Getting started

Perform the following tasks to get started with Enforce policies.

Upload Anti-malware

In the Enforce > Settings page, select the Anti-Malware tab. Review these settings to determine if you should modify them.

If Enforce has a problem with an anti-malware definition, an Error displays next to the definition under Anti-Malware Definitions Status in the Health section of the Enforce Anti-Malware page. View the error reason from Settings > Anti-Malware.

Microsoft System Center Endpoint Protection (SCEP) Installation

Anti-malware policies require that either SCEP or Windows Defender is installed on endpoints. When SCEP installation is enabled, enforcing an Anti-malware policy automatically installs SCEP on endpoints that do not support Windows Defender.

You can choose one of the following:

  • Disable SCEP Installation: This is the default state. Leave it disabled if you are creating Anti-malware SCEP rules and already have SCEP installed on your endpoints.
  • Enable SCEP Installation: Use this option to automatically install SCEP on endpoints that do not support Windows Defender. Once enabled, click Choose Installer or Update Installer to upload an installer file.

The SCEP client installation file is included with Microsoft System Center Configuration Manager.

Please refer to Microsoft Technet: Endpoint Protection for more information about SCEP.

Managed Anti-Malware Definitions Download URLs

Windows Anti-malware policies can use Tanium to download and distribute Windows Anti-malware definitions.

You can choose one of the following:

  • Automatically retrieve definitions from Microsoft: This is the default setting. Definitions are downloaded from Microsoft.
  • Download definitions from custom URLs: Use this option if endpoints cannot reach Microsoft. Host the definition files on a server that you control and specify that server's URL.

The URLs listed under Managed Anti-Malware Definitions Download URLs specify the Microsoft links Enforce uses to download definitions.
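When definitions come from a custom URL, the mirror is inside your trust boundary, so it is worth confirming what it actually serves before endpoints consume it. The following is an added example, not Tanium Enforce code or documentation: it downloads a package from an assumed internal mirror URL and checks that the URL is HTTPS and that the file carries a valid Authenticode signature from Microsoft. The URL and path are placeholders; `mpam-fe.exe` is the name of the Microsoft Defender definition update package, and the expected-signer pattern is an assumption to adjust to what your own downloads show.

```powershell
# Added example, not Tanium's code. Verifies a definition package served by a custom
# definitions mirror before Enforce is pointed at that URL.
function Test-DefinitionPackage {
    param(
        [Parameter(Mandatory)][string]$Url,
        # Assumed signer pattern; compare with Get-AuthenticodeSignature on a known-good package.
        [string]$ExpectedSignerPattern = 'CN=Microsoft Corporation'
    )
    $result = [ordered]@{
        Url = $Url; Https = $false; Downloaded = $false
        SignatureStatus = $null; Signer = $null; Error = $null; Ok = $false
    }
    $uri = [uri]$Url
    $result.Https = ($uri.Scheme -eq 'https')

    $localFile = Join-Path $env:TEMP ([IO.Path]::GetFileName($uri.AbsolutePath))
    try {
        Invoke-WebRequest -Uri $Url -OutFile $localFile -UseBasicParsing -ErrorAction Stop
        $result.Downloaded = $true
    } catch {
        $result.Error = $_.Exception.Message
        return [pscustomobject]$result
    }

    # Authenticode check: status must be Valid (not NotSigned/HashMismatch/UnknownError)
    # and the leaf certificate subject must be the signer you expect.
    $sig = Get-AuthenticodeSignature -FilePath $localFile
    $result.SignatureStatus = $sig.Status.ToString()
    $result.Signer = $sig.SignerCertificate.Subject
    $result.Ok = $result.Https -and
                 ($sig.Status -eq 'Valid') -and
                 ($sig.SignerCertificate.Subject -like "*$ExpectedSignerPattern*")
    [pscustomobject]$result
}

# Placeholder mirror URL; replace with the custom URL you intend to enter in Enforce.
Test-DefinitionPackage -Url 'https://defs.example.internal/definitions/mpam-fe.exe'
```

Run this against every package URL you plan to enter on the Anti-Malware tab; a result with `Ok = False` means either the mirror is serving over plain HTTP, the file is not signed by the expected publisher, or the download failed, and the mirror should be fixed before endpoints depend on it.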

See Create an Anti-malware policy for further instructions.

Set defaults for AppLocker

Access the AppLocker settings from the Enforce menu under Settings > AppLocker.

In AppLocker settings, you can select a Rule Template and define default Allow and Deny rules. A rule template contains the default AppLocker rules that are included automatically in any AppLocker policy you create. The rule template includes Allow and Deny rules to specify which files are allowed to run or are blocked. You can modify these rules in individual policies as needed. You must include at least one Allow rule.

AppLocker Deny rules take precedence over AppLocker Allow rules. See Microsoft: Understanding AppLocker allow and deny actions on rules.

Block list rule template

The Block list rule template allows Everyone to run all applications through the (Default Rule) All files Allow rule. This rule is the only rule that is included in this rule template by default. Define the specific applications you want to block by adding Deny rules.

The Block list rule template is the default rule template used in Enforce until you change it.

You cannot delete or modify the (Default Rule) All files Allow rule in this rule template because this rule template is intended to allow all files to run except those that you specifically block through a Deny rule.

Allow list rule template

The Allow list rule template, by default, allows only applications that are run by Administrators or that are located in these folders:

  • All files located in the Program Files folder: applies to Everyone
  • All files located in the Windows folder: applies to Everyone
  • All files: applies to Administrators

The default rules in the Allow list rule template are based on the Windows AppLocker default rules. For more information, see Microsoft: Understanding AppLocker default rules.

If you enforce the default Allow list rule template as is, you might block applications unintentionally: the template blocks every application that no Allow rule covers, without anyone having listed that application. For example, a program that a user runs out of that user's profile directory is blocked. For best results, deploy allow list policies initially in Audit Only mode until audit reports can be reviewed and the intended results are confirmed. See Using best practices with policies and rules: AppLocker policies for an example workflow.

As a best practice, add to the existing default rules to allow or deny applications rather than modifying the default rules. Test any modifications in audit mode first to ensure that they are running as intended before you switch to blocking mode.

The Tanium Client runs BAT, EXE, and VBS files from the Tanium Client directory. Make sure that no Deny rule, and no gap in your Allow rules, blocks files in that directory, because blocking them breaks client functions.

When you edit a block list or allow list template, it becomes a custom template and the pulldown field changes to Custom.

Custom rule template

Use the Custom rule template to create your own template. This rule template does not contain any rules by default.

You can customize any of these rule templates by adding additional Allow rules or Deny rules. Click Save to save your changes. To go back to the original default settings, click Restore to Default.

Create Default AppLocker rules

Use rule exceptions to specify files or folders to exclude from a default AppLocker rule. You can create default executable rules, default Windows installer rules, and default script rules.

  1. Expand a category: Default Executable Rules, Default Windows Installer Rules, or Default Script Rules, and select a template from the pulldown: Allow list, Block list, or Custom.
  2. Click Create to add a new default rule. Each rule type contains the same configuration fields.
    1. Enter a Name for the rule.
    2. Select a type: Hash, Path, Publisher.
    3. For Hash, provide the Hash and optional File Size (bytes). Optionally, click the + sign to add another hash rule.
    4. For Path, provide the full path or file name in the Path field.
    5. For Publisher, provide the Publisher, Product Name, and File Name. In the File Version field, use the pulldown to indicate whether you want earlier or later versions included or only the exact version you specify. You can use the * character as a wildcard in any of these values.
  3. In the Windows User section, select whether this rule applies to Everyone or only Administrators.
  4. Click Save for the rule.
  5. Click Create for the policy.
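The behaviour described under the Allow list rule template, the Deny-over-Allow precedence, the Tanium Client directory caveat, and the Hash and Publisher rule fields above can all be checked on a test endpoint before a policy is enforced. The following is an added example, not Tanium Enforce code or documentation: it writes a plain AppLocker policy in Audit Only mode with the same three default Allow rules as the Allow list template, adds one Deny rule that overlaps a default Allow rule, and uses the Windows `Test-AppLockerPolicy` cmdlet to predict decisions for a Windows binary, for a copy of that binary in the user's profile, and for the files in an assumed Tanium Client directory. The Tanium Client path, the demo Deny target (`calc.exe`, chosen only because it exists on every Windows install) and the temporary file locations are assumptions.

```powershell
# Added example; not Tanium Enforce code. Requires the AppLocker PowerShell module
# (Windows Enterprise/Education, or a server with the feature installed); run elevated.

$everyone = 'S-1-1-0'         # well-known SID: Everyone
$admins   = 'S-1-5-32-544'    # well-known SID: BUILTIN\Administrators

# One AppLocker path rule in policy XML. Rule Ids must be unique GUIDs.
function New-PathRuleXml {
    param([string]$Name, [string]$Sid, [string]$Action, [string]$Path)
    $id = [guid]::NewGuid().ToString()
    @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# The three Allow list template defaults, plus (Exe only) a Deny rule that overlaps
# the Windows-folder Allow rule, to show that Deny wins.
function New-RuleCollectionXml {
    param([string]$Type)
    $rules = @(
        New-PathRuleXml '(Default Rule) All files located in the Program Files folder' $everyone 'Allow' '%PROGRAMFILES%\*'
        New-PathRuleXml '(Default Rule) All files located in the Windows folder'       $everyone 'Allow' '%WINDIR%\*'
        New-PathRuleXml '(Default Rule) All files'                                     $admins   'Allow' '*'
    )
    if ($Type -eq 'Exe') {
        $rules += New-PathRuleXml '(Demo) Deny calc.exe for Everyone' $everyone 'Deny' '%SYSTEM32%\calc.exe'
    }
    @"
  <RuleCollection Type="$Type" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
"@
}

$policyPath = Join-Path $env:TEMP 'enforce-allowlist-audit.xml'
@"
<AppLockerPolicy Version="1">
$(New-RuleCollectionXml 'Exe')
$(New-RuleCollectionXml 'Script')
</AppLockerPolicy>
"@ | Set-Content -Path $policyPath -Encoding UTF8

# Constructed test subject: a copy of a Windows binary in the user's profile, which
# neither the Program Files nor the Windows folder Allow rule covers.
$demoDir = Join-Path $env:LOCALAPPDATA 'AppLockerDemo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$profileExe = Join-Path $demoDir 'calc.exe'
Copy-Item "$env:SystemRoot\System32\calc.exe" $profileExe -Force

$subjects = @("$env:SystemRoot\System32\notepad.exe",
              "$env:SystemRoot\System32\calc.exe",
              $profileExe)

# Expected: notepad.exe Allowed for both users; System32\calc.exe Denied for both
# (the Everyone Deny rule also covers Administrators); the profile copy
# DeniedByDefault for Everyone but Allowed for Administrators via "All files".
foreach ($sid in $everyone, $admins) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $subjects -User $sid |
        Select-Object @{ n = 'User'; e = { $sid } }, FilePath, PolicyDecision, MatchingRule
}

# The file hash and publisher information that a Hash or Publisher rule is built from.
Get-AppLockerFileInformation -Path "$env:SystemRoot\System32\notepad.exe" |
    Select-Object Path, Hash, Publisher | Format-List

# Assumed Tanium Client directory (adjust to your deployment): list any EXE, BAT or
# VBS file there that this policy would not allow Everyone to run.
$taniumDir = 'C:\Program Files (x86)\Tanium\Tanium Client'
if (Test-Path $taniumDir) {
    $flagged = Get-ChildItem -Path $taniumDir -Recurse -File -Include *.exe, *.bat, *.vbs |
        Get-AppLockerFileInformation |
        Test-AppLockerPolicy -XmlPolicy $policyPath -User $everyone -Filter Denied, DeniedByDefault
    if ($flagged) { $flagged | Select-Object FilePath, PolicyDecision, MatchingRule }
    else { "Nothing under $taniumDir would be blocked for Everyone." }
}
```

`Test-AppLockerPolicy` only predicts; once a policy is deployed in Audit Only mode, the evidence to review before switching to blocking is the AppLocker event log (`Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL'`), where event ID 8003 records a file that ran but would have been blocked under enforcement.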

Manage Windows device classes and devices

Click Settings from the Enforce menu and go to Device Control to manage the global list of Windows device classes and devices for use with Windows device control policies.

Device Classes

The list includes the predefined device classes that are provided by Microsoft and any additional device classes that were added, either from this page or through a device control policy. Click Device Classes to manage the global list of device classes.

  • Use the sort menu to sort the list by Name, Type, or Associated Policy.
  • Use the Filter by name field to filter the list by a specific name.
  • Click Create to add a custom device class to the global list.
  • You can edit or delete custom device classes:
    • Select a custom device class and click Edit to update the configuration for that device class.
    • Select a custom device class and click Delete to delete that device class.

Only custom device classes can be modified or deleted. You cannot modify or delete the default device classes. Changes that are made to device classes through the global list are pushed out to all policies that reference the device class. If you delete a device class, it is removed from all policies where it is referenced.

Devices

This list includes devices that were added from this page or through a device control policy. Click Devices to manage the global list of devices.

  • Use the sort menu to sort the list by Name or Associated Policy.
  • Use the Filter by name field to filter the list by a specific name.
  • Click Create to add a new device to the global list.
  • Select a device and click Edit to update the configuration for that device.
  • Select a device and click Delete to delete that device.

Changes that are made to devices through the global list are pushed out to all policies that reference the device. If you delete a device, it is removed from all policies where it is referenced.
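Custom device classes and devices are only useful if the identifiers you enter match what Windows reports on the endpoint. The following is an added example, not Tanium Enforce code or documentation: it lists the device setup classes registered on a Windows endpoint (name and GUID) and the devices currently present in the classes that removable-media control usually targets, with the hardware ID Windows reports for each. It assumes that Enforce identifies a custom device class by its Windows setup class GUID and a device by a hardware or instance ID; compare the Create dialog's fields with this output before entering values.

```powershell
# Added example; not Tanium's code. Run on a representative Windows endpoint.

# Every device setup class registered on this endpoint, from the registry key
# Windows keeps setup classes under. Use it to find the GUID for a class name.
function Get-SetupClassList {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\Class' | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            ClassGuid   = $_.PSChildName
            Class       = $props.Class
            Description = $props.'(default)'
        }
    }
}

# Present devices in the classes typically targeted by removable-media device
# control, with the most specific hardware ID Windows reports for each.
function Get-DeviceInventory {
    param([string[]]$Class = @('DiskDrive', 'USB', 'WPD', 'CDROM'))
    Get-PnpDevice -PresentOnly -Class $Class -ErrorAction SilentlyContinue | ForEach-Object {
        $hwIds = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                      -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue).Data
        [pscustomobject]@{
            Class      = $_.Class
            ClassGuid  = $_.ClassGuid
            Name       = $_.FriendlyName
            Status     = $_.Status
            InstanceId = $_.InstanceId
            HardwareId = @($hwIds)[0]   # Windows lists the most specific ID first
        }
    }
}

# Class GUIDs for the classes you might add or reference in a device control policy.
Get-SetupClassList | Where-Object Class -in 'DiskDrive', 'USB', 'WPD', 'CDROM' |
    Format-Table -AutoSize

# Devices plugged in right now, to pick the identifier for a device entry.
Get-DeviceInventory | Sort-Object Class, Name | Format-Table -AutoSize
```

A device can appear under several classes at once (a USB stick shows up as a USB device, a disk drive and possibly a WPD device), so check which class the policy you are building actually controls before deciding which GUID or hardware ID to enter.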

See Create a Windows device control policy for further instructions.

Next steps

Create Policies

Configure Windows administrative policies for computer groups. See Creating policies.

Enforcements

After policies are configured, create enforcements to apply them to endpoints. See Enforcing policies.