Endpoint Protection Policy Overview
- What is a policy?

A policy is a set of rules or settings that are applied to potentially thousands of clients all at once.
- What settings are we talking about? For example, setting up scheduled scans, turning real-time protection on and off, scheduling updates, and firewall settings, among others.
- If you have thousands of computers to manage, there is no way you would want to manage settings on all those computers individually, right? That is what policies are used for.
- In Configuration Manager Endpoint Protection, you can use the default antimalware policy to deploy these settings to every device in your organization, or you can create a custom policy and deploy settings to individual device collections in your organization.
From the SCCM Console workspace, click Assets and Compliance. From the Navigation Pane, click Endpoint Protection, then click Antimalware Policies. There are two policies: one is the Default Client Antimalware Policy and the other is a custom policy called SCEP Standard Desktop Policy. In this overview, we will briefly describe both policies.
The Default Client Antimalware Policy (Open Console)


- Notice that the Default Client Antimalware Policy has a priority order value of 10,000. We will talk more about priority orders in a moment.
- Default policy settings apply to all devices in the hierarchy.
- The default policy can be modified and those modified policies are called custom policies.
Default Policy Limitations
- Cannot be deployed to a device collection (a device collection is a group of computers).
- The default policy cannot be exported to an .xml file.
Custom Policies

- Can be deployed to individual device collections, not user collections.
- Settings can be tailored to organizational policy (Government or Industrial).
You could have a government agency that requires a specific malware scan frequency or specific firewall settings. And you can create your own custom policy, which we will be covering in another lecture.
Let’s take a look at a custom policy.

- From the Console, we have a custom policy called SCEP Standard Desktop. At the bottom of the screen, we can click on Summary and Deployments.
- Summary – Under Properties, this shows the Priority, which is 1, and it shows one deployment. This means that this policy has been deployed to a collection. File Properties shows the date created and who created it.
- If we click Deployments, the top of the screen shows the two policies, and at the bottom, under SCEP Standard Desktop, the name of the collection, Windows 10, is displayed.
If you recall, a collection is a group of computers. What this means is that the SCEP Standard Desktop custom policy and all its settings will be deployed to the device collection called Windows 10.
- To verify which computers are part of the Windows 10 collection, click Device Collections in the Navigation Pane, then double-click the Windows 10 collection. Here we see our Windows 10 computer, ITFWS02.
How does this priority order work?

- The default policy has a priority order of 10,000 and the SCEP Standard Desktop custom policy has a priority order of 1. Both policies will be applied.
- If the settings are alike, the settings will be merged.
- If the settings conflict, the policy called SCEP Standard Desktop will win: the lower the number, the higher the priority.
This applies only to machines in the Windows 10 collection, which get the custom policy.


- Now go back to Antimalware Policies. From the list view, click the SCEP policy, and from the Ribbon click Deploy.
- From Device Collections, click Windows 10, then click OK.
So now ITFWS02 will receive the settings from the default policy and the settings from the SCEP Standard Desktop policy. If the settings are alike, they will be merged, and if the settings conflict, the custom policy will take precedence over the default policy. Normally this policy would deploy, but as you can see, I have already assigned this policy to the collection called Windows 10.
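The precedence rule above can be modeled in a few lines to check which policy supplies each effective setting on a given device. This is an added example, not part of the original lesson or Configuration Manager's own code; the policy, collection and device names come from the lesson, while the setting names and values, the second device and the helper functions are constructed for illustration.

```python
# Simplified model of the merge/precedence rule described in this lesson.
# Setting names and values are constructed; they are not real ConfigMgr keys.
policies = [
    {"name": "Default Client Antimalware Policy", "priority": 10_000,
     "collections": None,  # None = applies to every device in the hierarchy
     "settings": {"RealTimeProtection": True, "ScheduledScan": "Weekly",
                  "DefinitionUpdateHours": 8}},
    {"name": "SCEP Standard Desktop", "priority": 1,
     "collections": {"Windows 10"},  # deployed to this device collection only
     "settings": {"ScheduledScan": "Daily", "ScanRemovableDrives": True}},
]

device_collections = {        # constructed membership data
    "ITFWS02": {"Windows 10"},
    "SRV-EXAMPLE": set(),     # hypothetical device outside the collection
}

def applicable(policy, device):
    """A policy applies if it is the default or targets one of the device's collections."""
    if policy["collections"] is None:
        return True
    return bool(policy["collections"] & device_collections[device])

def effective_settings(device):
    """Return {setting: (value, winning policy name)} for one device."""
    result = {}
    # Walk from lowest precedence (largest number) to highest, so that a
    # lower priority number overwrites any conflicting value.
    for policy in sorted(policies, key=lambda p: p["priority"], reverse=True):
        if applicable(policy, device):
            for key, value in policy["settings"].items():
                result[key] = (value, policy["name"])
    return result

def default_only_devices():
    """Devices that receive no custom policy and so run on defaults alone."""
    return sorted(d for d in device_collections
                  if not any(p["collections"] and applicable(p, d) for p in policies))

if __name__ == "__main__":
    for device in device_collections:
        print(device)
        for key, (value, source) in sorted(effective_settings(device).items()):
            print(f"  {key} = {value!r}  (from {source})")
    print("Default policy only:", default_only_devices())
```

Listing the devices that fall back to the default policy alone is a quick way to spot machines that were never added to a collection with a tailored policy.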
If someone is already a Full Administrator, is it necessary to add them to the Endpoint Protection Management Admin security role?
Hi
Matthew Stricker
If they are already a Full Administrator there is no need to add them to the Endpoint Protection Management Admin security role since they will have the necessary permissions.
Ricardo