Enforcing policies

How you enforce a policy depends on the type of policy you want to enforce:

  • You enforce remediation policies from the Enforcements tab of the Device Actions page.
  • You enforce all other policy types from the Enforcements tab of the Policy Configurations page.

You can also click on a policy name and create an enforcement from the policy page.

After you create an enforcement, the policy it references is applied in the following scenarios:

  • The enforcement is first created
  • Changes are made to the policy corresponding to the enforcement
  • The Tanium Client or Tanium Client process restarts on an endpoint
  • At the beginning and end of the enforcement schedule
  • Enforce detects a failed or incomplete verification of policies
  • (User Administrative Template policies) When a user signs in to an endpoint

Enforce verifies policies approximately every 15 minutes.

Applying policy settings using configuration service providers (CSPs)

When you enforce a BitLocker policy, Machine Administrative Template policy, Security Settings policy, or User Administrative Template policy, settings on supported Windows 10 and later endpoints are applied using configuration service providers (CSPs) when possible. Settings that can be applied using a CSP are marked with an icon in the Enforce policy. When policies are applied using a CSP, domain-joined endpoints do not need to be connected to a domain controller for the settings to take effect, unlike policy application through a Group Policy Object (GPO). If an Enforce policy setting is applied using a CSP and the same setting is also applied by a group policy, a local policy, or a manual registry configuration, the CSP-applied setting takes precedence. This means that you do not need to first set a setting to Not Configured before you configure it using a CSP. For more information about CSPs, see Microsoft Documentation: What is a CSP?.

Enforce uses the WMI-to-CSP Bridge to apply policies on endpoints, so a mobile device management (MDM) service is not required to use this feature. For more information about the WMI-to-CSP Bridge, see Microsoft Documentation: The WMI-to-CSP Bridge.

Microsoft Policy DDF files determine which policy settings can be applied using a CSP. For more information about Policy DDF files, see Microsoft documentation: Policy DDF file. To determine the earliest supported Windows 10 version for a specific setting, hover over the icon next to the setting. For a list of supported operating system versions for each policy setting, see Microsoft Documentation: Policy Areas.

Enforce policies that were created before the Enforce update on January 30, 2023 (Enforce 2.1.273) are not applied using a CSP by default. To apply existing policies using a CSP, edit and re-save the policy.

On Windows 10 version 1709 and earlier endpoints, policies enforced using GPO might override policies enforced using a CSP, because the ControlPolicyConflict setting (MDMWinsOverGP) is not available on those versions. In this scenario, the following message is logged to the endpoint client extension log: Group Policy will override CSP policies in Windows 10 Version 1709 and earlier. For more information about this limitation, see Microsoft Blog: Windows 10 Group Policy vs. Intune MDM Policy who wins?.
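The following PowerShell script is an added example for checking the conditions described above from the endpoint side; it is not Tanium code and does not query Enforce itself. It assumes the documented behaviour of the Microsoft MDM Bridge WMI Provider (namespace root\cimv2\mdm\dmmap, class names of the form MDM_Policy_Result01_<Area>02) and the PolicyManager registry hive that the bridge populates; the function names are hypothetical. The bridge refuses the Policy classes from a normal administrator session, so run it as SYSTEM (for example with psexec -s).

```powershell
# Added example (not Tanium's code). Run as SYSTEM: the MDM Bridge WMI
# Provider returns access denied for MDM_Policy_* classes otherwise.

function Test-CspPrecedenceSupport {
    # Build 16299 is Windows 10 version 1709. ControlPolicyConflict
    # (MDMWinsOverGP) first shipped in 1803, build 17134, so anything
    # below that is the "GPO overrides CSP" case the log message warns about.
    $build = [int](Get-ItemPropertyValue `
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'CurrentBuildNumber')
    [pscustomobject]@{
        Build                          = $build
        ControlPolicyConflictAvailable = ($build -ge 17134)
    }
}

function Get-MdmWinsOverGpState {
    $ns = 'root\cimv2\mdm\dmmap'
    # The Result class reports the effective value the bridge sees; the
    # matching Config class is what an MDM client (or Enforce) writes to.
    $result = Get-CimInstance -Namespace $ns `
        -ClassName 'MDM_Policy_Result01_ControlPolicyConflict02' `
        -ErrorAction SilentlyContinue

    # CSP-applied settings are also materialised under PolicyManager\current,
    # which is readable without the bridge and handy for a quick sensor check.
    $regPath  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
    $regValue = if (Test-Path $regPath) { (Get-ItemProperty $regPath).MDMWinsOverGP } else { $null }

    [pscustomobject]@{
        BridgeReportedValue = if ($result) { $result.MDMWinsOverGP } else { $null }
        RegistryValue       = $regValue
        MdmWinsOverGp       = ($regValue -eq 1)
    }
}

function Get-CspAppliedPolicyAreas {
    # Enumerate every policy area that currently has CSP-applied device
    # settings, with the values, to compare against what Enforce reports.
    $root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem $root | ForEach-Object {
        $area = $_.PSChildName
        $props = Get-ItemProperty $_.PSPath
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                [pscustomobject]@{ Area = $area; Setting = $_.Name; Value = $_.Value }
            }
    }
}

$support = Test-CspPrecedenceSupport
$support
if ($support.ControlPolicyConflictAvailable) {
    Get-MdmWinsOverGpState
} else {
    Write-Warning "Build $($support.Build): GPO will override CSP-applied policies on this endpoint."
}
Get-CspAppliedPolicyAreas | Format-Table -AutoSize
```

If an endpoint reports a supported build but MdmWinsOverGp is false, a conflicting GPO setting can still win over the CSP-applied value, so check the enforcement status in the console against the PolicyManager values before concluding that a setting is in effect.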

Create enforcements

Create an enforcement for a remediation policy

  1. From the Enforce menu, click Device Actions. Click Enforcements and then click Create.
  2. Enter a name for the enforcement and select a policy.
  3. See Complete the enforcement creation to continue creating the enforcement.

Create an enforcement for all other types of policies

  1. From the Enforce menu, click Policy Configurations. Click Enforcements and then click Create.
  2. Enter a name for the enforcement and select a policy.
  3. See Complete the enforcement creation to continue creating the enforcement.

Create an enforcement from an individual policy

  1. From the Enforce menu, perform one of the following tasks:
    • For a remediation policy, click Device Actions and then click Remediations.

    • For all other policy types, click Policy Configurations and then click Policies.

  2. Click the policy to be enforced and then click Enforce.
  3. Enter a name for the enforcement.

    The policy that you selected is automatically populated in the Policy field.

  4. See Complete the enforcement creation to continue creating the enforcement.

Complete the enforcement creation

  1. In the Target section, click Select Computer Groups and select one or more groups that were defined in the Administration section of the Tanium Console. See Tanium Platform User Guide: Managing Computer Groups. To search for a group, type the first few letters of the group into the search field.

    If you are creating an enforcement for a macOS device configuration profile, click Select Mobile Device Groups, and then select one or more groups. Then click Save and go to step 3.

    You might not have access to all computer groups that appear in the target list. Click All and Available in the target window to see every computer group or only the ones that you have permissions to view. Additionally, rules might limit your access to computers within the groups you select. For more information, see Role-based access control and configuration visibility.

  2. (Optional) Select Additional Filtering Criteria:
    • Specify Individual Endpoints: Enter or paste a comma-separated list of computer names into the Computer Names field. This list must be no longer than 50 computers.
    • Ask a Question: Enter a filter question.
    • Define a Rule: Add rows and groupings to build a filter.
  3. In the Preview section, review the computers that you want to target.
  4. (Optional) In the Schedule section, select Include Start Time and Include End Time options for the enforcement.
    • Schedule a start time.
    • Schedule an end time if you want the policy enforcement to expire after a certain time frame. For example, allow writing to removable drives for only a finite period of time.
    • When you select Include Start Time or Include End Time, Coordinated Universal Time (UTC) is selected and displayed by default. If you change the time zone to Endpoint Local Time (ELT), the selected time is not automatically converted to ELT. You must choose a valid ELT before you can create the enforcement.

      When you schedule an enforcement, allow enough time for the endpoint to receive the scheduling information. If the endpoint receives the scheduling information after the scheduled end time, then the enforcement does not run.

  5. (Optional) For remediation policies, you can also select and set the following options:
    • Repeat: Specify how often enforcement actions are reissued. The default is 1 hour; the minimum allowed value is 10 minutes.
    • Distribute Over Time: Control whether endpoints apply enforcements the moment they receive the action (immediate) or at unique moments within the saved action interval (diffused). Diffusing enforcements over time can help prevent a surge in network traffic in exchange for a slower time to compliance.
  6. Click Create to create the enforcement.

To un-enforce or remove a policy from an endpoint, delete the enforcement. For more information, see Remove an enforcement.

To view the status of an enforcement on the Enforcements tab of the Policy Configurations page, click the arrow next to an enforcement to expand the status information. You can also view the status information in the Summary section of the enforcement details page. For more information about each enforcement state, see Enforcement.

View enforcements

Required access rights

To view enforcements, you must have one of the following access rights:

  • The Unrestricted Management Rights permission.
  • Access to the computer groups targeted by the enforcement.
    You must have access to the exact computer group targeted by the enforcement to view the enforcement. Access to another computer group that includes the endpoints from the targeted computer group does not provide viewing access. For example, if you have access to the All Windows computer group, but not the All Windows 10 computer group, you cannot view enforcements that target only the All Windows 10 computer group.

For more information, see Tanium Console User Guide: Manage computer group assignments for a user.

View the enforcement

  • For a remediation policy, from the Enforce menu, click Device Actions > Enforcements.
  • For all other policy types, from the Enforce menu, click Policy Configurations > Enforcements.

Expand the details for the enforcement to view the application status.

Click the name of the enforcement to open the enforcement details page.

Enforcements for User Administrative Template policies show the enforcement status per user, not per endpoint.

Filter results

In the Endpoints section on the enforcement details page, you can filter results by items such as computer name, operating system, operators (contains or does not contain), and plain text. You can also add additional rows and groupings to the filter.

For more information about filtering and merging question results, see the Tanium Interact User Guide: Managing question results.

View endpoint details

You can use Enforce with Reporting to view enhanced endpoint details in enforcements. In the Endpoints section on the enforcement details page, click Endpoint Details.

Click View Details to open the endpoint details in Reporting. For more information, see Reporting User Guide: View endpoint details.

Remove an enforcement

From the list of enforcements, select one or more enforcements and click Delete. You can also click an individual enforcement and then click Delete.

When you remove an enforcement for a Security Settings policy, the settings from the policy remain on the endpoint. When this happens, the following warning-level message is logged in the endpoint client extension log: Unenforced Security Policy - settings remain on endpoint.

For more information on this behavior, see the section "Persistence in security settings" in Microsoft documentation: Applying security settings.
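Because deleting a Security Settings enforcement leaves the settings in place, a practitioner usually wants to see what is actually still in effect on the endpoint. The following PowerShell function is an added example, not Tanium code: it exports the local security policy with secedit.exe and returns the named settings. The default setting names are assumptions chosen for illustration; any key from the exported INF works.

```powershell
# Added example (not Tanium's code). After deleting a Security Settings
# enforcement, report which account and local policy settings remain.
function Get-LocalSecurityPolicySettings {
    param(
        # Hypothetical defaults; use whichever INF keys your policy sets.
        [string[]]$Names = @('MinimumPasswordLength', 'PasswordComplexity', 'LockoutBadCount')
    )
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())

    # secedit writes an INI-style file (UTF-16). /areas SECURITYPOLICY limits
    # the export to account and local policies, which is where the settings a
    # removed Security Settings enforcement leaves behind are visible.
    & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

    try {
        $settings = @{}
        foreach ($line in Get-Content $cfg) {
            # Match "Key = Value" lines; skip [Section] headers and comments.
            if ($line -match '^\s*([A-Za-z0-9_\\]+)\s*=\s*(.*?)\s*$') {
                $settings[$Matches[1]] = $Matches[2]
            }
        }
    } finally {
        Remove-Item $cfg -Force -ErrorAction SilentlyContinue
    }

    foreach ($n in $Names) {
        [pscustomobject]@{
            Setting = $n
            Present = $settings.ContainsKey($n)
            Value   = if ($settings.ContainsKey($n)) { $settings[$n] } else { $null }
        }
    }
}

Get-LocalSecurityPolicySettings | Format-Table -AutoSize
```

Run it before deleting the enforcement and again afterwards; unchanged values confirm the persistence behaviour described above, and tell you which settings need a separate policy (or a manual change) to reset.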