Policy settings and registry keys
Applies To: Forefront Client Security
This topic details the settings available in the New/Edit Policy dialog box and the registry key values that are pushed to the client computer within the policy. Also included are settings that are not exposed in the console.
Important
Registry key values are provided for informational purposes only. It is strongly recommended that you do not change registry key values.
Registry key values not associated with a policy are written to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0 key. Those keys and values are listed in Registry keys.
For information about creating or editing policies, see the Client Security Administrator's Guide (https://go.microsoft.com/fwlink/?LinkID=75776).
Settings exposed in the New/Edit Policy dialog box
The New/Edit Policy dialog box is used to define settings for a Client Security policy. The dialog box consists of five tabs:
General tab
Protection tab
Advanced tab
Overrides tab
Reporting tab
The registry key and values listed in the following tables are added to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0
General tab
| Control | Registry key | Value |
|---|---|---|
Name |
— |
<name> |
Protection tab
| Control | Registry key | Values* | Scan type** |
|---|---|---|---|
Virus protection |
AM\ DisableAntiVirus (DAV) |
On (0) Off (1) User controlled |
R, S, C |
Spyware protection |
AM\ DisableAntiSpyware (DAS) |
On (0) Off (1) User controlled |
R, S, C |
Use real-time protection (scan programs and services when they are accessed) |
AM\Real-Time Protection\ DisableAntiVirusRealtimeProtection AM\Real-Time Protection\ DisableAntiSpywareRealtimeProtection |
On (0) (0) Off (1) (1) |
R |
Run a scan at this time Start time |
AM\Scan\ ScheduleDay |
Off (0x8) Every day (0x0) Sunday (0x1) Monday (0x2) Tuesday (0x3) Wednesday (0x4) Thursday (0x5) Friday (0x6) Saturday (0x7) User controlled |
S |
|
AM\Scan\ ScheduleTime |
12:00 AM-11:00 PM (0-1439) User controlled 2 AM (120) |
|
Scan type |
AM\Scan\ ScanParameters |
Full scan (2) Quick scan (1) |
S |
Run a quick scan at set interval (hours) |
AM\Scan\ QuickScanInterval |
Off (0) 1–24 hours (1–24) |
S |
Scan at set interval (hours) |
SSA\ScanAction\Time |
1–24 hours (1–24) 12 hours (12) |
V |
Scan at this time |
SSA\ScanAction\Time |
12:00 AM–11:00 PM 3:00 AM (3) |
V |
Do not run security state scan |
SSA\ScanAction\TimeType |
ScanAction\Time = time (1) ScanAction\Time = interval (0) |
V |
If scan was not run when scheduled, run as soon as possible |
SSA\ScanAction\ScanWhenMissed |
On (1) Off (0) |
V |
*Default policy settings in bold
**R=Real-time scan, S=Scheduled scan, C=Client on-demand scan, V=SSA scan
Advanced tab
| Control | Registry key | Values* | Scan type** |
|---|---|---|---|
Check for updates before starting a scan |
AM\Scan\ CheckforSignaturesBeforeRunningScan |
On (1) Off (0) |
S, C |
Check for updates at set interval (hours) |
AM\Signature Updates\ SignatureUpdateInterval |
Off (0) 1-24 hours (1–24) 6 (6) |
R, S |
Check for updates on Microsoft Update when WSUS is unavailable |
AM\Signature Updates\ CheckAlternateDownloadLocation |
On (1) Off (0) |
R, S, C, V |
Scan archive files |
AM\Scan\ DisableArchiveScanning |
On (0) Off (1) |
S, C |
Use heuristics to detect suspicious files |
AM\Scan\ DisableHeuristics |
On (0) Off (1) |
R |
Delete quarantined files Delete after (days) |
AM\Quarantine\ PurgeItemsAfterDelay |
Off (0) 1–100 days (1–100) |
R, S, C |
File and folder paths |
AM\Exclusions\ Paths |
<empty> |
R, S, C |
Extensions |
AM\Exclusions\ Extensions |
<empty> |
R, S, C |
Users can view all Client Security settings and messages Users can only view notification area icon and status messages |
AM\UX Configuration\ ConsoleFunctionalityAvailable |
Full UI (0) Minimum UI (3) |
R, S, C |
Only administrators can change Client Security agent settings |
AM\UX Configuration\ AllowNonAdminFunctionality |
On (1) Off (0) |
R, S, C |
Allow users to add exclusions and overrides |
AM\ DisableLocalAdminMerge |
On (1) Off (0) |
R, S, C |
Prompt user when unclassified software is detected |
AM\Real-Time Protection\ EnableUnknownPrompts |
On (1) Off (0) |
R, S, C |
*Default policy settings in bold
**R=Real-time scan, S=Scheduled scan, C=Client on-demand scan, V=SSA scan
Overrides tab
| Control | Registry key | Values* | Scan type** |
|---|---|---|---|
Overrides based on threat |
AM\Threats\ ThreatIDDefaultAction |
<empty> Ignore (6) |
R, S, C |
Overrides based on category |
AM\Threats\ ThreatTypeDefaultAction |
<empty> Default Response (0) Remove (3) Quarantine (2) Ignore (6) |
R, S, C |
Overrides based on severity |
AM\Threats\ ThreatSeverityDefaultAction |
<empty> Default Response (0) Remove (3) Quarantine (2) Ignore (6) |
R, S, C |
*Default policy settings in bold
**R=Real-time scan, S=Scheduled scan, C=Client on-demand scan, V=SSA scan
Reporting tab
| Control | Registry key | Values* | Scan type** |
|---|---|---|---|
Specify the alert level |
AlertLevel |
1-5 3 (3) |
R, S, C, V |
Do not log events for files marked "Unknown" |
AM\Reporting\ DisableLoggingForUnknown |
On (1) Off (0) |
R, S, C |
SpyNet reporting |
AM\SpyNet\ SpyNetReporting |
Off (0) Basic (1) Advanced (2) |
R, S, C |
Use Microsoft Internet Explorer® settings Use other proxy server and port |
AM\ProxyServer |
Use IE settings <empty> <text> |
R, S, C |
*Default policy settings in bold
**R=Real-time scan, S=Scheduled scan, C=Client on-demand scan, V=SSA scan
Settings not exposed in the console
Some settings associated with Client Security policies are not accessible or displayed through the console but are written to the registry when a policy is deployed. This section lists those settings and the associated defaults and registry key values.
When a policy is deployed, Client Security overwrites some registry key values that were written when the Client Security agent was installed and used on the client computer without a policy.
For a list of all the registry key values not associated with a policy, see Registry keys.
The registry keys and values in the following table are added to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0
| Description | Registry key | New values from policy | Default values without policy | Scan type** |
|---|---|---|---|---|
Designates whether the Client Security service will continue to run when scans are turned off |
AM\ ServiceKeepAlive |
On (1) |
Off (0) |
R, S |
Designates whether the Client Security agent will take action on items detected during a real-time protection scan (after a non-configurable delay) |
AM\Real-Time Protection\ AutomaticallyCleanRealTimeAfterDelay |
On (1) |
Off (0) |
R |
Designates whether the Client Security agent will take default actions during scheduled scans |
AM\Scan\AutomaticallyCleanAfterScan |
On (1) |
Off (0) |
S, C |
Specifies the day and time that Client Security agent will update definitions |
AM\Signature Updates\ ScheduleDate |
Never (0x8) |
Every day (0x0) |
R, S |
Specifies whether the Client Security icon will be displayed in the notification area at all times |
AM\UX Configuration\ AlwaysShowTaskTrayIcon |
On (1) |
Off (0) |
R, S |
Reads language and minimum manifest version from server |
SSA\ScanAction\ Parameter |
<culture code> <manifest version> |
— |
V |
**R=Real-time scan, S=Scheduled scan, C=Client on-demand scan, V=SSA scan