Merging Endpoint Protection Policies in ConfigMgr 2012

This week I want to devote a small post to merging Endpoint Protection policies in ConfigMgr 2012 SP1 (which is currently still in BETA). Since ConfigMgr 2012 SP1 there are two different ways/ types of merging Endpoint Protection policies. In short we can define two sides:

  • Server-side merge – On the server-side there is now the console option to merge multiple policies into one policy. In this case, when two settings conflict, the most secure setting is applied. Also settings like exclusion lists are really merged together.
  • Client-side merge – On the client-side there is now the automatic behavior to merge multiple polices into the client settings. In this case, when two settings conflict, the highest priority option is used. Also settings like exclusion lists are really merged together.

Configuration

Of course this is something that needs to be tested and as I can’t show it all in this post I choose to only show it with a configuration of exclusions. EPPoliciesI created two custom antimalware policies (see picture), one to exclude the exe file type and one to exclude the zip file type.

EPMerge

The server-side merge is a console option, so it does need the following additional configuration:

  • In the Configuration Manager Console navigate to Assets and Compliance > Overview > Endpoint Protection > Antimalware Policies.
  • Select the two custom antimalware policies and on the Home tab, in the Client Settings group, select Merge.
  • On the Merge Policies –popup fill in a New Policy Name, select the Base Policy and click Ok.

The client-side merge does not require any additional configuration, besides deploying the policies, as it’s now default behavior to merge multiple deployed policies.

Result

The best, and easiest, place to see the results of these actions is for the server-side merge, the console, and for the client-side merge, the Endpoint Protection client.

Server-side Client-side
EPResult EPClient

Note

Besides the pictures above, for the client-side there are two more interesting locations to see which policies are applied on a client:

  • Client Log –EndpointProtectionAgent.log
  • Registry – HKLM\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy

5 thoughts on “Merging Endpoint Protection Policies in ConfigMgr 2012

  1. If you are using the server side merge, the conflicts in settings resolved by the base policy option, not by “the most secure” decision. 🙂 It seems the Technet library also has some unclear information about that one.

  2. Hi,

    I’ve tried with every module, same result, base policy always overwrites the other one. Which build are you using? 🙂

Leave a Comment