If users are allowed to configure real-time protection settings, can a user disable it? If a user can disable it, will it re-enable after a certain amount of time has passed?
Thanks
Hi I AM Sir Ask Alot,
If you allow the users to configure real-time settings, then no; once disabled, it will stay disabled until you either change the policy or the user enables it themselves.
Instead of configuring the "allow users on client computers to configure real-time protection settings" in SCEP policy, you could try setting the corresponding registry keys directly via compliance settings. The settings are in
HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection
LocalSettingOverrideDisableBehaviorMonitoring
LocalSettingOverrideDisableIntrusionPreventionSystem
LocalSettingOverrideDisableOAVProtection
LocalSettingOverrideDisableOnAccessProtection
LocalSettingOverrideDisableRealTimeMonitoring
LocalSettingOverrideDisableScriptScanning
LocalSettingOverrideDisableRealTimeScanDirection
(all are REG_DWORD type)
Set LocalSettingOverrideDisableRealTimeMonitoring to 0 and the rest to 1. The result is that the parent setting for "Turn on real-time protection" is enabled and grayed out in the GUI, but the child settings can still be configured individually.
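The check below is an added example, not code from this thread or from Microsoft: a discovery script that could back a script-based compliance setting for the values listed above, reporting any value that is missing or differs from the described state at each evaluation. The function names are hypothetical, and it assumes the compliance rule expects the string "Compliant".

```powershell
# Added example (not from the thread): discovery script for a script-based compliance setting.
# Key path and value names are the ones listed in the post above.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection'

# Desired state from the post: RealTimeMonitoring override = 0, all other overrides = 1.
$Desired = [ordered]@{
    LocalSettingOverrideDisableRealTimeMonitoring        = 0
    LocalSettingOverrideDisableBehaviorMonitoring        = 1
    LocalSettingOverrideDisableIntrusionPreventionSystem = 1
    LocalSettingOverrideDisableOAVProtection             = 1
    LocalSettingOverrideDisableOnAccessProtection        = 1
    LocalSettingOverrideDisableScriptScanning            = 1
    LocalSettingOverrideDisableRealTimeScanDirection     = 1
}

# Hypothetical helper: read the named REG_DWORD values; absent values are simply left out.
function Get-OverrideState {
    param([string]$Path, [string[]]$Names)
    $state = @{}
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $state }
    foreach ($n in $Names) {
        $p = $props.PSObject.Properties[$n]
        if ($null -ne $p) { $state[$n] = [int]$p.Value }
    }
    return $state
}

# Hypothetical helper: list every value that is missing or differs from the desired state.
function Compare-OverrideState {
    param([hashtable]$Actual, [System.Collections.IDictionary]$Desired)
    foreach ($name in $Desired.Keys) {
        if (-not $Actual.ContainsKey($name)) {
            "$name missing (want $($Desired[$name]))"
        } elseif ($Actual[$name] -ne $Desired[$name]) {
            "$name=$($Actual[$name]) (want $($Desired[$name]))"
        }
    }
}

$actual = Get-OverrideState -Path $KeyPath -Names @($Desired.Keys)
$drift  = @(Compare-OverrideState -Actual $actual -Desired $Desired)

# The compliance rule (assumed) compares this output to the string "Compliant".
if ($drift.Count -eq 0) { 'Compliant' } else { 'NonCompliant: ' + ($drift -join '; ') }
```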
Hi Kevin, have you tested that process? Just curious if those registry keys will get overwritten during the next SCEP policy evaluation? I haven't ever directly edited those keys, but I know in many cases, editing the SCCM registry directly just gets overwritten to the correct settings defined in policy.
Thanks!
Great, thanks guys.
I appreciate it