Configuring Windows File Protection Using Group Policy

If you’re running Windows XP Professional, a few different WFP-related settings can be configured using the Group Policy MMC. To access this tool, open the Run command, type gpedit.msc, and click OK. WFP settings are found under Computer Configuration > Administrative Templates > System > Windows File Protection.

The four main configurable settings found in this section include:

Set Windows File Protection scanning – allows you to control whether system file scanning will occur during startup.

Hide the file scan progress window – controls whether the scan progress window appears when commands like sfc /scannow are issued.

Limit Windows File Protection cache size – allows you to set a maximum size, in MB, for the dllcache folder. This policy configures the same setting as the sfc /cachesize command.

Specify the Windows File Protection cache location – allows you to control the location of the folder where system files are cached, which is %systemroot%\system32\dllcache by default. This method of changing the setting is recommended over editing the Registry directly.

In a similar manner, driver signing options can also be configured from the Group Policy MMC. The relevant setting is found under Computer Configuration > Windows Settings > Local Policies > Security Options. Change the Devices: Unsigned driver installation behavior setting to configure your system to Ignore, Warn, or Block when installation of an unsigned driver is attempted.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.