 application available to Win64 machines Enabled
Include OLE class and product information Enabled

Diagnostic Information Setting
Product code {b2d7ce29-614a-4acc-8bfe-009eb3a244c9}
Deployment Count 0

Securityhide
PermissionsType Name Permission Inherited
Allow DESIGNPLUS\Domain Admins Full control No
Allow NT AUTHORITY\SYSTEM Full control No
Allow NT AUTHORITY\Authenticated Users Read No
Allow DESIGNPLUS\Domain Admins Read, Write Yes
Allow DESIGNPLUS\Enterprise Admins Read, Write Yes
Allow CREATOR OWNER Read, Write Yes
Allow NT AUTHORITY\SYSTEM Read, Write Yes
Allow DESIGNPLUS\TestOU Read Yes
Allow DESIGNPLUS\Domain Computers Read Yes
Allow inheritable permissions from the parent to propagate to this object
and all child objects Enabled

Advancedhide
Upgrades Setting
Required upgrade for existing packages Enabled
Packages that this package will upgrade GPO
None

Packages in the current GPO that will upgrade this package None

Categories
None

Transforms
None

 

[Bill Sanderson MVP]

How about trying the public WSUS support group?

Let me see if I can find a link for an HTML view of it:

http://www.microsoft.com/technet/co...crosoft.public.windows.server.update_services

should do it.

--

 

[Guest]

I will do that. Thanks!

How about trying the public WSUS support group?

Let me see if I can find a link for an HTML view of it:

http://www.microsoft.com/technet/co...crosoft.public.windows.server.update_services

should do it.

 

[Bill Sanderson MVP]

It's easier to use via NNTP, but the link was easier to find that way.

I believe I have seen this discussed before--you might also check the
..networking group here--I can't recall whether the discussion was there or
in the WSUS related groups. I've had great trouble making the search
function work in the HTML groups, unfortunately.

--

 

[Guest]

I set this up using a gpo as well, however I used the startup script area to
implement. Have you tried this?