Merging Endpoint Protection Policies in ConfigMgr 2012

This week I want to devote a small post to merging Endpoint Protection policies in ConfigMgr 2012 SP1 (which is currently still in beta). Since ConfigMgr 2012 SP1 there are two different ways of merging Endpoint Protection policies. In short, we can define two sides:

  • Server-side merge – On the server side there is now a console option to merge multiple policies into one policy. In this case, when two settings conflict, the most secure setting is applied. Settings like exclusion lists are really merged together.
  • Client-side merge – On the client side there is now the automatic behavior of merging multiple policies into the client settings. In this case, when two settings conflict, the highest priority option is used. Settings like exclusion lists are really merged together.

Configuration

Of course this is something that needs to be tested, and as I can't show it all in this post I chose to show it only with a configuration of exclusions. I created two custom antimalware policies, one to exclude the exe file type and one to exclude the zip file type.

The server-side merge is a console option, so it does need the following additional configuration:

  • In the Configuration Manager Console navigate to Assets and Compliance > Overview > Endpoint Protection > Antimalware Policies.
  • Select the two custom antimalware policies and on the Home tab, in the Client Settings group, select Merge.
  • On the Merge Policies popup, fill in a New Policy Name, select the Base Policy and click OK.

The client-side merge does not require any additional configuration besides deploying the policies, as it's now the default behavior to merge multiple deployed policies.

Result

The best and easiest place to see the result of the server-side merge is the console; for the client-side merge it is the Endpoint Protection client.

[Screenshots: server-side result in the console; client-side result in the Endpoint Protection client]

Note

Besides the pictures above, for the client-side there are two more interesting locations to see which policies are applied on a client:

  • Client Log – EndpointProtectionAgent.log
  • Registry – HKLM\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy
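
To check a client after both policies are deployed, the following added example (not part of the original post) lists what is stored under the LastAppliedPolicy key and compares the effective extension exclusions with the exe and zip exclusions configured above. The exclusion key path is an assumption and is exposed as a parameter; the helper function name is hypothetical.

```powershell
# Added example: audit applied Endpoint Protection policies and merged
# extension exclusions on a client. Run in an elevated PowerShell 3.0+ session.
param(
    # Registry location named in the post.
    [string]$AppliedPolicyKey = 'HKLM:\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy',
    # Assumption: key where policy-delivered extension exclusions are stored.
    [string]$ExclusionKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions',
    # Extensions the two test policies in the post are expected to exclude.
    [string[]]$ExpectedExtensions = @('exe', 'zip')
)

function Get-RegistryValueNames {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    # GetValueNames() returns only real values, not PowerShell's PS* helper properties.
    return @((Get-Item -LiteralPath $Path).GetValueNames() | Where-Object { $_ })
}

# 1. What does the EP agent record as last applied? The layout of this key
#    is not described in the post, so values and subkeys are both listed.
if (Test-Path -LiteralPath $AppliedPolicyKey) {
    Write-Output "Entries under ${AppliedPolicyKey}:"
    Get-RegistryValueNames -Path $AppliedPolicyKey | ForEach-Object { "  value:  $_" }
    Get-ChildItem -LiteralPath $AppliedPolicyKey | ForEach-Object { "  subkey: $($_.PSChildName)" }
} else {
    Write-Warning "$AppliedPolicyKey not found; is the Endpoint Protection agent installed?"
}

# 2. Compare the merged extension exclusions with the expected set.
#    Exclusions are stored as value names; normalise '*.exe', '.exe' and 'EXE' to 'exe'.
$normalize = { param($e) $e.ToString().Trim().TrimStart('*', '.').ToLowerInvariant() }
$actual    = @(Get-RegistryValueNames -Path $ExclusionKey | ForEach-Object { & $normalize $_ } | Sort-Object -Unique)
$expected  = @($ExpectedExtensions | ForEach-Object { & $normalize $_ } | Sort-Object -Unique)

$missing    = @($expected | Where-Object { $actual -notcontains $_ })
$unexpected = @($actual   | Where-Object { $expected -notcontains $_ })

[pscustomobject]@{
    EffectiveExclusions = $actual -join ', '
    MissingFromMerge    = $missing -join ', '
    UnexpectedExtra     = $unexpected -join ', '
    MatchesExpectation  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
}
```

Any entry in UnexpectedExtra is an exclusion that reached the client from a policy other than the two under test, which is worth reviewing because merged exclusion lists only ever grow.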

5 thoughts on “Merging Endpoint Protection Policies in ConfigMgr 2012”

  1. If you are using the server-side merge, the conflicts in settings are resolved by the base policy option, not by “the most secure” decision. 🙂 It seems the Technet library also has some unclear information about that one.

  2. Hi,

    I’ve tried with every module, same result, base policy always overwrites the other one. Which build are you using? 🙂
