FEP 2010 to SCEP 2012


All replies

  • Hi Jason,

    Thank you for the post.

    There seems limited documentation on TechNet yet for this scenario, unless I have missed it...

    Yes, there is no guide so far for migrate FEP 2010 to SCEP 2012.
    Since they are integrated with different SCCM versions, their migration should be same like migrate FCS to FEP 2010. Set up SCEP 2012 server side settings from zero(like SCCM2012 side-by-side migration) and push SCEP 2012 clients which may uninstall the FEP 2010 clients.
    To migration FEP 2010 policy to SCEP 2012, we could use FEP2010 GP tool following the blog article below:

    Hope others may share some resources for this scenario.


    Rick Tan

    TechNet Community Support

    Wednesday, April 25, 2012 3:04 AM
  • Hi Rick,

    Thanks for your feedback, I hope to try it soon.



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: and

    Wednesday, April 25, 2012 8:13 AM
  • Hi All,

    Just to complete the loop on this one and provide future help for anyone searching, here are a few notes:

    It IS possible to directly import the exported antimalware policy XML files from FEP 2010 directly into SCCM 2012. From looking at the templates in the default import folder on the SCCM 2012 server, the original FEP 2010 templates are provided in addition to a few new SCEP specific templates.

    After importing the templates, it is necessary to amend the definition updates setting to ensure Configuration Manager is added as a source and ideally placed at the top of the list above WSUS.

    When creating new policies, there is no longer an option in the GUI to create a policy based upon a server workload/role template. However, you can choose the import option and select one of the original FEP 2010 server workload XML files (that the templates used) in order to create a policy with the appropriate starting parameters which you can then customise. I think it is a shame this is missing from the GUI, as people may not realise the template XMLs are actually still provided.

    As part of enabling SCEP, the new SCEP 2012 client will be deployed to clients, which will then use the new SCEP 2012 antimalware policies you have created. 

    From what I can tell, you can now apply multiple antimalware policies to a single collection, and they will be applied cumulatively rather than just one "winning" which is a great improvement over FEP 2010. I also love the ability to merge policies; this is especially useful for multi-role servers where you can combine mutiple server workload templates into a single policy if desired (DC and DNS being an obvious example combination). 



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: and

    Tuesday, May 22, 2012 11:43 PM
  • Ridiculously helpful, sir. Thank you.
    Wednesday, August 15, 2012 4:55 PM