Device Protection With Microsoft Endpoint Manager and Microsoft Defender For Endpoint - Module 04 - Endpoint Protection Policies

The document discusses endpoint protection policies in Microsoft Endpoint Manager and Microsoft Defender for Endpoint. It covers creating custom policies from templates, merging policies, applying policies via Configuration Manager or GPO, and setting precedence when multiple policies apply to a device. Firewall policies can also be configured. The lab overview outlines tasks for understanding the default policy, creating and merging policies, deploying policies, checking policy application on clients, and modifying firewall settings.

Uploaded by

Luke Whiteman

Device Protection with Microsoft Endpoint Manager and Microsoft Defender for Endpoint

Module 04: Endpoint Protection Policies

Microsoft Services
V04.21-2010
Module Overview
• Policies Overview
• Creating a Custom Policy
• Policy Merging
• Policy Application via ConfigMgr
• Applying Policy via GPO
• Firewall Policies
• Lab 04: Endpoint Protection Policy Overview
Module 04: Endpoint Protection Policies

Policies Overview

Microsoft Confidential
Policies Overview
• Endpoint Protection policy types:
• Antimalware
• BitLocker
• Firewall
• Microsoft Defender for Endpoint (aka MD ATP)
• Microsoft Defender Exploit Guard
• Microsoft Defender Application Guard
• Microsoft Defender Application Control
• Ships with 4 antimalware policy templates and 25 more archived templates that cover well-known Microsoft server applications.
• Ability to merge one or more policy templates into a new custom policy.
Policies Overview
Antimalware Policy: groups of settings
• Scheduled scans
• Scan settings
• Default actions
• Real-time protection
• Exclusion settings
• Advanced
• Threat Overrides
• Cloud Protection Service (CSP)
• Security Intelligence updates

Windows Firewall profile settings
• Enable/disable the firewall, per profile
• Block/do not block incoming connections, per profile
• Notify/do not notify the user when a block happens, per profile
Policies Overview
Policy Precedence
• Computers can belong to multiple Collections, so they may be candidates for multiple policies.
• Precedence is used to determine the effective policy.
• Default Policy has the lowest priority - 10 000
• Any new custom policy will get higher priority – 1,2,3,…
• Policies are merged on the client.
• All exclusions will be merged; all other applicable settings will honor the policy with the highest precedence.
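The precedence rules above are easy to get wrong when several collections overlap, so the following added example (not code from the course deck or from Configuration Manager) models the client-side merge on constructed sample policies: the setting from the policy with the lowest priority number wins, and exclusions from every applicable policy are unioned. Policy names, priorities, settings and exclusion paths are invented for illustration.

```powershell
# Added example, not from the course deck. Models the client-side merge rule the
# slide describes: the highest-precedence policy (lowest priority number) wins
# each setting, and exclusions from every applicable policy are unioned.
# All policy names, priorities, settings and paths below are constructed sample data.

$applicablePolicies = @(
    [pscustomobject]@{
        Name       = 'Default Client Antimalware Policy'
        Priority   = 10000   # lowest precedence, always present on every client
        Settings   = @{ ScheduledScanType = 'Quick'; RealTimeProtection = $true; ScanRemovableDrives = $false }
        Exclusions = @('C:\Windows\SoftwareDistribution\Datastore')
    },
    [pscustomobject]@{
        Name       = 'SQL Server Policy'   # constructed, stands in for a server template
        Priority   = 2
        Settings   = @{ ScheduledScanType = 'Full' }
        Exclusions = @('C:\Program Files\Microsoft SQL Server\MSSQL\DATA')
    },
    [pscustomobject]@{
        Name       = 'Workstation Policy'
        Priority   = 1                     # highest precedence
        Settings   = @{ ScanRemovableDrives = $true }
        Exclusions = @('C:\Temp\Build')
    }
)

function Merge-EPPolicy {
    param([Parameter(Mandatory)][object[]]$Policies)

    $effective  = @{}
    $sourceOf   = @{}   # records which policy supplied each effective setting
    $exclusions = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)

    # Walk from lowest precedence (largest number) to highest, so that each
    # later assignment overwrites the value from a lower-precedence policy.
    foreach ($p in ($Policies | Sort-Object Priority -Descending)) {
        foreach ($k in $p.Settings.Keys) {
            $effective[$k] = $p.Settings[$k]
            $sourceOf[$k]  = $p.Name
        }
        # Exclusions are never overwritten, only accumulated.
        foreach ($e in $p.Exclusions) { [void]$exclusions.Add($e) }
    }

    [pscustomobject]@{
        Settings   = $effective
        SourceOf   = $sourceOf
        Exclusions = @($exclusions)
    }
}

$merged = Merge-EPPolicy -Policies $applicablePolicies

'Effective settings:'
$merged.Settings.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '  {0,-20} = {1,-6} (from {2})' -f $_.Name, $_.Value, $merged.SourceOf[$_.Name]
}
'Merged exclusions (union of all applicable policies):'
$merged.Exclusions | ForEach-Object { "  $_" }
```

With this input the effective scan type is Full (from the SQL Server Policy, priority 2), real-time protection stays on (only the default policy sets it), removable-drive scanning is on (Workstation Policy, priority 1), and all three exclusion paths are present. The practical point for a defender is the last list: because exclusions are unioned rather than overridden, every additional policy that targets a device widens what is never scanned, so the merged exclusion list is what should be reviewed, not any single policy.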
Policies Overview
Default Antimalware Policy
• Delivered to all client machines.
• Doesn’t have a deployment – all Configuration Manager clients receive the default policy as a first, initial policy.
• Should be considered as a baseline of settings.
• Has the lowest priority, meaning a custom policy will overwrite or merge with the default policy.
• Can be modified but not deleted.
• Components:
• Weekly quick scan.
• Real-time protection (RTP) on.
• Default exclusions.
Module 04: Endpoint Protection Policies

Creating Custom Policies
Creating Custom Policies
New Policy Wizard
• When the new policy wizard is invoked, a new policy is created and automatically given the highest precedence.
• Policy order can be modified (increase/decrease).
• Policy deployments should be assigned to device collections.
Creating Custom Policies: settings (screenshot slide)
Creating Custom Policies
Import Policy
• Configuration Manager supplies a selection of predefined templates. These are optimized for various scenarios.
• These templates are available in the folder:
<ConfigMgr Install Folder>\AdminConsole\XMLStorage\EPTemplates\*.xml
Module 04: Endpoint Protection Policies

Policy Merging
Policy Merging
• Policies can be merged by selecting two or more policies and clicking the Merge icon.
(Screenshot callouts: Multi-Select; Choose Merge; Select Base policy)
Module 04: Endpoint Protection Policies

Policy Application
Policy Application
To track whether policy was applied
From the client side:
• Via the registry: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\EPAgent, value LastAppliedPolicy
• On Windows 10, from the Windows Security tab: Windows Security > Settings > About
From the server side:
• Via the Endpoint Protection Status dashboard
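The registry location named on this slide is the quickest client-side check, and it is what you compare against the policy you expect a collection to receive. The following added example (not code from the course deck) reads that value and reports whether it matches an expected policy name; the expected name is a constructed placeholder, and the substring comparison is my assumption, made so that a value listing more than one merged policy still matches.

```powershell
# Added example, not from the course deck. Reads the client-side marker the
# slide names (HKLM\SOFTWARE\Microsoft\CCM\EPAgent, value LastAppliedPolicy) and
# compares it with the policy expected for this device's collection.
# Run on the managed client, in an elevated session if the key is restricted.

function Get-EPLastAppliedPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\CCM\EPAgent'
    if (-not (Test-Path -Path $key)) {
        return $null   # no ConfigMgr client / EP agent data on this machine
    }
    $item = Get-ItemProperty -Path $key -Name 'LastAppliedPolicy' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.LastAppliedPolicy
}

function Test-EPPolicyApplied {
    param([Parameter(Mandatory)][string]$ExpectedPolicyName)

    $applied = Get-EPLastAppliedPolicy

    # Substring match is an assumption: it tolerates a value that names several
    # merged policies. Tighten to -eq if your environment reports one name only.
    if ($null -eq $applied -or $applied -eq '') {
        $status = 'NoEPAgentData'
    } elseif ($applied -like "*$ExpectedPolicyName*") {
        $status = 'Applied'
    } else {
        $status = 'Mismatch'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ExpectedPolicy = $ExpectedPolicyName
        AppliedPolicy  = $applied
        Status         = $status
    }
}

# Usage: 'Workstation Policy' is a placeholder for the policy deployed to this
# device's collection; substitute your own policy name.
Test-EPPolicyApplied -ExpectedPolicyName 'Workstation Policy' | Format-List
```

A 'Mismatch' result on a device usually means either that the deployment has not yet been evaluated by the client or that a higher-precedence policy from another collection won the merge; the server-side Endpoint Protection Status dashboard the slide mentions is the place to confirm which deployment the site believes applies.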
Module 04: Endpoint Protection Policies

Applying Policies via GPO
Applying Policy via GPO
Advantages and disadvantages, compared line by line:
• Advantage: Apply policies to computers that aren’t managed by Configuration Manager.
  Disadvantages: Can’t apply policies to non-domain computers; no alerts or reporting; an ‘unmanaged’ solution.
• Advantage: Policy is periodically reapplied more frequently (90 minutes by default).
  Disadvantage: ConfigMgr reapplies EP policy automatically every three hours.
• Advantage: Consistent policy management methodology.
  Disadvantage: EP client UI does not reflect the Group Policy name.
• Advantage: More configuration options.
  Disadvantage: Certain settings are only exposed by CM.
• Advantage: Group Policy “layering.”
  Disadvantage: Client-side merge can achieve the same functionality.
Module 04: Endpoint Protection Policies

Firewall Policies
Firewall Policies
Basic Firewall configuration:
• Applied for multiple profiles (domain, private, and public):
• Turn on Firewall.
• Block incoming connections.
• Notify the user when Firewall blocks a program.
• Can be assigned to individual Collections.
• Applied through ConfigMgr client policy.
• Good option for workgroup clients where Group Policy is not available.
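The three basic settings listed above can be verified on the client after the ConfigMgr firewall policy has applied. The following added example (not code from the course deck or from Configuration Manager) uses the built-in NetSecurity cmdlets to check each profile; mapping the policy's "block incoming connections" item to the profile's DefaultInboundAction, and "notify the user" to NotifyOnListen, is my assumption about how the course's policy lands on the client, so adjust the expected values to your own policy.

```powershell
# Added example, not from the course deck. Checks, per firewall profile, whether
# the three basic settings on the slide are in effect on this client:
# firewall on, inbound connections blocked, user notified when a block happens.
# The property-to-setting mapping is an assumption; adjust to your policy.

function Test-EPFirewallBaseline {
    param(
        [string[]]$Profiles = @('Domain', 'Private', 'Public')
    )

    foreach ($p in Get-NetFirewallProfile -Profile $Profiles) {
        $findings = @()

        if ($p.Enabled -ne 'True') {
            $findings += "Firewall is $($p.Enabled)"
        }
        # 'NotConfigured' leaves the Windows default in place; it is flagged here
        # because the policy has not explicitly set the inbound action.
        if ($p.DefaultInboundAction -ne 'Block') {
            $findings += "Inbound default is $($p.DefaultInboundAction)"
        }
        if ($p.NotifyOnListen -ne 'True') {
            $findings += "Block notification is $($p.NotifyOnListen)"
        }

        [pscustomobject]@{
            Profile   = $p.Name
            Enabled   = $p.Enabled
            Inbound   = $p.DefaultInboundAction
            Notify    = $p.NotifyOnListen
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join '; ')
        }
    }
}

# Usage: run on the client after the firewall policy deployment has applied.
Test-EPFirewallBaseline | Format-Table -AutoSize
```

Because the firewall policy is delivered through ConfigMgr client policy rather than Group Policy, this is the check to run on workgroup clients, where there is no gpresult-style report to fall back on.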
Knowledge Measure
1. What types of Endpoint Protection Policies can be created?
2. How does the SCEP client handle multiple policies with conflicting settings?
3. Can SCEP policy only be deployed via Config Manager?
4. How could we track the policy application?
Module Summary
• Policies are groups of settings that control the behavior of the Endpoint
Protection client and user experience.
• A default policy is deployed to all endpoints, and custom policies can be
created to modify the behavior of the default policy.
• Policies can be applied to endpoints via Configuration Manager or Group
Policy.
Lab 04: Endpoint Protection Policy Overview
• Task 1: Understanding Default Policy.
• Task 2: Creating New Policy.
• Task 3: Importing and Merging Policy.
• Task 4: Setting Precedence.
• Task 5: Deploying Policy.
• Task 6: Client-side Policy Merge.
• Task 7: Using GPO to apply Endpoint Protection Settings.
• Task 8: Export/Import Endpoint Protection Settings.
• Task 9: Firewall Settings.
• Task 10: Manual Modification of XML Policy File.
© 2015 Microsoft Corporation. All rights reserved.
