How can I tell what Forefront Endpoint Protection (FEP) policy is ultimately applied to a workstation and/or server?

Because a workstation or server can be in multiple collections, with multiple policies applied and policy precedence in play, it can be unclear which policy ends up in effect. The quickest and simplest way I've found is to look in the help section of FEP on the workstation or server itself. There you'll find the Policy Name and Policy Applied fields. In this example, the policy name on the workstation is windows 7 standard workstations, and it was applied on 1/25/2011 at 8:13 PM. It's only 2:20 PM now, so the time appears to be in UTC. If the workstation had not received a policy that someone created, it would have the default desktop policy; a server would have the default server policy.



Another way is to look at the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Security Client]
"LastSuccessfullyAppliedPolicy"="Test– Workstation Base Policy (jd01261032)"
"LastSuccessfullyAppliedPolicyTimeUTC"="2011-01-31T20:27:02.067Z"
"LastFailedToApplyPolicy"="Test– Workstation Base Policy (jd01261032)"
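The registry check above can be scripted. This is an added example, not part of the original post: a PowerShell function that reads the three values from the local machine and converts the UTC timestamp to local time, so it can be compared directly with the clock. The function name Get-FepAppliedPolicy and the output property names are hypothetical; the key and value names are the ones shown above.

```powershell
# Added example: report the FEP policy recorded in the local registry.
# Get-FepAppliedPolicy is a hypothetical helper name, not a FEP cmdlet.
function Get-FepAppliedPolicy {
    param(
        # Key and value names as shown in the registry excerpt above.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Microsoft Security Client'
    )

    if (-not (Test-Path -Path $Path)) {
        throw "Registry key not found: $Path (is the FEP client installed?)"
    }
    $props = Get-ItemProperty -Path $Path

    # The timestamp is stored as an ISO 8601 string with a trailing Z (UTC),
    # e.g. 2011-01-31T20:27:02.067Z. Parse it as UTC rather than local time.
    $appliedUtc = $null
    if ($props.LastSuccessfullyAppliedPolicyTimeUTC) {
        $appliedUtc = [datetime]::Parse(
            $props.LastSuccessfullyAppliedPolicyTimeUTC,
            [System.Globalization.CultureInfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::AdjustToUniversal)
    }

    # Convert to local time only when a timestamp was actually present.
    $appliedLocal = $null
    if ($appliedUtc) { $appliedLocal = $appliedUtc.ToLocalTime() }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        AppliedPolicy    = $props.LastSuccessfullyAppliedPolicy
        AppliedUtc       = $appliedUtc
        AppliedLocal     = $appliedLocal
        LastFailedPolicy = $props.LastFailedToApplyPolicy
    }
}

Get-FepAppliedPolicy | Format-List
```

Run it in a PowerShell session that matches the operating system's bitness, since a 32-bit session on 64-bit Windows is redirected to a different view of HKLM\SOFTWARE.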
