none
Endpoint Protection Antimalware Policy Client-Side Merge

    Question

  • Hello,

    I was wondering if I could get some guidence on the client-side merge functionality in SCEP 2012 SP1 please?

    I've been running the 2012 version of endpoint protection on my clients since RTM but I've held off on the servers so far- too many bad memories of configuring exclusions in FEP on SCCM 2007.

    I imagine what I want to do is fairly common in most environments...

    Lets say the following scenario exists:

    I have three servers- server1 (DC), server2(DC & DNS), server3 (DC, DNS & DHCP)

    I have three collections populated by queries - "All DCs", "All DNS Servers" and "All DHCP Servers"

    Server1, Server2 and Server3 are all a member of "All DCs"

    Server2 and Server3 are both members of "All DNS Servers"

    Server3 is a member of "All DHCP Servers"

    If I import the FEP_Default_DC, FEP_Default_DHCP and FEP_Default_DNS templates and deploy them to the appropriate collections will the client-side merge ensure the appropriate exclusions are in place or will the highest priority template settings take effect? I have read the SCEP documentation through a few times, so I know what the documentation says should happen, I'd just like to get an opinion of somebody who has this running in production!

    Thanks

    Steve

    Friday, July 19, 2013 12:40 PM

Answers

  • I haven't used those default templates in our environment. But I can tell you that we have setup multiple AM policies tied to different collections and when those collection memberships overlap for a client the settings do merge. For example, I have a base AM policy attached to a collection for all servers and a custom query that makes a SQL collection for any server with SQL installed. I have a separate AM policy with only SQL related exclusions applied to the SQL collection. The net result is that the SQL servers get all of the base settings and all of the exclusions from the SQL AM policy as well. For us this has been working very well.
    Friday, July 19, 2013 2:55 PM

All replies

  • I haven't used those default templates in our environment. But I can tell you that we have setup multiple AM policies tied to different collections and when those collection memberships overlap for a client the settings do merge. For example, I have a base AM policy attached to a collection for all servers and a custom query that makes a SQL collection for any server with SQL installed. I have a separate AM policy with only SQL related exclusions applied to the SQL collection. The net result is that the SQL servers get all of the base settings and all of the exclusions from the SQL AM policy as well. For us this has been working very well.
    Friday, July 19, 2013 2:55 PM
  • Thanks Ninja, I'll give it a try
    Monday, July 22, 2013 8:09 AM