Next up in our registry key series: setting definition update keys via policy.

On the FCS TechNet library, the following registry key is described:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0

| Description | Registry Key | New value when deployed in policy | Default value when no policy deployed | Scan types affected |
| --- | --- | --- | --- | --- |
| Specifies the day and time that Client Security will update definitions | AM\Signature Updates\ScheduleDay | Never (0x8) | Every day (0x0) | Real-time scan, Scheduled scan |

There are additional settings that you can use to change the day and time at which definition updates are performed.

In addition to the values in the above table, ScheduleDay can be configured to use the following values:

  • Sunday (0x1)
  • Monday (0x2)
  • Tuesday (0x3)
  • Wednesday (0x4)
  • Thursday (0x5)
  • Friday (0x6)
  • Saturday (0x7)

You can control the value for the time at which definition updates are performed by adding the ScheduleTime registry key to the same location as ScheduleDay.

ScheduleTime should be configured with a DWORD value that represents 12:00 AM – 11:59 PM. The value entered is the number of minutes past midnight (in local time), so specifying 120 would result in a definition update attempt at 2:00 AM. The maximum value is 1439, which would be 11:59 PM.

You may (correctly) note that these keys take the same values as the values for Scan\ScheduleDay and Scan\ScheduleTime, as noted here.

ScheduleDay will already exist in the registry (FCS already publishes it and sets it to 0x8). Your ADM/.reg file will be changing this value, not adding the key. However, as in the first post of this series (http://blogs.technet.com/clientsecurity/archive/2010/01/29/scanning-removable-drives.aspx), you must use either an ADM file via Group Policy or a .reg file to add the ScheduleTime key.

For the ADM file, start Notepad, and then copy and paste the following text into the Notepad file:

CLASS MACHINE
CATEGORY !!FCSCategory
POLICY !!Schedule
KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates"
    EXPLAIN !!ScheduleDay_Explain
    PART !!ScheduleDay_Name DROPDOWNLIST REQUIRED
        VALUENAME ScheduleDay
        ITEMLIST
            NAME "Every Day"  VALUE NUMERIC 0 DEFAULT
            NAME "Sunday"     VALUE NUMERIC 1
            NAME "Monday"     VALUE NUMERIC 2
            NAME "Tuesday"    VALUE NUMERIC 3
            NAME "Wednesday"  VALUE NUMERIC 4
            NAME "Thursday"   VALUE NUMERIC 5
            NAME "Friday"     VALUE NUMERIC 6
            NAME "Saturday"   VALUE NUMERIC 7
        END ITEMLIST
    END PART
    PART !!ScheduleTime_Name DROPDOWNLIST REQUIRED NOSORT
        VALUENAME ScheduleTime
        ITEMLIST
            NAME "12:00am"   VALUE NUMERIC 0
            NAME "1:00am"   VALUE NUMERIC 60
            NAME "2:00am"   VALUE NUMERIC 120
            NAME "3:00am"   VALUE NUMERIC 180
            NAME "4:00am"   VALUE NUMERIC 240
            NAME "5:00am"   VALUE NUMERIC 300
            NAME "6:00am"   VALUE NUMERIC 360
            NAME "7:00am"   VALUE NUMERIC 420
            NAME "8:00am"   VALUE NUMERIC 480
            NAME "9:00am"   VALUE NUMERIC 540
            NAME "10:00am"  VALUE NUMERIC 600
            NAME "11:00am"  VALUE NUMERIC 660
            NAME "12:00pm"  VALUE NUMERIC 720
            NAME "1:00pm"   VALUE NUMERIC 780
            NAME "2:00pm"   VALUE NUMERIC 840
            NAME "3:00pm"   VALUE NUMERIC 900
            NAME "4:00pm"   VALUE NUMERIC 960
            NAME "5:00pm"   VALUE NUMERIC 1020
            NAME "6:00pm"   VALUE NUMERIC 1080
            NAME "7:00pm"   VALUE NUMERIC 1140
            NAME "8:00pm"   VALUE NUMERIC 1200
            NAME "9:00pm"   VALUE NUMERIC 1260
            NAME "10:00pm"  VALUE NUMERIC 1320
            NAME "11:00pm"  VALUE NUMERIC 1380
        END ITEMLIST
    END PART
END POLICY
END CATEGORY
[strings]
FCSCategory="Microsoft Forefront Client Security"
Schedule="Sets the time and date for definition updates for Client Security."
ScheduleDay_Name="Set the definition update day"
ScheduleDay_Explain="This setting sets the day of the week and the time of day when the FCS antimalware client will update definitions."
ScheduleTime_Name="Set the definition update time"

Save the file as an ADM file, making sure to choose All files *.* as the file type (the KB suggests saving it with the KB ID number – for this one, you could use FCSSchedule.ADM as the file name), and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.

If you want to deploy the ScheduleTime key via a .reg file, follow the steps described in Option 2 in the KB article, substituting the following registry information for step 4:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates]

"ScheduleTime"=dword:value

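A .reg file stores dword data as hexadecimal, while ScheduleTime is described above in decimal minutes, so 2:00 AM (120 minutes) has to be written as dword:00000078. The PowerShell below is an added example, not code from the original post or the KB article; it validates both values against the ranges given above and writes the file. The function name New-FcsScheduleReg and the output file name are assumptions.

```powershell
# Added example: hypothetical helper, not from the original post or the KB article.
function New-FcsScheduleReg {
    param(
        # 0x0 = every day, 0x1..0x7 = Sunday..Saturday, 0x8 = never
        [Parameter(Mandatory = $true)][ValidateRange(0, 8)][int]$ScheduleDay,
        # Minutes past local midnight; 1439 is 11:59 PM
        [Parameter(Mandatory = $true)][ValidateRange(0, 1439)][int]$ScheduleTime
    )
    $key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates'
    # dword data in a .reg file is eight hex digits, so 120 becomes 00000078.
    $lines = @(
        'Windows Registry Editor Version 5.00'
        ''
        "[$key]"
        ('"ScheduleDay"=dword:{0:x8}' -f $ScheduleDay)
        ('"ScheduleTime"=dword:{0:x8}' -f $ScheduleTime)
    )
    $lines -join "`r`n"
}

# Tuesday (0x3) at 2:00 AM (120 minutes past midnight); the file name is an assumption.
New-FcsScheduleReg -ScheduleDay 3 -ScheduleTime 120 |
    Set-Content -Path .\FCSSchedule.reg -Encoding Unicode
```
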
To confirm that your client has received and configured this policy, you can check in the Windows Task Scheduler.  On a Windows Vista or Windows 7 computer, start the Task Scheduler:

  1. Click Start, click All Programs, click Administrative Tools, and then click Task Scheduler
  2. Expand Task Scheduler Library, expand Microsoft, expand Microsoft Forefront, expand Client Security, expand Client, and then expand Antimalware
  3. On the View menu, click Show Hidden Tasks

If you have a client configured properly, you should see a scheduled task named MP Scheduled Signature Update set to the defined time.
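The same check can be run from PowerShell on the client. This is an added example, not code from the original post: it reads the two policy values, decodes them with the value lists above, and looks up the hidden task through the Task Scheduler COM interface. The function name and the task folder path (built from the tree in the steps above) are assumptions.

```powershell
# Added example, not code from the original post. Names marked "assumed" are illustrative.
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates'
$folder = '\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware'   # assumed from the steps above
$days   = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Never'

function Get-FcsUpdateSchedule {   # assumed helper name
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $day = $policy.ScheduleDay
    $min = $policy.ScheduleTime
    $notes = @()

    $dayText = 'not set'
    if ($day -ne $null) {
        $dayText = if ($day -ge 0 -and $day -le 8) { '{0} (0x{1:x})' -f $days[$day], $day } else { "invalid ($day)" }
        if ($day -eq 8) { $notes += 'ScheduleDay is still Never (0x8), the value FCS publishes' }
    }
    $timeText = 'not set'
    if ($min -ne $null) {
        # ScheduleTime is minutes past local midnight, valid range 0..1439.
        $timeText = if ($min -ge 0 -and $min -le 1439) { [datetime]::Today.AddMinutes($min).ToString('HH:mm') } else { "invalid ($min)" }
    } else { $notes += 'ScheduleTime has not been added' }

    $taskText = 'not registered'
    try {
        $svc = New-Object -ComObject Schedule.Service
        $svc.Connect()
        # Flag 1 is TASK_ENUM_HIDDEN: include hidden tasks, like View > Show Hidden Tasks.
        $task = $svc.GetFolder($folder).GetTasks(1) | Where-Object { $_.Name -eq 'MP Scheduled Signature Update' }
        if ($task) { $taskText = 'next run {0:yyyy-MM-dd HH:mm}' -f $task.NextRunTime }
    } catch { $taskText = "lookup failed: $($_.Exception.Message)" }

    New-Object PSObject -Property @{ ScheduleDay = $dayText; ScheduleTime = $timeText; Task = $taskText; Notes = ($notes -join '; ') }
}

Get-FcsUpdateSchedule | Format-List
```

Compare the ScheduleTime line with the time of day in the Task line; a ScheduleDay that still reads Never (0x8) means the policy change has not reached the client.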