Rolling out Microsoft Forefront Client Security via Group Policy

26 Jul

This is a quick guide on how to roll out MFCS to your machines via Group Policy, and also how to change and lock down the registry settings via GP.

From your copy of MFCS, extract all the files from the zip and then copy both the 32-bit and the 64-bit version of the file MP_AMBITS.MSI to your installs directory on the network.

I created 2 GPOs, one for the 32-bit version and one for the 64-bit. Within each of these I added the relevant software MSI package, and for each I used the WMI settings so that it only applied to the relevant computers.

There’s a nice little guide on creating WMI filters here.

Basically, in GPMC look under DOMAIN \ WMI Filters and create 2 new filters. I called them ’32 bit Machines’ and ’64 bit Machines’. The queries for these 2 objects are:

Operating System 32-bit
Select * from Win32_Processor where AddressWidth = '32'

Operating System 64-bit
Select * from Win32_Processor where AddressWidth = '64'

That was the software rollout taken care of; next was to create the registry entries so it worked the way I wanted it to. There is very little to change, but I wanted each machine to:

  • Run its own full scan at 3am daily
  • Check for updates before the scan ran
  • Use the severity action levels I set
  • Not allow users to make changes to these settings (this still allows users to see all the options, but the save option will be disabled)
  • The rest of the settings I was happy to leave as default

I created a separate GPO just for the registry settings; these can be found in the GPO under:

Computer Configuration > Preferences > Windows Settings > Registry

The registry entries themselves can be found under:

HKLM > Software > Microsoft > Microsoft Forefront > Client Security > 1.0 > AM

So, in the new GPO I added:

  • Scan \ ScanParameters : 2
  • Scan \ ScheduleTime : 180
  • Scan \ ScheduleDay : 0
  • Scan \ CheckForSignatureBeforeScan : 1
  • Threats \ ThreatSeverityDefaultAction\1 : 2
  • Threats \ ThreatSeverityDefaultAction\2 : 2
  • Threats \ ThreatSeverityDefaultAction\4 : 3
  • UX Configuration \ AllowNonAdminFunctionality : 0

Details on the Forefront registry values can be found here.

That’s it. All there is left to do is roll it out.
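As an added example that is not part of the original post, here is a PowerShell check to run on a client after the GPOs have applied: it evaluates the two WMI filter queries locally and compares the registry values under the AM key against the ones listed above. It assumes the `ThreatSeverityDefaultAction\1`, `\2` and `\4` entries are values named 1, 2 and 4 under that key, that all entries are DWORDs, and that PowerShell 3 or later is available for `Get-CimInstance`.

```powershell
# Added compliance check (not from the original post). Read-only: it never writes to the registry.
# Assumption: "Threats \ ThreatSeverityDefaultAction\1 : 2" means a value named "1" under the
# key Threats\ThreatSeverityDefaultAction, and every entry is a DWORD.

$base = 'HKLM:\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM'

# The same WQL the two GPO WMI filters use, evaluated on this computer.
foreach ($width in 32, 64) {
    $hit = Get-CimInstance -Query "Select * from Win32_Processor where AddressWidth = '$width'"
    $state = if ($hit) { 'MATCHES' } else { 'does not match' }
    "WMI filter '$width bit Machines' $state this computer"
}

# Expected values, exactly as set in the registry-settings GPO.
$expected = @{
    'Scan'                                = @{ ScanParameters = 2; ScheduleTime = 180; ScheduleDay = 0; CheckForSignatureBeforeScan = 1 }
    'Threats\ThreatSeverityDefaultAction' = @{ '1' = 2; '2' = 2; '4' = 3 }
    'UX Configuration'                    = @{ AllowNonAdminFunctionality = 0 }
}

$problems = 0
foreach ($subKey in $expected.Keys) {
    $path = Join-Path $base $subKey
    if (-not (Test-Path $path)) {
        Write-Warning "Missing key: $path"
        $problems += $expected[$subKey].Count
        continue
    }
    $actual = Get-ItemProperty -Path $path
    foreach ($name in $expected[$subKey].Keys) {
        $want = $expected[$subKey][$name]
        $have = $actual.$name            # $null when the value has not been created
        if ($have -ne $want) {
            Write-Warning "$subKey\$name is '$have', expected $want"
            $problems++
        } else {
            "$subKey\$name = $want  OK"
        }
    }
}

if ($problems -eq 0) { 'All Forefront settings match the GPO.' }
else { "$problems setting(s) differ; check gpresult /r and the GPP registry items." }
exit $problems
```

A non-zero exit code means at least one value is missing or differs, which is usually a sign the preferences GPO has not applied to that machine yet.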

PS – The Forefront Client Security Deployment tool I found when initially exploring this topic can be found here. I never used it in the end but it might be of use to you.