FYI: Defender GPO description is wrong RRS feed

  • Question

  • Hey all,

    Since there is not (to my knowledge) a separate forum for Windows Defender, and that product has recently caused major issues with FSLogix, I wanted to make you all aware of an inconsistency I discovered with the Defender GPO/Intune/Registry configuration that can cause major issues-- and in our case, broke a few of our applications completely until we stumbled upon the truth.

    By default, Windows Defender scans network files. This directly contradicts the description of the GPO setting "Scan network files" and Microsoft's documentation. That GPO and related documentation clearly state "If you disable or do not configure this setting, network files will not be scanned". This is incorrect. By default, not configuring that setting causes Defender to scan network locations. If you set that setting to Disabled, it sets the DWORD "DisableScanningNetworkFiles" under HKLM\Software\Policies\Microsoft\Windows Defender\Scan to the value 1, which stops Defender from scanning network locations. Even Intune Defender settings have a similar issue; there, you can only set network file scanning to "Enabled" or "Not Configured", both of which allow it.

    Hopefully this will save others some time, as we spent many hours troubleshooting application issues caused by Defender touching network files as they're opened by default, contrary to Microsoft's own documentation. With how heavily FSLogix and other VDI components rely on constant read/writes to/from network locations, I strongly suggest setting this GPO setting to "Disabled", ignoring Microsoft's contradictory GPO description entirely.

    • Edited by galperinm Tuesday, December 3, 2019 4:14 PM
    Tuesday, December 3, 2019 3:43 PM

All replies

  • Thank you for this info Galperinm, we are using FsLogix with RDSH. We were badly affected by the duff Windows Defender Definition update that happened on 22/11. We are also seeing "A timeout (30000 milliseconds) was reached while waiting for a transaction response from the frxsvc service"  messages in event log.  Since I have seen your message I am also wondering Windows defender causing this issue.  Only worry I have for setting this GPO is, users accessing files on network storage may not be scanned.  Then again we have Windows Defender enabled on File servers.  I have now setup this policy on our RDSH server and monitoring for any issues. 

    It will be nice to hear from anyone else experiencing the similar issues.

    Many thanks


    Wednesday, December 4, 2019 8:55 AM