Managing SCEP 2012 with group policy?

  • Question

  • Is it possible to manage SCEP 2012 settings on clients through group policy? Our existing FEP 2010 group policy settings do not seem to apply to SCEP 2012, and I haven't been able to find any ADML and ADMX files for 2012.
    Monday, September 10, 2012 1:43 PM

All replies

  • Hi,

    Thank you for the post.

    There is no ADML/ADMX GP template for SCEP 2012. But you could use fep2010gptool to import SCEP policy to group policy.

    http://blogs.technet.com/b/configmgrteam/archive/2012/02/10/forefront-endpoint-protection-2010-group-policy-tool-is-unable-to-import-policy-files-exported-from-system-center-2012-endpoint-protection.aspx

    If there are more inquiries on this issue, please feel free to let us know.

    Regards


    Rick Tan

    TechNet Community Support

    Tuesday, September 11, 2012 7:50 AM
    Moderator
  • So if I understand this correctly, I would:

    1) Export a policy file from SCEP 2012

    2) Make the changes to the XML file as the link illustrates

    3) Use the fep2010gptool to import that XML file back into GPO

    If that's the general idea, how do I go about exporting a policy file from SCEP 2012? Or can I instead export my existing FEP 2010 GPO to an XML file, modify the XML file, then import it back into a GPO?

    Tuesday, September 11, 2012 12:40 PM
  • Hi,

    If that's the general idea, how do I go about exporting a policy file from SCEP 2012?
    Just right-click the policy in the SCCM console and click Export.

    Or can I instead export my existing FEP 2010 GPO to an XML file, modify the XML file, then import it back into a GPO?
    Yes, but some registry keys have changed in SCEP 2012, so you need to compare with the SCEP 2012 XML to change it. In this case, it's easy to configure the policy in a new SCEP policy in the SCCM console.

    Regards,


    Rick Tan

    TechNet Community Support


    Wednesday, September 12, 2012 2:27 AM
    Moderator
  • The problem is I'm not running SCCM. That's why I want to use GPO to manage my clients.
    Wednesday, September 12, 2012 11:28 AM
  • Hi,

    Until now, I'm afraid that you cannot manage SCEP without SCCM.

    Regards,


    Rick Tan

    TechNet Community Support

    Thursday, September 13, 2012 2:01 AM
    Moderator
  • That's a really disappointing answer.  I am in a similar position - we don't have SCCM (or SCOM), yet I want to manage the scan schedule settings for SCEP clients via GP.

    Rick, could I obtain such a policy file from yourself or someone else (i.e. Microsoft support)?

    A second option might be to use GP to deploy a scheduled task to run msseces.exe with a switch to do a full scan, but that would only give me control of the full scan settings, and not all the other options.  Would you know of any of those switches?

    crhosu, were you able to find the policy file anywhere?

    Monday, October 8, 2012 11:25 AM
  • I have not been able to find anything that helps me manage SCEP 2012 without SCCM. So for the time being we are not rolling it out to any clients. The loss of basic group policy functionality is a major disappointment and will probably cause us to look for a different vendor.

    Being able to obtain a basic GPO from someone else running SCCM sounds interesting. I'd also like to know if this is possible.

    Monday, October 8, 2012 12:14 PM
  • Rick Tan,

    I am working on migrating SCCM 2007 to SCCM 2012 mainly for moving broken FCS antivirus to SCEP 2012.

    The ideal way of deploying would be to replace the existing FCS group policies with SCEP 2012 policies.

    As there is no ADML/ADMX GP template for SCEP 2012, I am planning to use fep2010gptool to import SCEP policy to group policy.

    http://blogs.technet.com/b/configmgrteam/archive/2012/02/10/forefront-endpoint-protection-2010-group-policy-tool-is-unable-to-import-policy-files-exported-from-system-center-2012-endpoint-protection.aspx

    Are there any further suggestions for doing this?

    Thanks

    Dilip

    Wednesday, October 24, 2012 7:00 PM
  • I have followed your instructions, but it's still not displaying in Group Policy. Any suggestions?
    Wednesday, February 26, 2014 11:49 AM
  • Hey guys,

    I do not know if you are still in need, but I managed to build a GPO template using the admx template from this download:

    http://www.microsoft.com/en-US/download/details.aspx?id=13088

    There you can download the fep2010grouppolicytools-en-us.exe which contains an admx and adml file. You can use it as-is or customize the titles by simply replacing "forefront_endpoint_protection_2010" with "system_center_endpoint_protection_2012_r2" (looks better in GPO editor :-)

    In my environment I had to customize the following line because of an error message when opening GPO editor:

    <target prefix="MicrosoftAntimalware" namespace="Microsoft.Policies.Antimalware" />

    TO

    <target prefix="MicrosoftAntimalware" namespace="Microsoft.Policies.Antimalware.SCEP" />

    I wanted to show the settings on top of the menus so I removed the following line:

          <parentCategory ref="windows:System" />

    Now it looks like this:

    In it you will find all the settings for configuring SCEP. :-)

    Best regards,

    Ben

    • Proposed as answer by FrankPSB Thursday, November 10, 2016 7:35 PM
    Friday, July 18, 2014 9:58 AM
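
The two ADMX edits described in the post above, scripted so they are applied to a copy of the template and checked afterwards. This is an added example, not part of the original thread or of Microsoft's tooling; both file paths are placeholders (assumptions) for wherever the FEP 2010 template was extracted.

```powershell
# Added example: applies the two ADMX edits from the post above to a copy of the template.
# Both default paths are placeholders (assumptions); pass full paths to your own files.
param(
    [string]$SourceAdmx = 'C:\Temp\FEP2010GP\template.admx',
    [string]$OutputAdmx = 'C:\Temp\SCEP2012GP\template.admx'
)
$ErrorActionPreference = 'Stop'

$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true   # keep the file's layout so a diff shows only the edits
$doc.Load((Resolve-Path $SourceAdmx).Path)

# Edit 1: change the target namespace. local-name() is used so the query works
# whether or not the file declares a default XML namespace.
$targetQuery = "//*[local-name()='target' and @prefix='MicrosoftAntimalware']"
$target = $doc.SelectSingleNode($targetQuery)
if ($null -eq $target) { throw "No <target prefix='MicrosoftAntimalware'> element in $SourceAdmx" }
$oldNamespace = $target.GetAttribute('namespace')
$target.SetAttribute('namespace', 'Microsoft.Policies.Antimalware.SCEP')

# Edit 2: remove <parentCategory ref="windows:System" /> so the category is shown at the top level.
# @() copies the node list first, so removing nodes does not disturb the loop.
$parentQuery = "//*[local-name()='parentCategory' and @ref='windows:System']"
$parents = @($doc.SelectNodes($parentQuery))
foreach ($node in $parents) { [void]$node.ParentNode.RemoveChild($node) }

# Write to a new file; the original template is left untouched.
$outDir = Split-Path -Parent $OutputAdmx
if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }
$doc.Save($OutputAdmx)

# Re-read the result: this fails if the output is not well-formed XML,
# and the summary shows whether both edits are present.
$check = New-Object System.Xml.XmlDocument
$check.Load($OutputAdmx)
[pscustomobject]@{
    OldNamespace            = $oldNamespace
    NewNamespace            = $check.SelectSingleNode($targetQuery).GetAttribute('namespace')
    ParentCategoriesRemoved = $parents.Count
    ParentCategoriesLeft    = $check.SelectNodes($parentQuery).Count
}
```

The matching .adml file goes in the language subfolder (for example en-US) beside the .admx and must keep the same base file name.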
  • SCEP 2012 ADMX files ship with the SCEP 2012 4.10 client. On any system that has SCEP 2012 4.10 installed, you will find GPO templates in c:\program files\microsoft security client\ADMX.

    Sorry I'm late to the party, just saw this thread when I was hunting for something else.

    Tuesday, September 10, 2019 3:05 PM