Configuring security state assessment scans

Applies To: Forefront Client Security

A Client Security policy can enforce SSA scans. When you edit or create a policy, use the Protection tab to configure whether the policy enforces SSA scans on all client computers to which you deploy the policy.

SSA scans occur either at scheduled times or at intervals. The default settings for SSA scans enforce a scan every 12 hours.

The Client Security agent checks for definition updates prior to performing any SSA scan.

When you enable SSA scans, you enable Client Security to perform all of the SSA checks included in the vulnerabilities definitions. You cannot enable or disable specific checks.

Typically, when the settings examined by an SSA check are configured by Group Policy on the scanned computer, the resulting score is Informational. It is assumed that settings configured by Group Policy conform to your organization's standards and are therefore intentional.

To enable SSA scans

  1. In the Client Security console, create or edit a policy. For details about how to create or edit a policy, see Creating, editing, copying, and deleting policies.

  2. In the New Policy or Edit Policy dialog box, click the Protection tab.

  3. If you want to schedule SSA scans for a particular time:

    1. Under Security state assessment, select the Scan at this time option button.

    2. In the list of hours, select the hour for the start of the scan.

    3. Decide how Client Security should act when a scan cannot run at its scheduled time (such as when a client computer is shut down). As applicable, clear or select the If scan was not run when scheduled, run it as soon as possible check box.

    Alternatively, if you want to run scans at regular intervals instead of at a particular time, under Security state assessment, select the Scan at set interval check box and set the number of hours between assessments.

    Note

    If a scan is missed at the interval, such as when a client computer is shut down, the scan runs when the SSA service is next available.

  4. After you finish creating or editing the policy, click OK.

  5. To apply the policy to client computers, you must deploy the policy. For information about deploying a policy, see Deploying and undeploying policies.

To disable SSA scans

  1. In the Client Security console, edit the policy in which you want to disable scheduled scans. For details about how to edit a policy, see Creating, editing, copying, and deleting policies.

  2. In the Edit Policy dialog box, click the Protection tab.

  3. Under Security state assessment, select Do not run security state scan.

  4. After you finish editing the policy, click OK.

  5. To apply the policy to client computers, you must deploy the policy. For information about deploying a policy, see Deploying and undeploying policies.

Concepts

About security state assessment checks