In this article, you will learn everything you need to know about the settings you can perform on the HEIMDAL client-side products from the HEIMDAL Dashboard -> Endpoint Settings. To go to the Endpoint Settings, you have to log in to the HEIMDAL Dashboard, click the Endpoint Settings button (top-right corner), and select a Group Policy.
1. Endpoint Settings
2. General
3. DNS Security
4. Patch & Assets
5. Endpoint Detection
6. Privileges & App Control
7. Remote Desktop
ENDPOINT SETTINGS
In the Endpoint Settings, you have a section dedicated to Windows endpoints where you can create and manage Group Policies that are applied to the endpoints inside your organization. The Modules Overview button gives a presentation of the status of each Group Policy in the Windows GPs list. In the Windows GP tab, you can change their priorities according to your needs (by using drag & drop), you can duplicate/enable/disable a Group Policy, or you can use the Group Policy Inheritance mode feature and the Opt-in Reseller Master GP feature (if activated by your reseller).
Group Policy Inheritance
Group Policy Inheritance works only for the 3rd Party Patch Management product and merges the settings for the 3rd Party Application list (automatic install/automatic update/manual install) across multiple Group Policies (it does NOT merge Delay, Version, Scheduler, or Application Blocklist settings). This feature does NOT apply to endpoints that are manually applying a Group Policy (specific Group Policy). Thus, the inheritance will only work on endpoints that are automatically applying a Group Policy. Group Policy Inheritance also considers the AD Groups membership of an endpoint if the HEIMDAL Dashboard Group Policies are linked to AD Groups (AD Computer Group/AD User Group, but not Azure AD Groups) to achieve a more granular customization of the Group Policy settings that will apply to an endpoint or multiple endpoints.
When Group Policy Inheritance is enabled, an endpoint will apply the 3rd Party Patch Management settings (automatic install/automatic update/manual install) specified in the Group Policy that is applying to it, but it will also apply the 3rd Party Application settings (automatic install/automatic update/manual install) from the rest of the Group Policies that match the endpoint (from the highest priority to the lowest priority). The criteria that will merge from other Group Policies are the Install, Update, Allow Install checkboxes, and the Infinity Management checkbox.
In case the same application is managed by 2 Group Policies, the Group Policy with the highest priority will take priority. In the case below, if Group Policy A (Google Chrome x64 is set to install the Latest Version) has a priority of 5 and Group Policy B (Google Chrome x64 is set to stay on Version 112.0.5615.50) has a priority of 6, the HEIMDAL Agent will keep Google Chrome x64 on version 112.0.5615.50 because Group Policy B is the group policy with the highest priority.
SCENARIO 1 - AN ENVIRONMENT WHERE THE GROUP POLICIES ARE APPLIED BASED ON PRIORITIES
a. An endpoint that is applying Group Policy A (priority 6, the highest) will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy A, Group Policy B, Group Policy C, Custom 2, Custom 1.
b. An endpoint that is applying Group Policy B (priority 5) will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy A, Group Policy B, Group Policy C, Custom 2, Custom 1.
c. An endpoint that is applying Group Policy C (priority 4) will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy A, Group Policy B, Group Policy C, Custom 2, Custom 1.
SCENARIO 2 - AN ENVIRONMENT WHERE THE GROUP POLICIES ARE APPLIED BASED ON AD COMPUTER/USER GROUPS
a. An endpoint that is applying Group Policy A (priority 6) because the endpoint is a member of the Development AD Computer Group will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy A, Custom 2, Custom 1 (Group Policy A is automatically applied to the endpoint, while Custom 2 and Custom 1 are also merged because they are not linked to any AD Computer/User Groups).
b. An endpoint that is applying Group Policy B (priority 5) because the endpoint is a member of the Marketing AD Computer Group will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy B, Custom 2, Custom 1 (Group Policy B is automatically applied to the endpoint, while Custom 2 and Custom 1 are also merged because they are not linked to any AD Computer/User Groups).
c. An endpoint that is applying Group Policy C (priority 4) because the endpoint is a member of the Support AD Computer Group will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy C, Custom 2, Custom 1 (Group Policy C is automatically applied to the endpoint, while Custom 2 and Custom 1 are also merged because they are not linked to any AD Computer/User Groups).
d. In the snippet below, an endpoint that is applying Group Policy A (priority 3) because the endpoint is a member of the Development AD Computer Group will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy A, Custom 1 and Custom 2 (Group Policy A is automatically applied to the endpoint, while Custom 1 and Custom 2 are also merged because they are not linked to any AD Computer/User Groups).
e. In case the endpoint is applying a Group Policy where Application Uninstall is targeting (for uninstall) a 3rd Party Application that is managed/merged from another inherited Group Policy, that 3rd Party Application will be disregarded if enabled for install/update.
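The merge described in this section and in the two scenarios, as an added worked model (not Heimdal's code): policy names, priorities, application names and AD group names are constructed sample values, and the "Only merge with AD groups specific policies" switch from the General Management settings is modelled as dropping unlinked GPs from the merge.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed model of the Group Policy Inheritance merge. All names, priorities and
# AD group names below are sample values, not Heimdal data.


@dataclass(frozen=True)
class AppSettings:
    """The four per-application checkboxes that inheritance merges."""
    install: bool = False        # Install (automatic install)
    update: bool = False         # Update (automatic update)
    allow_install: bool = False  # Allow Install (manual install)
    infinity: bool = False       # Infinity Management

    def managed(self) -> bool:
        return any((self.install, self.update, self.allow_install, self.infinity))


@dataclass
class GroupPolicy:
    name: str
    priority: int                              # higher number = higher priority
    apps: Dict[str, AppSettings]
    ad_groups: FrozenSet[str] = frozenset()    # linked AD Computer/User Groups; empty = unlinked
    uninstall: FrozenSet[str] = frozenset()    # applications targeted by Application Uninstall


@dataclass
class Endpoint:
    hostname: str
    ad_groups: FrozenSet[str] = frozenset()
    specific_gp: Optional[str] = None          # manually applied GP, if any


def matches(gp: GroupPolicy, ep: Endpoint) -> bool:
    """A GP linked to AD groups matches only members; an unlinked GP matches every endpoint."""
    return not gp.ad_groups or bool(gp.ad_groups & ep.ad_groups)


def applied_policy(ep: Endpoint, policies: List[GroupPolicy]) -> GroupPolicy:
    """The GP an endpoint applies: its specific GP, else the highest-priority matching GP."""
    if ep.specific_gp:
        return next(gp for gp in policies if gp.name == ep.specific_gp)
    return max((gp for gp in policies if matches(gp, ep)), key=lambda gp: gp.priority)


def effective_apps(ep: Endpoint, policies: List[GroupPolicy], inheritance: bool = True,
                   only_ad_specific: bool = False) -> Dict[str, Tuple[AppSettings, str]]:
    """Map each application to (settings, name of the GP they came from)."""
    applied = applied_policy(ep, policies)
    if ep.specific_gp or not inheritance:
        # A manually applied GP, or inheritance switched off: nothing is merged in.
        candidates = [applied]
    else:
        # "Only merge with AD groups specific policies" drops unlinked GPs (the Custom 1/2
        # kind) from the merge; the applied GP itself always stays.
        candidates = [gp for gp in policies if matches(gp, ep)
                      and (gp is applied or gp.ad_groups or not only_ad_specific)]
    merged: Dict[str, Tuple[AppSettings, str]] = {}
    # Walk from the highest to the lowest priority: the first GP managing an application
    # wins, which is the rule illustrated with Google Chrome x64 above.
    for gp in sorted(candidates, key=lambda g: g.priority, reverse=True):
        for app, settings in gp.apps.items():
            if settings.managed() and app not in merged:
                merged[app] = (settings, gp.name)
    # Point e: an application that the applied GP targets for uninstall is disregarded
    # even if an inherited GP enables it for install/update.
    for app in applied.uninstall:
        merged.pop(app, None)
    return merged


AUTO = AppSettings(install=True, update=True)   # automatic install + automatic update
MANUAL = AppSettings(allow_install=True)        # manual install only

# Scenario 2 layout: A/B/C are linked to AD Computer Groups, Custom 1/2 are not.
POLICIES = [
    GroupPolicy("Group Policy A", 6, {"Google Chrome x64": AUTO, "7-Zip": AUTO},
                frozenset({"Development"})),
    GroupPolicy("Group Policy B", 5, {"Google Chrome x64": MANUAL, "Notepad++": AUTO},
                frozenset({"Marketing"})),
    GroupPolicy("Group Policy C", 4, {"VLC": AUTO}, frozenset({"Support"}),
                uninstall=frozenset({"7-Zip"})),
    GroupPolicy("Custom 2", 2, {"7-Zip": MANUAL, "Firefox": AUTO}),
    GroupPolicy("Custom 1", 1, {"Notepad++": MANUAL, "Zoom": MANUAL}),
]

if __name__ == "__main__":
    marketing = Endpoint("MKT-01", frozenset({"Marketing"}))
    for app, (settings, source) in sorted(effective_apps(marketing, POLICIES).items()):
        print(f"{app:18} from {source:15} {settings}")
```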
Reseller Master GP Distribution
Reseller Master GP Distribution is a feature that allows resellers to deploy a Reseller Group Policy to all the customers who have selected to opt in to the Reseller Master GP. The Reseller Master GP Distribution feature can be activated only from the Reseller account and enables the Opt-in Reseller Master GP functionality on the reseller's customers. A reseller can create one or multiple Reseller GPs.
Opt-in Reseller Master GP allows the customer (or the reseller) to apply the Group Policy settings configured by the Reseller in the Reseller Master GP. This GP cannot be edited or disabled by an Enterprise customer, but its priority can be changed in the Group Policy list.
The Download button allows you to download an Excel file with all the Group Policies and the settings in each Group Policy.
GENERAL
The General tab is divided into 5 modules: General Management, BitLocker Management, Scripting, USB Management, and Device Info Notifications.
GENERAL MANAGEMENT
In the General Management tab, you can configure Group Policy settings that refer to GP assigning, check intervals, thresholds, and other additional settings.
Policy Name - set the name of the Group Policy;
Language - allows you to select the language of the HEIMDAL Agent to be enforced on the endpoints.
Priority - shows you the priority of the Group Policy in the Group Policy list. It can be set by using Drag and Drop in the GP list.
Targeted machine type - allows you to select whether the Group Policy applies to all devices, endpoints, or servers. By default, a Group Policy applies to all types of devices (endpoints and servers), but the Admin can choose to apply the Group Policy to endpoints only or to servers only. Note that changing the default value may cause devices that are not of the selected type to be reassigned.
AD Computer Group - this option is used to bind an AD Global Security Group to the current GP. This way, the endpoint that is a member of the specified AD Global Security Group will apply this GP.
AD User Group - this option is used to bind an AD Global Security Group of users to the current GP. This way, an endpoint whose logged-in user is a member of the specified AD Global Security Group will apply this GP.
External IPs - this option allows you to assign the Group Policy based on an External IP or multiple External IPs. Adding multiple IPs is done by separating them by using a comma, but you can also add an IP range (1.1.1.1 - 1.1.1.254).
Specific Azure Groups - allows you to bind the Group Policy to an Azure Active Directory Group or multiple Azure Active Directory Groups (Microsoft 365 Groups, Distribution Groups, Mail-enabled Security Groups, Security Groups). The users who are members of the specified Azure Active Directory Group(s) will get the current Heimdal Group Policy.
Policy check interval - sets the Group Policy check interval that is automatically performed by the HEIMDAL Agent to communicate with the HEIMDAL Dashboard and servers. The default time for the Policy check interval is 180 minutes.
Licensing check interval - sets the HEIMDAL license check interval that is automatically performed by the HEIMDAL Agent.
CPU Threshold - allows you to set the CPU Threshold for the warning notifications displayed in the Status column of each endpoint (in the Device Info view). The default setting for CPU Threshold is 50%.
Memory Threshold - allows you to set the Memory Threshold for the warning notifications displayed in the Status column of each endpoint (in the Device Info view).
- Example: The memory is running at 65 % | The CPU is running at 55 %
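A parser for the External IPs field format described above (comma-separated addresses and "first - last" ranges), added here as an example and not taken from the Heimdal Agent; it assumes IPv4 addresses and uses constructed documentation addresses.

```python
import ipaddress
from typing import List, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_external_ips(value: str) -> List[IPRange]:
    """Parse the External IPs field: comma-separated single IPs and 'first - last' ranges."""
    ranges: List[IPRange] = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue                       # tolerate a trailing comma or doubled separators
        if "-" in entry:
            first, last = (part.strip() for part in entry.split("-", 1))
        else:
            first = last = entry           # a single IP is a range of one address
        # IPv4Address raises ValueError on a typo, so a bad entry fails loudly instead of
        # silently assigning the GP to nobody.
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if hi < lo:
            raise ValueError(f"range end precedes start: {entry!r}")
        ranges.append((lo, hi))
    return ranges


def external_ip_matches(value: str, endpoint_ip: str) -> bool:
    """True if the endpoint's external IP falls inside any configured entry."""
    addr = ipaddress.IPv4Address(endpoint_ip)
    return any(lo <= addr <= hi for lo, hi in parse_external_ips(value))


if __name__ == "__main__":
    # Constructed sample field value (documentation address ranges).
    field_value = "203.0.113.7, 198.51.100.1 - 198.51.100.254"
    for ip in ("198.51.100.77", "203.0.113.7", "198.51.101.1"):
        print(ip, "->", external_ip_matches(field_value, ip))
```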
Proxy Settings
This feature is designed to allow the HEIMDAL Agent to communicate with the HEIMDAL Dashboard if the endpoint(s) is/are placed behind a Proxy Server. It allows you to specify the proxy settings by adding the needed information in the displayed fields.
Use system default - the HEIMDAL Agent will automatically pick up the Proxy settings from the computer's Internet Settings. If this option is enabled, the HEIMDAL Agent will impersonate the user who is currently logged in on the computer to pick up the Proxy configuration. If no user is logged in, the HEIMDAL Agent will not be able to collect the Proxy information;
No proxy - the user does not use a Proxy;
Manual proxy - the user needs to manually add the Proxy information for the Host, Port, Domain, Username, and Password;
Additional Settings
Include in Release Candidate Program - enforces the update of the HEIMDAL Agent to the latest HEIMDAL Release Candidate (Beta) version available on the HEIMDAL Servers;
Terminal server enhancement - this feature works on computers running Windows Server and prevents the HEIMDAL Agent from automatically performing a Group Policy check every time a user logs into the OS. The Group Policy check will run on the interval configured in the Policy check interval. This is dedicated to Terminal Servers on which multiple users are logging in;
Do not show GUI - run the HEIMDAL Agent without the GUI. This feature is recommended for File Servers, Citrix Servers, Terminal Servers, or RDP Servers where multiple users are connecting at the same time;
Realtime communication - allows the HEIMDAL Agent to communicate with the HEIMDAL Dashboard (with a delay of under 1 minute) and apply Server Messages/operations triggered from the HEIMDAL Dashboard. Some of the operations are: Group Policy update requests, Next-Gen Antivirus on-demand scans, log requests, PEDM elevation notifications, Wake-on-LAN requests, isolation requests, unisolation requests, scan for non-Heimdal devices;
Skip prompting the client when requesting logs - allows you to request the HeimdalLogs or the Event Viewer Logs from any endpoint without the explicit approval of the user. If this option is disabled, the HEIMDAL Agent will display a pop-up on the end-user endpoint each time the HEIMDAL Dashboard Administrator tries to collect the HEIMDAL Logs or the Event Viewer Logs from the endpoint to confirm that he allows the Administrator to collect the Logs. The HEIMDAL Support Team also has access to this feature. If the option is enabled, the HEIMDAL Support Team can collect the info without the confirmation of the user;
Only merge with AD groups specific policies - allows you to merge the current GP with other GPs that match the endpoint's AD Computer Group or AD User Group (available only if Inheritance Mode is ON). If this option is enabled, you will be able to apply the 3rd Party Patch Management settings of multiple Group Policies to the endpoints that are part of matching AD groups;
Enforce uninstall password - allows you to set up an uninstall password that will be required when uninstalling HEIMDAL Agent from any endpoint that is applying the current Group Policy. It prevents unauthorized users from uninstalling the HEIMDAL Agent or performing other changes;
Synchronize with time server - this feature syncs the endpoint's time with the Windows Time to ensure correct communication between the HEIMDAL Agent and the HEIMDAL servers. The HEIMDAL Agent will run w32tm /resync and net time /set /y in the background every time a Group Policy check is performed;
Wake on LAN - enables/disables the Wake-on-LAN functionality. Wake-on-LAN is not supported if:
- the endpoint is in an IPv6 network;
- the endpoint is connected through Wi-Fi;
- the endpoint uses a logical adapter for VPN (logical adapters don't have MAC Addresses);
- the endpoint uses a docking station;
Allow network scan - allows you to select an endpoint (from the Device Info view) and scan the network for devices/endpoints that are not running the HEIMDAL Agent. Attention! Enabling this option does not mean the agent will automatically scan for non-Heimdal devices.
Collect Telemetry data - enhances the data/log collection by installing Sysmon (Microsoft System Monitor) to get more data for incident resolution in the Event Viewer Logs. The Sysmon logs come with a retention time of 30 days. If you are already using the Microsoft System Monitor (Sysmon), we will overwrite your existing configuration, but if Sysmon is not installed on your endpoint(s), enabling this feature will install it;
Auto-collect logs on isolation - collects the Heimdal Agent logs, the Event Viewer Logs, and the Remote Desktop logs once an endpoint is isolated (this option is greyed out if the Firewall is turned OFF and the isolation functionality is also turned OFF);
P2P Settings
P2P Transfer - when active, it allows the Heimdal Agent to share and retrieve 3rd Party Application patches and agent updates within the local network, reducing the reliance on external internet bandwidth for every individual machine.
Use Priority Update Servers - this feature prioritizes local P2P delivery over an active internet connection. Once enabled, it allows designated endpoints (Priority Update Servers) to act as the primary local source for installers. Client machines will first attempt to retrieve updates from these local servers before falling back to the default Heimdal update source.
PUS Devices - this setting enables the Enhanced PUS Flow, providing administrators with granular control over the P2P environment. Through a dedicated grid and an "Add priority update server" modal, administrators can explicitly assign specific endpoints as Priority Update Servers. When active, client endpoints will proactively target these specific servers via hostname (or IP fallback) rather than using the standard broadcast-based discovery. The priority can be changed by dragging and dropping the servers in the list.
PUS Retry Count - a configurable slider (ranging from 1 to 5) that defines the number of connection attempts a client agent should make to a Priority Update Server. If the PUS is unreachable after the specified number of retries, the agent will automatically fall back to the standard download mechanism to ensure the update is still delivered.
Keep cached files indefinitely - the cached files (3rd Party Applications or HEIMDAL Agent versions) will be stored indefinitely on the Priority Update Server until they are manually deleted. If you disable the option, the disk will not be cleared;
Additional check interval for normal computers - allows you to set the interval of minutes used by the endpoints to communicate with the Priority Update Server.
Compliance Settings
Automatic session locking - the endpoint session will automatically lock once the configured idle time is reached. Upon enabling the option, a timeout slider becomes available, allowing administrators to define the maximum permitted inactivity period before the session is locked. The default timeout is set to 15 minutes and can be adjusted according to organizational security requirements, within a range of 1 to 30 minutes.
Note: Changes to the Automatic Session Locking setting (enablement or disablement) take effect only after a system restart or user sign-out.
Automatic Security logs retrieval - when enabled, the Heimdal Agent retrieves the Security logs from the Windows Event Viewer on a daily basis and stores them for compliance and auditing purposes.
Note: Logs are collected automatically every 24 hours, and the retrieval process does not require any user interaction. If a device is offline or unavailable during a scheduled retrieval, the system retrieves the logs retroactively based on the timestamp of the last successful retrieval. This ensures that there are no gaps in log collection.
All retrieved logs are stored and made available for download, with a retention period of 90 days. These logs can be accessed from the Heimdal Dashboard under Unified Management -> Device Info -> select a Windows OS hostname -> UEM -> Logs -> Windows Event Viewer Logs.
Dashboard users can easily distinguish between Full Event Viewer Logs and Security Logs based on the Type specified in the corresponding column.
Note: Manual, specific retrieval of Security logs is not supported. When the feature is enabled, log retrieval is performed exclusively through the automated process. Manual retrieval is available only for Full Event Viewer Logs.
BITLOCKER MANAGEMENT
Enabling BitLocker Management will enable BitLocker on the endpoints applying the Group Policy.
BitLocker Management - turn ON/OFF the BitLocker product/service;
Force disk encryption - initiates the encryption process according to the following settings;
OS Volume - encrypts the System drive and displays the Encryption Method and the Key Protector Type that need to be configured;
- Encryption Method - allows you to choose between the encryption methods (XTS-AES 128-bit, XTS-AES 256-bit, AES-CBC 128-bit, AES-CBC 256-bit);
- Key Protector Type - allows you to select a Key Protector type (TPM, TPM and PIN or Passphrase).
Data Volumes - encrypts the data drive and displays the Encryption Method and the Key Protector Type that need to be configured;
- Encryption Method - allows you to choose between the encryption methods (XTS-AES 128-bit, XTS-AES 256-bit, AES-CBC 128-bit, AES-CBC 256-bit);
- Key Protector Type - comes with the Passphrase Key Protector type;
- Auto-Unlock - automatically unlocks volumes that don't host an operating system when the OS volume is unlocked. BitLocker uses encrypted information stored in the registry and volume metadata to unlock any data volumes that use automatic unlocking.
SCRIPTING
Enabling Scripting will enable Scripting on the endpoints applying the Group Policy.
Scripting - turn ON/OFF the Scripting functionality;
Add Task - allows you to create a new task that will deploy one of the scripts that you select from the repository.
General - here you can set a Task Name and a Task Description:
Triggers - allows you to select how a script is being triggered and when (the trigger type can be set to: On a Schedule, At Log On, At Start Up, On Idle, On Workstation Lock, On Workstation Unlock);
Once a trigger has been set, remember to turn the trigger ON.
Actions - allows you to select the script that you want to deploy (from the Repository);
Conditions - allows you to trigger an action on Idle conditions (start the task if the endpoint is idle for a specific time, stop it if the endpoint ceases to be idle, or restart if the idle state resumes) or Power conditions (start the task only if the endpoint is on AC power, stop if the endpoint switches to battery power or wake the endpoint to run the task);
Settings - allows you to configure multiple settings: bypass execution protection (for PowerShell scripts), run the task as soon as possible after a scheduled start is missed, restart the task at the interval selected in the dropdown if it fails, and apply one of the selectable rules if the task is already running.
Scripts are deployed by the HEIMDAL Agent and can be seen within the Task Scheduler (under Task Scheduler Library -> Heimdal folder):
USB MANAGEMENT
Enabling USB Management will enable the USB Management on the endpoints applying the Group Policy.
USB Management - turn ON/OFF the USB Management functionality;
Disable USB Ports - allows you to disable Removable Media Devices from being connected to a computer. A computer reboot is required to activate/deactivate this function;
USB restrictive mode - this functionality will disable ALL USB devices found on the computer, except the allowed list. A computer reboot is required to activate/deactivate this function. USB restrictive mode will allow you to add a device to an allowlist (based on either Class or Hardware ID), thus allowing it to run;
USB Reporting mode - this functionality will monitor all the plugged-in USB devices without taking any action. All detected USB devices will be listed on the USB Management page;
USB Allowlist - allows you to whitelist a USB device based on Hardware ID, Class ID, or Device instance path. You can give a Friendly name to each entry, and you can also import an Allowlist from a CSV file.
IMPORTANT
The Hardware ID differs by brand/model of the USB device. The top entry is the most specific identifier, as shown below:
The Class ID is shared by all USB devices of the same type, and this is how it can be found:
It's not enough to allow a single Hardware ID to enable a single USB thumb drive. The IT admin also has to ensure that all the USB devices preceding the target one in the device tree are allowed (not blocked). In our case, the following devices have to be allowed so that the target USB thumb drive can be allowed as well:
- Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft) -> PCI\CC_0C03
- USB Root Hub (USB 3.0) -> USB\ROOT_HUB30
- Generic USB Hub -> USB\USB20_HUB
- USB Mass Storage Device
- Generic Flash Disk USB Device
(Figure: USB devices nested under each other in the PnP tree)
These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't prevent any external/peripheral device from being installed on the machine. Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing his/her machine through HID devices.
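A check for the allowlist chain described above, added here as an example (it is not part of the Heimdal Agent): it walks a constructed PnP tree from the host controller down to a thumb drive, reports which ancestors an Allowlist of Hardware IDs, Class IDs or Device instance paths would still block, and flags HID devices (keyboards, mice) whose chain is not fully allowed. Instance paths and VID/PID values are constructed placeholders; the three setup class GUIDs are the standard Windows values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Standard Windows setup class GUIDs used as Class IDs in the constructed tree below.
USB_CLASS = "{36fc9e60-c465-11cf-8056-444553540000}"   # USB (controllers, hubs, mass storage)
DISK_CLASS = "{4d36e967-e325-11ce-bfc1-08002be10318}"  # DiskDrive
HID_CLASS = "{745a17a0-74d3-11d0-b6fe-00a0c90f57da}"   # HIDClass (USB input devices)


@dataclass
class PnpDevice:
    instance_path: str          # Device instance path
    hardware_ids: List[str]     # most specific first, as shown in Device Manager
    class_guid: str             # Class ID, shared by all devices of the same type
    parent: Optional[str]       # instance path of the parent node, None at the root


@dataclass
class Allowlist:
    """USB Allowlist entries by Hardware ID, Class ID or Device instance path."""
    hardware_ids: Set[str] = field(default_factory=set)
    class_ids: Set[str] = field(default_factory=set)
    instance_paths: Set[str] = field(default_factory=set)

    def allows(self, dev: PnpDevice) -> bool:
        return (dev.instance_path in self.instance_paths
                or dev.class_guid in self.class_ids
                or any(h in self.hardware_ids for h in dev.hardware_ids))


def ancestry(path: str, tree: Dict[str, PnpDevice]) -> List[PnpDevice]:
    """Devices from the root controller down to and including `path`."""
    chain: List[PnpDevice] = []
    node: Optional[PnpDevice] = tree[path]
    while node is not None:
        chain.append(node)
        node = tree[node.parent] if node.parent else None
    return list(reversed(chain))


def missing_allows(path: str, tree: Dict[str, PnpDevice], allowlist: Allowlist) -> List[str]:
    """Instance paths in the chain that restrictive mode would still block."""
    return [d.instance_path for d in ancestry(path, tree) if not allowlist.allows(d)]


def unreachable_hid(tree: Dict[str, PnpDevice], allowlist: Allowlist) -> List[str]:
    """HID devices whose chain is not fully allowed; these would lock a user out."""
    return [p for p, d in tree.items()
            if d.class_guid == HID_CLASS and missing_allows(p, tree, allowlist)]


# Constructed sample instance paths (placeholders, not real hardware values).
XHCI = r"PCI\XHCI_SAMPLE\0"
ROOT_HUB = r"USB\ROOT_HUB30\1"
HUB_A = r"USB\HUB_SAMPLE\2"
HUB_B = r"USB\HUB_SAMPLE\3"
MSD = r"USB\VID_0000&PID_0002\SERIAL1"
FLASH_DISK = r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK\SERIAL1&0"
KEYBOARD = r"HID\VID_0000&PID_0004\4"

# The chain listed above: controller -> root hub -> generic hub -> mass storage -> disk,
# plus a keyboard hanging off a second generic hub.
TREE: Dict[str, PnpDevice] = {d.instance_path: d for d in [
    PnpDevice(XHCI, [r"PCI\VEN_0000&DEV_0000", r"PCI\CC_0C03"], USB_CLASS, None),
    PnpDevice(ROOT_HUB, [r"USB\ROOT_HUB30"], USB_CLASS, XHCI),
    PnpDevice(HUB_A, [r"USB\VID_0000&PID_0001", r"USB\USB20_HUB"], USB_CLASS, ROOT_HUB),
    PnpDevice(MSD, [r"USB\VID_0000&PID_0002&REV_0100", r"USB\VID_0000&PID_0002"], USB_CLASS, HUB_A),
    PnpDevice(FLASH_DISK, [r"USBSTOR\DiskGeneric_Flash_Disk"], DISK_CLASS, MSD),
    PnpDevice(HUB_B, [r"USB\VID_0000&PID_0003", r"USB\USB20_HUB"], USB_CLASS, ROOT_HUB),
    PnpDevice(KEYBOARD, [r"HID\VID_0000&PID_0004"], HID_CLASS, HUB_B),
]}

# Allowlist covering the whole chain by Hardware ID, as the section recommends.
CHAIN_ALLOWLIST = Allowlist(hardware_ids={r"PCI\CC_0C03", r"USB\ROOT_HUB30", r"USB\USB20_HUB",
                                          r"USB\VID_0000&PID_0002", r"USBSTOR\DiskGeneric_Flash_Disk"})

if __name__ == "__main__":
    only_disk = Allowlist(hardware_ids={r"USBSTOR\DiskGeneric_Flash_Disk"})
    print("still blocked with only the disk allowed:", missing_allows(FLASH_DISK, TREE, only_disk))
    print("still blocked with the full chain:", missing_allows(FLASH_DISK, TREE, CHAIN_ALLOWLIST))
    print("HID devices that would lock the user out:", unreachable_hid(TREE, CHAIN_ALLOWLIST))
```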
DEVICE INFO NOTIFICATIONS
Device Info Notifications streamlines notification preferences. This feature includes 22 types of notifications, some of which are enabled by default for newly created Group Policies, organized into 5 sections. Notifications associated with specific products, such as Next-Gen AV, Firewall, or OS Updates, will be disabled if those products are not activated for the user.
Note: The device info notifications settings will only apply to new and updated agents. The settings will only apply to agents with newer versions (starting from 4.5.0), after they get the latest GP.
DNS Security
Uptime Faulted - The notification is triggered when DNS Security was disabled by the uptime checker;
DNS Poisoning - The notification is triggered when the machine has a risk of DNS poisoning.
Patch & Assets
Windows Updates Restart Required - The notification is triggered when the machine requires a restart to complete the OS updates installation.
Windows Update Shutdown Detected - The notification is triggered when a shutdown or reboot (required to complete a Windows update) is detected;
Windows Updates Available Updates Collection Empty - The notification is triggered when no Microsoft Updates have been retrieved for more than 20 days;
Windows Updates Available Updates Error - The notification is triggered when OS updates fail to install.
Endpoint Detection
Antivirus Incompatibilities - The notification is triggered when a different antivirus is installed on the machine;
Antivirus Restart Required - The notification is triggered when a machine restart is required for NGAV to properly function;
Antivirus Status - The notification is triggered to report a faulty or missing AV;
Antivirus Update Error - The notification is triggered to report NGAV engine update issues;
Antivirus Realtime Error - The notification reports NGAV Realtime detection issues;
Firewall Status - The notification reports a missing or faulty firewall;
Firewall Incompatibilities - The notification reports incompatibilities between GPO (Windows) Firewall set-up and Heimdal Firewall (GP) settings;
Firewall Audit Breach Events Not Set - The notification is triggered when BFA subcategory audit events, generated by user account logon attempts on a computer, cannot be intercepted.
Device Stats
Processor Utilization Above Limit - The notification is triggered when the processor utilization exceeds the threshold set in the GP;
Memory Utilization Above Limit - The notification is triggered when the memory utilization exceeds the threshold set in the GP;
Disk Utilization Above Limit - The notification is triggered when the disk utilization exceeds the threshold set in the GP.
General
DLL hijacking - The notification is triggered when DLL hijacking is detected and stopped;
Self Update - The notification is triggered when a self-update is started or completed;
Uninstall - The notification is triggered when the HEIMDAL Agent is uninstalled on the machine (notification is persistent and will be present until the HEIMDAL Agent is reinstalled, and the license key is activated);
Agent Deployment - The notification is triggered when the machine has deployed the HEIMDAL Agent to a different device;
Digital signature missing - The notification is triggered when the digital signature for one of the Heimdal services is missing;
Sysmon Install Error - The notification is triggered when the Sysmon install fails.
Settings
Identical notifications threshold [days] - the HEIMDAL Agent will not trigger a new notification of a given type until the selected number of days has passed since the last notification of the same type was generated.
SYSTEM RESTORE MANAGEMENT
The System Restore Management feature focuses on restore point creation, automation, storage allocation, and management, enabling you to maintain system stability and leverage recovery workflows in case of unstable operating system updates.
System Restore Management - turn ON/OFF the System Restore feature;
System restore reporting only - retrieves checkpoints (if available) without making changes to the system settings of a device;
General Settings
Create restore point before applying Windows Updates - this creates a restore point before applying any Windows Update. This functionality works only if OS Updates is enabled and System restore reporting only is disabled.
Data Volumes - creates restore points for non-OS volumes;
Scheduled automatic point creation - enable/disable automatic restore point creation based on the configured schedule;
Assign disk space - allows you to assign the desired disk space percentage and have more control over the managed data volumes and the disk space they are using.
DNS Security
DNS Security is structured into 2 modules: DarkLayer Guard and VectorN Detection. This Group Policy section is designed to manage the HEIMDAL DNS Security engine embedded in the HEIMDAL Agent.
DARKLAYER GUARD
By enabling the DarkLayer Guard engine, the HEIMDAL Agent will activate the network filter, which protects the computer from infection. The settings are described here.
VECTORN DETECTION
The VectorN Detection engine is a feature that searches for patterns within the blocks of HEIMDAL's DarkLayer Guard records, detecting malware in ways that no other endpoint protection can. It will identify patterns of malicious domain requests and filter these accordingly. The computers identified by VectorN as potentially infected are to be ultimately treated as threats by the system administrator, investigated, and scanned for threats either manually or automatically. The settings are described here.
PATCH & ASSETS
Patch & Assets is structured into 2 modules: 3rd Party Patch Management and Microsoft Updates. This Group Policy section is designed to manage the HEIMDAL Patch & Assets components embedded in the HEIMDAL Agent.
3RD PARTY PATCH MANAGEMENT
The Patch & Asset Management - 3rd Party Patch Management module allows the user(s) to install or update a specific 3rd Party Application from the list of applications managed by HEIMDAL Security. The settings are described here.
OPERATING SYSTEM UPDATES
The Patch & Asset Management - Operating System Updates module allows the HEIMDAL Dashboard Administrator(s) to view, download, and deploy available Operating System Updates that are specific to any endpoint in your environment. HEIMDAL Patch & Assets allows you to select which ones to deploy on the computers that are applying the current Group Policy, to delete or hide them, and select to suppress the reboot of the endpoints after completing the Operating System Updates installation or to schedule when the endpoints will reboot (to complete the installation of the Operating System Update). The settings are described here.
ENDPOINT DETECTION
Endpoint Detection is structured into 3 modules: Next-Gen Antivirus, Firewall Management, and Ransomware Encryption Protection. This Group Policy section is designed to manage the HEIMDAL Endpoint Detection components embedded in the HEIMDAL Agent.
NEXT-GEN ANTIVIRUS
The Endpoint Detection - Next-Gen Antivirus will allow you or the users to perform scan operations on the endpoints in your environment to keep viruses and other threats away. The settings are described here.
EXTENDED THREAT PROTECTION
XTP allows you to collect information on the events that take place on a computer in your environment, based on the rules defined by the HEIMDAL specialists. The settings are described here.
FIREWALL & RAP
This module allows you to control the Windows Firewall from the HEIMDAL Dashboard. The settings are described here.
RANSOMWARE ENCRYPTION PROTECTION
The Ransomware Encryption Protection module detects processes that perform encryption operations on files on the endpoint with malicious intent. The module processes kernel events for IO reads, writes, directory enumeration, and file execution. The collected events are matched against patterns derived from the behaviour of actual ransomware. The engine will allow 3 files to get encrypted until it gives the verdict that the process is suspicious. Once flagged, details about the suspicious process are gathered and sent to the Heimdal servers. The settings are described here.
PRIVILEGES & APP CONTROL
Privileges & App Control allows you to control user permissions in your organization and enables you to manage elevations and special permissions to applications that are used on each endpoint. Privileges & App Control is structured into 2 modules: Privileged Access Management and Application Control.
PRIVILEGED ACCESS MANAGEMENT
The Privileged Access Management module will allow you to give users the ability to install software they need for a period you select, using the Administrator Session or the Run with Privileged Access Management option for single file elevation. Rights granted can be revoked at any time, and actions are logged for a full audit trail. This is the feature that allows an end-user to request admin privileges over their machine by sending a request to the Heimdal Dashboard System Administrator, who can deny or accept their request. The settings are described here.
APPLICATION CONTROL
The Application Control module allows you to control how processes (and applications) are executed on endpoints inside your organization. You can define a set of rules that describe what processes are allowed or blocked on your machines (in your environment) using details like Software Name, Paths, Publisher, MD5, Signature, or Wildcard Paths. Application Control can handle how a process (it can get automatic elevation from the HEIMDAL Privileged Access Management module, if so configured) or child process (it can allow or block all processes spawned by the process defined by the rule) should run. The settings are described here.
REMOTE DESKTOP
By enabling the Remote Desktop, the HEIMDAL Agent will enable the network filter that will protect the computer from accessing malicious domains or URLs. The settings are described here.