Where's the .ADM file?

    Question

  • I've got this GPO that I named "Forefront Security" in GPMC. All I need now is an .adm file that contains all settings for Forefront in standalone to import into the GPO. Some research revealed that this is not a new concept. Apparently Microsoft supplies, or did, an .adm file for Windows Defender allowing administrators to control configuration of all machines in the organization through group policy: http://support.microsoft.com/kb/927367

     

    Why can't I find one for Forefront? I think the answer is an obvious effort to prevent any method of configuration in "standalone" other than the woefully lacking "Options" page.

    Tuesday, March 11, 2008 5:28 PM

Answers

  • Yes, I test it with every modification. My workstation computer accounts are in an OU named "Domain XP Computers" and for testing purposes I created a sub-OU that contains only my laptop and is linked to the GPO that I import the .ADM file to. For the keys described in the "Settings not exposed in the console" section I created a single policy with Explain text that states to Enable this policy if ANY other Forefront policies are OTHER THAN 'NOT CONFIGURED'.

     

    I can enable/disable: spyware and virus protection individually, real-time (both by one policy), locally configured excludes, prompts for unclassified, scanning archives, restore points, heuristics, non-admins running manual scans, scheduled scans and set schedule and type, quick scans and frequency. If I enable or disable every policy then everything in Options is as set and cannot be changed even by a local admin (except if I allow local excludes).

     

    The acid test will be applying this to a fresh Forefront install on another workstation. If it works as well as mine does then I'M GOING WITH FOREFRONT! Dear Microsoft, I wanted to stay with your product (I am an MCSE and proud of it) and I have found a way. Our main business app is being upgraded to an SQL Server backend so I can probably justify the cost of the full Forefront product in 2009.

     

    I'm sending the .adm to you. I'm sure you can make many improvements so provide me with any you do.

    Monday, March 24, 2008 2:27 PM

All replies

  •  

    Hi,

     

    There is no ADM file for FCS. In order to define all the settings, you will need to load the FCS Management Console and then define a new policy. If clients are not part of a domain, you can export the settings to a file, and import them locally per client (registry file)

     

    Windows Defender is disabled when FCS installs on vista, and you should ensure it is removed on XP, as they clash...

     

    Hope this helps

     

    Tuesday, March 11, 2008 11:45 PM
  • Thanks Chris, but mine was actually a rhetorical question. I already know the answer and it is as I stated in the last sentence of my post. Microsoft has supplied template files for other products so they could be configured via Group Policy and they could easily make available a template file that contains all settings for a standalone install of Forefront.

     

    I'm over IT at a small company with 25 workstations and some remote users. I don't have the server capacity for the Management Console components and can't justify the cost when I could simply purchase desktop security products from Norton, Trend, Avita, etc. With a small operation I don't need the dashboard, reports, or any of the console features except exposure to all available FCS agent settings.

     

    It has nothing to do with technical skill sets since SQL 2005 is a piece of cake compared to the first version I was ever certified on which was SQL Server 6.5. The point is Microsoft's security product offerings have left out small businesses.

     

    I've spent several hours building my own FCS ADM file but the documentation is very vague and even inaccurate. I'm amazed that no matter how I word an Internet search it appears that no one has posted the contents of an ADM file that could be used for FCS.

    Wednesday, March 12, 2008 1:08 PM
  • Ahh, fair enough - understand now

     

    Can see where you are coming from, I agree - FCS isn't suited to very small setups, as you say the backend requirements are pretty extensive

     

    In theory you could possibly work out all the options by having a registry based policy created, but would be a fair amount of work...

     

    MS do read this forum, so hopefully the feedback may be taken for future consideration

     

    cheers

     

    Wednesday, March 12, 2008 1:20 PM
  • will take this upon myself...

    not very difficult to do...

    just a bit of time required...

     

    will try doing this sometime next week.

    promise to keep you posted on this one.

    Wednesday, March 12, 2008 9:21 PM
  • I appreciate you volunteering to do that. It would be nice to see what you come up with.

     

    After all my complaining what I'm realizing is that I'm learning everything I never really understood about .adm files. What I have done is used the XP SP2 Windows Update template, C:\WINDOWS\inf\wuau.adm, to start building a template for Forefront. Wuau.adm has virtually every type of policy in it, from simple ON - OFF settings to complex day-of-week and time-of-day structures. Since I can only work on this in my "spare" time it will take a couple of weeks to get a finished product but I'll then have a simple way configure Forefront on all workstations.

     

    Its actually fun to pop the unfinished .adm into a GPO, make my settings in GP Editor, and watch it lockdown Forefront settings on my workstation.

    Friday, March 14, 2008 12:56 PM
  • Almost finished with an administrative template for controlling Forefront "standalone" in an Active Directory environment. The biggest obstacle is the documentation, especially the \Policies registry keys as described in the TechnicalReference.doc document. It is VERY incomplete and some of the information appears to be flat out wrong. For example, the ConsoleFunctionalityAvailable key has NO effect regardless of what value it is set at. The AllowNonAdminFunctionality key actually comes closer to the description of the previously mentioned key but only for users without workstation admin rights.

     

    However, I'm only one or two policies away from an ADM file that can totally lock down all of the settings in Options and provides for configuring most of the settings. It leaves alert items at "Default action (definition-based)" and doesn't provide a way to add file exclusions BUT that's the default settings at install so I can live with it for now. If I run into files that need to be excluded (some special business app or something) then I'll work that part out.

     

    I'll keep you posted.

    Thursday, March 20, 2008 9:16 PM
  • Great work!

     

    Have you tested the .ADM file in your AD? Importing it and successfully deploying settings?

    If you want, you can send me what you got so far and I'll see if I can help you with the last few settings...

     

    /J

     

    Saturday, March 22, 2008 7:25 AM
  • Thanx!

     

    I will take a look at it this week and keep you posted on any changes!

     

    /J

     

     

    Monday, March 24, 2008 4:30 PM
  • Impressive work! I've always found it extremely puzzling that MS didn't include an .adm with the original product, it feels like they've continuously gone out of their way to avoid following their own guidelines with Forefront.

    Any chance that I might get a copy of your file?

    / Fredrik
    Monday, March 31, 2008 11:01 AM
  • I'm very interested in this file too. It will be great to test it!

     

     

    Any chance that I might get a copy of your file, too?

    Saturday, April 05, 2008 7:32 AM
  • I'm also interested in the ADM file, and also generally interested in what you've discovered regarding errors in the reference material.

     

    I've had to recreate policies based on existing GPOs (the policies have simply "gone missing" from within the console), and found registry entries which don't seem to be documented, and am wondering how to set them, and what they control.

     

    Can you post the file somewhere with public access?


    Thanks,

    David

    Friday, April 11, 2008 2:44 PM
  • OK. Here's something I can't check because I don't have the console. The Group Policy scheme creates a folder for each GPO in your domain controllers' SYSVOL share: \SYSVOL\<domain name>\Policies\<POLICYGUID>\Adm\.

     

    The \Adm folder contains the .adm file of each template that is part of that specific GPO. Does your Forefront created GPO use the same scheme? If so, is there a Forefront specific .adm file? If there is then we have the logical starting point for creating a Forefront .ADM file.

     

    My ADM file is admittedly "home brewed" but it does the job for now, and I don't mind sharing what I have. However, if there is one created by the console sitting right under our noses then we need to check it out. I'd also like to see an export of the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\ key from an XP workstation.

     

    The only totally undocumented registry values that I have discovered were ones that I found under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\ and duplicated in the \Policies section to see what would happen. Other things were discovered by experimentation such as: "scan multiple times A DAY" implies you can't select every 24 hrs. because that is not "multiple times a day."  Sure enough, if you make that value an integer greater than 12 it defaults to every 12 hrs. So the documentation says the range is 1 - 24 but the range is 1 - 12.

    Tuesday, April 15, 2008 7:18 PM
  • Unfortunately an adm file doesn't get added since the console just "injects" the settings into the GPO.  If I view a GPO in GPMC that is created with the console it just shows the settings under "Extra Registry Settings".  Something like this...

     

     

    Setting State
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AlertLevel 3
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\DisableAntiSpyware 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\DisableAntiVirus 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\DisableLocalAdminMerge 1
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\ProxyServer 
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Quarantine\PurgeItemsAfterDelay 7
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection\AutomaticallyCleanRealTimeAfterDelay 1
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection\DisableAntiSpywareRealtimeProtection 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection\DisableAntiVirusRealtimeProtection 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection\EnableUnknownPrompts 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Reporting\DisableLoggingForUnknown 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan\AutomaticallyCleanAfterScan 1
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan\CheckForSignaturesBeforeRunningScan 1
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan\DisableArchiveScanning 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan\DisableHeuristics 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan\QuickScanInterval 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan\ScheduleDay 8
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\ServiceKeepAlive 1
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates\CheckAlternateDownloadLocation 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates\ScheduleDay 8
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates\SignatureUpdateInterval 6
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\SpyNet\SpyNetReporting 1
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\UX Configuration\AllowNonAdminFunctionality 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\UX Configuration\AlwaysShowTaskTrayIcon 1
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\UX Configuration\ConsoleFunctionalityAvailable 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\DeploymentMethod 2
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\DeploymentPath LDAP://CN=REMOVED
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\MOMGroupName REMOVED
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\MOMServerName REMOVED
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\Name Test AV policy
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\ProfileID ff9def70-043b-4257-b9a2-5c52ae70f951
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\ProfileInstanceID 3d4c373f-27f6-4e57-a52a-c457ea18bccd
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\SSA\OptIntoMU 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\SSA\ScanAction\Parameter <ScanJob Version='1.0' Culture='1033'> <Manifest ConfigFile='VulnerabilityDefinitions.manifest' ConfigVersion='1.0.0.0'/> </ScanJob>
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\SSA\ScanAction\Time 0
    SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\SSA\ScanAction\TimeType

    Thursday, April 24, 2008 6:10 PM
  • Outstanding. Finally a look at how the console configures a client. The settings from DeploymentMethod till the end don't really apply to a standalone install. Down to that point there's only 3 that I don't have in my ADM file so I'm pretty close. I don't have AlertLevel, ProxyServer (we don't use proxy), or ConsoleFunctionalityAvailable (I played with it but couldn't make it do anything).

     

    I also don't have or understand the \Signature Updates\ScheduleDay value. The scheduled checking for signature updates is either turned off or set to occur every 1 - 24 hours. I'll have to play with that one to see what it does.

     

    OK. Give me a few days to redo the ADM file and I'll find some way to share it. I recently read a document on correctly creating ADM files and know what I was doing wrong. It works, but I was getting hung up on something saying "enabling this disables this." It sounded wrong. Enabling disables? The document said to use "turns off" or "turns on" instead of disables or enables. Now it sounds right like: Turn Off Real-time Protection - Enabling this policy will turn off real-time protection.

    Friday, April 25, 2008 2:04 PM
  • If this helps, the following is the contents of the reg file that the management console will generate for you if you need to deploy to machines outside the domain.

     

     

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection]
    "AutomaticallyCleanRealTimeAfterDelay"=dword:1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM]
    "DisableLocalAdminMerge"=dword:1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\UX Configuration]
    "AlwaysShowTaskTrayIcon"=dword:1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\UX Configuration]
    "AllowNonAdminFunctionality"=dword:0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Quarantine]
    "PurgeItemsAfterDelay"=dword:7

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM]
    "ServiceKeepAlive"=dword:1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates]
    "CheckAlternateDownloadLocation"=dword:0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Reporting]
    "DisableLoggingForUnknown"=dword:0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM]
    "ProxyServer"=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\SpyNet]
    "SpyNetReporting"=dword:1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\SSA\ScanAction]
    "Time"=dword:0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\SSA\ScanAction]
    "Parameter"="<ScanJob Version='1.0' Culture='1033'> <Manifest ConfigFile='VulnerabilityDefinitions.manifest' ConfigVersion='1.0.0.0'/> </ScanJob>"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates]
    "SignatureUpdateInterval"=dword:6

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection]
    "DisableAntiVirusRealtimeProtection"=dword:0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan]
    "QuickScanInterval"=dword:0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan]
    "CheckForSignaturesBeforeRunningScan"=dword:1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM]
    "DisableAntiVirus"=dword:0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan]
    "AutomaticallyCleanAfterScan"=dword:1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates]
    "ScheduleDay"=dword:8

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\UX Configuration]
    "ConsoleFunctionalityAvailable"=dword:0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan]
    "DisableHeuristics"=dword:0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\SSA]
    "OptIntoMU"=dword:0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM]
    "DisableAntiSpyware"=dword:0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0]
    "AlertLevel"=dword:3

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection]
    "EnableUnknownPrompts"=dword:0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0]
    "MOMServerName"="RMCSRVAV1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\SSA\ScanAction]
    "TimeType"=dword:0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0]
    "MOMGroupName"="ForefrontClientSecurity-Server"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan]
    "DisableArchiveScanning"=dword:0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection]
    "DisableAntiSpywareRealtimeProtection"=dword:0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan]
    "ScheduleDay"=dword:8

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0]
    "Name"="Test AV policy"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0]
    "ProfileID"="ff9def70-043b-4257-b9a2-5c52ae70f951"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0]
    "ProfileInstanceID"="3d4c373f-27f6-4e57-a52a-c457ea18bccd"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0]
    "DeploymentMethod"=dword:1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0]
    "DeploymentPath"="c:\\Test AV policy.reg"

    Friday, April 25, 2008 2:44 PM
  • We are deploying FCS in standalone mode and this .adm file to create the GPOs to configure the client would be very very useful to us. Is the work available to share?
    Monday, May 12, 2008 4:55 PM
  • How do I get it to you? I could post it right here but it would be a lengthy post. Also I'm not sure how the Forefront folks view our collaboration on creating GPO controlled standalone. On one hand we're not purchasing the console. On the other hand we're not purchasing a competitor's product and some of us will be purchasing the console in the future.
    Monday, May 12, 2008 5:51 PM
  • I'd recommend something like http://rapidshare.de/
    Tuesday, May 13, 2008 7:55 AM
  • Administrative template for Forefront: http://rapidshare.de/files/39396327/forefront.adm.html

     

    Just in case you're interested I was experimenting with making the GPO as compact as possible. I pulled all of the firewall policies out of \System.adm into a separate ADM that has all XP SP2 firewall policies exactly as they are in System.adm.

     

    Administrative template for XP SP2 firewall: http://rapidshare.de/files/39396328/firewallXPSP2.adm.html

    Tuesday, May 13, 2008 4:06 PM
  • Great, thanks a lot!
    Wednesday, May 14, 2008 10:16 AM
  • You could also consider putting it on codeplex as a project so that other people could add to it as needed.

    Kurt
    Friday, May 30, 2008 2:47 PM
    Moderator
  • I know this is an old post, but can we have new links for the above files? I had the very same problem: I tried to deploy and manage Forefront client in a small organization and had a simple .adm file which just can't do the work.
    Monday, March 30, 2009 12:53 PM
  • I have reposted my simple Forefront and stripped down XP SP2 firewall ADM files.

    Administrative template for Forefront: http://rapidshare.de/files/46707045/forefront.adm.html

    Just in case you're interested I was experimenting with making the GPO as compact as possible. I pulled all of the firewall policies out of \System.adm into a separate ADM that has all XP SP2 firewall policies exactly as they are in System.adm.

     Administrative template for XP SP2 firewall: http://rapidshare.de/files/46706901/firewallXPSP2.adm.html

    • Proposed as answer by lforbes Tuesday, April 14, 2009 6:53 PM
    Monday, April 13, 2009 7:52 PM
  • Thank you so much. We just purchased a site license for Forefront for our Organization. However, currently we are running a multiple domain environment and didn't want to have to purchase servers for each domain.

    This ADM may provide a solution for us.

    Is there any info on whether Stirling will allow client installs without the server component? We have the site license for Stirling.

    Thanks
    Lara
    lforbes
    Tuesday, April 14, 2009 7:02 PM
  • Has this administrative template been updated / is it still in use?  I see the links above are broken.  Thanks!
    Wednesday, July 22, 2009 5:10 PM
  • Hi,

    Here is the one above updated to include a lot more settings.

    http://www.sd61.bc.ca/windows2000/downloads/Forefront.adm.doc

    Cheers,
    Lara
    lforbes
    Wednesday, July 22, 2009 7:24 PM
  • Hi,

    I know this is an old thread. We have a site license for Forefront but haven't got our network setup yet to have the Server. Therefore we have installed it all in standalone mode.

    Using a collection of the other self-built ADMs out there we updated to create our own ADM. It works extremely well with Forefront in Standalone Mode. We have even added exclusions based on MS recommendations.

    We have both WSUS servers and just Windows Updates for the definitions. However, Microsoft Update (not Windows Update) has to be installed on all workstations not using the WSUS server.

    http://www.sd61.bc.ca/windows2000/downloads/Forefront.adm.doc

    Just save and remove the .doc extension. It is just text but on the server it doesn't autodownload with the .txt or the .adm extension.

    It has been tested with both Windows 2003-Windows 2008R2 on both servers and Windows XP workstations.
    lforbes
    Friday, February 05, 2010 6:32 PM
  • Thanks for this, I have looked at the ADM and got it working on my client.

    One of my concerns is that there are still settings within FCS on the client which can't be set using this ADM or the Forefront management console. For example, I wish to prevent IE settings from being monitored via Real-time protection. This is a setting on the client via the UI, but not available to be controlled via policy.

    It seems crazy that only a subset of the features can be controlled via policy - how are we supposed to secure our managed desktops without being able to enforce and control all of the settings.

    Does anyone share my points?

    Wednesday, February 10, 2010 10:15 AM
  • Actually the IE settings can be set via an .adm

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection]
    "AutoStartAgent"=dword:00000000
    "SystemConfigurationAgent"=dword:00000000
    "IEAddInsAgent"=dword:00000000
    "IEConfigurationAgent"=dword:00000000
    "IEDownloadsAndOutlookAttachmentsAgent"=dword:00000000
    "ServicesAndDriversAgent"=dword:00000000
    "ApplicationExecutionAgent"=dword:00000000
    "ApplicationRegistrationAgent"=dword:00000000
    "WindowsAddOnAgent"=dword:00000000
    "OnAccessAgent"=dword:00000000

    That's where they are if you uncheck them all in the GUI. If they are checked then the value would technically be 1; if you want them unchecked/disabled the value would be 0.

    If you were going to do it via ADM though preferably you would use the following location for them

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection]

    Which is under the Policies key which would roll off properly if you were to remove the GPO with the .adm settings in it.


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Wednesday, February 10, 2010 4:04 PM
    Moderator
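An ADM excerpt in the style of the home-brewed templates discussed in this thread, added here as an editor's illustration and not a file posted by any participant or supplied by Microsoft. It pulls together the points made above: every value is written under the \Policies branch so that settings lock the client UI and roll off with the GPO, policy names use the "Turn Off" wording, the QuickScanInterval spin box is capped at the 12 the client actually accepts, and the real-time agent values from the moderator's post are exposed as checkboxes. The FCS_* category and string identifiers are invented, and whether the client honours the agent values under \Policies is an assumption to verify on a test OU before wider deployment.

```adm
; Added example, not a file from the thread or from Microsoft: a minimal ADM
; excerpt built the way the posts above describe. Key and value names are the
; ones from the exports in this thread; category and string names are invented.
CLASS MACHINE

CATEGORY !!FCS_Cat
    ; Everything sits under the \Policies branch, so the values lock the client
    ; UI for local admins and are removed again ("roll off") when the GPO goes.
    KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM"
    POLICY !!FCS_LocalMerge
        EXPLAIN !!FCS_LocalMerge_Help
        VALUENAME "DisableLocalAdminMerge"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

    CATEGORY !!FCS_RTP_Cat
        KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection"
        ; "Turn Off" wording, as worked out earlier in the thread: Enabled means
        ; the protection is turned off, Disabled forces it on.
        POLICY !!FCS_RTP_AVOff
            EXPLAIN !!FCS_RTP_AVOff_Help
            VALUENAME "DisableAntiVirusRealtimeProtection"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END POLICY
        ; Per-agent checkboxes. Assumption: the client honours the agent values
        ; under \Policies, as the moderator recommends; verify on a test OU.
        POLICY !!FCS_RTP_Agents
            EXPLAIN !!FCS_RTP_Agents_Help
            PART !!FCS_Agent_IEConfig CHECKBOX DEFCHECKED
                VALUENAME "IEConfigurationAgent"
                VALUEON NUMERIC 1
                VALUEOFF NUMERIC 0
            END PART
            PART !!FCS_Agent_IEAddIns CHECKBOX DEFCHECKED
                VALUENAME "IEAddInsAgent"
                VALUEON NUMERIC 1
                VALUEOFF NUMERIC 0
            END PART
        END POLICY
    END CATEGORY

    CATEGORY !!FCS_Scan_Cat
        KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan"
        ; The reference says 1-24 hours, but the thread found anything above 12
        ; silently becomes 12, so the spin box is capped at the real maximum.
        POLICY !!FCS_QuickScan
            EXPLAIN !!FCS_QuickScan_Help
            PART !!FCS_QuickScan_Hours NUMERIC REQUIRED
                VALUENAME "QuickScanInterval"
                MIN 1 MAX 12 DEFAULT 12 SPIN 1
            END PART
        END POLICY
    END CATEGORY

    CATEGORY !!FCS_Sig_Cat
        KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates"
        POLICY !!FCS_SigInterval
            EXPLAIN !!FCS_SigInterval_Help
            PART !!FCS_SigInterval_Hours NUMERIC REQUIRED
                VALUENAME "SignatureUpdateInterval"
                MIN 1 MAX 24 DEFAULT 6 SPIN 1
            END PART
        END POLICY
    END CATEGORY
END CATEGORY

[strings]
FCS_Cat="Forefront Client Security (standalone)"
FCS_LocalMerge="Turn Off Locally Configured Exclusions"
FCS_LocalMerge_Help="Enabling this policy sets DisableLocalAdminMerge=1 so that exclusions added on the workstation are ignored. Disabling it sets 0. Not Configured removes the value."
FCS_RTP_Cat="Real-Time Protection"
FCS_RTP_AVOff="Turn Off Virus Real-time Protection"
FCS_RTP_AVOff_Help="Enabling this policy turns off virus real-time protection (DisableAntiVirusRealtimeProtection=1). Disabling it forces real-time protection on."
FCS_RTP_Agents="Configure Real-time Protection Agents"
FCS_RTP_Agents_Help="Checked agents are written as 1 (monitored), unchecked as 0. Disabling or not configuring the policy removes the values."
FCS_Agent_IEConfig="Monitor Internet Explorer configuration"
FCS_Agent_IEAddIns="Monitor Internet Explorer add-ins"
FCS_Scan_Cat="Scan"
FCS_QuickScan="Run Quick Scans Multiple Times a Day"
FCS_QuickScan_Help="Hours between quick scans (1-12). The client treats anything above 12 as 12. Disabling the policy removes the value."
FCS_QuickScan_Hours="Hours between quick scans:"
FCS_Sig_Cat="Signature Updates"
FCS_SigInterval="Check for Signature Updates on a Schedule"
FCS_SigInterval_Help="Hours between signature update checks (1-24). Disabling the policy removes the value and the client falls back to its own schedule."
FCS_SigInterval_Hours="Hours between update checks:"
```

Import it into a GPO linked to a test OU first and confirm in the client's Options page that the locked settings are greyed out, then unlink the GPO and check that the \Policies values disappear.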
  • This is not a MS ADM. It is a tech built one. You can customize it yourself by editing the ADM as someone has listed to include what you want. We have GP controlling IE so no need for that setting.
    lforbes
    Wednesday, February 10, 2010 4:08 PM
  • I have a similar issue and I really want to test this .adm file; however, I can't get to the webpage to download it.

    can someone help me!!

    Regards

    Himanshu

    Monday, March 24, 2014 3:52 PM