Configuring Policy Groups

In this process, you will learn how to configure and adjust policies for a designated group of systems, such as Windows Workstations. The steps involve navigating the console, managing baselines, allow lists, and blocklists, and setting rules based on paths, publishers, and processes.

Step 1

Log into the console and navigate to the Policy section in the main navigation. On the left side, you will see various policy groups. Select the "Indianapolis Windows Workstations" parent group. Changes made at this level will automatically apply to the child groups underneath.

Step 2

A policy is a set of defined criteria on the right side of the screen. These include baselines, core operating system components, any allow lists or blocklists, and rules based on paths, publishers, and processes.

Step 3

To add a baseline, right-click on it and select "Approve." To deny a baseline, right-click and choose "Deny."

Step 4

To disassociate a baseline from the parent group policy, right-click and select "Deny." For allow lists, the process is similar; select the allow list and choose to approve or deny. Blocklists follow a similar, yet slightly different, procedure.

Step 5

Right-click on the Windows blocklist column to enable an audit. This provides console visibility of blocklist activities before enforcement. This step is recommended if the blocklist contains rules with uncertain impacts.

Step 6

To disable auditing, right-click on the Windows blocklist and select "Disable." Click "Apply Changes" to propagate updates to the policy group. To remove a path-based rule or exclusion, right-click and choose "Delete."

Step 7

To add a custom path-based rule, right-click and select "Add Custom," then complete the form. For predefined path-based rules, you can select and remove them based on environmental needs. To manage publisher trust, right-click, select "Add Exclusion," and choose publishers to associate with the group.

Step 8

To remove a publisher, select it and hit "Delete." For process-based rules that establish trust between parent and grandparent processes, right-click, select "Add Exclusion," and specify the processes to trust.

Step 9

To remove a process-based rule, right-click and select "Delete."