Client Policy Settings
- Hello everyone, thanks in advance for any help on this. I feel like I'm missing something obvious here, but I'm not sure exactly what. We are running Forefront client security 2007 with both admin computers and locked down computers.
I found this document detailing how the policy setup works. http://technet.microsoft.com/en-us/library/bb418862.aspx
I have the following, nondefault settings in the policy...
On the Protection tab, Run a scan every day at 2:00 pm with a quickscan
On the Advanced tab, Check for updates at an interval of 1 hour
On the Advanced tab, Users can view all Client Security...
On the Advanced tab, Only administrators can change Client...
(Adding exclusions and prompting for unclassified software are both unchecked)
Now, this is what I'm seeing: on the Protection tab of the policy, if you only set both Malware protection settings to On, client options will be greyed out but visible to admins. I see the custom settings above. With users, I am not able to view the options or run a manual scan, but the custom settings are in effect. (auto scan ran at the non default time)
In the protection tab, if you set both Malware protection settings to User Controlled, both admins and users can view and change the client options. However, the nondefault settings that I applied earlier had been reset to the default values.
It would be preferable to have users open the client and see the custom settings but not be able to modify them. Also the user ability to run manual scans would be helpful. In addition, administrators should be able to open the client and have the custom settings but be able to modify them if needed. Is this a possible configuration for a policy file?
Sorry, this seems like a lot of info in this post, hopefully it's clear. If anyone has any questions to clarify the issue please ask. Thanks again for any help on this.
Mike
All replies
Hi,
Thank you for the post.
As far as I know, when enabling malware protection, you have two choices. You can either enforce virus or spyware protection for all client computers to which you deploy the policy that you are creating or editing, or you can allow users to control the use of virus or spyware protection. When both types of protection are set to User controlled, none of these settings are available and users can control settings in the Client Security agent UI. And if you want to control the end-user experience, please refer to the following article.
http://technet.microsoft.com/en-us/library/bb418862.aspx
Regards,
Nick Gu - MSFT
- Proposed as answer by Nick Gu - MSFT (MSFT, Moderator), November 25, 2009 8:43
- Thanks Nick, much appreciated, so what would you do if the helpdesk wanted to run a scan at a non scheduled time on a locked down computer?
I guess the computer could be moved to an OU that is not locked down, then force a gpupdate, but it seems like a lot to just run a scan.
Thanks again
Mike
- Hey Mike,
I may be missing what you are trying to do, but will running a scan from the FCS Dashboard do what you need?
(You can scan a specific computer that way)
- Thanks for the reply Eddie, yeah we have thought about that, but our service desk guys don't access that server. I guess if that's the option, which it sounds like it might be, that's what we can do.
Thanks again
Mike