Block users from adding Windows Defender Exclusions via GPO?


tickermcse76

I do not have SCCM in the environment, but I see an option in the SCCM documentation, a configuration option for Endpoint Protection Policy - Advanced to "Allow users to exclude files and folders, file types, and processes" with values yes or no.

In GPO, I do not see the equivalent setting available. I can of course add my list of paths, extensions, and executable files which do get pushed with my GPO.

In testing, what I have found is that on clients under this GPO, my exclusions list gets implemented, but the menu options to add exclusions of any type are wide open to the users. I feel this is a significant security risk, as a bad actor would have the ability to implement a wide range of exclusions. The only option I could find that would disable this ability is to disable the UI (Client Interface/Enable headless UI mode). But it's too drastic a measure, as seeing (but not changing) some of the menu data is very useful.

Any advice? Am I just missing the setting? Test environment is all 2016 Server.
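One way to at least detect exclusions that users add locally on a client under that GPO, as an added PowerShell example that is not part of the original thread: it compares the effective Defender configuration (Get-MpPreference) against the list the GPO is supposed to push and lists any extras. The baseline values are hypothetical placeholders; substitute the paths, extensions and processes from your own GPO.

```powershell
# Added example (not from the original post): audit a client's effective Defender
# exclusions against the list the GPO pushes and report anything added locally.
# The baseline below is a hypothetical placeholder; use the exact values from your GPO
# (extensions are compared as stored, so match the form you configured, e.g. '.bak').
$Baseline = @{
    Path      = @('C:\App\Data', 'D:\Backups')
    Extension = @('.bak')
    Process   = @('backupagent.exe')
}

# Get-MpPreference returns the merged configuration (policy-managed plus local additions).
$pref = Get-MpPreference

$effective = @{
    Path      = @($pref.ExclusionPath)
    Extension = @($pref.ExclusionExtension)
    Process   = @($pref.ExclusionProcess)
}

# -notcontains is case-insensitive by default, which suits paths and extensions on Windows.
$findings = foreach ($kind in $Baseline.Keys) {
    $expected = $Baseline[$kind]
    foreach ($item in $effective[$kind]) {
        if ($null -ne $item -and $expected -notcontains $item) {
            [pscustomobject]@{ Kind = $kind; Exclusion = $item; Status = 'NotInBaseline' }
        }
    }
}

if ($findings) {
    Write-Warning 'Exclusions present that are not in the GPO baseline:'
    $findings | Format-Table -AutoSize

    # Defender logs a configuration-change event (ID 5007) in its Operational log each time
    # a setting such as an exclusion is changed; the recent entries give a timestamp to
    # correlate each local addition with.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message | Format-List
} else {
    Write-Output 'All effective exclusions match the GPO baseline.'
}
```

Run it under an account that can read the Defender Operational log; scheduled across the fleet it gives you the visibility the GPO itself does not, without resorting to headless UI mode.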
