Next up in our registry key series: setting definition update keys via policy.
On the FCS TechNet library, the following registry key is described:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0
|Description||Registry Key||New value when deployed in policy||Default value when no policy deployed||Scan types effected|
|Specifies the day and time that Client Security will update definitions||AM\Signature Updates\ScheduleDay||Never (0x8)||Every day (0x0)||Real-time scan, Scheduled scan|
There are additional settings that you can use to change the day and time at which definition updates are performed.
In addition to the values in the above table, ScheduleDay can be configured to use the following values:
- Sunday (0x1)
- Monday (0x2)
- Tuesday (0x3)
- Wednesday (0x4)
- Thursday (0x5)
- Friday (0x6)
- Saturday (0x7)
You can control the value for the time at which definition updates are performed by adding the ScheduleTime registry key to the same location as ScheduleDay.
ScheduleTime should be configured with a DWORD value that represents 12:00 AM – 11:59 PM. The value entered is the number of minutes past midnight (in local time), so specifying 120 would result in a definition update attempt at 2:00 AM. The maximum value is 1439, which would be 11:59 PM.
You may (correctly) note that these keys take the same values as the values for Scan\ScheduleDay and Scan\ScheduleTime, as noted here.
ScheduleDay will already exist in the registry (FCS already publishes it and sets it to 0x8). Your ADM/.reg file will be changing this value, not adding the key. However, as in the first post of this series (http://blogs.technet.com/clientsecurity/archive/2010/01/29/scanning-removable-drives.aspx), you must use either an ADM file via Group Policy or a .reg file to add the ScheduleTime key.
For the ADM file, start Notepad, and then copy and paste the following text into the Notepad file:
KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates"
PART !!ScheduleDay_Name DROPDOWNLIST REQUIRED
NAME "Every Day" VALUE NUMERIC 0 DEFAULT
NAME "Sunday" VALUE NUMERIC 1
NAME "Monday" VALUE NUMERIC 2
NAME "Tuesday" VALUE NUMERIC 3
NAME "Wednesday" VALUE NUMERIC 4
NAME "Thursday" VALUE NUMERIC 5
NAME "Friday" VALUE NUMERIC 6
NAME "Saturday" VALUE NUMERIC 7
PART !!ScheduleTime_Name DROPDOWNLIST REQUIRED NOSORT
NAME "12:00am" VALUE NUMERIC 0
NAME "1:00am" VALUE NUMERIC 60
NAME "2:00am" VALUE NUMERIC 120
NAME "3:00am" VALUE NUMERIC 180
NAME "4:00am" VALUE NUMERIC 240
NAME "5:00am" VALUE NUMERIC 300
NAME "6:00am" VALUE NUMERIC 360
NAME "7:00am" VALUE NUMERIC 420
NAME "8:00am" VALUE NUMERIC 480
NAME "9:00am" VALUE NUMERIC 540
NAME "10:00am" VALUE NUMERIC 600
NAME "11:00am" VALUE NUMERIC 660
NAME "12:00pm" VALUE NUMERIC 720
NAME "1:00pm" VALUE NUMERIC 780
NAME "2:00pm" VALUE NUMERIC 840
NAME "3:00pm" VALUE NUMERIC 900
NAME "4:00pm" VALUE NUMERIC 960
NAME "5:00pm" VALUE NUMERIC 1020
NAME "6:00pm" VALUE NUMERIC 1080
NAME "7:00pm" VALUE NUMERIC 1140
NAME "8:00pm" VALUE NUMERIC 1200
NAME "9:00pm" VALUE NUMERIC 1260
NAME "10:00pm" VALUE NUMERIC 1320
NAME "11:00pm" VALUE NUMERIC 1380
FCSCategory="Microsoft Forefront Client Security"
Schedule="Sets the time and date for definition updates for Client Security."
ScheduleDay_Name="Set the definition update day"
ScheduleDay_Explain="This setting sets the day of the week and the time of day when the FCS antimalware client will update definitions."
ScheduleTime_Name="Set the definition update time"
Save the file as an ADM file, making sure to choose All files *.* as the file type (the KB suggests saving it with the KB ID number – for this one, you could use FCSSchedule.ADM as the file name), and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.
If you want to deploy the Schedule Time key via a .reg file, follow the steps described in Option 2 in the KB article, substituting the following registry information for step 4:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates]
To confirm that your client has received and configured this policy, you can check in the Windows Task Scheduler. On a Windows Vista or Windows 7 computer, start the Task Scheduler:
- Click Start, click All Programs, click Administrative Tools, and then click Task Scheduler.
- Expand Task Scheduler Library, expand Microsoft, expand Microsoft Forefront, expand Client Security, expand Client, and then expand Antimalware.
- On the View menu, click Show Hidden Tasks.
If you have a client configured properly, you should see a scheduled task named MP Scheduled Signature Update set to the defined time: