Defender and "AllowNonAdminFunctionality" setting

[Guest]

I'm testing the rollout of Windows Defender via GPO as well as testing some
registry settings that will be pushed to clients via PolicyMaker's Registry
Extension.

I was playing around with the "AllowNonAdminFunctionality" setting in the
registry to see how much it would lock down Defender for my clients. I
noticed that when I turn it on, the client is not even allowed to open up the
GUI for Defender to change things. This is acceptable although I hope more
flexible in Vista.

The question is this: what about when I want to check things on the client's
machine to see histories, check settings (to make sure they're applied), etc?
I've tried to "Run As" the local administrator, the domain administrator, and
myself (a Domain Admin). In all cases, a popup states that "Application
failed to initialize: 0x80070005. Access is Denied." My thought would be that
if I have this setting turned on then "administrators" would be able to
access the GUI, but I guess that's not how it works. Is there something I'm
missing here? Does the Defender service look at the user logged in and not
even check who's trying to run the GUI?

Thanks!

 

[Guest]

Hello WPBCIT,

See if you can aplly the solution in this KB
http://support.microsoft.com/kb/904423/en-us

I hope this post is helpful.

Let us know how it works ºut.

Еиçеl

 

[Guest]

This fix requires a contact to Microsoft for the hotfix. I'll look into it
and see what comes of it.

Thanks,
Robert

 

[Guest]

I installed and tested that hotfix referred to by that KB article. It did not
work. Thanks for the try.

Anybody else got any ideas? I'm starting to think it may just be how
Defender is written instead of a bug.

Robert

 

[Bill Sanderson MVP]

I've not tested the setting you speak of, which I believe is exposed in the
GUI at Tools, Options, scroll all the way down to near the bottom. The
explanation there of the setting, and what you may find in Help is all that
I know about it, I'm afraid.

What I can tell you is that Defender is explicitly not designed for your
intended use, and that you would be far better off with a malware protection
product which is explicitly designed for managed deployment and centralized
reporting and control--Microsoft Forefront Client Protection.

http://www.microsoft.com/forefront/clientsecurity/default.mspx

That said, I've no idea the size of your operation, nor what Forefront will
cost. I can say that it is now in public beta.

I've looked at the article cited by Engel, and I don't see any relevance,
I'm afraid.
--

 

[Guest]

I appreciate your comments.

However, I'm the IT Director for my church and as a non-profit organization
we're on a pretty limited budget. I'm always looking for free or reduced cost
software that will suit our needs. I know Defender is not made for what I'm
trying to get it to do, but I'm always trying to find creative ways to save
us a few dollars here. It's about the best option I have at this point. We
can't use Spybot S&D because it costs money even for non-profits (although
they give a good 50% discount). Defender on the other hand is free AND can
receive updates via my WSUS server. That alone is huge for me.

Thanks for your time. Again, I appreciate it.

 

[Bill Sanderson MVP]

I have got a client office which runs as non-admins and I can look at how
this setting works for them. Catch is that I don't know their client
passwords, and I'm the admin--so I'll have to connect in via Remote Desktop,
create a non-admin account, and do some testing to see how this works. I'd
like to do this, 'cause I have seen some posts here indicating that folks
feel this setting doesn't work as expected--but I'm not sure I'll manage to
find the time. I work in a not too different environment from yours--mostly
small non-profit organizations, and the one I work for most of the time is
church-related.

--