This process outlines the necessary steps to transition a policy into the enforcement phase while ensuring minimal disruption to end users. By carefully reviewing and adjusting the policy settings, you can ensure a smooth transition and effective enforcement.
Begin by filtering the data to focus on a specific policy, such as IT Workstations. In this example, if you notice 98 untrusted executions today, it's likely too early to transition this policy to enforcement. However, for demonstration purposes, proceed to the Bulk Add section to remove any remaining untrusted executions.

Add these publishers to the policy to eliminate the untrusted executions.

Once your IT Workstations group can execute any application signed by the previously identified publishers, you can be confident that transitioning to enforcement will not be excessively disruptive.

Next, ensure that inheritance has not caused any confusion with the publishers or paths associated with this policy. Sometimes a publisher, path, or process might accidentally be trusted at the audit level rather than under the parent policy.

In that case, all machines in the audit group currently benefit from these settings, but the settings will not be inherited once you switch to enforcement. Verify that every publisher in the IT Audit group is inherited from above, indicated by blue icons.

Perform a similar check for processes, paths, and allow lists to ensure that nothing is linked exclusively to the IT Audit policy. Everything should be inherited from above. Then, you can move the machine from IT Audit to IT Enforcement or transition the entire policy group by selecting Group Settings and disabling audit mode for that policy.

Regardless of the method chosen, the machines within this policy will transition to enforcement during their next check-in. Instead of displaying untrusted executions, the system will block any file or application not included in the allow list.
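
The inheritance check described above can also be scripted against exported data. The following is an added example, not code from the product: the `Rule` and `Execution` records, the `defined_at` field, the matching logic, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

@dataclass(frozen=True)
class Rule:
    kind: str        # "publisher", "path" or "process"
    value: str
    defined_at: str  # policy group the rule was created on (hypothetical field)

@dataclass(frozen=True)
class Execution:
    host: str
    path: str
    publisher: Optional[str]  # None when the file is unsigned
    parent: str               # parent process name

def audit_only_rules(rules, audit_group):
    """Rules created directly on the audit group, i.e. not inherited from above."""
    return [r for r in rules if r.defined_at == audit_group]

def trusted(ex, rules):
    """Simplified matching; the product's own rule semantics may differ."""
    for r in rules:
        if r.kind == "publisher" and ex.publisher == r.value:
            return True
        if r.kind == "path" and fnmatchcase(ex.path.lower(), r.value.lower()):
            return True
        if r.kind == "process" and ex.parent.lower() == r.value.lower():
            return True
    return False

def blocked_after_move(executions, rules, audit_group):
    """Executions allowed today that lose trust once audit-only rules drop away."""
    inherited = [r for r in rules if r.defined_at != audit_group]
    return [e for e in executions if trusted(e, rules) and not trusted(e, inherited)]

# Constructed sample data, not taken from any real export.
RULES = [
    Rule("publisher", "Example Software Corp", "IT Workstations"),
    Rule("path", r"C:\Program Files\ExampleApp\*", "IT Workstations"),
    Rule("publisher", "Example Tools LLC", "IT Audit"),  # trusted at audit level only
]
EXECUTIONS = [
    Execution("ws-01", r"C:\Program Files\ExampleApp\app.exe", None, "explorer.exe"),
    Execution("ws-02", r"C:\Users\a\Downloads\tool.exe", "Example Tools LLC", "explorer.exe"),
    Execution("ws-03", r"C:\Temp\setup.exe", "Example Software Corp", "cmd.exe"),
]

if __name__ == "__main__":
    for r in audit_only_rules(RULES, "IT Audit"):
        print(f"audit-only {r.kind}: {r.value}")
    for e in blocked_after_move(EXECUTIONS, RULES, "IT Audit"):
        print(f"would be blocked: {e.host} {e.path}")
```

Any rule reported as audit-only should be re-created on the parent policy before the move; any execution reported as blocked shows which hosts would be affected if it is not.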
