FEP 2010 to SCEP 2012
-
Monday, April 23, 2012 4:04 PM
Hi,
Has anyone moved an environment from FEP 2010 to SCEP 2012 yet?
Any advice or gotchas to be aware of?
What is the recommended migration approach?
There seems limited documentation on TechNet yet for this scenario, unless I have missed it...
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
All Replies
-
Wednesday, April 25, 2012 3:04 AMModerator
Hi Jason,
Thank you for the post.
There seems limited documentation on TechNet yet for this scenario, unless I have missed it...
Yes, there is no guide so far for migrate FEP 2010 to SCEP 2012.
Since they are integrated with different SCCM versions, their migration should be same like migrate FCS to FEP 2010. Set up SCEP 2012 server side settings from zero(like SCCM2012 side-by-side migration) and push SCEP 2012 clients which may uninstall the FEP 2010 clients.
To migration FEP 2010 policy to SCEP 2012, we could use FEP2010 GP tool following the blog article below:
http://blogs.technet.com/b/configmgrteam/archive/2012/02/10/forefront-endpoint-protection-2010-group-policy-tool-is-unable-to-import-policy-files-exported-from-system-center-2012-endpoint-protection.aspxHope others may share some resources for this scenario.
Regards
Rick Tan
TechNet Community Support
- Edited by Rick TanModerator Wednesday, April 25, 2012 3:05 AM
- Marked As Answer by Jason Jones [MSFT]Microsoft Employee Wednesday, April 25, 2012 8:13 AM
-
Wednesday, April 25, 2012 8:13 AM
Hi Rick,
Thanks for your feedback, I hope to try it soon.
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Tuesday, May 22, 2012 11:43 PM
Hi All,
Just to complete the loop on this one and provide future help for anyone searching, here are a few notes:
It IS possible to directly import the exported antimalware policy XML files from FEP 2010 directly into SCCM 2012. From looking at the templates in the default import folder on the SCCM 2012 server, the original FEP 2010 templates are provided in addition to a few new SCEP specific templates.
After importing the templates, it is necessary to amend the definition updates setting to ensure Configuration Manager is added as a source and ideally placed at the top of the list above WSUS.
When creating new policies, there is no longer an option in the GUI to create a policy based upon a server workload/role template. However, you can choose the import option and select one of the original FEP 2010 server workload XML files (that the templates used) in order to create a policy with the appropriate starting parameters which you can then customise. I think it is a shame this is missing from the GUI, as people may not realise the template XMLs are actually still provided.
As part of enabling SCEP, the new SCEP 2012 client will be deployed to clients, which will then use the new SCEP 2012 antimalware policies you have created.
From what I can tell, you can now apply multiple antimalware policies to a single collection, and they will be applied cumulatively rather than just one "winning" which is a great improvement over FEP 2010. I also love the ability to merge policies; this is especially useful for multi-role servers where you can combine mutiple server workload templates into a single policy if desired (DC and DNS being an obvious example combination).
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
- Edited by Jason Jones [MSFT]Microsoft Employee Tuesday, May 22, 2012 11:51 PM
-
Wednesday, August 15, 2012 4:55 PMRidiculously helpful, sir. Thank you.
.png)
