Endpoint Protection Policy Overview

  • What is a policy?  

A policy is a set of rules or settings that are applied to potentially thousands of clients all at once.

  • What settings are we talking about? For example, scheduled scans, turning real-time protection on and off, scheduled updates, and firewall settings, among others.
  • If you have thousands of computers to manage, there is no way you would want to manage settings on all those computers individually, right? That is what policies are used for.
  • In Configuration Manager Endpoint Protection, you can use the default antimalware policy to deploy these settings to every device in your organization, or you can create a custom policy and deploy settings to individual device collections in your organization.

In the SCCM console, open the Assets and Compliance workspace. In the navigation pane, click Endpoint Protection, then click Antimalware Policies. There are two policies: one is the Default Client Antimalware Policy and the other is a custom policy called SCEP Standard Desktop Policy. In this overview, we will briefly describe both policies.

The Default Client Antimalware Policy (Open Console) 

  • Notice that the Default Client Antimalware Policy has a priority order value of 10,000. We will talk more about priority orders in a moment.
  • Default policy settings apply to all devices in the hierarchy.
  • The default policy can be modified and those modified policies are called custom policies.

Default Policy Limitations

  • Cannot be deployed to a device collection (a device collection is a group of computers).
  • The default policy cannot be exported to an .xml file.

Custom Policies

  • Can be deployed to individual device collections, not user collections.
  • Settings can be tailored to organizational policy (government or industrial).

You could have a government agency that requires a specific malware scan frequency or specific firewall settings. And you can create your own custom policy, which we will be covering in another lecture.

Let’s take a look at a custom policy. 

  • From the Console, we have a custom policy called SCEP Standard Desktop. At the bottom of the screen, we can click on  
  • Summary – Under Properties, this shows the Priority, which is 1, and one deployment. This means that this policy has been deployed to a collection. File Properties shows the date created and who created it.
  • If we click Deployments, the top shows the two policies, and at the bottom, under SCEP Standard Desktop, the name of the collection, Windows 10, is displayed.

If you recall, a collection is a group of computers. What this means is that the SCEP Standard Desktop custom policy and all its settings will be deployed to the device collection called Windows 10.

  • To verify which computers are part of the Windows 10 collection, click Device Collections in the navigation pane, then double-click the Windows 10 collection. Here we see our Windows 10 computer ITFWS02.

How does this priority order work? 

  • The default policy has a policy order of 10,000; the SCEP Standard Desktop custom policy has a policy order of 1. Both policies will be applied.
  • If the settings are alike, the settings will be merged.
  • If the settings conflict, the policy called SCEP Standard Desktop will win: the lower the number, the higher the priority.

This applies only to machines in the Windows 10 collection, which get the custom policy.

  • Now go back to Antimalware Policies. From the list view, click the SCEP policy, and from the ribbon click Deploy.
  • From Device Collections, click Windows 10, then OK.

So now ITFWS02 will receive the settings from the default policy and the settings from the SCEP Standard Desktop policy. If the settings are alike, they will be merged, and if the settings conflict, the custom policy will take precedence over the default policy. Normally this policy would deploy, but as you can see, I have already assigned this policy to the collection called Windows 10.
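
The precedence rule described above, modeled in Python as an added example (not part of the original lesson and not Configuration Manager code). The policy names, priorities, the Windows 10 collection and ITFWS02 come from the lesson; the setting names, their values and the device LAB-SRV01 are constructed for illustration.

```python
# Model of the lesson's precedence rule (illustrative, not SCCM code).
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    priority: int                 # lower number = higher priority
    settings: dict
    collections: set = field(default_factory=set)  # empty = whole hierarchy

# Setting names and values below are constructed for this example.
DEFAULT = Policy("Default Client Antimalware Policy", 10_000,
                 {"RealTimeProtection": True, "ScheduledScanDay": "Saturday",
                  "DefinitionUpdateIntervalHours": 8})
CUSTOM = Policy("SCEP Standard Desktop", 1,
                {"ScheduledScanDay": "Daily", "ScanRemovableDrives": True},
                collections={"Windows 10"})

# Constructed membership: LAB-SRV01 is a hypothetical device outside the collection.
MEMBERSHIP = {"ITFWS02": {"Windows 10"}, "LAB-SRV01": set()}

def applicable(device, policies):
    """Policies that reach the device: the default plus deployed custom ones."""
    groups = MEMBERSHIP.get(device, set())
    return [p for p in policies if not p.collections or p.collections & groups]

def effective_settings(device, policies):
    """Return {setting: (value, winning policy name)} for one device."""
    result = {}
    # Apply the highest priority number first so lower numbers overwrite it.
    ordered = sorted(applicable(device, policies),
                     key=lambda p: p.priority, reverse=True)
    for p in ordered:
        for key, value in p.settings.items():
            result[key] = (value, p.name)
    return result

def conflicts(device, policies):
    """Settings given different values by more than one applicable policy."""
    seen, out = {}, set()
    for p in applicable(device, policies):
        for key, value in p.settings.items():
            if key in seen and seen[key] != value:
                out.add(key)
            seen.setdefault(key, value)
    return out

if __name__ == "__main__":
    for dev in MEMBERSHIP:
        print(dev, effective_settings(dev, [DEFAULT, CUSTOM]))
```

Recording which policy supplied each value makes it easy to audit why a client ended up with a given scan or protection setting.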
