Enforcing policies

How you enforce a policy depends on the type of policy you want to enforce:

  • You enforce remediation policies from the Enforcements tab of the Device Actions page.
  • You enforce all other policy types from the Enforcements tab of the Policy Configurations page.

You can also click on a policy name and create an enforcement from the policy page.

After you create an enforcement for a policy, the policy is applied to the targeted endpoints in the following scenarios:

  • The enforcement is first created
  • Changes are made to the corresponding policy
  • The Tanium Client or Tanium Client process restarts on an endpoint
  • At the beginning and end of the enforcement schedule
  • The policy is manually enforced by clicking Enforce on the policy page
  • Enforce detects a failed or incomplete verification of the policy (this re-enforcement check occurs approximately every hour)

Enforce verifies policies approximately every 15 minutes.

Applying policy settings using configuration service providers (CSPs)

When you enforce a BitLocker policy, Machine Administrative Template policy, or Security Settings policy, settings on supported Windows 10 and later endpoints are applied using configuration service providers (CSPs) when possible. Settings that can be applied using a CSP are marked with a CSP icon in the Enforce policy. When you apply policies using a CSP, domain-joined endpoints do not need to be connected to a Domain Controller to configure settings, unlike policy application through Group Policy Objects (GPOs). If a setting that Enforce applies using a CSP is also set by Group Policy, by local policy, or directly in the registry, the value applied by the CSP takes precedence (see the note about Windows 10 version 1709 and earlier below). This means that you do not need to first reset a setting to Not Configured before you can configure it using a CSP. For more information about CSPs, see Microsoft Documentation: What is a CSP?.

Enforce uses the WMI-to-CSP Bridge to apply policies on endpoints, so a mobile device management (MDM) service is not required to use this feature. For more information about the WMI-to-CSP Bridge, see Microsoft Documentation: The WMI-to-CSP Bridge.

Microsoft Policy DDF files determine which policy settings can be applied using a CSP. For more information about Policy DDF files, see Microsoft Documentation: Policy DDF file. To determine the earliest supported Windows 10 version for a specific setting, hover over the CSP icon next to the setting. For a list of supported operating system versions for each policy setting, see Microsoft Documentation: Policy Areas.

On Windows 10 version 1709 and earlier endpoints, policies enforced using GPO might override policies enforced using a CSP because the ControlPolicyConflict setting is not available on those versions. In this scenario, the following message is logged to the endpoint client extension log: "Group Policy will override CSP policies in Windows 10 Version 1709 and earlier". For more information about this limitation, see Microsoft Blog: Windows 10 Group Policy vs. Intune MDM Policy who wins?.
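The following PowerShell script is an added example for verifying, on a single endpoint, what the preceding paragraphs describe: whether a Policy CSP setting is actually in force, whether the endpoint's build supports ControlPolicyConflict at all, and whether MDM/CSP precedence over Group Policy is turned on. It is not Tanium's or Microsoft's code. It assumes the Policy CSP area/setting pair you pass exists on that Windows build and follows the WMI-to-CSP Bridge class naming pattern `MDM_Policy_Result01_<Area>02` (the `Result` classes report the effective value after conflict resolution; the `Config` classes hold what was written). The bridge only answers callers running as LOCAL SYSTEM, so run the script from a SYSTEM shell (for example `psexec -s -i powershell.exe`); the registry fallback works from an elevated administrator session.

```powershell
# Added example (not Tanium or Microsoft code): check the state of a Policy CSP
# setting on the local endpoint. Run as LOCAL SYSTEM for the WMI-to-CSP Bridge
# queries to succeed; the registry read works from an elevated admin prompt.
#
# Assumptions: the area/setting pair exists on this Windows build, and the
# bridge exposes it as MDM_Policy_Result01_<Area>02 with a property named
# after the setting.

function Get-CspPolicyState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Area,     # Policy CSP area, e.g. Update
        [Parameter(Mandatory)] [string] $Setting   # setting in that area, e.g. AllowAutoUpdate
    )

    $ns = 'root\cimv2\mdm\dmmap'
    $state = [ordered]@{ Area = $Area; Setting = $Setting }

    # 1. Build check: ControlPolicyConflict/MDMWinsOverGP was introduced in
    #    Windows 10 1803 (build 17134). On 1709 and earlier, Group Policy can
    #    override values applied through a CSP, as the documentation notes.
    $build = [int](Get-ItemPropertyValue `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
        -Name  'CurrentBuildNumber')
    $state.Build = $build
    $state.ControlPolicyConflictSupported = ($build -ge 17134)

    # 2. Is MDM/CSP-over-GP precedence enabled? 1 = CSP wins, 0 or absent = not set.
    #    Class name assumed from the MDM_Policy_Config01_<Area>02 pattern.
    $state.MDMWinsOverGP = $null
    if ($state.ControlPolicyConflictSupported) {
        try {
            $cpc = Get-CimInstance -Namespace $ns `
                -ClassName 'MDM_Policy_Config01_ControlPolicyConflict02' -ErrorAction Stop
            $state.MDMWinsOverGP = $cpc.MDMWinsOverGP
        } catch {
            $state.MDMWinsOverGP = "unavailable: $($_.Exception.Message)"
        }
    }

    # 3. Effective value as the Policy CSP itself reports it. If this query fails
    #    with an access error, you are not running as SYSTEM.
    try {
        $res = Get-CimInstance -Namespace $ns `
            -ClassName "MDM_Policy_Result01_${Area}02" -ErrorAction Stop
        $state.CspEffectiveValue = $res.$Setting
    } catch {
        $state.CspEffectiveValue = "unavailable: $($_.Exception.Message)"
    }

    # 4. The same value as the policy manager persists it in the registry. This
    #    path is readable without SYSTEM and is a quick way to tell a CSP-applied
    #    value from one set only under HKLM\SOFTWARE\Policies by a GPO.
    $regPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$Area"
    $state.RegistryValue = if (Test-Path $regPath) {
        (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).$Setting
    } else {
        $null
    }

    [pscustomobject]$state
}

# Example: confirm a Windows Update setting that an Enforce policy applied via CSP.
Get-CspPolicyState -Area 'Update' -Setting 'AllowAutoUpdate' | Format-List
```

If `CspEffectiveValue` and `RegistryValue` are both empty while the Enforce console shows the setting as applied, look first at `Build` and `MDMWinsOverGP`: on a build below 17134 the GPO may have won, and on a newer build an `MDMWinsOverGP` of 0 or absent means the precedence described above has not actually been switched on for that endpoint.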

Create enforcements

Create an enforcement for a remediation policy

  1. From the Enforce menu, click Device Actions. Click Enforcements and then click Create.
  2. Enter a name for the enforcement and select a policy.
  3. See Complete the enforcement creation to continue creating the enforcement.

Create an enforcement for all other types of policies

  1. From the Enforce menu, click Policy Configurations. Click Enforcements and then click Create.
  2. Enter a name for the enforcement and select a policy.
  3. See Complete the enforcement creation to continue creating the enforcement.

Create an enforcement from an individual policy

  1. From the Enforce menu, perform one of the following tasks:
    • For a remediation policy, click Device Actions and then click Remediations.

    • For all other policy types, click Policy Configurations and then click Policies.

  2. Click the policy to be enforced and then click Enforce.
  3. Enter a name for the enforcement.

    The policy that you selected is automatically populated in the Policy field.

  4. See Complete the enforcement creation to continue creating the enforcement.

Complete the enforcement creation

  1. In the Target section, click Select Computer Groups and select one or more groups that were defined in the Administration section of the Tanium Console. See Tanium Platform User Guide: Managing Computer Groups. To search for a group, type the first few letters of the group into the search field.

    If you are creating an enforcement for a macOS device configuration profile, click Select Mobile Device Groups, and then select one or more groups. Then click Save and go to step 3.

    You might not have access to all computer groups that appear in the target list. Click All or Available in the target window to see every computer group or only the ones that you have permission to view. Additionally, rules might limit your access to computers within the groups that you select. For more information, see Role-based access control and configuration visibility.

  2. (Optional) Select Additional Filtering Criteria:
    • Specify Individual Endpoints: Enter or paste a comma-separated list of computer names into the Computer Names field. The list can contain at most 50 computer names.
    • Ask a Question: Enter a filter question.
    • Define a Rule: Add rows and groupings to build a filter.
  3. In the Preview section, review the computers that you want to target.
  4. (Optional) In the Schedule section, select Start Time and End Time options for the enforcement.
    • Select Run now or Custom to schedule a start time.
    • Select Never or Custom to schedule an end time if you want the policy enforcement to expire after a certain time frame. For example, allow writing to removable drives for only a finite period of time.
    • When you select a Start Time or End Time, Coordinated Universal Time (UTC) is selected and displayed by default. If you change the time to Endpoint Local Time (ELT), the selected time does not automatically update to reflect ELT. You must choose a valid ELT before you can create the enforcement.

      When you schedule an enforcement, allow enough time for the endpoint to receive the scheduling information. If the endpoint receives the scheduling information after the scheduled End Time, then the enforcement does not run.

  5. (Optional) For remediation policies, you can also select and set the following options:
    • Repeat: Specify how often enforcement actions are reissued. The default is 1 hour; the minimum allowed value is 10 minutes.
    • Distribute Over Time: Control whether endpoints apply enforcements the moment they receive the action (immediate) or at unique moments within the saved action interval (diffused). Diffusing enforcements over time can help prevent a surge in network traffic in exchange for a slower time to compliance.
  6. Click Create to create the enforcement.

To un-enforce or remove a policy from an endpoint, delete the enforcement. For more information, see Remove an enforcement.

To view the status of an enforcement on the Enforcements tab of the Policy Configurations page, click the arrow next to an enforcement to expand the status information. You can also view the status information in the Summary section of the enforcement details page. For more information about each enforcement state, see Enforcement.

View enforcements

From the Enforce menu, perform one of the following tasks:

  • For a remediation policy, click Device Actions and then click Enforcements.

  • For all other policy types, click Policy Configurations and then click Enforcements.

Filter results

From the Endpoints section of an enforcement, you can filter results by fields such as computer name and operating system, using operators such as contains or does not contain, or by plain text. You can also add rows and groupings to build a more specific filter.

For more information about filtering and merging question results, see the Tanium Interact User Guide: Managing question results.

Remove an enforcement

From the list of enforcements, select one or more enforcements and click Delete. You can also click an individual enforcement and then click Delete.