Sign in
 
HomeProductsLibraryLearnDownloadsSupportForums
Microsoft Forefront TechCenter >
Preventing users initiating scans or reboots

Answered Preventing users initiating scans or reboots

  • Friday, February 15, 2013 3:10 PM
     
     
    Sign In to Vote
    0

    Hi

    FEP 2010 v4.1.522.0 is the version reporting installed, Citrix Xenapp6, Win2008R2 64-bit.

    Had an interesting thing come up on Citrix the other day. We've provisioned servers (booting from a common vDisk) and one user visited a webpage with a bit of malware on. No drama, FEP killed the offending HTM as it was written to his Temp Internet Files.

    However, it alerted him, and told him it needed to reboot the server to finish the cleansing process. Users don't have permissions to reboot the servers of course - but Forefront does! So over it went. Cue some-annoyed-users. Some of whom also saw the infection notification and they all logged calls for a virus.

    This brought up the questions:

    • How do I stop FEP 2010 from displaying notifications to users (we don't want this for desktops, and it's only a potential for Citrix - I might not go down this route)
    • Can I prevent them from forefront giving them the option (and thus permission) to reboot the server?
    • Can I stop them opening the console and running a scan? This is provisioned, any infection would be killed with a reboot anyway, and it's all IO we frankly don't need.

    Not seeing anything in the group policies for this... nor in the SCCM FEP integration for it.

    Thanks in advance. Been googling of course, no joy.

    A

     

All Replies

  • Friday, February 15, 2013 5:26 PM
     
     Answered
    Sign In to Vote
    0

    You can completely suppress the UI (tray icon and ability to launch from the shortcut) by setting the following registry value:

    HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\UX Configuration

    REG_DWORD - UILockdown = 1

    I would think this would also suppress any alerts visible to the user as well.

    It's good that you are running FEP 2010 4.1.522.0 as this reg key isn't recognized in previous versions. It's a value you can set through SCCM via policy in SCEP 2012, but as you said, it is not available to set in FEP 2010.


    • Edited by KevinMJohnston Friday, February 15, 2013 5:26 PM
    • Marked As Answer by andreww Thursday, February 21, 2013 10:14 AM
    •  
     
  • Thursday, February 21, 2013 10:14 AM
     
     
    Sign In to Vote
    0
    I like the sound of that. Will see how it pans out, thanks Kevin.