Share via

About Configuring Clients by Using Policies

  • Article

Applies To: Forefront Endpoint Protection

Client configuration in Forefront Endpoint Protection can be accomplished in a variety of ways. While it is possible to configure each client by logging on locally, this is typically not practical and can be labor intensive. Additionally, it is a challenge to configure consistent settings for large numbers of clients if you attempt to configure all of the desired settings locally.

In order to help make client configuration consistent and reliable, you are provided with two ways to author policies and four ways to deploy policies. The way you elect to configure clients can be based on your existing environment or you may want to create the necessary environment in order to deploy client settings based on factors such as policy merge behavior or ease of deployment.

If you are running a server operating system, you can use preconfigured policy templates that contain optimized settings. Additionally, you can use the Forefront Endpoint Protection Group Policy Tool in order to convert policies that are in XML format into a format that can be used by Group Policy. You can also use this tool to merge existing policies into a single policy or to export the FEP configuration settings from a Group Policy object (GPO) into a policy that can be applied to a computer or server locally or by script. For more information about the Forefront Endpoint Protection Group Policy Tool, see Converting FEP Policies to Group Policy. For more information about preconfigured policy templates for FEP on Configuration Manager, see Creating a Policy. For more information about preconfigured policy templates for the Forefront Endpoint Protection Security Management Pack, see About Preconfigured Policy Templates.

Creating and Configuring Policies

Authoring policies consists of both creating a policy and then configuring the settings that you want to deploy to the clients that will receive the policy. Each authoring method produces an output in a different format. The method by which you author a policy may determine the method by which you can deploy a policy. The two methods available for authoring policies are Configuration Manager with Forefront Endpoint Protection installed, and by using the Group Policy Editor along with the FEP ADMX. For more information about creating and configuring policies by using Configuration Manager with Forefront Endpoint Protection installed, see FEP Policies. For more information about creating policies by using the Forefront Endpoint Protection Group Policy Tool, see Using Group Policy with FEP. For more information about the policy settings that are available through the FEP ADMX, see the FEP ADMX Reference.

You can author policies by using the following methods.

Authoring method Policy can be applied by using Additional information

Configuration Manager with Forefront Endpoint Protection installed
  • Configuration Manager with Forefront Endpoint Protection installed.

  • Group Policy. Export the policy from Configuration Manager and then use the Forefront Endpoint Protection Group Policy Tool to import the exported FEP policy into a Group Policy object.

  • Script (exported policies).

  • FEP client installation (exported policies).
  • Policy settings can be exported by using Configuration Manager with Forefront Endpoint Protection installed.

  • Exported file format is XML.

  • Fewer granular policy settings are available to configure than when using GPEDIT with the FEP ADMX.

GPEDIT with the FEP ADMX
  • Group Policy.

  • Script.

  • FEP client installation.
  • Policy settings can be exported by using the Forefront Endpoint Protection Group Policy Tool.

  • Exported file format is XML.

  • Granular policy settings are available with the FEP ADMX.

Deploying Policies

In order to apply configurations to clients, Forefront Endpoint Protection provides four ways to deploy policies. You can decide on a single way to deploy policies or use a combination of ways. For example, if you typically use Group Policy to configure and deploy policies, you might want to continue to use that method in order to deploy FEP policies. Or, you may prefer to use Configuration Manager in order to manage your FEP client settings. Additionally, you might also have non-domain-joined servers that also must receive policy settings. You can install policy settings locally on those servers, or install them by using a script.

Warning

It is not recommended to use both Configuration Manager and Group Policy in order to apply policy settings on the same client. Because Configuration Manager writes to the local policy of the computer, policy configurations deployed via Group Policy will take precedence over any conflicting FEP local policy settings.

You can deploy policies by using the following methods.

Policy deployment method Policy settings merge behavior Policies authored by Additional information

Configuration Manager with Forefront Endpoint Protection installed

Policy merging is not available.
  • Only by Configuration Manager with Forefront Endpoint Protection installed.
  • Only one policy can be applied to a computer at any given time.

  • FEP policies are written to the local policy settings.

  • If FEP GPO policy settings are also applied to the same computer, any conflicting FEP GPO policy settings will take precedence over settings that are configured by FEP policy.

Group Policy

Policy merging is available.
  • GPEDIT and ADMX.

  • Settings contained in FEP policy XML files can be imported by using the Forefront Endpoint Protection Group Policy Tool.
  • Policies merge according to Group Policy precedence order and policy filtering.

  • FEP GPO policy settings take precedence over local policy settings.

MSI install with parameter switch

Policy merging is available by using the Forefront Endpoint Protection Group Policy Tool to merge settings contained in multiple policy files. The merged settings can then be exported to a single XML file.
  • The exported XML policy file from Configuration Manager with Forefront Endpoint Protection installed.

  • Preconfigured policies from the Microsoft Download Center.

  • Policy settings exported from Group Policy to an XML policy file by using the Forefront Endpoint Protection Group Policy Tool.
  • FEP settings are written to the local policy.

  • FEP GPO policy settings take precedence over the local policy settings.

Script

Policy merging is available by using the Forefront Endpoint Protection Group Policy Tool to merge settings contained in multiple policy files. The merged settings can then be exported to a single XML file.
  • The exported XML policy file from Configuration Manager with Forefront Endpoint Protection installed.

  • Preconfigured policies from the Microsoft Download Center.

  • Policy settings exported from Group Policy to an XML policy file by using the Forefront Endpoint Protection Group Policy Tool.
  • FEP settings are written to the local policy.

  • FEP GPO policy settings take precedence over the local policy settings.