Description of the Windows Defender Group Policy administrative template settings

Article ID: 927367

INTRODUCTION

You can use the Windowsdefender.adm Group Policy template file to control the policy settings for Windows Defender when Windows Defender is installed on a computer that is running Microsoft Windows XP or a later operating system.

By default, the installation location of Windows Defender is the C:\Program Files\Windows Defender folder. The Group Policy administrative template file is put in the Windows Defender folder when you install Windows Defender. The file name of the Group Policy administrative template is Windowsdefender.adm. In Windows XP, the Windowsdefender.adm file is in the C:\Windows\inf folder. In Windows Vista, the Windowsdefender.adm file is in the C:\Windows\PolicyDefinitions folder.

MORE INFORMATION

You can use the Windowsdefender.adm template file to control the following policy settings for Windows Defender:
  • Policy setting: Turn off Windows Defender
    Registry key name:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
    Policy description: Turns off Windows Defender Real-Time Protection. No more scans are scheduled.

    If you enable this policy setting, Windows Defender does not run. Computers are not scanned for spyware or other potentially unwanted software. If you disable or do not configure this policy setting, Windows Defender runs, and computers are scanned for spyware and other potentially unwanted software.
  • Policy setting: Turn off Real-Time Protection Prompts for Unknown Detection
    Registry key name:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\EnableUnknownPrompts
    Policy description: Turns off Real-Time Protection prompts for unknown detection.

    If you enable this setting, Windows Defender prompts users to allow or block unknown activity on the computer. If you disable or do not configure this policy setting, Windows Defender does not prompt users to allow or block unknown activity.
  • Policy setting: Check for New Signatures Before Scheduled Scans
    Registry key name:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan\CheckForSignaturesBeforeRunningScan
    Policy description: Checks for new signatures before scheduled scans run.

    If you enable this policy setting, Windows Defender checks for new signatures before a scheduled scan runs. If you disable or do not configure this policy setting, Windows Defender does not check for new signatures before a scheduled scan runs.
  • Policy setting: Download Entire Signature Set
    Registry key name:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates\ForceFullUpdate
    Policy description: Downloads the full signature set instead of only the signatures that have been updated since the last signature download. Downloading the full signature set may help troubleshoot problems with signature installations. However, the download may take longer to finish because the full signature set is larger than the new signature set.

    If you enable this policy setting, the full signature set is downloaded. If you disable or do not configure this policy setting, only updated signatures are downloaded.
  • Policy setting: Enable Logging Known Good Detections
    Registry key name:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting\DisableLoggingForKnownGood
    Policy description: Enables logging detection data during Real-time Protection when Windows Defender detects known good files. Logging detection data gives you detailed information about the programs that run on the computers that you monitor.

    If you enable this policy setting, known good files are logged. If you disable or do not configure this policy setting, known good files are not logged.

    Note Enabling this policy setting may result in more events in the log.
  • Policy setting: Enable Logging Unknown Detections
    Registry key name:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting\DisableLoggingForUnknown
    Policy description: Enables logging detections during Real-time Protection when Windows Defender detects unknown files. Logging detections gives you detailed information about the programs that run on the computers that you monitor.

    If you enable or do not configure this policy setting, unknown files are logged. If you disable this policy setting, unknown files are not logged.

    Note Enabling this policy setting may result in more events in the log.
  • Policy setting: Configure Microsoft SpyNet Reporting
    Registry key name:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpyNetReporting
    Policy description: Adjusts membership in Microsoft SpyNet.

    Microsoft SpyNet is the online community that helps you decide how to respond to potential spyware threats. The community also helps stop the spread of new spyware infections.

    When Windows Defender detects software or changes by software that is not yet classified for risks, you see how other members have responded to the alert. In turn, the other members see how you respond to the alert. The actions that you apply help other members decide how to respond. Your actions also help Microsoft determine which software to investigate for potential threats. You can decide to send basic information or additional information about detected software. Additional information helps improve how Windows Defender works. For example, additional information may include the location of detected items on the computer if Windows Defender removed harmful software. Windows Defender automatically collects and sends this information.

    If you enable this policy setting and select No Membership from the list, SpyNet membership is disabled. No information is sent to Microsoft. You are not alerted if Windows Defender detects unclassified software running on the computer. Local users cannot change their SpyNet memberships.

    If you enable this policy setting and select Basic from the list, SpyNet membership is set to Basic. Basic information about the detected items and the actions you apply is shared with the online community. You are not alerted if Windows Defender detects software that has not yet been classified for risks.

    If you enable this policy setting and select Advanced from the list, SpyNet membership is set to Advanced. You send your choices and additional information about detected items. You are alerted when Windows Defender detects changes to the computer by unclassified software. Your decisions to allow or block changes help Microsoft create new definitions for Windows Defender. Your decisions also help Microsoft better detect harmful software. In some instances, personal information may be sent to Microsoft, but no information is used to contact you.

    If you disable or do not configure this policy setting, SpyNet membership is disabled. No information is sent to Microsoft. You are not alerted if Windows Defender detects unclassified software running on the computer. Local users can still change their SpyNet memberships.
  • Policy setting: Turn on definition updates through both WSUS and Windows
    Registry key name:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates\CheckAlternateDownloadLocation
    Policy description: This policy setting lets you configure Windows Defender to use Windows Update to obtain definition updates when a locally managed Windows Server Update Services (WSUS) server is unavailable.

    Windows Defender uses the Automatic Updates client to check for definition updates. You can configure the Automatic Updates client to connect to the Windows Update Web site or to a locally managed WSUS server. When a computer cannot connect to an internal WSUS server, you can configure Windows Defender to use Windows Update to help make sure that definition updates are delivered to these computers. For example, a portable computer that is roaming outside the corporate network could benefit from this configuration.

    If you enable or do not configure this policy setting, Windows Defender connects to Windows Update for definition updates if connections to a locally managed WSUS server fail.

    If you disable this policy setting, Windows Defender checks for definition updates only on a locally managed WSUS server. However, you must configure the Automatic Updates client to use a managed WSUS server. Otherwise, the Automatic Updates client uses the Windows Update Web site.
Notes
  • Windows Defender prevents any direct administrative edit of these settings. Therefore, the Windows Defender configuration registry settings do not appear in this article.
  • The description of the Turn off Real-Time Protection Prompts for Unknown Detection policy setting in the Windowsdefender.adm template file is incorrect. The corrected description appears in this article.
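The following PowerShell audit is an added example, not part of the original article or of Windowsdefender.adm. It reports which of the policy values listed above are present on a computer. It assumes that the last segment of each listed registry path is the value name and the rest is the key, and it shows the value data raw because the article does not document the data for each state.

```powershell
# Added example: report which Windowsdefender.adm policy values are configured.
# Assumption: last path segment in the article = value name, remainder = key.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

$Policies = @(
    @{ Name = 'Turn off Windows Defender'; SubKey = ''; Value = 'DisableAntiSpyware' }
    @{ Name = 'Turn off Real-Time Protection Prompts for Unknown Detection'; SubKey = 'Real-Time Protection'; Value = 'EnableUnknownPrompts' }
    @{ Name = 'Check for New Signatures Before Scheduled Scans'; SubKey = 'Scan'; Value = 'CheckForSignaturesBeforeRunningScan' }
    @{ Name = 'Download Entire Signature Set'; SubKey = 'Signature Updates'; Value = 'ForceFullUpdate' }
    @{ Name = 'Enable Logging Known Good Detections'; SubKey = 'Reporting'; Value = 'DisableLoggingForKnownGood' }
    @{ Name = 'Enable Logging Unknown Detections'; SubKey = 'Reporting'; Value = 'DisableLoggingForUnknown' }
    @{ Name = 'Configure Microsoft SpyNet Reporting'; SubKey = 'SpyNet'; Value = 'SpyNetReporting' }
    @{ Name = 'Turn on definition updates through both WSUS and Windows'; SubKey = 'Signature Updates'; Value = 'CheckAlternateDownloadLocation' }
)

function Get-DefenderPolicyState {
    param([string]$Root = $PolicyRoot)

    foreach ($p in $Policies) {
        $key   = if ($p.SubKey) { Join-Path $Root $p.SubKey } else { $Root }
        $state = 'Not configured'   # an absent value means no policy is applied
        $data  = $null

        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key -Name $p.Value -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $state = 'Configured'
                $data  = $item.($p.Value)   # raw data, not interpreted
            }
        }

        [pscustomobject]@{ Policy = $p.Name; Value = $p.Value; State = $state; Data = $data }
    }
}

$report = Get-DefenderPolicyState
$report | Format-Table -AutoSize -Wrap

# "Turn off Windows Defender" stops scanning entirely, so surface it for review.
$report | Where-Object { $_.Value -eq 'DisableAntiSpyware' -and $_.State -eq 'Configured' } |
    ForEach-Object { Write-Warning "DisableAntiSpyware is set (data: $($_.Data)). Confirm that an intended GPO applies it." }
```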
For more information about how to manage Group Policy administrative template (.adm) files, click the following article number to view the article in the Microsoft Knowledge Base:
816662 Recommendations for managing Group Policy administrative template (.adm) files
For more information about how to use the Group Policy Object Editor to manage local computer policy in Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:
307882 How to use the Group Policy Editor to manage local computer policy in Windows XP

Properties

Article ID: 927367 - Last Review: September 28, 2011 - Revision: 4.0
APPLIES TO
  • Windows Defender
Keywords: 
kbpolicy kbadmin kbexpertiseadvanced kbhowto kbinfo KB927367
