Creating policies

You can create the following policies in Enforce.

Anti-malware

Use Anti-malware policies to protect your endpoints from viruses using the Microsoft Anti-malware engine. This policy type is configured through the Windows Defender Antivirus settings of Machine Administrative Templates (Active Directory administrative template group policy objects) on Windows systems. For more information, see Create an Anti-malware policy.

AppLocker

Use AppLocker policies to prevent unwanted executables from running on your endpoints (Deny rules) or to allow only certain applications to run on endpoints (Allow rules). For more information, see Create an AppLocker policy.

BitLocker

Use BitLocker policies to encrypt drives on endpoints using Windows BitLocker Drive Encryption. For more information, see Create a BitLocker policy.

Device Control - All Devices

Use Device Control - All Devices policies to restrict the installation of new devices. With this policy type, the installation of any new device is blocked unless the device is explicitly allowed by either the device class or the hardware ID of the device. For more information, see Create a Windows device control policy.

Device Control - Removable Storage

Use Device Control - Removable Storage policies to control access permissions to specific removable media categories. The types of removable media predefined by Microsoft are CD-ROM and DVD drives, floppy disk drives, removable disk drives, tape drives, and Windows Portable Devices (WPD). For more information, see Create a Windows device control policy.

FileVault Policy

Use FileVault policies to encrypt drives on endpoints using macOS FileVault Encryption. For more information, see Create a FileVault policy.

Firewall Management - Windows and Linux

Use Firewall Management policies to configure rules that block or allow network traffic using the built-in operating system firewall. For more information, see Create a Windows firewall management policy and Create a Linux firewall management policy.

Machine Administrative Templates

Use Machine Administrative Templates policies to target machine-based Active Directory administrative template (ADMX) group policy objects on Windows systems. With these policies, you can apply consistent rules to Windows devices regardless of the logged-in user. For more information, see Create a Machine administrative template policy.

The following Microsoft packages are used in Windows administrative template policies: Windows 11 baseline, Google Chrome, MS Office, Microsoft Edge, and Windows Security Baseline ADMX files (MSS-legacy and SecGuide).

Mac Device Configuration Profile

Mac Device Enrollment is currently public beta software.

Available only when Mac Device Enrollment is added to your Tanium license. Use Mac Device Configuration Profile policies to configure settings, such as email accounts and encryption settings, on managed macOS devices. For more information, see Create a Mac Device Configuration Profile policy.

Remediation

Use Remediation policies to configure a set of tasks that run sequentially on endpoints. For more information, see Create a remediation policy.

Remediation Purge

Use Remediation Purge policies to take action on lost or stolen endpoints by remotely wiping all nonessential data or freezing the endpoint to prevent attempts to sign in. For more information, see Create a purge remediation policy.

Software Restriction Policy (SRP)

Use SRPs to configure rules created using the Windows SRP component that block the execution of applications. For more information, see Create an SRP management policy.

Security Settings

Use Security Settings policies to protect endpoints from malicious threats using Windows operating system security settings. For more information, see Create a Security Settings policy.

Tanium Removable Storage Access Control

Use Tanium Removable Storage Access Control policies to block access for USB storage devices by default and provide configurable exception rules to allow access for specific devices. For more information, see Create a Tanium removable storage access control policy.

User Administrative Templates

Use User Administrative Templates policies to target user-based Active Directory administrative template (ADMX) group policy objects on Windows systems. With these policies, you can apply consistent rules to Windows users. When a user signs in to an endpoint where a User Administrative Template policy is enforced, the settings in the policy apply to that user on that endpoint. The policy applies to every user who signs in to an endpoint where the policy is enforced. For more information, see Create a User Administrative Template policy.

The following Microsoft packages are used in Windows administrative template policies: Windows 11 2022 Update (22H2), MS Office, Google Chrome (91.0.124 build 4472), Windows Security Baseline (MSS-legacy and SecGuide), Mozilla Firefox, OneDrive (build 20.201.1005.0009), Microsoft Edge (Chromium), and FSLogix Policy Settings (2.9.7654.46150) ADMX files.

Create an Anti-malware policy

Anti-malware policies consist of groups of settings. You can have only one Anti-malware rule for each policy; however, a single Anti-malware rule within one policy can have multiple settings. When you create an Anti-Malware policy, you can add settings to control the user experience.

Make sure you have completed the steps detailed in the Upload Anti-malware section before configuring anti-malware policies.

  1. From the Enforce menu, go to Policy Configurations and then click Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select Machine Administrative Templates.

      To filter the policy type by operating system, click any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a Content Set. Leave this blank if you want to use the default content set for this policy type.
  3. (Optional) To configure anti-malware settings, expand the Anti-Malware Specific Settings section and select Enable.
    1. To automatically add the required Tanium exclusions to the policy, click Create exclusions for Tanium processes.
    2. Decide whether to select Deploy definition update using Tanium for Managed Definitions, and then complete the Definition Grace Period fields to specify how often endpoints use Tanium to check for Anti-malware definition updates. This value is the maximum age an Anti-malware definition can reach before the policy is considered unenforced. The default grace period is 1 day.

      By default, anti-malware rules are configured to retrieve definitions directly from Microsoft. If an endpoint does not receive an update within the specified grace period, it is considered unenforced. When this option is selected, anti-malware rules are configured to use Tanium to deploy anti-malware definition updates.

  4. From the list of policy setting categories, go to the following categories and enable Windows Defender settings as needed. Click Add to Policy after you configure each setting.
    • Windows Components > Microsoft Defender Antivirus
    • Windows Components > Microsoft Defender Application Guard
    • Windows Components > Microsoft Defender Exploit Guard
    • Windows Components > Windows Defender SmartScreen
  5. Expand Filters and search for Defender in the Settings text field.
    1. Enable additional Windows Defender policy settings and configure as needed.
    2. Click Add to Policy after you configure each policy setting.

    Anti-malware policies require that endpoints have either SCEP or Windows Defender installed. When SCEP Installation is enabled, enforcing an Anti-malware policy automatically installs SCEP on endpoints that do not support Windows Defender.

  6. Click Create.
    The policy now appears in the Policies list on the Policy Configurations page.

Enforce policies

How you enforce a policy depends on the type of policy you want to enforce:

  • You enforce remediation policies from the Enforcements tab of the Device Actions page.
  • You enforce all other policy types from the Enforcements tab of the Policy Configurations page.

You can also click on a policy name and create an enforcement from the policy page.

For more information, see Enforcing policies.

Create an AppLocker policy

For successful AppLocker rule enforcement, Enforce starts the Application Identity service on the endpoint.

The Enforce settings include default rule templates for each rule type used in AppLocker policies. The Block list rule template is used by default until you change it. For more information about changing the default rule templates, see Set defaults for AppLocker.

Only one AppLocker policy is in effect on an endpoint at a given time. Therefore, if you want to enforce rules for multiple app types (Executable, Windows Installer, or Script) on a particular endpoint, you must use one AppLocker policy with rules for each app type (and not a separate policy for each one). If there are multiple policies with the same policy type applied to an endpoint, the priority of the policy is used to resolve the conflict.

  1. From the Enforce menu, go to Policy Configurations and then click Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select AppLocker.

      To filter the policy type by operating system, click any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a Content Set. Leave this blank if you want to use the default content set for this policy type.
  3. In the Settings section, configure the policy settings.
    1. (Optional) Provide a Support URL if you want to display a custom URL when a user tries to run an app that is blocked.
    2. You can import AppLocker rules using the XML files you generate in the AppLocker section of the Windows Local Security Policy Tool or an exported Enforce AppLocker policy to quickly add multiple rules to a policy. For more information, see Import an AppLocker rule.
    3. Select one or more rule types to configure for the policy (Executable, Windows Installer, or Script), and configure each rule type that you select. Deny and Allow rules are populated with the default rule template you chose in the Enforce Settings > AppLocker section.
  4. In each of the sections for the enabled rule types, add deny or allow rules, if necessary, as follows.
    • Deny rules prevent the specified files from running on endpoints where the policy is enforced
    • Allow rules let the specified files run on endpoints where the policy is enforced

      AppLocker Deny rules take precedence over AppLocker Allow rules. You must include at least one Allow rule. For more information about best practices and rule precedence, see Set defaults for AppLocker.

      Be aware of AppLocker allow or deny rules that are set in your Domain Policy. These rules might take precedence over AppLocker rules created in Enforce.

      Add to the existing default rules to allow or deny files rather than modifying the default rules. Test any modifications in audit mode first to ensure that they are running as intended before you switch to blocking mode.

      The Tanium Client uses BAT, EXE, and VBS files. Be sure that you do not block scripts in the Tanium Client directory; doing so might break client functions.

    1. Select whether the rule type is Audit Only or Blocking.
    2. Click Create and provide a Name for the rule.
    3. In the Type section, select Hash, Path, or Publisher.
    4. Specify the settings for the file:
      • If you selected Hash, provide the Hash and optional file size in bytes. Optionally, click Add another rule to add another hash rule.

        For best results, use a utility other than Get-AppLockerFileInformation to generate the SHA-256 hash. For example, you can use Get-FileHash to generate the hash. Hashes generated with Get-AppLockerFileInformation are different from hashes generated by other utilities and are not supported by Enforce.

      • If you selected Path, provide the file path or file name.
      • If you selected Publisher, provide the Publisher, Product Name, File Name, and File Version, using the dropdown list to indicate whether you want earlier or later versions included or only the version you specify.
        You can use the * character as a wildcard character only for the entire value. Partial wildcard values are not valid for any of these values.
    5. Select Everyone or Administrators in the Windows User section and then click Save.
  5. Click Create.
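The following PowerShell script is an added example, not Tanium's own code, that shows the hash-generation step above in practice: it produces the SHA-256 hash and file size in bytes that an Enforce hash rule asks for using Get-FileHash rather than Get-AppLockerFileInformation, and it covers the BAT, EXE, and VBS files in the Tanium Client directory so that those can be added as Allow rules before switching from Audit Only to Blocking. The Tanium Client install path and the second directory are assumptions; adjust them for your environment.

```powershell
# Added example (not Tanium's own code): build a hash inventory for Enforce
# AppLocker hash rules with Get-FileHash, which produces the flat SHA-256
# that Enforce expects. Get-AppLockerFileInformation returns a hash in the
# form "SHA256 0x..." that is computed differently and is not supported.
$Dirs = @(
    'C:\Program Files (x86)\Tanium\Tanium Client',  # ASSUMED default Tanium Client directory; verify
    'C:\Program Files\Contoso\LineOfBusinessApp'    # constructed placeholder for your own application
)
# File types the Tanium Client uses and that Executable/Script rules cover
$Extensions = @('.exe', '.bat', '.vbs')

function Get-EnforceHashRuleInput {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string[]] $Include = $Extensions
    )
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) {
            Write-Warning "Skipping missing directory: $dir"
            continue
        }
        Get-ChildItem -LiteralPath $dir -Recurse -File |
            Where-Object { $Include -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
                [pscustomobject]@{
                    Path      = $_.FullName
                    Sha256    = $h.Hash        # paste into the rule's Hash field
                    SizeBytes = $_.Length      # optional "file size in bytes" field
                }
            }
    }
}

$rules = Get-EnforceHashRuleInput -Path $Dirs
$rules | Format-Table -AutoSize
# Keep a copy alongside the policy so hashes can be re-checked after client upgrades.
$rules | Export-Csv -LiteralPath "$env:TEMP\enforce-hash-rules.csv" -NoTypeInformation
```

Re-run the inventory after every Tanium Client or application upgrade: a hash rule matches one exact file build, so an updated binary silently falls out of the Allow rules and is blocked once the rule type is in Blocking mode.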


Import an AppLocker rule

  1. Click Browse for File in the Import Rules From XML section.
  2. Select the XML file that contains the exported AppLocker rules and click Open.
  3. The Import Pending Review window shows up to three tabs, depending on the content in the XML file: the new rules added to the policy from the imported XML file, the rules Enforce cannot import, and duplicate rules.
  4. Click Proceed to import the XML file and then click Save.

For more information about AppLocker event logs, see Review AppLocker event logs.

Create a BitLocker policy

Complete the steps detailed in the Configure Endpoint Encryption settings section before you create BitLocker policies.

Optionally, you can configure a self-service recovery portal that users can access if they forget their PIN or password. See Reference: Encryption management recovery portal.

Settings that can be applied using a configuration service provider (CSP) are annotated with an icon. Hover over the icon to see the earliest supported operating system for policy application using a CSP. For more information about Enforce policy application using a CSP, see Applying policy settings using configuration service providers (CSPs).

  1. From the Enforce menu, go to Policy Configurations and then click Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select BitLocker.

      To filter the policy type by operating system, click any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a Content Set. Leave this blank if you want to use the default content set for this policy type.

    If requirements for this policy are missing, that information is displayed. For more information about BitLocker requirements, see Configure Endpoint Encryption settings.

  3. In the Global Encryption Settings section, select the Encryption Type: Hardware, Software, or Hardware and Software.
    • If you select Hardware and Software, BitLocker software-based encryption is used if the drive does not support hardware-based encryption.
    • If you select Software or Hardware and Software, set the Encryption Method for each operating system.
    • This setting applies only to software-based encryption. It configures the encryption algorithm and key cipher strength for the drive. For more information about this setting, see Microsoft Documentation: Choose drive encryption method and cipher strength.
  4. (Optional) In the Operating System Disk Encryption section, select Encrypt Operating System Drives.
    1. Choose: Full or Used Disk Space Only. For more information on this option, see Microsoft Documentation: Used Disk Space Only encryption.
    2. For computers that have a TPM chip, specify the behavior of the computer at startup or reboot when the drive is encrypted:

      TPM only

      If you choose TPM only, the drive is unlocked at startup or reboot using the integrated TPM chip with no user interaction.

      With TPM only, the drive can be encrypted when no end user is signed in to the computer. Keys are backed up to the Tanium database. One or more reboots are required, and you can use a Tanium package to accomplish that. It is recommended that you monitor the system status and push the reboot when needed.

      TPM + PIN

      If you choose TPM + PIN, the user configures a PIN during the initial BitLocker setup on the computer. The user must enter that PIN when the computer starts or reboots.

      If you use a PIN, you must set the Minimum PIN Length. Set this value to a number between 4 and 20. By default, PINs can include only numbers. If you want to allow PINs to include uppercase and lowercase letters, symbols, numbers, and spaces, select Enhanced PIN. If you do not want to allow PINs or passwords that consist of all the same character (11111111) or a sequence of characters (12345678), select Enforce minimum complexity requirements.

    3. (Optional) For computers without a TPM chip, specify whether you want to Allow BitLocker to run without a compatible TPM and specify a minimum password length. If you select this option, you can enforce the policy on computers that do not have a compatible TPM chip. Users must enter a password to access the encrypted drive. You can also specify whether you want to Enforce minimum complexity requirements for PINs or passwords, which prevents PINs from using duplicate or sequential characters.
  5. (Optional) In the Fixed Disk Encryption section, select Encrypt Fixed Data Drives.
    1. Select Full or Used Disk Space Only. For more information on this option, see Microsoft Documentation: Used Disk Space Only encryption.
    2. (Optional) Select Deny write access to fixed drives not protected by BitLocker.

      If you select this option, fixed data drives that are not protected by BitLocker are mounted as read-only. Fixed data drives that are protected by BitLocker are mounted with Read and Write access.

  6. (Optional) In the Removable Disk Encryption section, configure settings for removable data drives.
    1. Select Encrypt Removable Data Drives and then select Full or Used Disk Space Only. For more information on this option, see Microsoft Documentation: Used Disk Space Only encryption.
    2. Select Deny write access to removable drives not protected by BitLocker to specify whether BitLocker protection is required for a computer to write to a removable data drive.

      If you select this option, removable data drives that are not protected by BitLocker are mounted as read-only. Removable data drives that are protected by BitLocker are mounted with Read and Write access.

    3. Select Control use of BitLocker on removable drives to allow users to turn BitLocker on or off on removable drives.
      1. Select Allow users to apply BitLocker protection on removable data drives to allow users to enable BitLocker protection.
      2. Select Allow users to suspend and decrypt BitLocker protection on removable data drives to allow users to remove BitLocker encryption.
    4. Select Configure use of hardware-based encryption for removable data drives to manage how BitLocker uses hardware-based encryption on removable data drives and to specify which encryption algorithms and cipher suites can be used with hardware-based encryption.
      1. Select Use BitLocker software-based encryption when hardware-based encryption is not available.
      2. Select Restrict encryption algorithms and cipher suites allowed for hardware-based encryption.
      3. Select Restrict crypto algorithms or cipher suites to the following and enter the crypto algorithms and cipher suites that you want to allow for hardware-based encryption.

    5. Select Allow access to BitLocker-protected removable data drives from earlier versions of Windows to specify whether removable data drives formatted with the FAT file system can be unlocked and viewed on computers that run Windows Vista or Windows XP SP2 or SP3. You can also restrict whether to allow installation of BitLocker to Go Reader on FAT-formatted removable drives on Windows XP or Windows Vista machines.
    6. Select Configure use of passwords for removable data drives to specify whether a password is required to unlock removable data drives that are protected by BitLocker, and to set password requirements.
    7. Select Choose how BitLocker-protected removable drives can be recovered to control how removable data drives protected by BitLocker can be recovered when the required credentials are not available.
      1. Select Omit recovery options from the BitLocker setup wizard to hide recovery options during BitLocker setup.
      2. Select Save BitLocker recovery information to AD DS for removable data drives to back up your recovery key to Active Directory. Note that Tanium also stores the recovery key in escrow in Enforce.

    For more information about these settings, see Microsoft Documentation: BitLocker Group Policy settings.

    To apply removable disk encryption setting updates, reboot the targeted endpoints after you enforce the BitLocker policy.

  7. In the End User Notifications section:
    1. Select or drag an image file (PNG, GIF, or JPG/JPEG) and enter a window title to use in the notifications window for all BitLocker notifications.
    2. In the Reboot Computer section, provide the notification Title and Message that you want to display to users before the computer is rebooted. This message is the first message that displays to the user after the policy is enforced. It should prompt them to reboot their computer when possible to prepare their drive for encryption.
    3. In the Encrypt Hard Drive section, provide the notification Title and Message that you want to display to users to notify them that they must reboot their computer to begin the encryption process. This message displays when the hard drive is prepared for encryption, which occurs after the first reboot. This message prompts users to reboot their computer when possible to start the encryption.

      Inform users that drive encryption is not a disruptive process and that they can continue to work while encryption occurs.

    4. If applicable, in the message, notify users that they must reset the password or PIN. This option is available only when you choose the TPM + PIN or Allow BitLocker to run without a compatible TPM options.

      Click Restore Default for any of these sections to remove your text and return to the default text.

  8. In the Key Recovery section:
    1. Specify the Pre-Boot Recovery Message. If you chose the TPM + PIN or Allow BitLocker to run without a compatible TPM option, this message displays to users at startup and reboot on the screen where the PIN or password is entered.

      Include the URL for the recovery portal in this message.

    2. Select how often you want keys to rotate from the Recovery Key Rotation dropdown list.

      Due to Microsoft Windows OS constraints, if you change the protection settings in an existing BitLocker policy, you must decrypt and then re-encrypt endpoints for the changes to be applied.

  9. Click Create.
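The TPM only and TPM + PIN steps above note that reboots are needed and that you should monitor the system status before pushing the reboot. The following PowerShell script is an added example, not Tanium's own code, that checks an endpoint's operating system volume with the built-in Get-BitLockerVolume cmdlet and reports whether the protectors and encryption method match what the policy configured. The expected protector set (TpmPin plus a RecoveryPassword escrowed for key recovery) and the XtsAes256 method are assumptions; set them to match your policy.

```powershell
# Added example (not Tanium's own code): verify that the OS volume reflects the
# protector mode and encryption method configured in a BitLocker policy.
# ASSUMPTION: the policy chose TPM + PIN and XTS-AES 256; adjust $Expected.
$Expected = @{
    # 'Tpm' for TPM only, 'TpmPin' for TPM + PIN, 'Password' for no-TPM computers
    ProtectorTypes   = @('TpmPin', 'RecoveryPassword')
    EncryptionMethod = 'XtsAes256'
}

function Test-BitLockerOsVolume {
    param([hashtable] $Expect = $Expected)

    $os = Get-BitLockerVolume |
        Where-Object { [string]$_.VolumeType -eq 'OperatingSystem' } |
        Select-Object -First 1
    if (-not $os) {
        return [pscustomobject]@{ MountPoint = $null; Compliant = $false;
                                  Reason = 'No operating system volume reported'; Protectors = '' }
    }

    $present = @($os.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $missing = @($Expect.ProtectorTypes | Where-Object { $present -notcontains $_ })
    $reasons = @()
    if ($missing.Count -gt 0) {
        $reasons += "Missing protectors: $($missing -join ', ')"
    }
    if ([string]$os.EncryptionMethod -ne $Expect.EncryptionMethod) {
        $reasons += "Encryption method is $($os.EncryptionMethod)"
    }
    if ([string]$os.ProtectionStatus -ne 'On') {
        $reasons += "Protection status is $($os.ProtectionStatus)"
    }
    if ([string]$os.VolumeStatus -ne 'FullyEncrypted') {
        # Encryption still in progress after enforcement usually means a reboot is pending.
        $reasons += "Volume status is $($os.VolumeStatus) ($($os.EncryptionPercentage)% encrypted)"
    }

    [pscustomobject]@{
        MountPoint = $os.MountPoint
        Compliant  = ($reasons.Count -eq 0)
        Reason     = ($reasons -join '; ')
        Protectors = ($present -join ', ')
    }
}

Test-BitLockerOsVolume | Format-List
```

Run it after the second reboot described in the End User Notifications section; a result that lists the expected protectors but still shows encryption in progress is the normal state while Used Disk Space Only or Full encryption completes, whereas a missing TpmPin or Tpm protector after the reboots points at the policy not having applied.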


View BitLocker recovery keys

View recovery key information, such as computer name, user name, recovery key ID, and last rotation.

From the Enforce menu, click Endpoint Encryption to view health data and recovery key information.

Create a Windows device control policy

Windows device control policies provide two modes for administering devices on Windows endpoints.

Removable Storage

Controls access permissions on removable media. The types of removable media predefined by Microsoft are CD-ROM and DVD drives, floppy disk drives, removable disk drives, tape drives, and Windows Portable Devices (WPD).

With this mode, you can deny specific permissions to categories of removable devices. On the endpoint, the permissions are managed using local group policy settings located in Administrative Templates > System > Removable Storage Access.

All Devices

Restricts the installation of new devices. This advanced mode provides more granular control by using a list-based approach.

With this mode, the installation of any new device is blocked unless the device is explicitly allowed by either the device class or the hardware ID of the device. Optional settings allow administrators to bypass all restrictions and to uninstall existing USB storage devices that are not on the allowed list of devices. On the endpoint, the permissions are managed using local group policy settings located in Administrative Templates > System > Device Installation > Device Installation Restrictions.

Make sure you complete the steps that are detailed in the Manage Windows device classes and devices section before configuring device control policies.

  1. From the Enforce menu, go to Policy Configurations and then click Create.
  2. Enter a Name and optional Description for the policy.

Create a Windows device control policy to administer removable devices

  1. From the Policy Type dropdown list, select Device Control - Removable Storage - Windows.

    To filter the policy type by operating system, click any of the operating system icons.

  2. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
  3. (Optional) Expand Advanced Settings and select a Content Set. Leave this blank if you want to use the default content set for this policy type.
  4. In the Device Control section, select the type of removable storage that you want to administer and the access that you want to deny for that storage type.
  5. Click Create.

Create a Windows device control policy to administer all devices

This mode blocks new installations of all devices by default. This mode includes an optional setting to uninstall existing USB storage devices that are not on the policy allow list. All other existing devices remain installed and unblocked, including devices that are not currently connected but were installed previously. You must add devices to the policy allow list to allow installation to endpoints. Carefully test configurations and their impacts before you deploy them widely.

  1. From the Policy Type dropdown list, select Device Control - All Devices - Windows.

    To filter the policy type by operating system, click any of the operating system icons.

  2. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
  3. (Optional) Expand Advanced Settings and select a Content Set. Leave this blank if you want to use the default content set for this policy type.
  4. (Optional) In the Notification section, select Provide a notification message for users when a device is denied access and specify a message to display when a user attempts to install a restricted device.
  5. In the General Device Rules section, configure the following settings:
    1. In the Administrator Permissions section, select the Allow Administrators to bypass all restrictions option to enable users to bypass the restrictions if they are signed in as an administrator.

      Devices do not install automatically when this option is selected. Administrators must manually install the device through Device Manager.

    2. In the Existing USB Devices section, select the Uninstall existing USB storage devices not on the allowed list of devices option to uninstall USB storage devices that are not on the allow list.

      As a safeguard against uninstalling devices that are required for the system to run, other devices that are currently installed on an endpoint, including devices that are not currently connected but were installed previously, are not uninstalled when this option is selected. If the device is in use when the policy is enforced on the endpoint, the device is uninstalled at the next reboot of the endpoint. In this scenario, the policy status sensor returns a status indicating that prohibited devices are still installed.

  6. In the Device Classes section, define groups of devices that you want to allow in your environment. Many device classes are predefined by Microsoft, and you can define custom device classes. Each device class has a globally unique identifier (GUID). For more information about device classes, see Microsoft Documentation: Windows Hardware Developer: System-Defined Device Setup Classes Available to Vendors. When you add a device class, it is stored in the global device class list, which you can access from the Settings page.

    If you add a device by device class, you must allow all of the device nodes in the device tree for that class. For example, if you want to allow the installation of a USB storage device, you must allow the installation of Disk Drives and USB Bus Devices (hubs and host controllers). For more information, see Microsoft Documentation: Windows Hardware Developer: Device nodes and device stacks.

    • Click Import to query all Windows endpoints for their installed device classes and import them to the allow list. With this option, you can quickly add any custom device classes that might be used in your environment. Device classes that are already known to Enforce, marked with a warning icon, are not imported to avoid duplicates. From this page, you can select all device classes that were found on endpoints or you can select individual device classes. Click Proceed to add the selected device classes to the allow list.
    • Click Manage Existing to add existing device classes to the allow list. This list contains the predefined device classes that are provided by Microsoft and any device classes that were manually added previously. From this page, you can add or remove all available device classes, or add or remove individual device classes.

    If you added a device class using the Create option, it does not appear in this list until you save the policy.

    • Click Create to add a new device class. Specify a device class name, valid GUID, and optional description. Click Create again to add the device class to the allow list.
  7. In the Devices section, define individual devices that you want to allow in your environment. This option is useful if, for example, you want to allow a USB storage device from a specific manufacturer that is supported by your company, but no other USB storage devices. You do not need to allow the associated device classes when you allow a specific device. When you add a device, it is stored in the global device list, which you can access from the Enforce settings page. For more information on the global list, see Manage Windows device classes and devices.
    • Click Create to add a new device. Specify a device name and an optional ID. Click Create again to add the device to the allow list.

      Most devices have several hardware IDs. These IDs range from the most specific, which identifies a particular device, to a more general ID, which might identify a device type. Use the hardware ID that is appropriate for your environment.

    • Click Import to query all Windows endpoints for their installed USB storage devices and import them to the allow list. With this option, you can quickly add any USB storage devices that might be used in your environment. USB storage devices that are already known to Enforce, marked with a warning icon, are not imported to avoid duplicates. From this page, you can select all USB storage devices that were found on endpoints or you can select individual USB storage devices. Click Proceed to add the selected USB storage devices to the allow list.
    • Click Manage Existing to add existing devices to the allow list. This list contains devices that were manually added previously. From this page, you can add or remove all available devices, or add or remove individual devices.
  8. Click Create.

Enforce policies

How you enforce a policy depends on the type of policy you want to enforce:

  • You enforce remediation policies from the Enforcements tab of the Device Actions page.
  • You enforce all other policy types from the Enforcements tab of the Policy Configurations page.

You can also click on a policy name and create an enforcement from the policy page.

For more information, see Enforcing policies.

Create a FileVault policy

Before you create a FileVault policy, you must have the following configuration in place:

  • A database to store encryption keys. For more information, see Configure Endpoint Encryption settings.
  • The End-User Notifications service must be installed and the End-User Notifications package must be pushed out to endpoints where the FileVault policy is enforced.
  • The Direct Connect service must be installed and the Direct Connect package must be pushed out to endpoints where the FileVault policy is enforced.

You can create FileVault policies even if one or more of these components are not in place, but the policy is not successfully enforced until the entire configuration is on the endpoint.

Optionally, you can configure a self-service recovery portal that users can access if they forget their PIN or password. See Reference: Encryption management recovery portal.

If endpoints already have FileVault enabled without using the Tanium Enforce FileVault policy, you must run the Enforce - Decrypt FileVault package on those endpoints first. Then you can deploy the Enforce FileVault policy. If you fail to do this, the Enforce FileVault policy appears to be successfully enforced, but the recovery key is not backed up. Therefore recovery keys do not work.

  1. From the Enforce menu, go to Policy Configurations and then click Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select FileVault.

      To filter the policy type by operating system, click any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a Content Set. Leave this blank if you want to use the default content set for this policy type.

    If requirements for this policy are missing, that information is displayed. For more information about FileVault requirements, see Configure Endpoint Encryption settings.

  3. In the End User Notification section:
    1. Select or drag an image file (PNG, GIF, or JPG/JPEG) to use in the notifications window for all FileVault notifications.
    2. Provide a concise Window Title for the window prompt, such as FileVault Encryption.
    3. Provide a brief Message Title that describes the policy for the user.
    4. Provide the Message that you want to display to users. This message is the first message that displays to the user after the policy is enforced.
  4. In the Key Recovery section:
    • Select Enable Private Key if you are using an Institutional Recovery Key. For more information about generating institutional recovery keys, see Apple Documentation: How to use institutional recovery keys with Intel-based Macs.
      After the keychain is generated, remove the private key from the master keychain. Then in the Enforce policy, click Upload Public Key to locate the public key and upload it to Tanium Console. This key is sent to endpoints along with the FileVault policy. The public key, in combination with the private key you securely store elsewhere, is used to recover encrypted data if a user forgets their password.
    • Select Enable Public Key if you are using a unique, machine-generated Personal Recovery Key that is accessible to end users. If you are using the recovery portal (Postgres DB), select this key type. For more information about recovery portal configuration details, see Reference: Encryption management recovery portal.

    For Institutional Recovery Key, you must remove the private key from the master keychain before sending the FileVault policy to endpoints. If you fail to do this, the private key is placed on each endpoint along with the public key.

    After you upload a key, a Download Public Key link appears that allows you to retrieve the key to verify it, if necessary.

    After the disk is encrypted following a reboot, it can take up to an hour for recovery keys to be backed up.

  5. Configure Additional Options as needed:
    1. Select Prompt user to enable FileVault at log in only to prompt the user for the Enable FileVault password at the next attempt to sign in. If you do not select this option, the user is prompted for the Enable FileVault password at the next attempt to sign out.
    2. Select Allow user to cancel Enable FileVault log in prompt and choose a Condition.
      • Select Always allow user to cancel prompt to let the user cancel the Enable FileVault password prompt an unlimited number of times.
      • Select Only allow user to cancel prompt to put a limit on the number of times the user can cancel the prompt before being forced to enter a password to enable FileVault.
  6. Click Create.

Create a Windows firewall management policy

When a Windows firewall management policy is enforced on an endpoint, Enforce starts the MpsSvc (Windows Firewall) service on that endpoint.

The maximum number of firewall rules for each policy is 1000.

  1. From the Enforce menu, go to Policy Configurations and then click Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select Firewall Management - Windows.

      To filter the policy type by operating system, click any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a Content Set. Leave this blank if you want to use the default content set for this policy type.
  3. In the Rule Management section, choose Replace or Merge.
    The Replace option removes all existing firewall rules on the endpoint and replaces them with the rules in this policy. The Merge option leaves the existing firewall policies on the endpoint in place and adds the rules in this policy.
  4. In the Firewall Profiles section, configure the following settings:
    1. Expand Domain, Private, and Public to define the policy profiles. For more information about profiles, see Microsoft Documentation: Understanding Firewall Profiles.
    2. For Network Selection, choose Default, Enabled, or Disabled.

Create a new Windows firewall rule

  1. In the Firewall Rules section, click Add Rule.
  2. Complete the following fields for your firewall rule and then click Create:

     Name (Required): Enter a brief name for the rule.
     Direction (Required): Select Outbound, Inbound, or Bi-directional for the direction of the connection.
     Action (Required): Select either Block or Allow depending on the type of rule you are creating.
     Network Protocol (Required): Select a protocol. If you specify UDP or TCP for the protocol, then you must specify at least one value in the following fields: Application Path, Local Address(es), Local Port(s), Remote Address(es), Remote Port(s), or Service Name. For more information about protocols, see Microsoft Documentation: Firewall Rule Properties Page: Protocols and Ports Tab.
     Group (Optional): Specify a group name or choose an existing group to help organize your firewall rules.
     Profiles: Select the applicable profiles. If you do not select one or more profiles, the rule is created as if all profiles were selected.
     Application Path: An example of an application path is C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.
     Local Address(es): Use this field to target the rule to specific local IP addresses. Separate IP addresses with commas.
     Local Port(s): This field is most likely populated for Inbound connections. You can specify port ranges, for example: 80, 443, 5000-5010.
     Remote Address(es): Use this field to target the rule to specific remote IP addresses. Separate IP addresses with commas.
     Remote Port(s): This field is most likely populated for Outbound connections. You can specify port ranges, for example: 80, 443, 5000-5010.
     Service Name: Use this field to specify a Windows Service Display name.

Import firewall rules from a Windows TSV file

Before you can import a firewall policy into Enforce from a Windows TSV file, you must export it from Windows.

  1. In Windows, go to Windows Firewall Advanced Security.
  2. Right-click on Inbound Rules and click Export List..., and then save the file as a Text (Tab Delimited) .txt file.
  3. In the Firewall Rules section, click Import > Import from Windows TSV file.
  4. Click Select TSV File to locate the file that contains the exported firewall rules and click Open. The Import window shows the file name and how many rules are being imported.
  5. Select the Direction and then click Proceed.
  6. Repeat these steps for Outbound Rules to export them from Windows and import them into Enforce.

If the file you are importing does not include a Service column, a warning displays. If your firewall rules depend on the Service field, add the Service column and re-export the firewall rules from Windows.

To add a Service column

  1. In Windows, go to Windows Firewall with Advanced Security.
  2. Select Add/Remove Columns from the View menu.
  3. Select Service from Available columns, click Add and then click OK.
  4. Select Export List from the Action menu and save it to a file.
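The following is an added example, not code from Tanium Enforce or its documentation: a pre-import check for an exported rule list that mirrors what this section describes (a tab-delimited file, one direction per file, a missing Service column that only warrants a warning, and the 1000-rule limit per policy). The column names follow a typical Windows Firewall with Advanced Security Export List file and are an assumption; the rows are constructed sample data.

```python
"""Check a Windows Firewall 'Export List' file before importing it into a policy.

Added example, not code from Tanium Enforce or its documentation. It mirrors
the checks the import section describes: the file is tab delimited, one file
covers one direction (Inbound or Outbound), a missing Service column only
produces a warning, and a policy holds at most 1000 rules. The column names
follow a typical Windows Firewall with Advanced Security 'Export List' file
(an assumption); the rows are constructed sample data.
"""
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed sample export, written without the Service column added.
SAMPLE_TSV_WITHOUT_SERVICE = (
    "Name\tGroup\tProfile\tEnabled\tAction\tProgram\tLocal Address"
    "\tRemote Address\tProtocol\tLocal Port\tRemote Port\n"
    "Allow HTTPS in\t\tAll\tYes\tAllow\tAny\tAny\tAny\tTCP\t443\tAny\n"
    "Block powershell.exe range\t\tDomain\tYes\tBlock"
    "\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tAny\t10.0.0.0/8\tTCP\tAny\t5000-5010\n"
)

# Constructed sample export after adding Service under View > Add/Remove Columns.
SAMPLE_TSV_WITH_SERVICE = (
    "Name\tAction\tProgram\tProtocol\tLocal Port\tRemote Port\tService\n"
    "Allow RDP in\tAllow\tAny\tTCP\t3389\tAny\tTermService\n"
)

PORT_ENTRY = re.compile(r"^\d{1,5}(-\d{1,5})?$")
MAX_RULES_PER_POLICY = 1000


def validate_ports(spec: str) -> List[str]:
    """Split a port spec such as '80, 443, 5000-5010' into validated entries.

    'Any' (the export's wildcard) and an empty field yield []. A malformed
    entry, a port above 65535 or a reversed range raises ValueError.
    """
    if spec.strip().lower() in ("", "any"):
        return []
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not PORT_ENTRY.match(item):
            raise ValueError(f"malformed port entry: {item!r}")
        low, _, high = item.partition("-")
        if int(low) > 65535 or (high and (int(high) > 65535 or int(low) > int(high))):
            raise ValueError(f"port entry out of range: {item!r}")
        entries.append(item)
    return entries


def _value(row: Dict[str, str], column: str) -> str:
    """Return a column value, treating the export's 'Any' wildcard as empty."""
    value = (row.get(column) or "").strip()
    return "" if value.lower() == "any" else value


def parse_export(text: str, direction: str) -> Tuple[List[Dict[str, object]], List[str]]:
    """Parse one exported rule list and return (rules, warnings).

    direction is the value chosen at import time ('Inbound' or 'Outbound'),
    because the exported list itself does not carry it.
    """
    if direction not in ("Inbound", "Outbound"):
        raise ValueError("direction must be 'Inbound' or 'Outbound'")
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    header = reader.fieldnames or []
    for required in ("Name", "Action", "Protocol"):
        if required not in header:
            raise ValueError(f"not a firewall export: missing {required!r} column")
    warnings: List[str] = []
    if "Service" not in header:
        warnings.append("file has no Service column; add it under View > "
                        "Add/Remove Columns and re-export if rules depend on it")
    rules: List[Dict[str, object]] = []
    for row in reader:
        rules.append({
            "name": row["Name"].strip(),
            "direction": direction,
            "action": row["Action"].strip(),
            "protocol": row["Protocol"].strip(),
            "application_path": _value(row, "Program"),
            "local_addresses": _value(row, "Local Address"),
            "remote_addresses": _value(row, "Remote Address"),
            "local_ports": validate_ports(_value(row, "Local Port")),
            "remote_ports": validate_ports(_value(row, "Remote Port")),
            "service": _value(row, "Service"),
        })
    if len(rules) > MAX_RULES_PER_POLICY:
        warnings.append(f"{len(rules)} rules exceed the per-policy maximum "
                        f"of {MAX_RULES_PER_POLICY}")
    return rules, warnings


if __name__ == "__main__":
    for sample in (SAMPLE_TSV_WITHOUT_SERVICE, SAMPLE_TSV_WITH_SERVICE):
        rules, warnings = parse_export(sample, "Inbound")
        print(f"{len(rules)} rule(s), warnings: {warnings}")
```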

Import firewall rules from Tanium Endpoints

  1. In the Firewall Rules section, click Import > Import Rules from Tanium Endpoints.
  2. In the Import Rules from Tanium Endpoints window, select the rules already existing on Tanium endpoints that you want to import.
  3. Click Add Rules.

Create a Linux firewall management policy

  1. From the Enforce menu, go to Policy Configurations and then click Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select Firewall Management - Linux.

      To filter the policy type by operating system, click any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a Content Set. Leave this blank if you want to use the default content set for this policy type.
  3. In the Linux Firewall Default Chain Policies section, select Accept or Drop for the Input, Output, and Forward fields.
  4. In the Linux Firewall Default Rules section, view the default input, output, and forward rules. You cannot edit these defaults.

Create a new Linux firewall rule

  1. In the Firewall Rules section, click Add Rule.
  2. Complete the following fields for your firewall rule:

     Name (Required): Enter a brief name for the rule.
     Table (Required): Filter is the only supported table at this time.
     Chain (Required): Select Input, Output, or Forward to specify where in a packet's delivery path the rule is evaluated.
     Target (Required): Select one of the following options:
       • Accept: Allows the packet.
       • Drop: Drops the packet.
       • Reject: Sends a response back and drops the packet.
       • Queue: Passes the packet to userspace.
     Network Protocol (Optional): Select the protocol of the rule or of the packet to check. The specified protocol can be one of the predefined options or a numeric value representing one of these protocols or a different one. Protocol all is the default when this option is omitted. Select the Inverse option to match everything except the selected protocol.
     State (Optional): Select one of the following options:
       • New: The packet has started a new connection.
       • Established: The packet is associated with a connection that has seen packets in both directions.
       • Related: The packet is starting a new connection, but is associated with an existing connection.
       • Invalid: The packet could not be identified for some reason.
     Source Address (Optional): A comma separated list of network names, IP addresses with masks, plain IP addresses, or IP address ranges. Select the Inverse option to match everything except the addresses you entered.
     Destination Address (Optional): A comma separated list of network names, IP addresses with masks, plain IP addresses, or IP address ranges. Select the Inverse option to match everything except the addresses you entered.

     The following optional fields might appear depending on the choices you make for the fields above:

     Source port(s): A comma separated list of ports or port ranges. If you specify port ranges, use a colon as the delimiter.
     Destination port(s): A comma separated list of ports or port ranges. If you specify port ranges, use a colon as the delimiter.
     In Interface: Name of the interface on which a packet was received.
     Out Interface: Name of the interface on which a packet is going to be sent.

     Depending on the choices you make for the Chain, Target, and Network Protocol fields, additional optional fields might appear that you can complete.

  3. Click Create.
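As an added example (not Enforce's own rule engine, and not code from the product), the following renders a rule described with the fields above as the equivalent iptables command line, so the field semantics can be checked before enforcement: the filter table, the Input/Output/Forward chains, the Inverse option as a leading "!", colon-delimited port ranges, the connection-tracking states, and the fields that only apply to certain chains or protocols. The mapping to iptables options is my assumption about how the fields translate; the field names come from the table above.

```python
"""Render a Linux firewall rule, as described by the fields above, as iptables arguments.

Added example; not Enforce's own rule engine. The mapping onto iptables
options is an assumption about how the documented fields translate: Inverse
becomes '!', a comma separated port list uses the multiport match, a port
range uses a colon, and State uses the conntrack match. Interface fields are
rejected on chains where iptables does not accept them, and port fields
require TCP or UDP, mirroring the note that some fields appear only for
certain Chain, Target and Network Protocol choices.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

CHAINS = {"Input": "INPUT", "Output": "OUTPUT", "Forward": "FORWARD"}
TARGETS = {"Accept": "ACCEPT", "Drop": "DROP", "Reject": "REJECT", "Queue": "QUEUE"}
STATES = {"New": "NEW", "Established": "ESTABLISHED",
          "Related": "RELATED", "Invalid": "INVALID"}
_PORT = re.compile(r"^\d{1,5}(:\d{1,5})?$")


@dataclass
class LinuxFirewallRule:
    name: str
    chain: str                              # Input, Output or Forward
    target: str                             # Accept, Drop, Reject or Queue
    table: str = "filter"                   # Filter is the only supported table
    protocol: Optional[str] = None          # e.g. tcp, udp, icmp or a number; None = all
    protocol_inverse: bool = False
    states: List[str] = field(default_factory=list)
    source: Optional[str] = None            # comma separated addresses, networks or ranges
    source_inverse: bool = False
    destination: Optional[str] = None
    destination_inverse: bool = False
    source_ports: Optional[str] = None      # comma separated; ranges use ':'
    destination_ports: Optional[str] = None
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None


def _port_args(flag: str, spec: str) -> List[str]:
    """'22' -> ['--dport', '22']; '80,443,5000:5010' -> multiport arguments."""
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    for entry in entries:
        if not _PORT.match(entry):
            raise ValueError(f"bad port entry {entry!r}: ranges use ':' (e.g. 5000:5010)")
    if len(entries) == 1:
        return [f"--{flag}", entries[0]]
    # multiport takes at most 15 ports and a range counts as two of them.
    if sum(2 if ":" in e else 1 for e in entries) > 15:
        raise ValueError("multiport accepts at most 15 ports (a range counts as two)")
    return ["-m", "multiport", f"--{flag}s", ",".join(entries)]


def _addr_args(flag: str, spec: str, inverse: bool) -> List[str]:
    """Source/Destination Address field to -s/-d, or iprange for an a-b range."""
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    negate = ["!"] if inverse else []
    if any("-" in e for e in entries):
        if len(entries) != 1:
            raise ValueError("an address range must be the only entry in its field")
        option = "--src-range" if flag == "s" else "--dst-range"
        return ["-m", "iprange"] + negate + [option, entries[0]]
    # iptables expands a comma separated -s/-d list into one rule per address.
    return negate + [f"-{flag}", ",".join(entries)]


def to_iptables(rule: LinuxFirewallRule) -> List[str]:
    """Return the iptables argument vector for the rule (raises on invalid combinations)."""
    if rule.table.lower() != "filter":
        raise ValueError("Filter is the only supported table")
    chain = CHAINS[rule.chain]
    argv = ["iptables", "-t", "filter", "-A", chain]
    proto = (rule.protocol or "").lower()
    if proto and proto != "all":
        argv += (["!"] if rule.protocol_inverse else []) + ["-p", proto]
    if rule.in_interface:
        if chain == "OUTPUT":
            raise ValueError("In Interface does not apply to the Output chain")
        argv += ["-i", rule.in_interface]
    if rule.out_interface:
        if chain == "INPUT":
            raise ValueError("Out Interface does not apply to the Input chain")
        argv += ["-o", rule.out_interface]
    if rule.source:
        argv += _addr_args("s", rule.source, rule.source_inverse)
    if rule.destination:
        argv += _addr_args("d", rule.destination, rule.destination_inverse)
    if rule.states:
        argv += ["-m", "conntrack", "--ctstate", ",".join(STATES[s] for s in rule.states)]
    if rule.source_ports or rule.destination_ports:
        if proto not in ("tcp", "udp") or rule.protocol_inverse:
            raise ValueError("port fields require Network Protocol TCP or UDP")
        if rule.source_ports:
            argv += _port_args("sport", rule.source_ports)
        if rule.destination_ports:
            argv += _port_args("dport", rule.destination_ports)
    argv += ["-m", "comment", "--comment", rule.name, "-j", TARGETS[rule.target]]
    return argv


if __name__ == "__main__":
    # Constructed rule: accept new and established SSH from a management subnet.
    rule = LinuxFirewallRule(name="allow-ssh-from-mgmt", chain="Input", target="Accept",
                             protocol="tcp", states=["New", "Established"],
                             source="10.10.0.0/24", destination_ports="22")
    print(shlex.join(to_iptables(rule)))
```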

Import Linux firewall rules from Tanium endpoints

  1. In the Linux Firewall Rules section, click Import > Import Rules from Tanium Endpoints.
  2. In the Import Firewall Rules from Tanium Endpoints window, select the checkboxes for rules already existing on Tanium endpoints that you want to import.
  3. Click Add Rules.

Some rules might be labeled rule not supported..., which means that Enforce does not support that rule. The entire rule configuration is still shown in the rule listing so that you can configure it manually if needed.

Create a Machine administrative template policy

Settings that can be applied using a configuration service provider (CSP) are annotated with a CSP icon. Hover over the icon to see the earliest supported operating system for policy application using a CSP. For more information about Enforce policy application using a CSP, see Applying policy settings using configuration service providers (CSPs).

Windows 11 ADMX policies are used in Enforce 2.1.273 and later. Microsoft deprecated some settings in Windows 11 ADMX policies that were previously available in Windows 10 ADMX policies, such as Scan Packed Executables. Enforce includes this deprecated policy setting in the machine administrative template policy settings for backwards compatibility. However, if you apply the policy to a Windows 11 endpoint where this setting is not supported, the overall policy might return a Partially Applied status for the endpoint.

  1. From the Enforce menu, go to Policy Configurations and then click Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select Machine Administrative Templates.
      Machine administrative template policies target machine-based ADMX (Active Directory administrative templates) group policy objects.

      To filter the policy type by operating system, click any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a Content Set. Leave this blank if you want to use the default content set for this policy type.
  3. (Optional) To configure anti-malware settings, expand the Anti-Malware Specific Settings section and select Enable.
    1. To automatically add the required Tanium exclusions to the policy, click Create exclusions for Tanium processes.
    2. Determine if you should select Deploy definition update using Tanium for Managed Definitions and then complete the fields for Definition Grace Period to specify how often endpoints use Tanium to check for Anti-malware definition updates. This value represents how old an Anti-malware definition can be before the policy is considered unenforced. The default grace period is 1 day.

      By default, anti-malware rules are configured to retrieve definitions directly from Microsoft. If an endpoint does not receive an update within the specified grace period, it is considered unenforced. When this option is selected, anti-malware rules are configured to use Tanium to deploy anti-malware definition updates.

  4. From the list of policy setting categories, select a category and view the available policy settings.

    Expand Filters to enter criteria to filter the list of categories and settings. You can apply additional filters to the policy names within the categories.

    When you configure a policy setting, you choose one of the following states:

    • Not Configured: The setting might be determined by another group policy setting. Otherwise, default Microsoft settings are used.
    • Enabled: You must enter your own settings.
    • Disabled: Default Microsoft settings are used.

    For more information, see Microsoft Documentation: Use the Settings app Group Policy in Windows 10.

    For examples of high-level Machine administrative template policy categories, see Policy setting category examples.

    • For the full list of policy settings included in Windows administrative template files, see Microsoft Documentation: Group Policy Settings Reference for Windows and Windows Server and Microsoft Security Compliance Toolkit 1.0.
    • The Set a default associations configuration file setting in the Windows Components category provides two options:
      • Default Associations Configuration File: Use this option for endpoints where the policy is applied using group policy object (GPO). Specify the path to an associations configuration XML file on the endpoint or a network drive.
      • Default Associations Configuration File (CSP): Use this option for endpoints that support policy application using a configuration service provider (CSP). Copy and paste the contents of the associations configuration XML file into the field. When the policy is enforced on an endpoint, the contents of this field are base64-encoded and sent to the endpoint to apply the settings.

    1. Enable policy settings and configure as needed.

    2. Click Add to Policy after you configure a policy setting.

  5. Click Create.

Policy setting category examples

You can configure Machine administrative template policies with a variety of policy settings. Policy settings are organized into the same categories used by Microsoft to manage group policies. The following table includes many of the high-level categories and the types of policy settings that each category contains.

Machine Administrative Template Policy Category Examples

Category (top level): Policy Setting Overview
Control Panel: Includes display, personalization, regional and language options, and printers.
Google Chrome: Includes cookies, JavaScript, and image settings.
MS Security Guide: Includes UAC restrictions and SMB server and client.
MSS (Legacy): Includes legacy Windows registry values that predate group policy.
Microsoft Edge: Includes download restrictions and autofill.
Microsoft Office: Includes Window security restrictions and storage of user passwords.
Mozilla: Includes authentication, certificates, cookies, location, notifications, extensions, bookmarks, and other preferences.
Network: Includes network connections.
OneDrive: Includes OneDrive sync app, accounts, permissions, bandwidth management, and disk space options.
Printers: Includes prevention of security issues with print driver installation.
Start Menu and Taskbar: Includes notifications.
System: Includes driver installation, display, locale services, group policy, mitigation options, logon, power management, removable storage access, and user profiles.
Windows Components: Includes app runtime, attachment manager, autoplay policies, cloud content, credential user interface, edge UI, and Windows Defender antivirus.

Create a Mac Device Configuration Profile policy

Use Mac Device Configuration Profile policies to control device settings, such as DNS entries, email and LDAP accounts, and aspects of the user experience on macOS devices that enroll with Tanium Mac Device Enrollment.

The set of merged settings from multiple device configuration profiles is called the effective device configuration policy. To see the effective device configuration policy for an endpoint, view the device information for the endpoint. For information about how to view devices, see View information about enrolled devices.

Before you can create a Mac Device Configuration Profile policy, you must configure Tanium Mac Device Enrollment. For more information, see Mac Device Enrollment User Guide: Overview.

Mac Device Enrollment is currently public beta software.

  1. From the Enforce menu, go to Policy Configurations and then click Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.

    2. From the Policy Type dropdown list, select Mac Device Configuration Profile.

      To filter the policy type by operating system, click any of the operating system icons.

  3. (Optional) If you already have a Mac Device Configuration Profile policy, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select a policy from the list.
  4. (Optional) Expand Advanced Settings and select a Content Set. Leave this blank if you want to use the default content set for this policy type.
  5. To configure macOS settings, select a setting from the list, and click Configure. Enter the required information for each setting.
    • Use Filters to sort the list of settings by category and state or to quickly search for names of specific settings.
    • You can drag one or more PLIST files to the settings navigator to configure settings in bulk.

    For information about specific profile settings, see Apple Documentation: Device Management.

  6. Click Create.

Device configuration profile assignment failures can occur when a setting in the profile is invalid. If an enforcement fails, review the settings in the profile before you try to enforce it again.

Create a remediation policy

  1. From the Enforce menu, click Device Actions and then click Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select Remediation - Linux, Remediation - Mac or Remediation - Windows.

      To filter the policy type by operating system, click any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a Content Set. Leave this blank if you want to use the default content set for this policy type.
  3. In the Remediation section, select the task that you want to run on your endpoint(s) from the Add Task dropdown list.

    You can add the following types of tasks to a Windows remediation policy:

    • Delete File: deletes a single file or multiple files matching a pattern. See Remediation policy file pattern matching examples.
    • Delete Registry Key: deletes a registry key if it exists.
    • Edit Registry Data: modifies an existing registry value if it exists; optionally, the value can be created if it does not exist.

      For the Target Path, do not include the hive and do not use a leading backslash (\).

    • Kill Process: kills all processes that match the specified Process Type options: name, path, or hash. You can also optionally enter Command Line Args to use a regular expression to match against process command line arguments for any of the Process Type options.
    • Run Service Action: changes the running state of the specified service.

      For the Service Name field, enter the Service Name instead of the Service Display Name.

    • Run Service Configuration: changes the startup config of the specified service.

      For the Service Name field, enter the Service Name instead of the Service Display Name.

    • Update Registry Value: changes the name of a registry value if it exists or deletes the value if the delete option is selected.

      For tasks that modify the registry and target the HKEY_USERS hive, if you use the wildcard character (*) to target all users, users that are signed out when the policy is enforced are skipped.

    • Purge - Delete all nonessential files: provides a destructive, non-recoverable wipe of all non-Tanium and non-Windows files from the targeted system. These changes are not reversible.
    • Purge - Freeze and lockout: provides a non-destructive lockout of the targeted system using BitLocker on computers that have a TPM chip and forces a BitLocker recovery. You can also decide if you want to immediately lock the user out of the target system.
    • Purge - Recover from freeze: reverses the Purge - Freeze and lockout policy by displaying the BitLocker recovery window. At that time a key can be entered to recover the system.

      For more information about purge remediation policy types, see Create a purge remediation policy.

  4. You can add the following types of tasks to a Mac or Linux remediation policy:

    • Delete File: deletes a single file or multiple files matching a pattern.
    • Kill Process: kills all processes that match the specified Process Type options: name, path, or hash. You can also optionally enter Command Line Args to use a regular expression to match against process command line arguments for any of the Process Type options.
    • Run Service Action: changes the running state of the specified service.

      For the Service Name field, enter the Service Name instead of the Service Display Name.

  5. Complete the required fields for the task that you are defining.
  6. Add other tasks as needed for the policy. When you are finished adding all tasks, click Create.

Remediation policy file pattern matching examples

Recursive matching is not supported. Each directory level must be specified.

Definition: Match a file by name in an unknown directory path.
  Actual Path: c:\a\b\c\file.exe
  Wildcard: c:\*\*\*\file.exe

Definition: Match any file in a known directory path.
  Actual Path: c:\a\b\c\file.exe
  Wildcard: c:\a\b\c\*

Definition: Match a specific file type in a partially known directory path.
  Actual Path: c:\a\b\c\file.exe
  Wildcard: c:\a\*\c\*.exe

Definition: Disable case sensitivity for the first character in a file name.
  Actual Path: c:\a\b\c\File.exe
  Wildcard: c:\a\b\c\[Ff]ile.exe

Definition: Match a single character in a file name.
  Actual Path: c:\a\b\c\cat.exe
  Actual Path: c:\a\b\c\bat.exe
  Wildcard: c:\a\b\c\?at.exe

Definition: Do not match a character in a file name.
  Actual Path: c:\a\b\c\cat.exe
  Wildcard: c:\a\b\c\[!c]at.exe
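The following is an added example, not Enforce's own matcher, that implements the pattern behaviour the examples above document so a Delete File pattern can be dry-run against a file listing before it is put in a policy: "*" and "?" never cross a directory level (no recursive matching), "[Ff]" is a character set and "[!c]" a negated set. That the remaining characters compare case-sensitively is an assumption drawn from the row that needs [Ff]ile.exe to match File.exe.

```python
"""Evaluate Delete File patterns against Windows paths, one directory level at a time.

Added example, not Enforce's own matcher. It implements the behaviour the
examples above document: '*' and '?' never cross a backslash (there is no
recursive matching, so each directory level must be written out), '[Ff]' is
a character set and '[!c]' a negated set. Everything else is compared
literally and case-sensitively; that the comparison is case-sensitive is an
assumption drawn from the row that needs '[Ff]ile.exe' to match 'File.exe'.
"""
import re
from typing import List


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Delete File wildcard pattern into an anchored regex."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(r"[^\\]*")          # any run of characters within one level
        elif ch == "?":
            parts.append(r"[^\\]")           # exactly one character within one level
        elif ch == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError(f"unterminated character set in {pattern!r}")
            body = pattern[i + 1:end]
            negate = body.startswith("!")
            chars = body[1:] if negate else body
            if not chars:
                raise ValueError(f"empty character set in {pattern!r}")
            escaped = "".join(re.escape(c) for c in chars)
            parts.append("[" + ("^" if negate else "") + escaped + "]")
            i = end
        else:
            parts.append(re.escape(ch))      # literal, case-sensitive
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def matches(pattern: str, path: str) -> bool:
    """True when the whole path matches the pattern."""
    return pattern_to_regex(pattern).fullmatch(path) is not None


def select_files(pattern: str, paths: List[str]) -> List[str]:
    """Return the paths a Delete File task with this pattern would act on."""
    regex = pattern_to_regex(pattern)
    return [p for p in paths if regex.fullmatch(p)]


if __name__ == "__main__":
    # Constructed listing of an endpoint's files (not real data).
    listing = [
        r"c:\a\b\c\file.exe",
        r"c:\a\b\c\File.exe",
        r"c:\a\b\c\d\file.exe",   # one level deeper: never matched by c:\*\*\*\file.exe
        r"c:\a\b\c\cat.exe",
        r"c:\a\b\c\bat.exe",
    ]
    for pattern in (r"c:\*\*\*\file.exe", r"c:\a\b\c\[Ff]ile.exe", r"c:\a\b\c\[!c]at.exe"):
        print(pattern, "->", select_files(pattern, listing))
```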

Create a purge remediation policy

Use a remediation policy with a purge task to take action on lost or stolen endpoints by remotely wiping all nonessential data or freezing the endpoint to prevent attempts to sign in.

Test these policies in a lab or staging environment before you implement them in a production environment.

Before you begin

  • A remediation policy that contains a purge cannot have any other tasks. Conversely, if there is already a task in a remediation policy, you cannot add a purge task.
  • A remediation policy that contains a purge can only be targeted to individual computers, not computer groups.
  • The Enforce Endpoint Wipe Action privilege is required to create a purge remediation policy.

Purge tasks

Purge - Delete all nonessential files

Provides a destructive, non-recoverable wipe of all non-Tanium and non-Windows files from the targeted system by completing the following tasks:

  • Locks the endpoint, which prevents any users from accessing the endpoint, and reboots the system to close open programs
  • Takes ownership and gains permission for all files possible
  • Deletes all files that are not open, but does not delete any files (whether they are open or not) in the c:\windows\ and %programfiles%\Tanium\Tanium Client\ folders
  • Performs a three pass wipe on the freed disk space
  • If BitLocker is enabled with a TPM:
    • Deletes the BitLocker key from the hardware TPM
    • On startup, shows the BitLocker recovery screen instead of booting into Windows

BitLocker (with or without a TPM) is not required for the Purge - Delete all nonessential files remediation task, but some features are not available without BitLocker with a TPM.

This process can take up to an hour to complete, and these changes are not reversible.

Purge - Freeze and lockout

Provides a non-destructive user lockout of the targeted system by completing the following tasks:

  • Sets up a scheduled action after verifying endpoint requirements are met
  • Forces a shutdown of the endpoint
  • If BitLocker is enabled with a TPM:
    • Deletes the BitLocker key from the hardware TPM
    • On startup, shows the BitLocker recovery screen instead of booting into Windows

For the Purge - Freeze and lockout remediation task, if BitLocker is enabled using a password (without a TPM) or is not enabled at all, the user is prevented from signing in, but the endpoint is not prevented from booting into Windows.

Purge - Recover from freeze

Reverses the freeze and lockout. This task runs after the user manually recovers BitLocker by using the recovery key, but still cannot sign in due to the account lockout. This task restores the user account, which allows the user to sign in again.

  • Recovers the locked-out account
  • The user must enter the recovery key and boot into Windows before the machine can be unfrozen.
  • If BitLocker is enabled with a TPM, adds the TPM back to the BitLocker protectors list

  1. From the Enforce menu, click Device Actions and then click Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select Remediation - Windows.

      To filter the policy type by operating system, click any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a Content Set. Leave this blank if you want to use the default content set for this policy type.
  3. In the Remediation section, select the purge task that you want to run on your endpoints from the Add Task dropdown list and specify the details, if needed:
    • Purge - Delete all nonessential files:
      1. In the Requested By field, enter the name of the person or business group that is requesting the purge.
      2. Enter a BitLocker Pre-Boot Recovery Message. This message displays to users at start-up (if BitLocker is enabled).
      3. Enter the MAC address for the selected target to ensure that the correct target receives the action, as a MAC address is a more distinct identifier than a host name. If the target has multiple MAC addresses, Tanium compares each address until it finds a match. If it does not find a match then the policy does not run.
    • Purge - Freeze and lockout:
      1. In the Requested by field, enter the name of the person or business group requesting the freeze.
      2. Enter a BitLocker Pre-Boot Recovery Message. This message displays to users at start-up.
      3. Enter the MAC address for the selected target to ensure that the correct target receives the action, as a MAC address is a more distinct identifier than a host name. If the target has multiple MAC addresses, Tanium compares each address until it finds a match. If it does not find a match, the policy does not run.
      4. (Optional) Clear the User Account Lockout option if you do not want to immediately lock the user out of the target system.
    • Purge - Recover from freeze (no additional details required)
  4. Click Create.

Enforce policies

How you enforce a policy depends on the type of policy you want to enforce:

  • You enforce remediation policies from the Enforcements tab of the Device Actions page.
  • You enforce all other policy types from the Enforcements tab of the Policy Configurations page.

You can also click on a policy name and create an enforcement from the policy page.

For more information, see Enforcing policies.

Create an SRP management policy

When you enable Windows SRP for the first time, targeted endpoints must be rebooted for SRP Management policies to be enforced.

You might want to enforce an SRP Management policy that does not block anything or allows a path that is always trusted, such as the Tanium Client. With this practice, the required reboot does not have to take place when you need to push out an urgent policy, such as a policy to block a malicious application.

  1. From the Enforce menu, go to Policy Configurations and then click Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select SRP Management.

      To filter the policy type by operating system, click any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a Content Set. Leave this blank if you want to use the default content set for this policy type.

Create an SRP process rule using a path

  1. In the Path Rules section, click Create.
  2. Enter a Name for the rule.
  3. Enter the path or filename in the Path field. Full paths, environment variables, and filenames are supported.
  4. Continue adding rules as necessary and click Create when you are finished.

Create an SRP process rule using a hash

  1. In the Hash Rules section, click Create.
  2. Enter a Name for the rule.
  3. Enter the MD5 Hash.
  4. Enter the File Size in bytes and click Save.
  5. Continue adding rules as necessary and click Create when you are finished.

Enforce policies

How you enforce a policy depends on the type of policy you want to enforce:

  • You enforce remediation policies from the Enforcements tab of the Device Actions page.
  • You enforce all other policy types from the Enforcements tab of the Policy Configurations page.

You can also click on a policy name and create an enforcement from the policy page.

For more information, see Enforcing policies.

Be aware of AppLocker Allow or Deny rules set in your Domain Policy – these rules might prevent SRP process rules created in Enforce from being enforced.

Create a Security Settings policy

Settings that can be applied using a configuration service provider (CSP) are annotated with a CSP icon. Hover over the icon to see the earliest supported operating system for policy application using a CSP. For more information about Enforce policy application using a CSP, see Applying policy settings using configuration service providers (CSPs).

  1. From the Enforce menu, go to Policy Configurations and then click Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select Security Settings.

      To filter the policy type by operating system, click any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a Content Set. Leave this blank if you want to use the default content set for this policy type.
  3. From the list of policy setting categories, select a category and view the available policy settings.

    Expand Filters to enter criteria to filter the list of categories and settings. You can apply additional filters to the policy names within the categories.

    For the full list of policy settings included in Security Settings policies, see Microsoft Documentation: Security policy settings reference, Microsoft Documentation: Group Policy Settings Reference for Windows and Windows Server (Security tab) and Microsoft Security Compliance Toolkit 1.0.

    1. Enable policy settings and configure as needed.

    2. Click Add to Policy after you configure a policy setting.

  4. Click Create.

Enforce policies

How you enforce a policy depends on the type of policy you want to enforce:

  • You enforce remediation policies from the Enforcements tab of the Device Actions page.
  • You enforce all other policy types from the Enforcements tab of the Policy Configurations page.

You can also click on a policy name and create an enforcement from the policy page.

For more information, see Enforcing policies.

When you remove an enforcement for a Security Settings policy, the settings from the policy remain on the endpoint. When this scenario occurs, the following warning-level message (0) is logged in the endpoint's extensions log: Unenforced Security Policy - settings remain on endpoint.

For more information on this behavior, see the section "Persistence in security settings" in Microsoft documentation: Applying security settings.

Create a Tanium Removable Storage Access Settings policy

By default, Tanium Removable Storage Access Settings policies block access to USB devices on endpoints where the policy is enforced. In the policy configuration, you can create exception rules to allow access to devices that meet specific criteria. Each exception rule has an associated name, which is logged when an action occurs due to that rule. If you want to send events generated from Tanium Removable Storage Access Control policies to external Splunk destinations using an HTTP Event Collector (HEC) or TCP connection, create a Stream profile. For more information, see Manage Stream profiles.

Tanium Removable Storage Access Settings policies are additive; therefore, these policies are not included on the Prioritize Policies page. If you enforce more than one Tanium Removable Storage Access Settings policy on an endpoint, all rules across the policies are evaluated from most permissible to least permissible: read/write exception rules are assessed first, then read-only exception rules, and finally deny rules. For example, you can create a Tanium Removable Storage Access Settings policy to block all access to USB devices and enforce it on all endpoints in your environment. If you want to allow read/write permissions for USB devices with Vendor ID 456 on only a subset of those endpoints, create a second Tanium Removable Storage Access Settings policy with a read/write exception rule for USB devices with Vendor ID 456 and enforce it on only the subset of endpoints.
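The additive evaluation order described above, as an added model that is not Tanium's implementation: rules from every enforced policy are pooled and checked read/write first, then read-only, then the default deny, so the order in which policies are enforced does not change the result. The operator names "equals" and "not equals" and the device attribute names are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field

# Added model of the evaluation order for Tanium Removable Storage Access
# Settings policies; not Tanium's implementation. Rule values accept the two
# documented wildcards, '*' (many characters) and '?' (one character). The
# operator names and device attribute names are assumptions.

def value_matches(pattern: str, value: str) -> bool:
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

@dataclass
class Condition:
    attribute: str
    operator: str          # "equals" or "not equals" (assumed names)
    value: str

    def holds(self, device: dict) -> bool:
        hit = value_matches(self.value, str(device.get(self.attribute, "")))
        return hit if self.operator == "equals" else not hit

@dataclass
class Rule:
    name: str              # logged when an action is taken because of it
    conditions: list
    combine: str = "AND"   # grouping of the conditions: "AND" or "OR"

    def applies(self, device: dict) -> bool:
        results = [c.holds(device) for c in self.conditions]
        return all(results) if self.combine == "AND" else any(results)

@dataclass
class Policy:
    name: str
    read_write: list = field(default_factory=list)   # read/write exceptions
    read: list = field(default_factory=list)         # read-only exceptions

def evaluate(policies: list, device: dict) -> tuple:
    """Pool the rules of every enforced policy and check them from most to
    least permissive: read/write exceptions, then read-only exceptions, then
    the default deny. Policy order does not matter because the policies are
    additive rather than prioritised."""
    for access, bucket in (("read/write", "read_write"), ("read", "read")):
        for policy in policies:
            for rule in getattr(policy, bucket):
                if rule.applies(device):
                    return access, f"{policy.name}: {rule.name}"
    return "deny", "default block"

# Constructed policies following the page's example: a baseline policy blocks
# everything; a second one, enforced on a subset of endpoints, grants
# read/write to Vendor ID 456; a third grants read-only to Vendor IDs 45x.
BLOCK_ALL = Policy("Block all USB")
VENDOR_456_RW = Policy("Vendor 456 read-write",
                       read_write=[Rule("allow-vendor-456",
                                        [Condition("Vendor ID", "equals", "456")])])
VENDOR_45X_RO = Policy("Vendor 45x read-only",
                       read=[Rule("readonly-vendor-45x",
                                  [Condition("Vendor ID", "equals", "45?")])])

if __name__ == "__main__":
    device = {"Vendor ID": "456", "Product ID": "0010"}    # constructed device
    print(evaluate([BLOCK_ALL], device))
    print(evaluate([BLOCK_ALL, VENDOR_456_RW], device))
    print(evaluate([VENDOR_45X_RO, BLOCK_ALL, VENDOR_456_RW], device))
```

The last call returns read/write even though the read-only policy is listed first, because read/write exception rules are always assessed before read-only ones.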

  1. From the Enforce menu, go to Policy Configurations and then click Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select Tanium Removable Storage Access Control.

      To filter the policy type by operating system, click any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a Content Set. Leave this blank if you want to use the default content set for this policy type.
  3. (Optional) To allow read access to specific devices, click Add Rule in the Read section.
    1. Specify a name to associate with the actions for this rule when logging events.
    2. Select an attribute, operator and value for the rule.

      Acceptable wildcard characters for values are * (many characters) and ? (one character).

    3. Click Apply.

    To group additional conditions using AND or OR operators, click Add in the section for the rule.

    To add an additional, separate read exception, click Add Rule in the Read section.

  4. (Optional) To allow read and write access to specific devices, click Add Rule in the Read/Write section.
    1. Specify a name to associate with the actions for this rule when logging events.
    2. Select an attribute, operator and value for the rule.

      Acceptable wildcard characters for values are * (many characters) and ? (one character).

    3. Click Apply.

    To group additional conditions using AND or OR operators, click Add in the section for the rule.

    To add an additional, separate read and write exception, click Add Rule in the Read/Write section.

  5. Click Create.

Enforce policies

How you enforce a policy depends on the type of policy you want to enforce:

  • You enforce remediation policies from the Enforcements tab of the Device Actions page.
  • You enforce all other policy types from the Enforcements tab of the Policy Configurations page.

You can also click on a policy name and create an enforcement from the policy page.

For more information, see Enforcing policies.

Create a User Administrative Template policy

Settings that can be applied using a configuration service provider (CSP) are annotated with a CSP icon. Hover over the icon to see the earliest supported operating system for policy application using a CSP. For more information about Enforce policy application using a CSP, see Applying policy settings using configuration service providers (CSPs).

Some policy settings are not supported for application on Windows 11 endpoints. For more information, see Microsoft Documentation: Supported configuration service provider (CSP) policies for Windows 11 taskbar.

Create the policy

  1. From the Enforce menu, go to Policy Configurations and then click Create.
  2. In the Summary section, provide the identifying details for the policy.
    1. Enter a Name and optional Description for the policy.
    2. From the Policy Type dropdown list, select User Administrative Templates.
      User administrative template policies target user-based ADMX (Active Directory administrative templates) group policy objects.

      To filter the policy type by operating system, click any of the operating system icons.

    3. (Optional) If you already have a policy of this type, you can use that policy as the starting point for a new policy. Select Start from existing policy and then select an existing policy.
    4. (Optional) Expand Advanced Settings and select a Content Set. Leave this blank if you want to use the default content set for this policy type.
  3. From the list of policy setting categories, select a category and view the available policy settings.

    Expand Filters to enter criteria to filter the list of categories and settings. You can apply additional filters to the policy names within the categories.

    When you configure a policy setting, you choose one of the following states:

    • Not Configured: The setting might be determined by another group policy setting. Otherwise, default Microsoft settings are used.
    • Enabled: You must enter your own settings.
    • Disabled: Default Microsoft settings are used.

    For more information, see Microsoft Documentation: Use the Settings app Group Policy in Windows 10.

    For examples of high-level user administrative template policy categories, see Policy setting category examples.

    For the full list of policy settings included in Windows administrative template files, see Microsoft Documentation: Group Policy Settings Reference for Windows and Windows Server and Microsoft Security Compliance Toolkit 1.0.

    1. Enable policy settings and configure as needed.

    2. Click Add to Policy after you configure a policy setting.

  4. Click Create.

Enforce policies

How you enforce a policy depends on the type of policy you want to enforce:

  • You enforce remediation policies from the Enforcements tab of the Device Actions page.
  • You enforce all other policy types from the Enforcements tab of the Policy Configurations page.

You can also click on a policy name and create an enforcement from the policy page.

For more information, see Enforcing policies.

Policy setting category examples

You can configure user administrative template policies with a variety of policy settings. Policy settings are organized into the same categories used by Microsoft to manage group policies. The following table includes many of the high-level categories and the types of policy settings that each category contains.

Machine Administrative Template Policy Category Examples

  • Control Panel: Includes add or remove programs, display, personalization, printers, programs, and regional and language options.
  • Desktop: Includes active directory and desktop settings.
  • Google: Includes Google Chrome and password alert settings.
  • Microsoft Edge: Includes Microsoft Edge and WebView2 settings.
  • Microsoft Office: Includes settings for Microsoft Access 2016, Microsoft Excel 2016, Microsoft Office 2016, Microsoft OneNote 2016, Microsoft Outlook 2016, Microsoft PowerPoint 2016, Microsoft Project 2016, Microsoft Publisher 2016, Microsoft Teams, Microsoft Visio 2016, Microsoft Word 2016, and Skype for Business 2016.
  • Mozilla: Includes settings for Mozilla Firefox.
  • Network: Includes network connections, offline files, and Windows Connect Now.
  • OneDrive: Includes OneDrive settings.
  • Shared Folders: Includes settings for Allow DFS roots to be published and Allow shared folders to be published.
  • Start Menu and Taskbar: Includes notifications.
  • System: Includes ctrl+alt+del options, display settings, driver installation, folder redirection, group policy, internet communication management, locale services, logon, mitigation options, power management, removable storage access, scripts, and user profiles.
  • Windows Components: Includes add features to Windows 10, app runtime, application compatibility, attachment manager, AutoPlay policies, calculator, cloud content, credential user interface, data collection and preview builds, desktop gadgets, desktop window manager, digital locker, Edge UI, file explorer, file revocation, IME, instant search, Internet Explorer, location and sensors, Microsoft Edge, Microsoft Management Console, Microsoft User Experience Virtualization, multitasking, NetMeeting, network sharing, OOBE, presentation settings, RSS feeds, remote desktop services, search, sound recorder, store, tablet PC, task scheduler, Windows calendar, Windows color system, Windows Defender SmartScreen, Windows error reporting, Windows Hello for Business, Windows installer, Windows logon options, Windows Media Player, Windows Messenger, Windows Mobility Center, Windows PowerShell, Windows Update, and work folders settings.

Import policies

You can import one or more policies from a JSON file.

  1. From the Enforce menu, click Policy Configurations and then click Import.
  2. Click Browse for file, select the JSON file, and click Import.
  3. Make any necessary changes and then click Save.

    You might have to change an imported policy name if the name conflicts with the name of an existing policy.

Imported policies appear on the Policies page.

Export policies

  1. From the Enforce menu, click Policy Configurations.
  2. Select the policies that you want to export. Then click Options and Export.

Each policy is downloaded as a separate JSON file. You can use each downloaded JSON file to import each policy.

Prioritize policies

A single policy can contain multiple settings. When several policies are enforced on an endpoint, unique settings across all policies are applied. If duplicate settings exist for an endpoint, the setting with the lowest priority number takes precedence. See Enforce Overview for more information about how policy settings are applied to endpoints.

  • The policy with the highest priority has the lowest priority number. For example, a policy with a priority of 1 takes precedence over a policy with a priority of 10.
  • Tanium Removable Storage Access Settings policies are additive; therefore, these policies are not included on the Prioritize Policies page. For more information, see Create a Tanium Removable Storage Access Settings policy.

Set the prioritization of policies to determine which policy setting is applied if a conflict exists.

  1. From the Enforce menu, go to Policy Configurations and click Prioritize to make the priority fields editable.
  2. Click the priority field for the policy that you want to change and enter a new priority number. Click Preview updated priorities to accept the change or Cancel to undo the change. When you click Preview updated priorities, the priority numbers for all policies update based on your change.
  3. (Optional) To revert your changes back to the original priorities, click Cancel.
  4. To keep the new priorities, click Save.