Windows has GPOs organized in a hierarchy:
Local -> Site -> Domain -> OU
MVISION Endpoint applies its policy at the Local Group Policy level. Once the policy is applied to the system, Local Group Policy contains the MVISION Endpoint changes:
Local (MVISION Endpoint) -> Site -> Domain -> OU
GPOs are applied to a system or user in a fixed order, which the acronym LSDOU (Local, Site, Domain, OU) summarizes.
The settings are applied from the top down. MVISION Endpoint writes policies at the Local level, but any subsequent Group Policy layer (Site, Domain, or OU) that has the same setting configured or enabled can overwrite them.
In other words, MVISION Endpoint sets Group Policies locally (Local Group Policy), but the system overwrites them when the same Group Policies are set in Site, Domain, or OU GPOs.
In Active Directory, the topmost layer is the AD forest. An organization can have multiple forests. Each forest can contain multiple domains, each domain can contain multiple OUs, and each OU can have many child OUs.
You can filter a GPO in multiple ways, but the most common are Security Filtering and WMI Filtering.
You can modify the processing of GPOs in multiple ways, but the most common ways are Link Order, Enforced, and Block Inheritance:
- Link Order specifies the order in which GPOs linked at the same level are processed.
- Block Inheritance prevents GPOs from higher levels of the hierarchy from being applied. Only GPOs from the same level or below are applied.
- Enforced means that the GPO applies regardless of what subordinate OUs have configured. A GPO higher in the domain or OU structure that is Enforced overrides any subordinate OU, even one that has Block Inheritance enabled.
Other issues that might arise when an endpoint is joined to a domain:
- After MVISION Endpoint applies the current policies in Local Group Policy, the Group Policy component starts processing GPOs and applies them. A domain controller must be reachable during this process to supply the Domain GPOs to the endpoint. If no domain controller can be reached, MVISION Endpoint policies related to Windows components (Windows Defender Antivirus and Windows Defender Firewall) are not applied.
- Local Group Policy processing must not be disabled by a domain Group Policy.
- Enable registry policy processing to run in the background. Otherwise, applying MVISION Endpoint policies related to Windows components (Windows Defender Antivirus and Windows Defender Firewall) requires a restart. In particular, configure the Domain GPO setting Configure registry policy processing so that the option Do not apply during periodic background processing is Disabled.
- Applying MVISION Endpoint policies related to Windows components (Windows Defender Antivirus and Windows Defender Firewall) can take some time. Expect it to take about as long as the command gpupdate /force takes to complete.
To see what GPOs are applied on an endpoint, run the following two commands as an administrator:
gpupdate /force
gpresult /f /scope computer /h rsop.html
In the generated file rsop.html, in the sections for Windows Defender Antivirus and Windows Defender Firewall, every setting must show Winning GPO set to Local Group Policy for the MVISION Endpoint policies to take effect on the endpoint.
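As an added example (not part of the original article or the MVISION Endpoint product), the following PowerShell script automates that check: it generates the XML form of the RSoP report with gpresult /x instead of the HTML one, resolves each Windows Defender administrative-template setting to its winning GPO, and flags any setting not won by Local Group Policy, also listing Enforced GPOs since those override Block Inheritance. The element names read from the RSoP XML (ComputerResults/GPO with Name, Path/Identifier and Link/NoOverride; registry Policy elements with Name, State, Category and GPO/Identifier) are assumptions about gpresult's report format; firewall rules stored in a separate extension are not covered.

```powershell
# Run from an elevated PowerShell prompt on the enrolled endpoint.
# Assumed RSoP XML layout (gpresult /x): Rsop/ComputerResults/GPO lists applied GPOs;
# registry-extension Policy elements carry Name, State, Category and GPO/Identifier.
param([string]$Report = "$env:TEMP\rsop.xml")

gpupdate /force | Out-Null
gpresult /x $Report /scope computer /f | Out-Null
[xml]$rsop = Get-Content -Path $Report -Raw

# Namespace-agnostic child lookup: the report mixes several GroupPolicy XML namespaces.
function Get-NodeText([System.Xml.XmlNode]$Node, [string]$Path) {
    $xpath = ($Path -split '/' | ForEach-Object { "*[local-name()='$_']" }) -join '/'
    $n = $Node.SelectSingleNode($xpath)
    if ($n) { $n.InnerText.Trim() } else { '' }
}

# Map GPO identifier -> display name, and note which applied GPOs are Enforced (NoOverride).
$gpoName  = @{}
$enforced = @()
foreach ($g in $rsop.SelectNodes("//*[local-name()='ComputerResults']/*[local-name()='GPO']")) {
    $id = Get-NodeText $g 'Path/Identifier'
    $gpoName[$id] = Get-NodeText $g 'Name'
    if ((Get-NodeText $g 'Link/NoOverride') -eq 'true') { $enforced += $gpoName[$id] }
}
if ($enforced) { Write-Warning "Enforced GPOs (override Block Inheritance): $($enforced -join ', ')" }

# Check every administrative-template setting whose category mentions Defender.
$conflicts = @()
foreach ($p in $rsop.SelectNodes("//*[local-name()='Policy']")) {
    if ((Get-NodeText $p 'Category') -notmatch 'Defender') { continue }
    $id     = Get-NodeText $p 'GPO/Identifier'
    $winner = if ($gpoName.ContainsKey($id)) { $gpoName[$id] } else { $id }
    $line   = "{0} = {1}  [Winning GPO: {2}]" -f (Get-NodeText $p 'Name'), (Get-NodeText $p 'State'), $winner
    if ($winner -eq 'Local Group Policy') { Write-Host "OK    $line" }
    else { Write-Host "CHECK $line"; $conflicts += $line }
}
if ($conflicts.Count -eq 0) { Write-Host 'All Defender settings are won by Local Group Policy.' }
else { Write-Host "$($conflicts.Count) Defender setting(s) are overridden by Site/Domain/OU GPOs." }
```

Any line marked CHECK names a setting that a Site, Domain, or OU GPO is overwriting; that GPO (or its Enforced link) is what needs adjusting for the MVISION Endpoint policy to win.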