An overview of my posts about ConfigMgr 2012 SP1

Let’s start my first post, of this new year, with an overview of my latest post about ConfigMgr 2012 Service Pack (SP) 1. Normally I’m not really the kind of person that looks back, but in this case it’s with a reason, as most of my posts where with pre-release versions of SP1. I also tried to sort all my posts per subject, even though sometimes there is some overlap. The following posts are all tested, this week, with the RTM version of SP1 and I can confirm that they are still working:

System Center Orchestrator

Windows Azure

Windows Intune

OS Deployment

Application Deployment

Client Settings

Merging Endpoint Protection Policies in ConfigMgr 2012

This week I want to devote a small post to merging Endpoint Protection policies in ConfigMgr 2012 SP1 (which is currently still in BETA). Since ConfigMgr 2012 SP1 there are two different ways/ types of merging Endpoint Protection policies. In short we can define two sides:

  • Server-side merge – On the server-side there is now the console option to merge multiple policies into one policy. In this case, when two settings conflict, the most secure setting is applied. Also settings like exclusion lists are really merged together.
  • Client-side merge – On the client-side there is now the automatic behavior to merge multiple polices into the client settings. In this case, when two settings conflict, the highest priority option is used. Also settings like exclusion lists are really merged together.


Of course this is something that needs to be tested and as I can’t show it all in this post I choose to only show it with a configuration of exclusions. EPPoliciesI created two custom antimalware policies (see picture), one to exclude the exe file type and one to exclude the zip file type.


The server-side merge is a console option, so it does need the following additional configuration:

  • In the Configuration Manager Console navigate to Assets and Compliance > Overview > Endpoint Protection > Antimalware Policies.
  • Select the two custom antimalware policies and on the Home tab, in the Client Settings group, select Merge.
  • On the Merge Policies –popup fill in a New Policy Name, select the Base Policy and click Ok.

The client-side merge does not require any additional configuration, besides deploying the policies, as it’s now default behavior to merge multiple deployed policies.


The best, and easiest, place to see the results of these actions is for the server-side merge, the console, and for the client-side merge, the Endpoint Protection client.

Server-side Client-side
EPResult EPClient


Besides the pictures above, for the client-side there are two more interesting locations to see which policies are applied on a client:

  • Client Log –EndpointProtectionAgent.log
  • Registry – HKLM\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy