This week I want to devote a small post to merging Endpoint Protection policies in ConfigMgr 2012 SP1 (which is currently still in BETA). Since ConfigMgr 2012 SP1 there are two different ways/types of merging Endpoint Protection policies. In short, we can define two sides:
- Server-side merge – On the server-side there is now the console option to merge multiple policies into one policy. In this case, when two settings conflict, the most secure setting is applied. Also settings like exclusion lists are really merged together.
- Client-side merge – On the client-side there is now the automatic behavior to merge multiple policies into the client settings. In this case, when two settings conflict, the highest priority option is used. Also settings like exclusion lists are really merged together.
Of course this is something that needs to be tested, and as I can’t show it all in this post I chose to only show it with a configuration of exclusions. I created two custom antimalware policies (see picture), one to exclude the exe file type and one to exclude the zip file type.
The server-side merge is a console option, so it does need the following additional configuration:
- In the Configuration Manager Console navigate to Assets and Compliance > Overview > Endpoint Protection > Antimalware Policies.
- Select the two custom antimalware policies and on the Home tab, in the Client Settings group, select Merge.
- On the Merge Policies popup, fill in a New Policy Name, select the Base Policy and click OK.
The client-side merge does not require any additional configuration, besides deploying the policies, as it’s now default behavior to merge multiple deployed policies.
The best, and easiest, place to see the results of these actions is the console for the server-side merge and the Endpoint Protection client for the client-side merge.
Besides the pictures above, for the client-side there are two more interesting locations to see which policies are applied on a client:
- Client Log – EndpointProtectionAgent.log
- Registry – HKLM\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy
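
To check the two locations above from a prompt on the client, the following PowerShell can be used. It is an added example, not part of the original post or of ConfigMgr itself. It assumes PowerShell 3.0 or later; the function names, the `-LogPath` parameter and the `policy` search term are hypothetical, and the post does not describe the layout of the values under the key, so everything found there is listed as-is.

```powershell
# Added example: list what is recorded under the LastAppliedPolicy key named above.
# The layout of the values under this key is not described in the post, so the
# function makes no assumption about it and returns every value and subkey it finds.
function Get-EPLastAppliedPolicy {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy'
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        Write-Warning "Key not found: $KeyPath"
        return
    }

    $key = Get-Item -LiteralPath $KeyPath

    # Values stored directly on the key.
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Kind = 'Value'; Name = $name; Data = $key.GetValue($name) }
    }

    # Subkeys, if any, reported by name only.
    foreach ($sub in $key.GetSubKeyNames()) {
        [pscustomobject]@{ Kind = 'SubKey'; Name = $sub; Data = $null }
    }
}

# Optional: show the most recent lines mentioning "policy" in EndpointProtectionAgent.log.
# The caller supplies the full path to the log; the search term is an assumption
# about the wording of the log, not something taken from the post.
function Get-EPAgentPolicyLogLines {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$LogPath,
        [int]$Last = 20
    )

    # Select-String is case-insensitive by default.
    Select-String -LiteralPath $LogPath -Pattern 'policy' -SimpleMatch |
        Select-Object -Last $Last -ExpandProperty Line
}

Get-EPLastAppliedPolicy | Format-Table -AutoSize
```

Running this before and after deploying the second custom policy makes it easy to see whether the client picked up both policies, which matters here because the merged result widens the exclusion list.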