Windows Defender: Part Two of Two

It has been a while since my last blog. I figure after shipping Windows Vista, a week of vacation, and two winter snowstorms that I should get back to updating the blog. So, lets wrap up the four remaining computer policy settings for Windows Defender.

Two of the remaining four policy settings allow you to enable or disable logging when using real-time protection. The Enable logging known Good Detections  policy settings forces Windows Defender to write detailed information about applications it detects as known “good” applications to the event log. The Enable logging Unknown Detection policy settings forces Windows Defender to write detailed information about applications it detects as “unknown” to the event log. Both of these policy settings, when enabled, write information to the event log. When disabled, the do not. Also, enabling either of these policy settings can increases the size of and number of events appear in your event log. Make sure your event log configuration can accommodate the additional activity.

The next policy setting, titled Download Entire Signature Set, forces Windows Defender to download the entire signature set, rather than downloading an update. Updated signature sets are much smaller than the entire signature sets. The smaller size results in a faster download of the signature set. However, at times, downloading the entire signature set (which is larger and takes longer to download), can resolve issues with signature installations. By default, Windows Defender downloads updated signatures unless you enable this policy setting.

The last policy setting, Configured Microsoft SpyNet Reporting, allows you to configure Microsoft SpyNet reporting. Microsoft SpyNet is an online network that helps you respond to potential spyware threats.

When Windows Defender detects software or changes by software not yet classified for risks, you see how other members responded to the alert. In turn, the actions you apply help other members choose how to respond. Your actions also help Microsoft choose which software to investigate for potential threats. You can choose to send basic or additional information about detected software. Additional information helps improve how Windows Defender works. It can include, for example, the location of detected items on your computer if harmful software has been removed. Windows Defender will automatically collect and send the information (borrowed from the explain text).

By Default, membership to Microsoft SpyNet is disabled. However, once you enable this policy settings you have two three choices:

No Membership—forces the “No Membership” settings to all computers that receive the policy setting. Computers do not send any information to Microsoft and users are not warned if Windows Defender detects unclassified applications.

Basic—forces the “Basic” setting to all computer that received the policy setting. Computers send basic information about the detect items and actions you apply to each warning. This information is shared with the SpyNet community. Users are not alerted when Windows Defender detects unclassified software.

Advance—forces the “Advance” setting to all computers that receive the policy setting. Computers send additional information about your choices and the detected items to the SpyNet community. Users are alerted and must choose either “allow” or “block” actions when Windows Defender detects unclassified software.

That wraps up Windows Defender. Also, it concludes my introduction of new Group Policy settings included with Windows Vista. I hope that, after the many weeks of blogging, you can see how much more you can do with Group Policy and Windows Vista.


Mike Stephens, Technical Writer, Group Policy