In this article, you will learn everything you need to know about the settings you can configure for the HEIMDAL client-side products from the HEIMDAL Dashboard -> Endpoint Settings. To get to the Endpoint Settings, log in to the HEIMDAL Dashboard, click the Endpoint Settings button (top-right corner), and select a Group Policy.
1. Endpoint Settings
2. General
3. DNS Security
4. Patch & Assets
5. Endpoint Detection
6. Privileges & App Control
7. Remote Desktop
ENDPOINT SETTINGS
In the Endpoint Settings, you have a section dedicated to Windows endpoints where you can create and manage the Group Policies that are applied to the endpoints inside your organization. The Modules Overview button gives an overview of the status of each Group Policy in the Windows GPs list. In the Windows GP tab, you can change the priority of the Group Policies (by drag & drop), duplicate/enable/disable a Group Policy, or use the Group Policy Inheritance mode feature and the Opt-in Reseller Master GP feature (if activated by your reseller).
Group Policy Inheritance
Group Policy Inheritance works only for the 3rd Party Patch Management product and merges the 3rd Party Application list settings (automatic install/automatic update/manual install) across multiple Group Policies; it does NOT merge the Delay, Version, Scheduler, or Applications Blocklist settings. The feature does NOT apply to endpoints that have a specific Group Policy applied manually; inheritance only works on endpoints that apply a Group Policy automatically. When HEIMDAL Dashboard Group Policies are linked to AD Groups (AD Computer Group/AD User Group, but not Azure AD Groups), Group Policy Inheritance also takes the AD Group membership of an endpoint into account, which allows a more granular customization of the Group Policy settings that apply to one or more endpoints.
When Group Policy Inheritance is enabled, an endpoint will apply the 3rd Party Application settings (automatic install/automatic update/manual install) specified in the Group Policy that is applying to it, but it will also apply the 3rd Party Application settings (automatic install/automatic update/manual install) from the rest of the Group Policies that match the endpoint (from the highest priority to the lowest priority). The criteria that will merge from other Group Policies are the Install, Update, Allow Install checkboxes, and the Infinity Management checkbox.
If the same application is managed by 2 Group Policies, the settings of the Group Policy with the highest priority win. In the following example, Group Policy A (Google Chrome x64 set to install the Latest Version) has priority 5 and Group Policy B (Google Chrome x64 set to stay on Version 112.0.5615.50) has priority 6; the HEIMDAL Agent keeps Google Chrome x64 on version 112.0.5615.50 because Group Policy B has the higher priority (a higher number means a higher priority).
SCENARIO 1 - AN ENVIRONMENT WHERE THE GROUP POLICIES ARE APPLIED BASED ON PRIORITIES
a. An endpoint that is applying Group Policy A (priority 6, the highest) will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy A, Group Policy B, Group Policy C, Custom 2, Custom 1.
b. An endpoint that is applying Group Policy B (priority 5) will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy A, Group Policy B, Group Policy C, Custom 2, Custom 1.
c. An endpoint that is applying Group Policy C (priority 4) will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy A, Group Policy B, Group Policy C, Custom 2, Custom 1.
SCENARIO 2 - AN ENVIRONMENT WHERE THE GROUP POLICIES ARE APPLIED BASED ON AD COMPUTER/USER GROUPS
a. An endpoint that is applying Group Policy A (priority 6) due to the fact that the endpoint is a member of the Development AD Computer Group will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy A, Custom 2, Custom 1 (Group Policy A is automatically applied to the endpoint, while Custom 2 and Custom 1 are also merged because they are not linked to any AD Computer/User Groups).
b. An endpoint that is applying Group Policy B (priority 5) due to the fact that the endpoint is a member of the Marketing AD Computer Group will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy B, Custom 2, Custom 1 (Group Policy B is automatically applied to the endpoint, while Custom 2 and Custom 1 are also merged because they are not linked to any AD Computer/User Groups).
c. An endpoint that is applying Group Policy C (priority 4) due to the fact that the endpoint is a member of the Support AD Computer Group will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy C, Custom 2, Custom 1 (Group Policy C is automatically applied to the endpoint, while Custom 2 and Custom 1 are also merged because they are not linked to any AD Computer/User Groups).
d. In the following example, an endpoint that is applying Group Policy A (priority 3) because it is a member of the Development AD Computer Group will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy A, Custom 1 and Custom 2 (Group Policy A is automatically applied to the endpoint, while Custom 1 and Custom 2 are also merged because they are not linked to any AD Computer/User Groups).
e. If the Group Policy applied to the endpoint has an Applications Blocklist entry targeting (for uninstall) a 3rd Party Application that is managed/merged from another inherited Group Policy, the blocklist takes precedence: the inherited install/update setting for that application is disregarded.
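To make the merge rules above concrete, here is an added example (not HEIMDAL's own code) that models them in PowerShell on constructed Group Policies: the endpoint's applied GP, every GP not linked to an AD group, and every GP linked to a group the endpoint belongs to are merged from the highest priority down, the first GP that manages an application decides its settings, and the applied GP's Applications Blocklist overrides anything inherited. The GP names, priorities, AD groups and applications are assumptions chosen to mirror Scenario 2.

```powershell
# Added example, not HEIMDAL's code: a model of the inheritance rules described above,
# run on constructed Group Policies. An app's settings come from the highest-priority
# matching GP that manages it; the applied GP's Applications Blocklist overrides them.

function Get-EffectiveAppSettings {
    param(
        [Parameter(Mandatory)] [object[]] $GroupPolicies,   # Name, Priority, AdGroup, Apps, Blocklist
        [Parameter(Mandatory)] [string]   $AppliedGp,       # the GP the endpoint applies automatically
        [string[]] $EndpointAdGroups = @()                  # AD Computer/User groups the endpoint is in
    )
    $applied = $GroupPolicies | Where-Object Name -eq $AppliedGp

    # Only GPs that match the endpoint take part in the merge: the applied GP, GPs not
    # linked to any AD group, and GPs linked to a group the endpoint is a member of.
    $matching = $GroupPolicies | Where-Object {
        $_.Name -eq $AppliedGp -or (-not $_.AdGroup) -or ($EndpointAdGroups -contains $_.AdGroup)
    } | Sort-Object Priority -Descending

    $effective = @{}
    foreach ($gp in $matching) {
        foreach ($app in $gp.Apps.Keys) {
            if ($effective.ContainsKey($app)) { continue }   # a higher-priority GP already decided
            $s = $gp.Apps[$app]
            $effective[$app] = [pscustomobject]@{
                App = $app; Source = $gp.Name
                Install = $s.Install; Update = $s.Update; AllowInstall = $s.AllowInstall
                Version = $s.Version   # mirrors the Chrome 112 example: the winning GP's version applies
            }
        }
    }
    # The Applications Blocklist of the applied GP wins over inherited install/update flags.
    foreach ($blocked in @($applied.Blocklist)) {
        if ($effective.ContainsKey($blocked)) {
            $effective[$blocked].Install = $false
            $effective[$blocked].Update  = $false
            $effective[$blocked].Source += " (blocklisted by $AppliedGp)"
        }
    }
    $effective.Values | Sort-Object App
}

# Constructed data mirroring Scenario 2: A and B are bound to AD groups, Custom 1/2 are not.
$gps = @(
    [pscustomobject]@{ Name = 'Group Policy A'; Priority = 6; AdGroup = 'Development'; Blocklist = @('7-Zip')
        Apps = @{ 'Google Chrome x64' = @{ Install = $true; Update = $true; AllowInstall = $false; Version = 'Latest' } } }
    [pscustomobject]@{ Name = 'Group Policy B'; Priority = 5; AdGroup = 'Marketing'; Blocklist = @()
        Apps = @{ 'Google Chrome x64' = @{ Install = $true; Update = $false; AllowInstall = $false; Version = '112.0.5615.50' } } }
    [pscustomobject]@{ Name = 'Custom 2'; Priority = 2; AdGroup = $null; Blocklist = @()
        Apps = @{ '7-Zip'     = @{ Install = $true;  Update = $true; AllowInstall = $true; Version = 'Latest' }
                  'Notepad++' = @{ Install = $false; Update = $true; AllowInstall = $true; Version = 'Latest' } } }
    [pscustomobject]@{ Name = 'Custom 1'; Priority = 1; AdGroup = $null; Blocklist = @()
        Apps = @{ 'Notepad++' = @{ Install = $true; Update = $true; AllowInstall = $true; Version = 'Latest' } } }
)

# A Development endpoint: Chrome from A (Latest), Notepad++ from Custom 2 (outranks Custom 1),
# 7-Zip inherited from Custom 2 but disabled by A's blocklist; B is not merged (Marketing only).
Get-EffectiveAppSettings -GroupPolicies $gps -AppliedGp 'Group Policy A' -EndpointAdGroups 'Development' |
    Format-Table -AutoSize
# A Marketing endpoint keeps Chrome on 112.0.5615.50: B is the highest-priority GP that matches it.
Get-EffectiveAppSettings -GroupPolicies $gps -AppliedGp 'Group Policy B' -EndpointAdGroups 'Marketing' |
    Format-Table -AutoSize
```

Run it with different -EndpointAdGroups values to see which GPs drop out of the merge; a GP bound to an AD group the endpoint is not in never contributes, whatever its priority.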
Reseller Master GP Distribution
Reseller Master GP Distribution is a feature that allows resellers to deploy a Reseller Group Policy to all the customers that have selected to opt-in to the Reseller Master GP. The Reseller Master GP Distribution feature can be activated only from the Reseller account and enables the Opt-in Reseller Master GP functionality on the reseller's customers. A reseller can create one or multiple Reseller GPs.
Opt-in Reseller Master GP allows the customer (or the reseller) to apply the Group Policy settings configured by the Reseller in the Reseller Master GP. This GP cannot be edited or disabled by an Enterprise customer, but its priority can be changed in the Group Policy list.
The Download button allows you to download an Excel file with all the Group Policies and the settings in each Group Policy.
GENERAL
The General tab is split into 4 modules: General Management, BitLocker Management, Scripting, and USB Management.
GENERAL MANAGEMENT
In the General Management tab, you can configure Group Policy settings that refer to GP assigning, check intervals, thresholds, and other additional settings.
Policy Name - set the name of the Group Policy;
Language - allows you to select the language of the HEIMDAL Agent to be enforced on the endpoints;
Priority - shows you the priority of the Group Policy in the Group Policy list. It can be set by using Drag and Drop in the GP list;
AD Computer Group - this option is used to bind an AD Global Security Group to the current GP. This way, the endpoint that is a member of the specified AD Global Security Group will apply this GP;
AD User Group - this option is used to bind an AD Global Security Group to the current GP. This way, an endpoint whose logged-in user is a member of the specified AD Global Security Group will apply this GP;
External IPs - this option allows you to assign the Group Policy based on one or more External IPs. Separate multiple IPs with a comma; you can also add an IP range (1.1.1.1 - 1.1.1.254);
Specific Azure Groups - allows you to bind the current GPs assigning to an Azure Active Directory Group or multiple Azure Active Directory Groups (Microsoft 365 Groups, Distribution Groups, Mail-enabled Security Groups, Security Groups). The users that are members of the specified Azure Active Directory Group(s), will get the current Heimdal Group Policy;
Policy check interval - sets the interval at which the HEIMDAL Agent automatically checks in with the HEIMDAL Dashboard and servers for Group Policy changes. The default Policy check interval is 180 min;
Licensing check interval - sets the HEIMDAL license check interval that is automatically performed by the HEIMDAL Agent;
CPU Threshold - allows you to set the CPU Threshold for the warning notifications displayed in the Status column of each endpoint (in the Device Info view). The default setting for CPU Threshold is 50%;
Memory Threshold - allows you to set the Memory Threshold for the warning notifications displayed in the Status column of each endpoint (in the Device Info view);
- Example: The memory is running at 65 % | The CPU is running at 55 %
Proxy Settings
This feature is designed to allow the HEIMDAL Agent to communicate with the HEIMDAL Dashboard if the endpoint(s) is/are placed behind a Proxy Server. It allows you to specify the proxy settings by adding the needed information in the displayed fields.
Use system default - the HEIMDAL Agent will automatically pick up the Proxy settings from the computer's Internet Settings. If this option is enabled, the HEIMDAL Agent will impersonate the user that is currently logged in on the computer to pick up the Proxy configuration. If no user is logged in, the HEIMDAL Agent will not be able to collect the Proxy information;
No proxy - the user does not use a Proxy;
Manual proxy - the user needs to manually add the Proxy information for the Host, Port, Domain, Username, and Password;
Additional Settings
Include in Release Candidate Program - enforces the update of the HEIMDAL Agent to the latest HEIMDAL Release Candidate (Beta) version available on the HEIMDAL Servers;
Do not show GUI - run the HEIMDAL Agent without the GUI. This feature is recommended for File Servers, Citrix Servers, Terminal Servers, or RDP Servers where multiple users are connecting at the same time;
Realtime communication - allows the HEIMDAL Agent to communicate with the HEIMDAL Dashboard (with a delay of under 1 minute) and apply GP updates, Next-Gen Antivirus on-demand scans, Logs requests, Wake-on-Lan requests;
Skip prompting the client when requesting logs - allows you to request the HeimdalLogs or the Event Viewer Logs from any endpoint without the explicit approval of the user. If this option is disabled, the HEIMDAL Agent displays a pop-up on the endpoint each time a HEIMDAL Dashboard Administrator tries to collect the HeimdalLogs or the Event Viewer Logs, asking the user to confirm that the Administrator may collect the logs. The HEIMDAL Support Team also has access to this feature: if the option is enabled, the HEIMDAL Support Team can collect the logs without the user's confirmation;
Only merge with AD groups specific policies - allows you to merge the current GP with other GPs that match the endpoint's AD Computer Group or AD User Group (available only if Inheritance Mode is ON). If this option is enabled, you will be able to apply multiple Group Policies to machines that are part of different AD groups;
Enforce uninstall password - allows you to set an uninstall password that will be required when uninstalling the HEIMDAL Agent from any endpoint that is applying the current Group Policy. It prevents unauthorized users from uninstalling the HEIMDAL Agent or making other changes to it;
Synchronize with time server - syncs the endpoint's clock with the Windows Time service to ensure correct communication between the HEIMDAL Agent and the HEIMDAL servers. The HEIMDAL Agent runs w32tm /resync and net time /set /y in the background every time a Group Policy check is performed;
Wake on LAN - enables/disables the Wake-on-LAN functionality. Wake-on-LAN is not supported if:
- the endpoint is in an IPv6 network;
- the endpoint is connected through Wi-Fi;
- the endpoint uses a logical adapter for VPN (logical adapters don't have MAC Addresses);
- the endpoint uses a docking station;
Allow network scan - allows you to select an endpoint (from the Device Info view) and scan the network for devices/endpoints that are not running the HEIMDAL Agent;
Collect Telemetry data - enhances the data/log collection by installing Sysmon (Microsoft System Monitor) to get more data for incident resolution in the Event Viewer Logs. The Sysmon logs come with a retention time of 30 days. If you are already using the Microsoft System Monitor (Sysmon), we will overwrite your existing configuration, but if Sysmon is not installed on your endpoint(s), enabling this feature will install it;
Auto-collect logs on isolation - collects the Heimdal Agent logs, the Event Viewer Logs, and the Remote Desktop logs once an endpoint is isolated (this option is greyed out if the Firewall is turned OFF and the isolation functionality is also turned OFF);
Use Priority update servers - allows you to designate a Priority Update Server so that 3rd Party Application deployment is served from it in preference to each endpoint downloading over the Internet. Once enabled, any computer that is applying the current Group Policy can be marked as a Priority Update Server (from the Device Info view, by selecting the endpoint and choosing Priority Update Server from the dropdown menu), which overrides the Default Update Server. All 3rd Party Application patches/HEIMDAL Agent versions downloaded on the Priority Update Server can then be distributed to the other endpoints in the environment via P2P;
Keep cached files indefinitely - the cached files (3rd Party Applications or HEIMDAL Agent versions) are stored on the Priority Update Server until they are manually deleted. Disabling the option afterwards does not clear files already on the disk;
Additional check interval for normal computers - allows you to set the interval of minutes used by the endpoints to communicate with the Priority Update Server.
BITLOCKER MANAGEMENT
Enabling BitLocker Management will enable BitLocker on the endpoints applying the Group Policy.
BitLocker Management - turn ON/OFF the BitLocker product/service;
Force disk encryption - initiates the encryption process according to the following settings;
OS Volume - encrypts the System drive and displays the Encryption Method and the Key Protector Type that need to be configured;
- Encryption Method - allows you to choose between the encryption methods (XTS-AES 128-bit, XTS-AES 256-bit, AES-CBC 128-bit, AES-CBC 256-bit);
- Key Protector Type - allows you to select a Key Protector type (TPM and PIN or Passphrase).
Data Volumes - encrypts the data drive and displays the Encryption Method and the Key Protector Type that need to be configured;
- Encryption Method - allows you to choose between the encryption methods (XTS-AES 128-bit, XTS-AES 256-bit, AES-CBC 128-bit, AES-CBC 256-bit);
- Key Protector Type - comes with the Passphrase Key Protector type;
- Auto-Unlock - automatically unlocks volumes that don't host an operating system when the OS volume is unlocked. BitLocker uses encrypted information stored in the registry and volume metadata to unlock any data volumes that use automatic unlocking.
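When BitLocker Management has been pushed to a Group Policy, the practitioner's next question is whether every volume on an endpoint actually ended up in the state the policy asked for. The following added example (not HEIMDAL's code) audits that with the built-in BitLocker cmdlets; the $Expected table is an assumption standing in for the values chosen in the dashboard (XTS-AES 256 with TPM and PIN for the OS volume, passphrase plus Auto-Unlock for data volumes). Windows names the page's AES-CBC methods Aes128/Aes256 and the XTS ones XtsAes128/XtsAes256.

```powershell
# Added example, not HEIMDAL's code: compare each volume's BitLocker state with the
# Group Policy settings described above. Run in an elevated PowerShell on the endpoint.
$Expected = @{
    OsEncryptionMethod   = 'XtsAes256'        # XTS-AES 256-bit (assumed policy choice)
    OsKeyProtectors      = @('TpmPin')        # "TPM and PIN"; use 'Password' for Passphrase
    DataEncryptionMethod = 'XtsAes256'
    DataKeyProtectors    = @('Password')      # Passphrase is the only type for data volumes
    DataAutoUnlock       = $true
}

function Test-BitLockerCompliance {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [hashtable] $Expected)

    foreach ($vol in Get-BitLockerVolume) {
        $isOs       = $vol.VolumeType -eq 'OperatingSystem'
        $wantMethod = if ($isOs) { $Expected.OsEncryptionMethod } else { $Expected.DataEncryptionMethod }
        $wantKeys   = if ($isOs) { $Expected.OsKeyProtectors }   else { $Expected.DataKeyProtectors }
        $haveKeys   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $issues = [System.Collections.Generic.List[string]]::new()
        if ($vol.ProtectionStatus -ne 'On') { $issues.Add("protection is $($vol.ProtectionStatus)") }
        if ($vol.EncryptionMethod.ToString() -ne $wantMethod) {
            $issues.Add("method $($vol.EncryptionMethod), expected $wantMethod")
        }
        foreach ($k in $wantKeys) {
            if ($haveKeys -notcontains $k) { $issues.Add("missing key protector $k") }
        }
        # Whatever the primary protector is, a recovery password should exist (and be escrowed).
        if ($haveKeys -notcontains 'RecoveryPassword') { $issues.Add('no RecoveryPassword protector') }
        if (-not $isOs -and $Expected.DataAutoUnlock -and -not $vol.AutoUnlockEnabled) {
            $issues.Add('auto-unlock not enabled')
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Type       = $vol.VolumeType
            Method     = $vol.EncryptionMethod
            Protectors = ($haveKeys -join ',')
            Compliant  = ($issues.Count -eq 0)
            Issues     = ($issues -join '; ')
        }
    }
}

Test-BitLockerCompliance -Expected $Expected | Format-Table -AutoSize
```

A volume that shows the right method but ProtectionStatus Off is typically still encrypting or has had protectors suspended; rerun after the encryption finishes before treating it as a policy failure.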
SCRIPTING
Enabling Scripting will enable Scripting on the endpoints applying the Group Policy.
Scripting - turn ON/OFF the Scripting functionality;
Add Task - allows you to create a new task that will deploy one of the scripts that you select from the repository.
General - here you can set a Task Name and a Task Description:
Triggers - allows you to select how a script is being triggered and when (the trigger type can be set to: On a Schedule, At Log On, At Start Up, On Idle, On Workstation Lock, On Workstation Unlock);
Once a trigger has been set, remember to turn the trigger ON.
Actions - allows you to select the script that you want to deploy (from the Repository);
Conditions - allows you to trigger an action on Idle conditions (start the task if the endpoint is idle for a specific time, stop it if the endpoint ceases to be idle, or restart if the idle state resumes) or Power conditions (start the task only if the endpoint is on AC power, stop if the endpoint switches to battery power or wake the endpoint to run the task);
Settings - allows you to configure several options: bypass execution protection (for PowerShell scripts), run the task as soon as possible after a scheduled start is missed, restart the task at the interval selected in the dropdown if it fails, and apply one of the selectable rules if the task is already running when it is triggered.
Scripts are deployed by the HEIMDAL Agent and can be seen within the Task Scheduler (under Task Scheduler Library -> Heimdal folder):
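Because the tasks land in the standard Task Scheduler, the usual cmdlets can confirm what was deployed and catch the mistake the note above warns about (a trigger that was never turned ON). The following is an added example, not HEIMDAL's code; it assumes the \Heimdal\ task folder named above and, as an assumption about how "bypass execution protection" is implemented, looks for -ExecutionPolicy Bypass in the task's arguments.

```powershell
# Added example, not HEIMDAL's code: inspect the tasks the HEIMDAL Agent created under
# Task Scheduler Library\Heimdal and flag ones with no enabled trigger or a failed last run.
function Get-HeimdalScriptTaskStatus {
    foreach ($task in Get-ScheduledTask -TaskPath '\Heimdal\' -ErrorAction SilentlyContinue) {
        $info            = $task | Get-ScheduledTaskInfo
        $enabledTriggers = @($task.Triggers | Where-Object { $_.Enabled })
        $actions         = @($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() })
        [pscustomobject]@{
            TaskName        = $task.TaskName
            State           = $task.State
            Triggers        = @($task.Triggers).Count
            EnabledTriggers = $enabledTriggers.Count
            Action          = ($actions -join ' | ')
            # assumption: the "bypass execution protection" setting shows up as this switch
            BypassesPolicy  = [bool]($actions -match 'ExecutionPolicy\s+Bypass')
            LastRun         = $info.LastRunTime
            LastResult      = ('0x{0:X8}' -f $info.LastTaskResult)
            NextRun         = $info.NextRunTime
            NeedsAttention  = ($enabledTriggers.Count -eq 0 -or $info.LastTaskResult -ne 0)
        }
    }
}

Get-HeimdalScriptTaskStatus | Format-Table -AutoSize
```

LastResult 0x00000000 is success; 0x41303 means the task has never run, which together with EnabledTriggers 0 is the signature of a trigger left OFF in the dashboard.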
USB MANAGEMENT
Enabling USB Management will enable the USB Management on the endpoints applying the Group Policy.
USB Management - turn ON/OFF the USB Management functionality;
Disable USB Ports - allows you to disable Removable Media Devices from being connected to a computer. A computer reboot is required to activate/deactivate this function;
USB restrictive mode - this functionality will disable ALL USB devices found on the computer, except the allowed list. A computer reboot is required to activate/deactivate this function. USB restrictive mode will allow you to add a device to an allowlist (based on either Class or Hardware ID), thus, allowing it to run;
USB Reporting mode - this functionality will monitor all the plugged-in USB devices without taking any action. All detected USB devices will be listed on the USB Management page;
USB Allowlist - allows you to whitelist a USB device based on Hardware ID, Class ID, or Device instance path. You can give a Friendly name to each entry and you can also import an Allowlist from a CSV file.
IMPORTANT
The Hardware ID differs by brand/model of the USB device. A device can have several Hardware IDs (Device Manager -> device Properties -> Details -> Hardware Ids); the first entry in that list is the most specific one.
The Class ID is shared by all USB devices of the same type and is found in the same Details view of the device's properties.
Allowing a single hardware ID is not enough to allow a single USB thumb drive. The IT admin also has to make sure that none of the USB devices the target one sits under in the PnP tree is blocked, i.e. they are allowed as well. In our case, the following devices have to be allowed so that the target USB thumb drive can be allowed:
- Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft) -> PCI\CC_0C03
- USB Root Hub (USB 3.0) -> USB\ROOT_HUB30
- Generic USB Hub -> USB\USB20_HUB
- USB Mass Storage Device
- Generic Flash Disk USB Device
(Figure: the USB devices above nested under each other in the PnP tree.)
The first of these are internal devices on the machine that define the USB port connection to the outside world. Allowing them does not by itself let any external/peripheral device be installed on the machine. Specifically for desktop machines, it is very important to include in the allowlist all the USB devices that your keyboards and mice are connected through. Failing to do so could block a user from accessing their machine through HID devices.
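Collecting that chain by hand from Device Manager is error-prone, so here is an added example (not HEIMDAL's code) that walks the PnP tree for you: starting from a USB-attached disk it follows DEVPKEY_Device_Parent up to the root and prints each ancestor's class, most specific Hardware ID and Device instance path, which are exactly the three identifier kinds the USB Allowlist accepts. It uses the standard PnpDevice cmdlets (Windows 10 and later); the filter on USBSTOR\ disks is an assumption that the target is a thumb drive.

```powershell
# Added example, not HEIMDAL's code: list every PnP ancestor of a USB device so that all of
# them can be added to the USB Allowlist together with the device itself.
function Get-UsbAllowlistChain {
    param([Parameter(Mandatory)] [string] $InstanceId)   # Device instance path of the target device

    $id = $InstanceId
    while ($id) {
        $dev  = Get-PnpDevice -InstanceId $id -ErrorAction Stop
        $hwid = (Get-PnpDeviceProperty -InstanceId $id -KeyName 'DEVPKEY_Device_HardwareIds' `
                    -ErrorAction SilentlyContinue).Data
        [pscustomobject]@{
            FriendlyName = $dev.FriendlyName
            Class        = $dev.Class
            HardwareId   = @($hwid)[0]          # first entry = most specific
            InstancePath = $dev.InstanceId
        }
        # DEVPKEY_Device_Parent is empty once the root of the tree (HTREE\ROOT\0) is reached
        $id = (Get-PnpDeviceProperty -InstanceId $id -KeyName 'DEVPKEY_Device_Parent' `
                  -ErrorAction SilentlyContinue).Data
    }
}

# Assumption: the devices of interest are USB-attached disks (e.g. "Generic Flash Disk USB Device").
Get-PnpDevice -PresentOnly -Class DiskDrive |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
    ForEach-Object {
        "--- allowlist chain for $($_.FriendlyName) ---"
        Get-UsbAllowlistChain -InstanceId $_.InstanceId | Format-Table -AutoSize | Out-String
    }
```

Run the same walk for the keyboard and mouse (start from a device of class HIDClass or Keyboard/Mouse) before enabling USB restrictive mode on a desktop; every host controller, root hub and generic hub it prints must be in the allowlist or the user loses input.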
DNS Security
DNS Security is structured into 2 modules: DarkLayer Guard and VectorN Detection. This Group Policy section is designed to manage the HEIMDAL DNS Security engine embedded in the HEIMDAL Agent.
DARKLAYER GUARD
By enabling the DarkLayer Guard engine, the HEIMDAL Agent will enable the network filter that will protect the computer from getting infected.
DarkLayer Guard - turn ON/OFF the DarkLayer Guard DNS Filtering;
General Settings
Force DHCP DNS usage - this feature sets the DNS on the Network Interface Card(s) to Automatic (DHCP) underneath the DarkLayer Guard engine. If the DarkLayer Guard engine fails to set 127.7.7.x or fe80::yyyy:yyyy:xxxx:xxxx on the NIC(s), it reverts to automatic DNS (served by DHCP). By default, this option is disabled and DarkLayer Guard should work fine on any type of computer. It is recommended only if you use a VPN product/service that resets the DNS IP Address (after disconnecting) and sets the NIC's DNS to Obtain DNS server address automatically.
This option is NOT recommended if:
- You use a static DNS IP Address(es) on your NIC;
- You are applying it to a Domain Controller/DNS Server.
Use default loopback address - this feature tells the DarkLayer Guard to set the DNS on the Network Interface Card(s) to 127.0.0.1 instead of 127.7.7.x (for IPv4) and ::1 instead of fe80::yyyy:yyyy:xxxx:xxxx (for IPv6). This will enforce the DarkLayer Guard engine to intercept traffic from a single adapter. This setting helps ensure compatibility between DNS Security Endpoint and certain VPN products, as well as other software you may use, such as virtualization products;
Improve TTPC accuracy - installs and updates Sysmon (Microsoft System Monitor), if not already installed, to improve the attribution of DNS requests to the processes that make them, including malicious ones (if the endpoint runs another application that manages Sysmon, this might conflict with this functionality);
- You can find the Sysmon logs in Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational. The Event ID used for DNS request logging is 22;
- When the DarkLayer Guard - Endpoint engine gets the process ID from Sysmon and queries the Windows process list, there is a risk that the process has already exited or been killed. If this happens, DarkLayer Guard - Endpoint cannot get the process information and a generic "-" is displayed in the HEIMDAL Dashboard;
- There is a 2-minute wait time when the same domain is accessed repeatedly, so only one entry is displayed for that domain even if it was accessed several times in that interval. In the Event Viewer Logs, an entry shows up every time a domain is accessed.
Full logging - get enriched information on the DNS requests made from the endpoints (we will log all the DNS requests made in your environment);
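Since the dashboard shows "-" for processes that have already exited and collapses repeated lookups within 2 minutes, the Sysmon Operational log is where to go when you need every query and its originating image. The following is an added example, not HEIMDAL's code: it reads Event ID 22 records from the log named above, extracts the process and query fields by name, and summarizes which images resolved which domains. It assumes Sysmon's standard DNS event schema (ProcessId, Image, QueryName, QueryStatus, QueryResults) and a default time window of the last hour.

```powershell
# Added example, not HEIMDAL's code: read Sysmon DNS query events (Event ID 22) and
# summarize them per process image and domain. Run elevated; Sysmon must be installed.
function Get-SysmonDnsQueries {
    param([int] $Hours = 1, [int] $MaxEvents = 5000)

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 22
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        # EventData fields are positional; read them by Name from the XML so the order does not matter.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            ProcessId   = [int]$d['ProcessId']
            Image       = $d['Image']
            QueryName   = $d['QueryName']
            QueryStatus = $d['QueryStatus']   # 0 = resolved; 9003 = NXDOMAIN (DNS_ERROR_RCODE_NAME_ERROR)
            Results     = $d['QueryResults']
        }
    }
}

$queries = Get-SysmonDnsQueries -Hours 1

# Top image/domain pairs: a single binary hammering many distinct names is worth a second look.
$queries | Group-Object Image, QueryName | Sort-Object Count -Descending |
    Select-Object -First 20 Count,
        @{ n = 'Image';     e = { $_.Group[0].Image } },
        @{ n = 'QueryName'; e = { $_.Group[0].QueryName } } |
    Format-Table -AutoSize

# Names that never resolved (NXDOMAIN) grouped by process: typical of DGA or typo-squat probing.
$queries | Where-Object QueryStatus -eq '9003' | Group-Object Image |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize
```

Because the event carries the image path at query time, it still identifies the process after it has exited, which is precisely the case where the dashboard can only show "-".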
Compatibility Settings
DoH Compatibility Mode - this feature prevents your active browser (Google Chrome or Mozilla Firefox) from using DNS over HTTPS, which would otherwise bypass the more comprehensive DNS traffic filtering provided by HEIMDAL™ DNS Security;
Cisco Anyconnect/Fortinet compatibility mode - this feature will reroute traffic from IPv6 to IPv4 on a Cisco Anyconnect adapter, to solve a known bug in Cisco Anyconnect/Fortinet IPv6 filtering;
Use supported VPN forwarders - makes the DarkLayer Guard engine use the DNS IP Addresses provided/set by the VPN adapter on all the adapters of the endpoint;
High Compatibility Mode – this feature sets a 15-ms delay in applying the DarkLayer Guard filter over the Network Interface Card that currently has internet access, in order to allow all relevant Microsoft Windows services to start up normally. The services which are allowed to start up normally are in charge of vital extended environment tasks like domain discovery, network drives authentication, etc.
Pause DarkLayer Guard when Cisco Anyconnect or Fortinet is detected - this feature pauses the DarkLayer Guard engine while the endpoint is connected through Cisco Anyconnect/Fortinet. DNS filtering is automatically re-enabled after disconnecting from Cisco Anyconnect/Fortinet;
Force NCSI fix - this feature fixes the Network Connectivity Status Indicator, which can show the "no Internet access" globe icon in the tray when running alongside DarkLayer Guard. The HEIMDAL Agent sets the value EnableActiveProbing to 1 under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet and adds an entry for a Microsoft probe address to the hosts file (C:\Windows\System32\drivers\etc\hosts);
DNS server response validation - the DarkLayer Guard will test the DNS Resolvers and alternate them in case any of them fail (we change the 1st DNS with the 2nd one until the 1st one is up and running again);
Disable DarkLayer Guard for IPv6 - allows you to disable DarkLayer Guard filtering on IPv6 (to solve a conflict between Cisco's AnyConnect mechanism and the DarkLayer Guard). This option is greyed out by default and becomes active when Cisco AnyConnect/Fortinet compatibility mode is enabled;
Check Interval - allows you to set the time interval of the DarkLayer Guard engine to check for new updates to the filtering database;
DNS over HTTPS Server - allows you to specify a DoH domain or an IP Address to be used by the DarkLayer Guard engine as its DNS Server. The DNS over HTTPS Server filters traffic only when the computer is outside of the organization's network/environment. When a computer is connected to the domain locally or via VPN, the DNS over HTTPS Server does not filter the traffic; names are resolved by the internal DNS IP Address instead. DoH servers usually answer from different IP Addresses depending on location, so the common practice is to identify the DoH server by its DNS name, which stays the same;
Domains allowlist - this feature allows the HEIMDAL Dashboard Administrator to allowlist a domain that is blocked by Heimdal™ DNS Security. You can allowlist domains, subdomains, top-level domains (.com, .co.uk, etc.), or multiple domains at once by uploading a CSV file (when saving an Excel workbook/sheet as a CSV file, the domains/subdomains are automatically delimited by a comma [,] and they need to be listed on one and the same row; a sample CSV file is provided for download):
Block by Category - this feature allows you to block groups of domains that are included in a category (example: Social, Sports, Gambling, Finance, Health, and others):
Block by Category Schedule - this feature is available only when Block by Category is enabled and allows you to schedule specific time intervals when the Block by Category feature applies;
Domains blocklist - this feature allows the HEIMDAL Dashboard Administrator to blocklist a domain that Heimdal™ DNS Security - Endpoint does not consider a threat, i.e. to block access to a specific domain. You can blocklist domains, subdomains, top-level domains (.com, .co.uk, etc.), or multiple domains at once by uploading a CSV file (when saving an Excel workbook/sheet as a CSV file, the domains/subdomains are automatically delimited by a comma [,] and they need to be listed on one and the same row; a sample CSV file is provided for download):
Custom block pages - this feature allows you to set your organization's name, craft a personalized message to be displayed on the block page, and incorporate your logo that will replace the default Heimdal block page when DNS Security - Endpoint intercepts and blocks access to a malicious domain (or blocklisted domain). The maximum allowed size for the logo is 1 MB. Exceeding this size will prompt you with an error;
Install Block Page Certificate – this feature allows DarkLayer Guard to display the Heimdal or Custom block page for HTTPS websites. This will automatically install the required certificate on all machines associated with the respective GP.
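Several of the settings above change observable state on the endpoint: the DNS servers DarkLayer Guard puts on each adapter (127.7.7.x, or 127.0.0.1/::1 with "Use default loopback address"), the NCSI EnableActiveProbing value and the hosts-file entry added by "Force NCSI fix". The following added example (not HEIMDAL's code) reads that state back so a VPN or DNS problem can be triaged without guessing which setting is in effect. It uses only built-in NetTCPIP and registry cmdlets; treating any fe80: link-local DNS server as DarkLayer Guard's is an assumption.

```powershell
# Added example, not HEIMDAL's code: read back what DarkLayer Guard is expected to have set
# on the endpoint (per-adapter DNS servers, NCSI active probing, hosts-file entries).
function Test-DarkLayerGuardState {
    foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
        foreach ($family in 'IPv4', 'IPv6') {
            $servers = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex `
                            -AddressFamily $family).ServerAddresses)
            # 127.7.7.x / fe80:... is the default; 127.0.0.1 / ::1 with "Use default loopback address".
            # Assumption: no other link-local (fe80:) resolver is configured on the endpoint.
            $dlg = @($servers | Where-Object {
                $_ -like '127.7.7.*' -or $_ -eq '127.0.0.1' -or $_ -like 'fe80:*' -or $_ -eq '::1'
            }).Count -gt 0
            [pscustomobject]@{
                Adapter    = $nic.Name
                Media      = $nic.MediaType
                Family     = $family
                DnsServers = ($servers -join ', ')
                ViaDlg     = $dlg          # $false on an "Up" adapter means the filter is not in the path
            }
        }
    }
}

function Get-NcsiFixState {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
    $probe = (Get-ItemProperty -Path $key -Name EnableActiveProbing -ErrorAction SilentlyContinue).EnableActiveProbing
    $hosts = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue |
             Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*#' }   # active entries only
    [pscustomobject]@{
        EnableActiveProbing = $probe       # 1 once "Force NCSI fix" has been applied
        HostsEntries        = @($hosts)    # a Microsoft probe address is expected here after the fix
    }
}

Test-DarkLayerGuardState | Format-Table -AutoSize
Get-NcsiFixState | Format-List
```

An adapter that shows ViaDlg $false while Up is the first thing to check when a VPN client "resets" DNS; if the VPN adapter is the one carrying traffic, that is the case the VPN compatibility options above are meant for.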
VECTORN DETECTION
The VectorN Detection engine searches for patterns within the blocks recorded by HEIMDAL's DarkLayer Guard, detecting malware that endpoint scanners may miss. It identifies patterns of malicious domain requests and filters them accordingly. Computers that VectorN identifies as potentially infected should be treated as compromised by the system administrator, investigated, and scanned for threats either manually or automatically.
VectorN Detection - turn ON/OFF the VectorN Detection engine (this requires the DarkLayer Guard module to be enabled as well);
PATCH & ASSETS
Patch & Assets is structured into 2 modules: 3rd Party Patch Management and Operating System Updates (Microsoft Updates). This Group Policy section is designed to manage the HEIMDAL Patch & Assets components embedded in the HEIMDAL Agent.
3RD PARTY PATCH MANAGEMENT
The Patch & Asset Management - 3rd Party Patch Management module allows the user(s) to install or update a specific 3rd Party Application from the list of applications managed by HEIMDAL Security.
3rd Party Patch Management - turn ON/OFF the 3rd Party Patch Management module;
General Settings
Infinity Management - turn on/off the Infinity Management module to deploy your own 3rd Party Applications/Patches from the stand-alone patch management system. The patches can be configured in the Infinity Management module and applied to any Group Policy;
Keep all applications up-to-date - all current and future 3rd Party Applications that are included in our 3rd Party Patch Management list will be added to automatic update;
Assets View - allows you to track down and manage all the 3rd Party Applications installed on the devices in your organization, even if we do not offer patches for them (supports applications that are installed in the All Users context). The Assets View updates the list of applications every 24 hours, but it can be manually updated by restarting the computer (this one takes the Delay Patching on Start-up option into consideration).
Software Asset Management - allows you to manage the software license details for an application that is installed in your environment in a dedicated view found under Patch & Asset Management -> 3rd Party Patch Management. You can input Software Name, Version, Publisher, License Type, Quantity, Price, Expiration Date, etc.
Manage Applications
Show only Infinity Management applications - displays the 3rd Party Applications added in Infinity Management only;
Push Install - enable the selected 3rd Party Application(s) to be installed on the endpoint(s) if it is not already installed. If the 3rd Party Application is already installed, it will not do anything;
Update - enable the automatic update of the selected 3rd Party Application(s);
Allow Install - make the selected 3rd Party Application(s) available for manual installation by displaying it in the HEIMDAL Agent - 3rd Party Patch Management list:
Install Delay Pop-up - allows end users to delay the installation of 3rd Party applications when the Install delay pop-up is enabled. While applications in the Heimdal supported list of 3rd party vendors are silent, non-disruptive installations, this is a feature recommended if you're using Infinity Management to deploy software packages that can lead to end-user disruption (latency, reboots, etc.). The pop-up presented by the HEIMDAL Agent on the endpoint looks as follows:
Delay - allows you to delay the automatic deployment of the selected 3rd Party Application(s) by 1 to 30 days;
Version - allows you to target the selected 3rd Party Application(s) to the Latest Version or an older version (available in the Patching System). Targeting a version that is older than the Latest Version will downgrade the higher version to the targeted version. This means that Heimdal™ Patch & Assets will not update it anymore (this works ONLY for the 3rd Party Applications that can be uninstalled through the HEIMDAL Agent, where Uninstall is supported);
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for newly available patches;
Delay patching on startup - allows you to set the delay time interval applied on computer startup until the HEIMDAL Agent starts the patching operation;
Install delay pop-up - allows you to give users the possibility of delaying the update/patch operation of 3rd Party Applications that might be in use, according to the delay interval and the number of postpones set below (the update/patch can be delayed by 5 to 60 minutes and postponed up to 5 times). Once enabled, you can choose which 3rd Party Application(s) are updated/patched with the Install Delay pop-up (from the Install Delay pop-up column in the table above). If only some 3rd Party Applications are enabled for the Install Delay pop-up, the HEIMDAL Agent first updates/patches all the 3rd Party Applications that are not marked with Install Delay pop-up, followed by the ones that are.
Patching Schedule - allows you to set a scheduler for the 3rd Party Application patching module:
- You can select one or more days in a week when Heimdal™ Patch & Assets can install the 3rd Party Application(s)/Patches;
- You can select one or more days in a month when Heimdal™ Patch & Assets can install the 3rd Party Application(s)/Patches;
- You can also select a specific interval of any day to exclude the 3rd Party Application patching.
Applications Blocklist
This feature allows you to uninstall a specific 3rd Party Application(s) to restrict the usage of unwanted applications or to get applications removed from all endpoints that are applying the current Group Policy. This feature removes most of the applications that Patch & Asset Management is monitoring and also uninstalls other 3rd Party Applications that are present on the endpoints but not managed by Patch & Asset Management module.
To uninstall a 3rd Party Application you need to specify the name of the application. To target multiple 3rd Party Applications whose names start with the same word(s), you can specify at least the first word of the name (in case the 3rd Party Application has a name composed of more than 1 word) and tick the Starts with tickbox to be able to add the entry.
- The example below targets the Poly Lens application that is installed on the endpoint(s);
- If you target a specific application you have to add the exact application name (as it is displayed in the Control Panel - Programs and Features list) to be uninstalled (like in the example below: Java 8 Update 291 (64-bit));
Example:
- If you want to uninstall a 3rd Party Application that is in the 3rd Party Patch Management list, you need to make sure that the tickboxes for Install and Update are unticked in order to be able to add the 3rd Party Application in the Application Blocklist.
OPERATING SYSTEM UPDATES
The Patch & Asset Management - Operating System Updates module allows the HEIMDAL Dashboard Administrator(s) to view, download and deploy available Operating System Updates that are specific to any endpoint in your environment. HEIMDAL Patch & Assets allows you to select which ones to deploy on the computers that are applying the current Group Policy, to delete or hide them and select to suppress the reboot of the endpoints after completing the Operating System Updates installation or to schedule when the endpoints will reboot (to complete the installation of the Operating System Update).
Operating System Updates - turn ON/OFF the Operating System Updates product;
Microsoft Vulnerability reporting only - will only display the Windows Updates available for the endpoints (in the Microsoft Updates view) in your environment without applying them.
General Settings
Install no restart required updates only - allows you to enable/disable the automatic download and install of all the available Windows Updates that do NOT require a reboot to complete the installation process;
Suppress and install everything - allows you to enable/disable the automatic download and installation of all the available Windows Updates (those that require a reboot to complete the installation process and also those that do not require a reboot) when they are released by Microsoft on the Microsoft API. The computer will not reboot automatically even if an installed update requires a reboot in order to complete. The reboot will be carried out manually by the user/administrator;
Installation of optional updates - allows you to enable/disable the automatic download and installation of optional updates (like Microsoft Feature Updates);
Prevent Windows 11 auto-upgrade - allows you to prevent the computers from installing the Upgrade to Windows 11;
Enhanced reboot detection - the HEIMDAL Agent will perform another check to see if a reboot is required to complete the installation of a Windows Update. This feature may put the endpoint(s) in a continuous reboot state;
Installation by category - allows you to enable/disable the automatic download and installation of specified Microsoft Updates categories. Categories can be selected from the drop-down menu:
Installation of other Microsoft products - allows you to enable/disable the automatic download and installation of Microsoft Updates for other Microsoft products listed here: https://learn.microsoft.com/en-us/windows/deployment/update/update-other-microsoft-products;
OS Updates Exclusions - allows you to exclude Windows Updates from being installed by KB or Title. Exclusions have priority over the Windows Updates selected for installation in the Group Policy. The Exclusions section allows you to import a CSV file in case you have multiple KBs or Titles that need to be excluded;
Agent notifications for reboot - allows you to enable/disable the Reboot Required notification that is displayed by the HEIMDAL Agent on the end-user computer when a reboot is necessary to finish the installation of a Windows Update;
Server Source - allows the HEIMDAL Agent to download the available Windows Updates from the server source you choose.
- Default - searches for updates on the intranet Microsoft update service location (if specified) configured in the Local Group Policy Editor -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update, or on the Microsoft Default source (if nothing is specified);
- Windows Updates - searches for updates directly on the Microsoft Update servers (bypassing any specified intranet location).
The section below allows you to hide or delete specific Windows Updates that are manually set for installation:
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for new Available Windows Updates:
Delayed OS Interval (days) - allows you to postpone the installation of the Windows Updates for a number of days after their release. This setting will override the customization of the scheduler:
OS Schedule - allows you to configure the interval(s) when the deployment of available Windows Updates takes place. You can select a day or multiple days during the week or during the month (and a timeframe that applies to the selected day/s). Choosing a day or multiple days (without selecting the weeks) will run the OS Updates on the selected days of every week. Choosing a day or multiple days (by selecting the First Week and the Second Week) will run the OS Updates on the selected days, in the First Week and the Second Week only. The scheduler considers the way the days are distributed within the calendar.
In the example below, the month of September 2022 spans a period of 5 weeks. The First Week starts on the 1st of September, which means that the First Week includes only 4 days, while the Fifth Week includes 5 days. Choosing a combination of Thursday and First Week means that the OS Updates will run on the 1st of September. Choosing a combination of Monday and First Week means that the OS Updates will run on the 5th of September (the first day of the Second Week), because the first Monday of the month happens then. This happens in order to prevent skipping a month if the selected day is out of scope. The other case refers to a combination of Sunday and the Fifth Week, where the last Sunday is out of the scope of the Fifth Week. Because the algorithm is adjusted in such a way as not to skip any month, the OS Update scheduler will run on the 25th of September (which is the actual last Sunday of the month).
The scheduler can be made Active during the time selection or Inactive during the time selection. This feature is designed to allow you to schedule when the download and installation of Windows Updates take place to minimize the impact on the workflow in your environment;
OS Reboot Scheduler - allows you to configure the interval(s) when an endpoint can reboot in order to complete the installation of available Windows Updates that require a reboot. You can select a day or multiple days during the week or during the month (and a timeframe that applies to the selected day/s). Choosing a day or multiple days (without selecting the weeks) will allow the reboot on the selected days of every week. Choosing a day or multiple days (by selecting the First Week and the Second Week) will allow the reboot on the selected days, in the First Week and the Second Week only. The scheduler considers the way the days are distributed within the calendar.
In the example below, the month of September 2022 spans a period of 5 weeks. The First Week starts on the 1st of September, which means that the First Week includes only 4 days, while the Fifth Week includes 5 days. Choosing a combination of Thursday and the First Week means that the reboot will occur on the 1st of September. Choosing a combination of Monday and the First Week means that the reboot will occur on the 5th of September (the first day of the Second Week), because the first Monday of the month happens then. This happens in order to prevent skipping a month if the selected day is out of scope. The other case refers to a combination of Sunday and the Fifth Week, where the last Sunday is out of the scope of the Fifth Week. Because the algorithm is adjusted in such a way as not to skip any month, the OS Reboot scheduler will run on the 25th of September (which is the actual last Sunday of the month).
The scheduler can be made Active during the time selection or Inactive during the time selection. This feature is designed to allow you to schedule when an endpoint can reboot in order to complete the installation of Windows Updates that require a reboot to minimize the impact on the workflow in your environment;
OS Reboot Delay - allows you to configure a reboot delay interval and a number of postpones to grant the end-user the possibility of preparing for a scheduled reboot required to complete the installation of a Windows Update. The two sliders will allow you to set the number of minutes the user can delay a reboot and how many times a reboot can be delayed:
OS Reboot Delay can allow the user to postpone the reboot event outside the scheduled interval. The reboot delay postpone notifications are displayed even if the Agent notifications for reboot functionality is disabled.
Please see below how the postpone reboot delay pop-up will be displayed for the end-user.
Delivery Optimization - allows you to enable/disable the delivery optimization functionality to reduce bandwidth consumption by sharing the work of downloading packages across multiple devices within the organization;
Limit bandwidth for download - set the maximum foreground and background download bandwidth in MBs/second that the device can use across all concurrent download activities.
IMPORTANT
OS Updates is not designed to support the installation of Windows Updates that are approved via WSUS. Although an endpoint can be pointed to look for updates on a WSUS location, the HEIMDAL Agent is not able to discover the updates approved in WSUS and install them. The recommendation is to allow HEIMDAL's OS Updates to manage them by searching and installing them right from the Microsoft Update servers.
ENDPOINT DETECTION
Endpoint Detection is structured into 3 modules: Next-Gen Antivirus, Firewall Management, and Ransomware Encryption Protection. This Group Policy section is designed to manage the HEIMDAL Endpoint Detection components embedded in the HEIMDAL Agent.
NEXT-GEN ANTIVIRUS
The Endpoint Detection - Next-Gen Antivirus will allow you or the users to perform scan operations on the endpoints in your environment to keep viruses and other threats away.
Next-Gen Antivirus - turns ON/OFF the Next-Gen Antivirus module;
General Settings
AutoScan USB Ports - turn on/off the automatic scan of any USB Removable Device (like flash drives, storage devices, HDDs) that is plugged into a computer. For Enterprise users, the option will automatically launch a popup with the Scan Window that runs;
USB Silent Mode Scan - do not display a Scan window on the end-user computer. This option works only for USB Removable Devices (it does not work with other plug-and-play devices like headphones, cameras, mice, or keyboards). This feature can be turned on only if AutoScan USB Ports is turned on. The endpoints will be scanned in real-time to catch both known and unknown threats. This feature will scan all actions performed on any file, such as reading, writing or executing so that malicious activities can be detected immediately;
Device protection actions - a dedicated table will be displayed, in which the Dashboard user can select one or multiple actions (Isolate, Shutdown, or Logout) to be taken in case of detections occurring in either NGAV, Firewall, or REP modules.
IMPORTANT
If Device protection actions is enabled and the Firewall module is disabled, the latter will be enabled automatically, as will the Endpoint isolation setting. If the Ransomware Encryption Detection module is disabled or the submodule is not licensed, the row inside the grid corresponding to Ransomware Encryption Detection will be disabled (not actionable). For the Firewall module, the only available protection action is Isolation and it will be triggered after a minimum of 100 occurrences of public Brute Force Attacks. Disabling the newly added setting after a Group Policy update will trigger a toast message informing the dashboard user that disabling the Device protection actions feature will not disable the Firewall module and the Endpoint isolation setting.
In case multiple actions are selected for a module, these will be executed in order: Isolation first, followed by Shutdown and Logout, as the third action (depending on the combination of actions, in some scenarios, the Logout action will not be performed anymore).
Agent Balloon Notifications - allow the HEIMDAL Agent to display a balloon notification on detected files;
Hide Windows Defender interface - allows you to hide the Windows Defender interface (within Windows Security Center). Hiding the interface will make it so that the Virus & Threat protection section in Windows Security Center gets hidden also.
While hidden, the Security providers section will display No providers in the Antivirus field.
Antivirus Settings
Isolate on Tamper Detection - isolates a computer from the Internet if one or more HEIMDAL Security services are stopped by external intervention. The Firewall product will be enabled if it is disabled;
Allow users to stop AV Service - allows the end-users to stop the Heimdal Antivirus service on the endpoint based on a password set by the IT Administrator. Once enabled, you can set the password and the Auto-Restart interval for the Antivirus service (between 2 and 60 minutes). The password must be longer than 6 characters, and the Pause interval is in the range of 2-60 minutes:
Allow Manual Scan - enables/disables the ability of the end-user to start any scan directly from the HEIMDAL Agent;
Allow Cancel Scan - enables/disables the ability of the end-user to cancel any running or scheduled scan operation directly from the HEIMDAL Agent;
Zero-Trust Execution Protection
Zero-Trust Execution Protection - enables the protection against zero-hour threats compromising your environment (it can also be enabled/disabled from the Privileges & App Control -> Privileged Access Management module and from the Privileges & App Control -> Application Control module). Zero-Trust Execution Protection checks unsigned executable files and blocks their execution if deemed untrusted;
Reporting mode - scans and logs all the processes with Zero-Trust Execution Protection to the HEIMDAL Dashboard without taking any action (allow or block);
Exclusions - the exclusion area allows you to exclude a process from the Zero-Trust Execution Protection by File Name, File Path, Directory, or MD5;
Update virus definitions interval [min] - allows you to set the update time interval for the virus definition files. The default value is 120 minutes and it can be extended to 360 minutes. This feature is designed to check whether there are any new virus definition files (VDFs) available on the HEIMDAL servers. When a new VDF file is available, it will be automatically downloaded to the local agent database. It is recommended to keep the limit set to 120 min in order to update the database as soon as possible.
Schedule Scan
This section allows you to schedule a scan according to your preferences. You can start creating a schedule by pressing the Add New Scan button.
Scan Profile Name - specify the name for the profile you want to create;
Scan Type - select the type of scan you wish HEIMDAL Next-Gen Antivirus to run in the created profile;
- Full Scan - scans all the files on the endpoint;
- Quick Scan - scans critical OS locations and the most usual target folders which are known for virus activity: C:\Program Files\Common Files, C:\Program Files (x86)\Common Files, C:\Windows, C:\Windows\system32, C:\Windows\SysWOW64;
- Hard Drive Scan - scans all files on the hard drive while ignoring the files on all external media types;
- Local Drive Scan - scans all local disks including the hard drives, optical drives, and external storage;
- System Scan - scans the system directory;
- Removable Drive Scan - scans files stored on flash, optical or external drives;
- Network Drive Scan - scans files on Mapped Network Drives, it detects the infection(s), but NO action will be performed because the Next-Gen Antivirus cannot remove something from a network location to place it in the local Quarantine folder. This scan type works with Mapped Network Drives but does NOT work with Network locations:
- Active Processes Scan - scans the processes that are currently running on the endpoint;
- Custom Scan - available only on the end user's computer in the HEIMDAL Agent, allows the scan of any file by using the right-click context menu and then selecting Scan with HEIMDAL Next-Gen Antivirus & MDM which will open a new window with the result;
You can set up a scheduler to run the selected Scan Type in the specified timeframe. The scheduler enables you to choose a day or multiple days during the week or during the month and the time interval when to run the selected Scan Type.
IMPORTANT
The scan profile does not apply automatically in the policy after clicking the Set Scan button. The configured scheduler needs to be confirmed by updating the policy. If the Update GP button is not clicked, the defined scan profile will be lost if the current page is left before updating the policy. Multiple scan profiles can be created inside a Group Policy. However, the scan type is exclusive. This means that it is not possible to create multiple profiles with the same scan type. For example, there cannot be 2 scan profiles to perform full scans in the same Group Policy.
Next-Gen Antivirus Exclusion List
This feature allows you to add exclusions that Next-Gen Antivirus & MDM will ignore after scanning. The Exclusion List comes with different Priorities and enables you to exclude file names, file paths, directories, or patterns (wildcards).
Priorities
Low (former Normal Exclusions) - scans the object first and excludes it after;
Medium (former Real-Time Exclusions) - excludes the object directly from the real-time driver and pre-scans it. Only use this when the low priority doesn't work. It is recommended to use this priority for applications and external drives that are used regularly and for longer periods of time, to avoid having their files/folders blocked instantly by the Antivirus scanning.
High - excludes the object without performing any scan. This priority type allows up to 5 High priority exclusions. A toast warning is displayed if a user tries to add more than five High priority exclusions.
Types
Filename - allows you to specify the filename that you want to exclude (e.g. test.exe, file.doc, file.txt, example.msi). We don’t recommend using filename exclusions as malware might have the same name as that of a file that you trust. Therefore, in order to avoid excluding potential malware from being scanned, use a fully qualified path to the file that you want to exclude. If you still want to use the filename exclusions, please be aware that due to the changes in the improved basic detection engine made in the 3.5.0 Release, files that have been excluded based on filename might not run from the first attempt. If this happens, please allow a few seconds to pass from the first try and then launch the file again (this slight delay is caused due to the fact that when the first execution attempt happens, the file could be detected and quarantined and, behind the scenes, we will remove it from quarantine and make it available for execution);
File Path - allows you to specify the file path where the file is located on the hard drive (e.g. C:\Users\Username\Desktop\test.exe, C:\test.exe);
Directory - allows you to specify a directory path to be excluded (sub-directories are automatically excluded) from scanning (e.g. C:\Users\Username\Desktop, C:\Downloads);
Pattern - allows you to specify a pattern (e.g. C:\test\*.*, *.bat) that should be excluded from scanning. This option does not work with System Variables (%USERPROFILE%, %TEMP%, or others).
Profiles
The Profiles allow you to exclude known paths for specific server roles:
- Domain Controller
- Exchange Server
- File and Storage Server
- Microsoft SQL Server
- MySQL Server
- Print Server
- RDP Server
These profiles come with predefined exclusions for folders/files associated with the server.
This section allows you to import a CSV list of exclusions, but you can also download an existing exclusion list in CSV format.
Global Quarantine List
The Global Quarantine List allows you to add a file to quarantine if it is detected by the Antivirus engine (the file will be marked as Suspicious or Infected).
- A file that is added to the Global Quarantine List based on File Name can be quarantined ONLY if the Antivirus engine detects the file as Suspicious/Infected;
- A file that is added to the Global Quarantine List based on File Path can be quarantined no matter if the Antivirus engine detects it as Suspicious/Infected or not;
- Files added by File Path will be marked as Suspicious;
- .txt files added by File Path will not work with Real-Time Scanning.
Scan Settings
Next-Gen AV CPU Throttling Limit % - adjusts the CPU Throttling Limit of the Next-Gen AV scans. This can be achieved with a slider, ranging from 5% to 90% CPU Throttling Limit.
Note: keep in mind that instantaneous values will sometimes spike beyond the set limit; however, this feature brings the average CPU usage below the set value.
OS-specific settings
Real-Time Protection - the endpoints will be scanned in real-time to catch both known and unknown threats;
Real-Time Archive Scan - enables the scan of archives and their contents. After enabling this option you can also set the Maximum Recursion depth (scans the parent archive and the child archives included in the parent archive, up to the 10th level) and Maximum archive files (scans the selected number of files included in an archive, up to 100 files). Enabling this feature will impact CPU performance as it requires more processing power;
False Positive Control - allows the Next-Gen Antivirus to identify exceptional false positives detections in real-time and prevent them from impacting the performance of antimalware scanning;
Protection Cloud - sends a suspicious file's digital fingerprint to our real-time protection cloud for further analysis and returns a fast response on whether the file is infected or safe;
Real-Time Scan Network Files - enables the Next-Gen Antivirus to perform a real-time scan each time a change is made on your network drives;
Heuristic Settings - turn ON/OFF the detection of unknown viruses by analyzing affected code and scanning for virus-specific functions. Based on the selected Heuristic Detection Level (Low, Medium, High) the appropriate number of detection rules are activated, increasing or decreasing the aggressiveness level of detection (please be aware that a Heuristic Level High can increase the number of false positives and that for desktop environments Heuristic Level Low and Medium are recommended);
Scan Mode - allows you to select the way the real-time engine performs system scans:
- SMART - the real-time engine will scan all files based on the file type and file content by sophisticated algorithms. This option will speed up a system scan and provide the same level of protection;
- ALL - the real-time engine will scan all files (but it will take considerably more time to finish).
Default Scan Action on Infected - allows you to select the action that you want the Next-Gen Antivirus to take upon detecting an infected file: Deny (block the file without taking any action on it), Quarantine, Allow, or Delete. Be advised that the Deny option is available only if Real-Time Protection is turned ON in the Group Policy;
Default Scan Action on Suspicious - allows you to select the action that you want the Next-Gen Antivirus to take upon detecting a suspicious file: Deny (block the file without taking any action on it), Quarantine, or Allow. Be advised that the Deny option is available only if Real-Time Protection is turned ON in the Group Policy.
FIREWALL
This module allows you to control the Windows Firewall from the HEIMDAL Dashboard.
Firewall Management - turn ON/OFF the management of the Windows Firewall. Turning the Firewall Management ON will enable the Windows Firewall on the endpoints if it is disabled, but turning it OFF will not disable the Windows Firewall on the endpoints;
General Settings
Block RDP port on brute force detection - automatically blocks the default RDP Port (3389) for both TCP and UDP on the endpoint where an audit breach is detected. Once the RDP Port is blocked on an endpoint, you'll see a Blocked RDP icon in the Status column (in the Device Info view). To unblock the RDP Port, you have to select the endpoint in question and click Unblock RDP Port in the dropdown menu. The RDP port is not blocked if the Brute Force Attacks (BFAs) originate from the private network.
RDP Port - this field allows you to change the default RDP Port (3389) to another port number (in case of another RDP Port usage);
Enforce manual added rules when computer is isolated - keep the manually added firewall rules in the Group Policy even when the computer is isolated (this makes sure that rules added in the Group Policy are not disabled by the HEIMDAL Agent when the computer gets isolated);
Allow ICMP Echo Requests - creates a rule that allows PING requests inside your network;
Use automatic rules - allows you to select any of the profiles to enable/disable the Inbound/Outbound connections;
Allow isolation - allows you to isolate an endpoint in your network from the rest of the endpoints. If the endpoint is isolated, all its external connections are rerouted through the Heimdal Security systems. Once the option is enabled, the endpoint can be isolated from the Device Info view, by selecting the endpoint you want to isolate and by pressing the Isolate button:
Isolate on Tamper Detection - allows you to automatically isolate an endpoint when the end-user is trying to stop/pause the HEIMDAL services (when the end-user is trying to break the Anti-Tamper Protection);
Isolation Allowlist Rules - allows you to add specific predefined rules in the Windows Firewall if the computer is isolated. The rules come as a group (more specifically as a profile that adds some rules for a certain application, e.g. TeamViewer, Heimdal RD). The rules will be deleted when the endpoint is unisolated. Please note the fact that any HEIMDAL process/application is allowed by default.
Note: In order for the setting to take effect, the isolation profile needs to be enabled in the GP, PRIOR to the isolation event taking place.
If the Isolation Profile is enabled and the machine isolation is triggered via any of the available methods, a new Firewall rule is added to the Windows Firewall.
Device protection actions - a dedicated table will be displayed, in which the dashboard user can select one or multiple actions (Isolate, Shutdown, or Logout) to be taken in case of detections occurring in either NGAV, Firewall, or REP modules.
Notes: If “Device protection actions” is enabled and the Firewall module is disabled, the latter will be enabled automatically, as will the “Endpoint isolation” setting. If the Ransomware Encryption Detection module is disabled or the submodule is not licensed, the row inside the grid corresponding to REP will be disabled (not actionable). For the Firewall module (Brute Force Attacks or Failed Local Password Attempts) the only available protection action is “Isolation” (and it will be triggered after a minimum of 5 detections). Disabling the newly added setting after a Group Policy update will trigger a toast message informing the dashboard user that disabling the “Device protection actions” feature will not disable the Firewall module and the “Endpoint isolation” setting.
In case multiple actions are selected for a module, these will be executed in order: Isolation first, followed by Shutdown and Logout, as the third action (depending on the combination of actions, in some scenarios, the Logout action will not be performed anymore).
An email alert/notification is sent for instances in which an “automatic” machine isolation occurs (either as a result of the selection made in “Device Protection Actions” or as a result of the “Isolate on Tamper Detection” functionality kicking in). The email notification will be generated and sent to the users (corp. customer and reseller levels) who have the Next-Gen Antivirus alert enabled within the “Accounts” section of the Heimdal dashboard.
Firewall Rules - this option allows you to add/edit/remove Firewall rules in the Windows Defender Firewall. In order to create a Firewall Rule you need to follow the required conditions:
- Name - allows you to set the rule name (the name of the rule needs to be unique). Each rule will include a suffix (corresponding to the protocol type) in the rule name (e.g. Block SQL Server port-TCP or Block SQL Server Port-UDP);
- Application - specify the application path or * for any application;
- Remote IP - specify an IP Address or * for any IP Address;
- Port - specify the port value or * for any Port (values can be set only for TCP or UDP protocols);
- Direction - specify the direction of the flow (In, Out, Both directions);
- Protocol - specify the protocol type (TCP, UDP, or Any);
- Permission - specify whether to block or allow;
- Profile Types - specify on what profile the rule applies (Domain, Private, Public).
Additional Settings:
- Local AD Computer Groups - allows you to apply the rule to the computer(s) that are part of the specified Local Active Directory Computer groups;
- Remote AD Computer Groups - allows you to apply the rule to any remote IP Address belonging to computers that are part of the specified AD Computer Groups (this setting will take into consideration the selected IP type: public/private/both);
- Local IP - allows you to apply the rule to a computer that uses the specified IP Address(es). Multiple IP Addresses can be specified, separating them by a comma;
- IP Type - allows you to select between Public, Private or Both.
Firewall Predefined Rules - allows you to enable/disable predefined rules based on a list of groups. These firewall groups are mapped in order to provide network connectivity for Windows programs and services and the user cannot alter them.
- Permission - specify whether to block or allow;
The Show details button allows you to see additional details regarding the predefined rules (that are not present in the grid).
Allowlist Brute Force IP - allows you to add an IP Address that is detected as Brute Force Attack and is considered a false positive;
RANSOMWARE ENCRYPTION PROTECTION
The Ransomware Encryption Protection module detects processes that perform encryption operations on files on the endpoint with malicious intent. The module is processing kernel events for IO reads, writes, directory enumeration, and file execution. Patterns are matched against the collected events after studying the same patterns that are being created by actual ransomware. The engine will allow 3 files to get encrypted until it will give the verdict that the process is suspicious. Once flagged, details about the suspicious process are gathered and sent to the Heimdal servers.
Ransomware Encryption Protection - turn ON/OFF the Ransomware Encryption Protection module;
General Settings
Reporting mode - enabling it will report the processes detected by Ransomware Encryption Protection without blocking them;
Agent Balloon Notifications - allows you to turn ON/OFF the Agent balloon notifications when encryption is detected;
Isolate on Tamper Detection - allows you to turn ON/OFF the isolation feature when a Tamper Detection is being made. When enabled, it will ensure the Firewall product/service is enabled and that the endpoint where this behavior is being observed will be isolated from the network (thus, preventing lateral movement). For the functionality to work, you need to have the Next-Gen Antivirus & MDM and Firewall products/services licensed, and, even if the Firewall product is disabled, we will automatically activate it (otherwise the corresponding tick box will be grayed out/non-functional);
Device protection actions - a dedicated table will be displayed, in which the dashboard user can select one or multiple actions (Isolate, Shutdown, or Logout) to be taken in case of detections occurring in either NGAV, Firewall, or REP modules.
Notes: In case the “Device protection actions” is enabled and the Firewall module is disabled, the latter will be enabled automatically, as will the “Endpoint isolation” setting. If the Ransomware Encryption Detection module is disabled or the submodule is not licensed, the row inside the grid, corresponding to REP, will be disabled (not actionable). For the Firewall module (Brute Force Attacks or Failed Local Password Attempts) the only available protection action is “Isolation” (and it will be triggered after a minimum of 5 detections). Disabling the newly added setting after a Group policy update will trigger a toast message informing the dashboard user that disabling the “Device protection actions” feature will not disable the Firewall module and the “Endpoint isolation” setting.
In case multiple actions are selected for a module, these will be executed in order: Isolation first, followed by Shutdown and Logout, as the third action (depending on the combination of actions, in some scenarios, the Logout action will not be performed anymore).
Exclusions - allows you to exclude a filename, file path, directory path, MD5, or wildcard (*\MyFolder\*, *\MyFolder\*.exe, D:\*\MyFolder\*, D:\*\MyFolder\*.exe, *\Folder\app.exe, C:\Folder\*, C:\Folder\*\folder2\app.exe) from being blocked by the REP module. The Exclusions section has a Download button that will download a CSV Report with the exclusions list.
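As an added example (not Heimdal's code), the following PowerShell models the behaviour described above over constructed file-system events: write operations whose content looks encrypted are counted per process, a verdict is given once a process has overwritten three distinct files, Reporting mode turns the verdict into a report instead of a block, and a wildcard exclusion in the forms listed above exempts a process image. The entropy threshold, the event record layout and the function names are assumptions, not the module's internals.

```powershell
# Added example (not Heimdal's code): a simplified model of the detection logic described
# above, run over constructed file-system events. The entropy threshold, the event record
# layout and the function names are assumptions, not the product's internals.

function Get-ShannonEntropy {
    # Bits of entropy per byte: random or encrypted data approaches 8, plain text stays well below.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Count -eq 0) { return 0.0 }
    $counts = @{}
    foreach ($b in $Bytes) { $counts[[int]$b] = 1 + [int]$counts[[int]$b] }
    $h = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $Bytes.Count
        $h -= $p * [Math]::Log($p, 2)
    }
    return $h
}

function Invoke-EncryptionHeuristic {
    param(
        [object[]]$Events,                 # one record per kernel IO event (read, write, enumerate, execute)
        [string[]]$Exclusions = @(),       # wildcard patterns for excluded process images, e.g. '*\MyFolder\*'
        [switch]$ReportingMode,            # report the verdict without blocking
        [int]$FileThreshold = 3,           # files a process may overwrite with ciphertext before the verdict
        [double]$EntropyThreshold = 7.0
    )
    $suspectFiles = @{}   # process id -> files it overwrote with high-entropy data
    $verdicts     = @()
    foreach ($e in $Events) {
        if ($e.Op -ne 'Write') { continue }                                    # other ops are collected only
        if ($Exclusions | Where-Object { $e.Image -like $_ }) { continue }     # excluded image: never blocked
        if ((Get-ShannonEntropy $e.Data) -lt $EntropyThreshold) { continue }
        if (-not $suspectFiles.ContainsKey($e.Pid)) { $suspectFiles[$e.Pid] = @() }
        if ($suspectFiles[$e.Pid] -contains $e.Path) { continue }
        $suspectFiles[$e.Pid] += $e.Path
        # Verdict exactly once, when the process reaches the threshold.
        if ($suspectFiles[$e.Pid].Count -eq $FileThreshold) {
            $action = if ($ReportingMode) { 'Report' } else { 'Block' }
            $verdicts += [pscustomobject]@{ Pid = $e.Pid; Image = $e.Image; Action = $action; Files = $suspectFiles[$e.Pid] }
        }
    }
    return $verdicts
}

# Constructed sample data: a seeded pseudo-random buffer stands in for ciphertext.
$rng        = New-Object System.Random 7
$cipherLike = New-Object byte[] 4096
$rng.NextBytes($cipherLike)
$textLike   = [System.Text.Encoding]::ASCII.GetBytes('quarterly figures, see sheet 2. ' * 128)

$docs    = 'C:\Users\alice\Documents'
$dropper = 'C:\Users\alice\AppData\Local\Temp\update.exe'
$backup  = 'C:\Tools\MyFolder\backup.exe'
$sampleEvents = @(
    [pscustomobject]@{ Pid = 4242; Image = $dropper; Op = 'Enumerate'; Path = $docs;                Data = $null }
    [pscustomobject]@{ Pid = 4242; Image = $dropper; Op = 'Read';      Path = "$docs\budget.xlsx"; Data = $null }
    [pscustomobject]@{ Pid = 4242; Image = $dropper; Op = 'Write';     Path = "$docs\budget.xlsx"; Data = $cipherLike }
    [pscustomobject]@{ Pid = 4242; Image = $dropper; Op = 'Write';     Path = "$docs\notes.docx";  Data = $cipherLike }
    [pscustomobject]@{ Pid = 1337; Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Op = 'Write'; Path = "$docs\memo.docx"; Data = $textLike }
    [pscustomobject]@{ Pid = 4242; Image = $dropper; Op = 'Write';     Path = "$docs\report.pdf";  Data = $cipherLike }
    [pscustomobject]@{ Pid = 2020; Image = $backup;  Op = 'Write';     Path = "$docs\a.7z";        Data = $cipherLike }
    [pscustomobject]@{ Pid = 2020; Image = $backup;  Op = 'Write';     Path = "$docs\b.7z";        Data = $cipherLike }
    [pscustomobject]@{ Pid = 2020; Image = $backup;  Op = 'Write';     Path = "$docs\c.7z";        Data = $cipherLike }
)

Invoke-EncryptionHeuristic -Events $sampleEvents -Exclusions '*\MyFolder\*' |
    Format-Table Pid, Action, Image, @{ n = 'Files'; e = { $_.Files -join '; ' } }
```

The sample deliberately includes a backup tool writing compressed archives, which are as high-entropy as ciphertext: that is the kind of legitimate process an exclusion such as `*\MyFolder\*` exists for. Adding `-ReportingMode` to the call changes the verdict from Block to Report without changing what is detected, which is the way to validate exclusions on a pilot group before enforcing.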
PRIVILEGES & APP CONTROL
Privileges & App Control allows you to control user permissions in your organization and enables you to manage elevations and special permissions for applications that are used on each endpoint. Privileges & App Control is structured into 2 modules: Privileged Access Management and Application Control.
PRIVILEGED ACCESS MANAGEMENT
The Privileged Access Management module will allow you to give users the ability to install software they need for a period you select using the Administrator Session or the Run with Privileged Access Management option for single file elevation. Rights granted can be revoked at any time and actions are logged for a full audit trail. This is the feature that allows an end-user to request admin privileges over his machine by sending a request to the Heimdal Dashboard System Administrator who can deny or accept his request.
Privilege Elevation and Delegation Management - turn ON/OFF the Privilege Elevation and Delegation Management module;
Deny elevation of system files - allows you to deny elevation of system files (e.g. cmd.exe, powershell.exe, services.msc);
Forbid elevation if CVSS >= 7 - denies elevation requests made from endpoints where a 3rd Party Application (managed by the HEIMDAL Agent through the 3rd Party Patch Management) is detected as vulnerable (with a CVSS score of 7 or higher) if the elevation approval mode is set to Auto-mode. This applies to endpoints where 3rd Party Patch Management is enabled;
User token elevation - installs a kernel mini-driver that allows the user to elevate files only under the User context (Run with Admin Privilege under the User context, instead of the System context). This functionality does NOT work if the user is a member of the Network Configuration Operators group. However, Run with Admin Privileges works if the user is moved to any of the following groups: Device Owners, Distributed COM Users, Event Log Readers, Hyper-V Administrators, Access Control Assistance Operators, IIS_IUSR, Network, Performance Log Users, Performance Monitor Users, Power Users, Remote Desktop Users, Remote Management Users, System Managed Accounts Group, Backup Operators;
Multi Factor Authentication - any type of elevation request will require an MFA code after which it will proceed to the flow configured in the GP. Once the option gets activated in the GP, the end user will receive an MFA pop-up with a QR code for registration using an authenticator application. Resetting the authenticator: Heimdal Agent -> Settings -> Privileges and App Control -> Privilege Elevation and Delegation Management -> Reset MFA button.
Primary user - allows only the primary user to request any admin privileges on that specific machine and starts collecting information (over 30-day timeframes) about each user that logs in on that particular machine, to determine the primary user based on the selected settings.
- Primary user based on AAD - will set the Primary User to be the one defined in the Microsoft Azure AD configuration. This info will be retrieved through an API call, if available, and will automatically set that user as the “Primary User”;
- Primary user based on first login - will set the Primary User to be the username that is the first non-admin one to log in on each machine that is part of the GP where the feature is enabled, whether it is a local or a domain account.
Note: If both options are enabled, the AAD settings will prevail over the first login mechanism when determining the Primary user.
De-elevate and block elevation for users with risk of infections - automatically removes the Administrator privileges and blocks elevation requests for a user if there were any malware detections found on the endpoint by the Heimdal Agent's Next-Gen Antivirus (statuses: None, QuarantinePending, ExcludePending, RepairPending, DeletePending, ErrorRepair, ErrorDelete, ErrorQuarantine) or VectorN detections in the past 7 days;
Enable PEDM Compliance data retrieval - allows the HEIMDAL Agent to retrieve information about the administrators found on the endpoints where the HEIMDAL Agent is installed;
Webhooks - allows IT Administrators to manage elevations from their own 3rd Party management applications. Enabling Webhooks will open 2 new fields that can get a Friendly Name and a URL (maximum 5 URLs are allowed). You can also decide whether the information should be sent as an adaptive card or not (this option is enabled by default). When Adaptive card is enabled, the transmitted data will be sent as an Adaptive Card, allowing for a rich, interactive user experience. If disabled, the data will be sent as a simple JSON object.
Run as Administrator
Allow run as administrator - turn ON/OFF the single-file elevation request (Run with AdminPrivilege) feature;
Require reason - when requesting an elevation, the Heimdal Agent will display a pop-up to request a reason for the elevation. You can also choose to enable Require phone number, Require email and Elevation reason no. of characters;
Elevation reason no. of characters - the functionality includes two text fields, meant to specify the minimum (default 1) and maximum (255 characters) character limits for the "Reason" field. If the feature is disabled and an elevation falling under the aforementioned scenario is requested, the default character range remains between 30 and 1000, as before;
Prevent spawning other processes - any process that is spawned by an application started with the Run with AdminPrivilege will be terminated;
Disable Windows consent - in the case of processes/operations that prompt the Windows UAC, this functionality will replace the UAC with the HEIMDAL UAC;
Machine Learning auto-approval - allows a file elevation request to be automatically approved by the HEIMDAL server if the elevation for the same file/process has historically been granted by an IT Administrator a number of times equal to or higher than the set threshold. ML auto-approved files/processes are listed in the History tab of the Privileged Access Management view;
Elevation approvals threshold - allows you to set the approval threshold for the Machine Learning auto-approval;
Auto-mode - all single-file elevation requests (Run with AdminPrivilege) will be automatically approved and queried in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privileged Access Management -> History filter);
Approval via Dashboard - all single-file elevation requests and responses will require the approval of the HEIMDAL Dashboard Administrator. The pending elevations will be displayed in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privileged Access Management -> Pending Approvals filter). Once approved, the requesting user will be able to start the session after receiving a Start elevation pop-up (this is automatically displayed in 1-5 minutes);
Local token elevation - requires the requesting user to enter a local token (no matter if the endpoint is online or offline) provided by the HEIMDAL Dashboard Administrator (a local token can be generated by the HEIMDAL Dashboard Administrator from each client specifics in the Privileges & App Control tab -> Privileged Access Management);
Approval via Dashboard when online - the elevation request is approved via the HEIMDAL Dashboard only (if the endpoint is online), without requiring a local token. If the endpoint is offline, the elevation request can be approved via the local token provided by the HEIMDAL Dashboard Administrator;
Disable Windows Consent - when enabled, the UAC prompt will be replaced with a PAM prompt, and running an application will require just a double-click. This checkbox can be changed (enabled/disabled) only if the User token elevation functionality is enabled;
Administrator Session
Allow administrator session - turn ON/OFF the full administrator elevation request feature. Note that some changes cannot be committed during an Administrator Elevation although the user has Administrator rights;
Require reason - when requesting an elevation, the Heimdal Agent will display a pop-up to request a reason for the elevation. You can also choose to enable Require phone number or Require email:
Automatically close all processes started during an elevation when the session ends - all processes that were started during an Administrator session will be terminated once the elevation session ends;
Allow user to end elevation - allows the elevated user to stop/revoke the Administrator session;
Auto-mode - all Administrator Session elevation requests (Run with AdminPrivilege) will be automatically approved and queried in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privileged Access Management -> History filter);
Approval via Dashboard - all Administrator Session elevation requests and responses will require the approval of the HEIMDAL Dashboard Administrator. The pending elevations will be displayed in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privileged Access Management -> Pending Approvals filter). Once approved, the requesting user will be able to start the session after receiving a Start elevation pop-up (this is automatically displayed in 1-5 minutes);
Local token elevation - requires the requesting user to enter a local token (no matter if the endpoint is online or offline) provided by the HEIMDAL Dashboard Administrator (a local token can be generated by the HEIMDAL Dashboard Administrator from each client specifics in the Privileges & App Control tab -> Privileged Access Management);
Approval via Dashboard when online - the elevation request is approved via the HEIMDAL Dashboard only (if the endpoint is online), without requiring a local token. If the endpoint is offline, the elevation request can be approved via the local token provided by the HEIMDAL Dashboard Administrator;
Allow user to end elevation - allows the user to revoke/stop the elevation;
Azure login - allows a member of an Azure AD group (the group can be specified in the Azure Group Name field that is displayed after enabling the option) to log in with their Azure AD credentials in order to request elevation on an endpoint. This feature is meant for Administrators who remote into the endpoints of standard users and get elevated with their own credentials. In Azure, you will need to allow the Heimdal Security PAM Sign-in action so that the function will allow you to sign in. This functionality is supported in hybrid environments. Azure AD-only or on-prem-only environments are NOT supported;
Do not allow Run with AP when session elevated - prevents the user from running with Admin Privileges while the system is already running an Administrator session. This means that the Run with Admin Privileges option (in the context menu) will not be available;
Keep user elevated on screen lock - allows end users to remain elevated even if their machine’s screen is locked. The following actions will still de-elevate the current user:
- Shutdown - turning off the computer will terminate all user sessions, including that of the current user;
- Restart - rebooting the system will also close all active sessions, causing the current user to lose their elevated privileges or session state;
- Sign out - this action will end the user's session, de-elevating their privileges;
- Another user connected with RDP to the machine - if another user connects to the machine via Remote Desktop Protocol (RDP), it can force the current user to be logged out, which also results in de-elevation;
- Another user signing into a different account on the same machine - if this occurs while the main account is in an elevated session, the main account will lose its elevated status;
SESSION LENGTH (2 MIN -24 H) - allows you to set the interval for the elevation session;
Group Settings
Allow only a specific user to request elevation rights - allows only a specific user to initiate elevation requests from a specific workstation. The username has to be the same as, or be included in, the hostname of the workstation from which the elevation is requested, and the username must be separated from the rest of the workstation name by the '-' character (e.g. MyLaptop-Username1 or Username1-MyLaptop);
Map users to group - allows you to specify a single local group name to allow the users that are members of the local group to request elevations (this field is case sensitive). The group must be present locally in the Local Users and Groups and only the members of that group will be allowed to request elevation;
Additional Settings
Accepted requests availability time - allows you to specify the time interval within which an approved elevation can be started. If the approved elevation session is not started in the specified timeframe, it will be automatically revoked after 24 hours. When this feature is turned OFF, the approved elevation session is revoked after 24 hours if it is not started by the user that requested it;
Time to live (1-24 hours) - allows you to set the time interval for the above-mentioned option;
Zero-Trust Execution Protection - enables the protection against zero-hour threats compromising your environment (it can be enabled/disabled from the Endpoint Detection -> Next-Gen Antivirus module and from the Privileges & App Control -> Privileged Access Management module as well). Zero-Trust Execution Protection checks the unsigned executable files and blocks their execution if deemed untrusted;
Reporting mode - allows the scanning and logging of applications by Zero-Trust Execution Protection without taking any action (allow or block).
Exclusions - the exclusion area allows you to exclude a process from the Zero-Trust Execution Protection by File Name, File Path, Directory, or MD5;
Revoke existing local admin rights - allows you to downgrade Administrator users (both Local and Domain users) to Standard users. The HEIMDAL Agent takes a snapshot of the local Administrators Group on each endpoint and removes all of its members (users and groups, except the default Administrator user) from that group, thus downgrading them to Standard permissions. Once enabled, the users that are logged in will preserve their Administrator permissions until the first logoff/reboot. On domain-joined computers, the downgrading of the members of the local Administrators Group will be performed only if the endpoint is communicating with the domain (domain controller). If the computer is not able to communicate with the domain (domain controller), the members of the local Administrators Group will NOT be removed from the group. The members of the local Administrators Group are cached in our local storage on service start (preserved users are not cached because they will not be removed). The members of the local Administrators Group are added back on service stop or when the Revoke existing local admin rights feature is disabled;
Preserved Users - allows you to preserve the Administrator permissions of the specified users/domain groups on a specific computer/group of computers (or all computers). If the user/domain group is preserved, the HEIMDAL Agent will not remove it from the local Administrators Group. Preserving a hostname without specifying a username (or a domain group) means that all users on that endpoint will remain members of the local Administrators Group. Preserving a username (or a domain group) without specifying the hostname means that all users with this username will remain members of the local Administrators Group on all the computers that are applying this Group Policy. The Username field allows you to select from the local Administrators that are detected on the endpoints. If the username that you are looking for is not among the ones present in the dropdown selector, you can manually type the username you want to preserve. In this case, ".\admin" is not an accepted value and is not supported;
Enforce token refresh - this option works only if the above-mentioned option (Revoke existing local admin rights) is enabled; it forces a log-off of the logged-in user (if they are part of the local Administrators Group) to revoke their membership of the local Administrators Group. A popup will appear in the right-side corner of the screen to inform the user that they will be automatically logged off in 5 minutes, to completely remove their Administrator privileges. The popup has a button that allows the user to log off right away;
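As an added example (not Heimdal's code), the PowerShell below performs the snapshot, revoke and restore sequence described for Revoke existing local admin rights and Preserved Users: it refuses to act on a domain-joined endpoint whose domain controller is unreachable, always keeps the built-in Administrator account, keeps anything on the preserve list, caches exactly the principals it removed, and adds them back on restore. The registry path used as the cache, the function names and the way a bare username on the preserve list is matched are assumptions.

```powershell
# Added example (not Heimdal's code): snapshot, revoke and restore local Administrators
# membership in the way the text describes. Uses the LocalAccounts cmdlets (Windows
# PowerShell 5.1 or PowerShell 7 on Windows) from an elevated session. The registry
# path used for the cache and the function names are assumptions.

$AdminCacheKey = 'HKLM:\SOFTWARE\ExampleVendor\AdminSnapshot'   # placeholder, not Heimdal's path

function Test-DomainReachable {
    # Domain-joined endpoints are only processed while the domain controller is reachable.
    $cs = Get-CimInstance Win32_ComputerSystem
    if (-not $cs.PartOfDomain) { return $true }      # workgroup machine: nothing to wait for
    try { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) } catch { return $false }
}

function Test-PreservedMember {
    param($Member, [string[]]$Preserved)
    # The built-in Administrator (RID 500) is always kept, as is anything on the preserve list.
    if ($Member.SID.Value -like '*-500') { return $true }
    foreach ($p in $Preserved) {
        # Assumption: accept 'DOMAIN\name' exactly, or a bare name that matches the account part.
        if ($Member.Name -eq $p -or ($Member.Name -split '\\')[-1] -eq $p) { return $true }
    }
    return $false
}

function Revoke-LocalAdminRights {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$PreservedUsers = @())
    if (-not (Test-DomainReachable)) {
        Write-Warning 'Domain controller not reachable; leaving the Administrators group untouched.'
        return
    }
    $members  = Get-LocalGroupMember -Group 'Administrators'
    $toRemove = @($members | Where-Object { -not (Test-PreservedMember $_ $PreservedUsers) })
    $names    = [string[]]@($toRemove | ForEach-Object { $_.Name })
    if ($names.Count -eq 0) { return @() }
    # Cache only what will be removed, so a restore puts back exactly those principals.
    if (-not (Test-Path $AdminCacheKey)) { New-Item -Path $AdminCacheKey -Force | Out-Null }
    Set-ItemProperty -Path $AdminCacheKey -Name 'RemovedMembers' -Value $names -Type MultiString
    foreach ($name in $names) {
        if ($PSCmdlet.ShouldProcess($name, 'Remove from Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $name
        }
    }
    return $names
}

function Restore-LocalAdminRights {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $cached = (Get-ItemProperty -Path $AdminCacheKey -Name 'RemovedMembers' -ErrorAction SilentlyContinue).RemovedMembers
    foreach ($name in @($cached)) {
        if (-not $name) { continue }
        if ($PSCmdlet.ShouldProcess($name, 'Add back to Administrators')) {
            Add-LocalGroupMember -Group 'Administrators' -Member $name -ErrorAction SilentlyContinue
        }
    }
    Remove-ItemProperty -Path $AdminCacheKey -Name 'RemovedMembers' -ErrorAction SilentlyContinue
}

# Dry run first; drop -WhatIf to apply. Preserved here: one domain group and one bare username.
Revoke-LocalAdminRights -PreservedUsers 'CONTOSO\Workstation Admins', 'helpdesk' -WhatIf
```

Removing a group membership does not change the access token of a user who is already logged on, which is why the text pairs this setting with Enforce token refresh: until that user logs off, their existing session still carries the Administrators group SID.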
Disable interactive logon - allows you to disable interactive logon to force the users that are logging in to enter both the username and password. Enabling/disabling this option will modify the following registry value: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername.
When Interactive Logon is disabled, we get the current value of that registry value and override it with 1. The current value is then saved in our repository in the Windows Registry, under the key CachedDontDisplayLastUsername. When Interactive Logon is re-enabled, we update the dontdisplaylastusername value with the one we cached and then delete our cached value. This improvement was made because we used to set dontdisplaylastusername to 0 by default if Revoke existing local admin rights was disabled (which it was, by default), even though some of our users needed to set that value to 1.
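The cache-then-override and restore-then-delete sequence just described, as an added PowerShell example (not Heimdal's code). The location of the cache value is a placeholder key, not the product's repository path, and the guard against caching twice is an addition the text does not mention: without it, a second Disable call would cache the 1 written by the first and the original setting would be lost.

```powershell
# Added example (not Heimdal's code): toggle the "do not display last user name" policy
# while preserving whatever the administrator had set before. Run elevated.

$PolicyKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName    = 'DontDisplayLastUserName'        # the value the text calls dontdisplaylastusername
$LogonCacheKey = 'HKLM:\SOFTWARE\ExampleVendor\Cache'   # placeholder, not Heimdal's path
$CacheName     = 'CachedDontDisplayLastUsername'

function Disable-InteractiveLogon {
    # 1 = hide the last signed-in account, so the user must type both name and password.
    $current = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    if ($null -eq $current) { $current = 0 }        # value absent means the Windows default (show it)
    if (-not (Test-Path $LogonCacheKey)) { New-Item -Path $LogonCacheKey -Force | Out-Null }
    # Cache only on the first disable: a repeated call must not overwrite the original with our own 1.
    $alreadyCached = Get-ItemProperty -Path $LogonCacheKey -Name $CacheName -ErrorAction SilentlyContinue
    if ($null -eq $alreadyCached) {
        Set-ItemProperty -Path $LogonCacheKey -Name $CacheName -Value ([int]$current) -Type DWord
    }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -Type DWord
}

function Enable-InteractiveLogon {
    $cached = (Get-ItemProperty -Path $LogonCacheKey -Name $CacheName -ErrorAction SilentlyContinue).$CacheName
    if ($null -eq $cached) { return }   # never disabled by us: leave the policy as the admin set it
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value ([int]$cached) -Type DWord
    Remove-ItemProperty -Path $LogonCacheKey -Name $CacheName
}
```

Enable-InteractiveLogon restores the cached value rather than writing 0, which is exactly the difference the text describes between the old behaviour and the improved one.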
APPLICATION CONTROL
The Application Control module allows you to control how processes (and applications) are executed on endpoints inside your organization. You can define a set of rules that describe what processes are allowed or blocked on your machines (in your environment) using details like Software Name, Paths, Publisher, MD5, Signature, or Wildcard Paths. Application Control can also control how a matched process runs: it can receive automatic elevation from the HEIMDAL Privileged Access Management module (if so configured), and its child processes (all processes spawned by the process defined by the rule) can be allowed or blocked.
Application Control - turn ON/OFF the Application Control module;
Privileged Access Management to bypass the ruleset - allows the Privileged Access Management module to bypass any defined rules during the elevation session;
General Settings
Full Logging Mode - allows the HEIMDAL Agent to intercept any process(es) running on the endpoints that are applying this Group Policy;
User token elevation - installs a kernel mini-driver that allows the user to elevate files only under the User context (Run with Admin Privilege under the User context, instead of the System context). This functionality does NOT work if the user is a member of the Network Configuration Operators group. However, Run with Admin Privileges works if the user is moved to any of the following groups: Device Owners, Distributed COM Users, Event Log Readers, Hyper-V Administrators, Access Control Assistance Operators, IIS_IUSR, Network, Performance Log Users, Performance Monitor Users, Power Users, Remote Desktop Users, Remote Management Users, System Managed Accounts Group, Backup Operators;
Internal port for AppControl - allows you to edit the internal port used by the Application Control module. 8001 is the default port number used by Application Control;
App. Control driver interception - installs and uses the Application Control kernel mini-filter driver that enhances the speed of the HEIMDAL Agent when intercepting and blocking a process;
Ruleset Mode - allows you to turn on/off the ruleset or to report the processes matched by the defined rules and to take action on them;
- Disable - disables the rules set in the ruleset;
- Enable - enables the rules set in the ruleset;
- Reporting only - intercepts and reports (in the Application Control view) the processes matched by the rules in the ruleset;
Default file action - this dropdown allows you to select the default action that will be performed (allow or block) if the processes that are executed are not matching any rules set in the Ruleset. System Files will be allowed to run unless they are matched on the Ruleset list;
If the Ruleset Mode is set to Enable and the Default file action is set to Block, the Apply default action to scripts tickbox becomes available. This means that you can allow the script extensions selected from the dropdown field to run no matter the Default file action.
Application Control Rules
You can add a rule to match a process based on several conditions:
- Priority - the higher the priority value, the higher the priority is;
- Subject - depending on the rule type, you can specify a Software name (Microsoft Edge), Path (C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe), MD5 (eaa5674047232d4a08e3f5a80ae41847), Publisher (Microsoft Corporation - the Publisher information is taken from the CN value of the Subject field inside the Certificate of a signed file or the Company Name detail of an unsigned file), Signature (c774204049d25d30af9ac2f116b3c1fb88ee00a4), Wildcard path (%SystemRoot%, %SystemDrive%, %SystemDirectory%, %ProgramFiles%, %ProgramFiles(x86)%, %ProgramData%, %AppData%, %TEMP%, %SystemDrive%\Test\*\download.exe, C:\test\*\download.exe, C:\test\*), Command Line (C:\Documents\test.pdf, *.pdf, C:\*\My Folder\*.pdf), Certificate subject (CN=Google*C=US*) - the rule will match the first part of the process certificate subject until the first *;
- Friendly name - a friendly name that can be used to search between rules;
- Allow Auto Elevation - specify whether the matched process will run under Administrator elevation or not. For Rule Types other than Path/Wildcard Path, you need to enable App. Control driver interception for the Auto Elevation functionality to work. Note: To gain access to and use the "Allow auto elevation" functionality you will require a Privileged Access Management (PAM) module license.
- Spawns - specify whether the matched process will allow the spawns of other child processes or not;
- Rule type - define the rule by Software Name, Path, MD5, Publisher, Signature, Wildcard path, Command Line Arguments, Certificate subject;
- Action Type - allows you to select between Allow and Block;
- Action - allows you to allow or block the defined process;
In the Ruleset table, you can enable Allow auto elevation for the selected rule to allow the matched process to run with Administrator permissions (requires the Application Control driver to be enabled, otherwise Allow auto elevation will be available only for Path and Wildcard path-type rules). The Spawns tickbox allows the process to spawn other processes. The Deny file permissions tickbox will deny user permissions (Full Control, Read, Write, etc.) when the user is trying to access a file matching a rule that is set to Block. You also have the possibility of searching through the rules and using the Download button to download a .csv file with all the rules in the Ruleset.
Due to possible performance issues, we recommend you keep the number of rules as low as you can (at least when it comes to MD5-type rules). This scenario is also impacted by the size of the files that are matched by rules. The performance issue is not caused by the HEIMDAL Agent itself, but by the fact that the MD5 needs to be computed every time the process is launched (especially with big executable files).
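As an added example (not Heimdal's code), the PowerShell below evaluates constructed process records against a ruleset of the shape described above: the highest Priority value wins, Wildcard path subjects expand %SystemDrive%-style variables and match with `*`, Certificate subject rules compare the literal prefix up to the first `*`, Reporting only reports a match without blocking, system files and the selected script extensions fall through a default Block, and the verdict carries the rule's Allow Auto Elevation and Spawns flags. The function names and record layout are assumptions; on a live endpoint the MD5 would come from `Get-FileHash -Algorithm MD5` and the signer details from `Get-AuthenticodeSignature`. The MD5 in the sample ruleset is the one quoted above; the process record that carries it is constructed.

```powershell
# Added example (not Heimdal's code): evaluating a process against an Application Control
# style ruleset. Process records are constructed; rule semantics follow the descriptions
# in the text, function names and the record layout are assumptions.

function Test-RuleMatch {
    param($Rule, $Process)
    switch ($Rule.RuleType) {
        'Software Name' { return $Process.SoftwareName -eq $Rule.Subject }
        'Path'          { return $Process.Path -eq $Rule.Subject }       # -eq is case-insensitive
        'MD5'           { return $Process.MD5 -eq $Rule.Subject }
        'Publisher'     { return $Process.Publisher -eq $Rule.Subject }
        'Signature'     { return $Process.Signature -eq $Rule.Subject }
        'Wildcard path' {
            # %SystemRoot%, %ProgramFiles% etc. expand against the live environment; '*' spans segments.
            return $Process.Path -like [Environment]::ExpandEnvironmentVariables($Rule.Subject)
        }
        'Command Line'  { return $Process.CommandLine -like $Rule.Subject }
        'Certificate subject' {
            # Match the literal prefix of the subject up to the first '*'.
            if (-not $Process.CertificateSubject) { return $false }
            $prefix = $Rule.Subject.Split('*')[0]
            return $Process.CertificateSubject.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)
        }
    }
    return $false
}

function Resolve-ProcessAction {
    param(
        $Process, [object[]]$Ruleset,
        [ValidateSet('Disable', 'Enable', 'Reporting only')][string]$RulesetMode = 'Enable',
        [ValidateSet('Allow', 'Block')][string]$DefaultFileAction = 'Allow',
        [string[]]$ScriptExtensionsAllowed = @()   # the "Apply default action to scripts" exceptions
    )
    $verdict = [ordered]@{ Path = $Process.Path; Action = 'Allow'; Reason = ''; AutoElevate = $false; Spawns = $true }
    if ($RulesetMode -eq 'Disable') { $verdict.Reason = 'ruleset disabled'; return [pscustomobject]$verdict }
    # Higher Priority value wins; the first matching rule decides.
    foreach ($rule in ($Ruleset | Sort-Object Priority -Descending)) {
        if (-not (Test-RuleMatch $rule $Process)) { continue }
        $verdict.Reason      = "rule '$($rule.FriendlyName)'"
        $verdict.AutoElevate = [bool]$rule.AllowAutoElevation   # needs a PAM licence in the product
        $verdict.Spawns      = [bool]$rule.Spawns
        if ($RulesetMode -eq 'Reporting only') { $verdict.Reason += ' (reported only)' }
        $verdict.Action = if ($RulesetMode -eq 'Reporting only') { 'Allow' } else { $rule.Action }
        return [pscustomobject]$verdict
    }
    # Nothing matched: system files run, exempt script types run, the rest gets the default.
    if ($Process.IsSystemFile) { $verdict.Reason = 'system file'; return [pscustomobject]$verdict }
    $ext = [IO.Path]::GetExtension($Process.Path)
    if ($DefaultFileAction -eq 'Block' -and $ScriptExtensionsAllowed -contains $ext) {
        $verdict.Reason = "script type $ext exempt from default Block"; return [pscustomobject]$verdict
    }
    $verdict.Action = $DefaultFileAction; $verdict.Reason = 'default file action'
    return [pscustomobject]$verdict
}

# Constructed ruleset: the MD5 is the one quoted in the Subject description above.
$ruleset = @(
    [pscustomobject]@{ Priority = 90; FriendlyName = 'Microsoft-signed';   RuleType = 'Certificate subject'; Subject = 'CN=Microsoft Corporation*C=US*';        Action = 'Allow'; AllowAutoElevation = $false; Spawns = $true }
    [pscustomobject]@{ Priority = 50; FriendlyName = 'No Downloads exe';   RuleType = 'Wildcard path';       Subject = '%SystemDrive%\Users\*\Downloads\*.exe'; Action = 'Block'; AllowAutoElevation = $false; Spawns = $false }
    [pscustomobject]@{ Priority = 20; FriendlyName = 'Approved installer'; RuleType = 'MD5';                 Subject = 'eaa5674047232d4a08e3f5a80ae41847';     Action = 'Allow'; AllowAutoElevation = $true;  Spawns = $true }
)

# Constructed process records (hashes and signer strings are illustrative, not measured).
$processes = @(
    [pscustomobject]@{ Path = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; CertificateSubject = 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'; MD5 = 'constructed-0001'; CommandLine = ''; IsSystemFile = $false }
    [pscustomobject]@{ Path = 'C:\Users\alice\Downloads\installer.exe'; CertificateSubject = $null; MD5 = 'eaa5674047232d4a08e3f5a80ae41847'; CommandLine = ''; IsSystemFile = $false }   # wildcard Block (50) outranks MD5 Allow (20)
    [pscustomobject]@{ Path = 'C:\Tools\helper.ps1';  CertificateSubject = $null; MD5 = 'constructed-0002'; CommandLine = ''; IsSystemFile = $false }
    [pscustomobject]@{ Path = 'C:\Tools\unknown.exe'; CertificateSubject = $null; MD5 = 'constructed-0003'; CommandLine = ''; IsSystemFile = $false }
)

$processes | ForEach-Object {
    Resolve-ProcessAction -Process $_ -Ruleset $ruleset -RulesetMode Enable `
        -DefaultFileAction Block -ScriptExtensionsAllowed '.ps1'
} | Format-Table Path, Action, AutoElevate, Spawns, Reason -AutoSize
```

The second process record is the case worth studying: it carries the MD5 of an approved installer, but because it sits under a user's Downloads folder the higher-priority wildcard Block rule decides first. Priority ordering, not rule type, is what resolves such overlaps, so review Priority values whenever an Allow rule with Auto Elevation is added.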
Zero-Trust Execution Protection - enables the protection against zero-hour threats compromising your environment (it can be enabled/disabled from the Endpoint Detection -> Next-Gen Antivirus module and from the Privileges & App Control -> Privileged Access Management module as well). Zero-Trust Execution Protection checks the unsigned executable files and blocks their execution if deemed untrusted;
Reporting mode - allows the scanning and logging of applications by Zero-Trust Execution Protection without taking any action (allow or block).
Exclusions - the exclusion area allows you to exclude a process from the Zero-Trust Execution Protection by File Name, File Path, Directory, or MD5;
REMOTE DESKTOP
By enabling the Remote Desktop, the HEIMDAL Agent will enable the network filter that will protect the computer from accessing malicious domains or URLs.
Remote Desktop - turn ON/OFF the Remote Desktop and allow Supporters from your organization to connect remotely to other computers;
Unattended Remote Desktop session - allows the Supporter to automatically connect remotely to any endpoint in your organization without needing the end user's approval. When connecting to an attended remote session, the end-user will get a pop-up to Accept or Reject the incoming connection;
Automatically record Remote Desktop sessions - allows the remote computer (applying this Group Policy) to record the remote session and makes it available to be downloaded from the HEIMDAL Dashboard.
The Supporters section allows you to see a list of all devices & usernames that are assigned the Supporter role to be able to perform an unattended remote session on the computers applying the specified Group Policy/Group Policies. The bin button allows you to remove any Supporter from the Supporter list.
Copy changes to other policies
Pressing the Update GP button displays a pop-up message that allows you to save the changes that you made to the current Group Policy, to specific Group Policies, or all Group Policies.
Current Group Policy - saves the changes you performed to the current Group Policy;
Specific Group Policies - allows you to select the Group Policies to which the new settings (only the new changes, not all the Group Policy settings) should be applied;
All Group Policies - allows you to apply the new settings (only the new changes) to all of the Group Policies.
Corner cases
- Schedulers - changing an existing scheduler in the Group Policy and copying the changes to another Group Policy or multiple Group Policies will not work if the module is disabled (if the change doesn't also enable the module). Example: GP1 has the 3rd Party Software enabled and you change the time interval in the Patching Scheduler. In this case, copying the new Patching Scheduler settings to GP2 will not be possible if 3rd Party Software is disabled in GP2;
- Schedulers - changing an existing scheduler and copying the changes to another Group Policy or multiple Group Policies that don't use a scheduler will not work/apply;
- Regular lists - copying the Domains Allowlist / Domains Blocklist to a Group Policy that does not have Domains Allowlist / Domains Blocklist enabled will not enable the options, but the lists are copied and they become available once the Domains Allowlist / Domains Blocklist are enabled;
- Custom Block Page - changing the custom block page file/filename will not get copied to the Group Policy or Group Policies where you want to copy it if the Custom Block Page option is not enabled;
- Patch & Assets -> 3rd Party Software - copying changes for regular 3rd Party Applications works; however, the changes that affect 3rd Party Applications that are added to Infinity Management are NOT copied if the Infinity Management option is disabled (and it does not enable Infinity Management);
- Pre-determined Category lists - copying a Category List to a Group Policy where the feature is disabled will not enable the feature but it will carry the copied Category List and the user can see it by enabling the feature;
- Remote Desktop Supporters - the list of supporters cannot be copied from one Group Policy to another as this data is handled from the Products -> Remote Desktop -> Remote Desktop view.