Applying Policies from the Command Prompt

Applies To: Forefront Endpoint Protection

You can apply preconfigured FEP policy templates downloaded from the Microsoft Download Center, FEP policies exported by using the FEP Group Policy Tool, and FEP policies exported from Configuration Manager, from the command prompt.

It is important to note that when applying FEP policies from the command prompt, the resultant policy settings on the client are cumulative. For this reason, you must apply the policies in the proper sequence in order to obtain the desired configuration results.

For example, if you apply one policy that sets Turn on behavior monitoring: Enabled, and also sets Allow users to pause a scan: Enabled, and you then apply a second policy to the same server that sets Turn on behavior monitoring: Disabled, the resulting policy settings on the client will be Turn on behavior monitoring: Disabled, and Allow users to pause a scan: Enabled. However, configurations that were set locally on the server that do not pertain to FEP, such as enabling a screen saver, will not be overwritten. For this reason, it is important not only to be aware of the settings in the policy template that you are applying; you must also apply policy templates in the proper order. It is recommended that when you apply multiple policy templates from the command prompt, you apply the default server policy template first, and then apply additional policy templates.

Warning

When applying policies to domain-joined computers, regardless of whether the policy settings are contained in a preconfigured policy template or an exported policy file, the domain-joined computer will not apply the settings contained in the policy until it is able to communicate with the domain controller. Clients running the FEP software will indicate that the policy was received and applied successfully. However, communication with the domain controller is required in order to apply the settings contained in the policy. Settings will be immediately applied when the domain-joined computer is able to communicate with the domain controller. This warning does not apply to non-domain-joined clients.

Applying Preconfigured Policy Templates

There are two separate downloads available that contain preconfigured policy templates. The FEPServerRolePoliciesForUseWithGPO.exe download contains the policy templates that you can use in order to apply preconfigured policy settings from the command prompt. The latest version of FEPServerRolePoliciesForUseWithGPO.exe is available for download from the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=207730).

Important

Before proceeding with these steps, verify that the client software that is installed on the endpoint is the latest supported version. If the client software is not the latest version, uninstall the client software, and then install both the client software and the policy. For more information about how to install the client software at the command prompt along with a policy, see Deploying the Client Software by Using the Command Prompt.

To apply a preconfigured policy to a client locally

  1. Copy FEPInstall.exe and FEPServerRolePoliciesForUseWithGPO.exe to the server on which you want to apply a preconfigured policy to an existing client.

  2. Double-click FEPServerRolePoliciesForUseWithGPO.exe in order to extract the preconfigured policy file templates.

  3. From an elevated command prompt, navigate to the %programfiles%\Microsoft Security Client folder, and then run the following command:

    ConfigSecurityPolicy.exe [full path]\[policy file]

    Important

    You must change to this directory and run the command from that location.

    For example, if you want to apply a policy template named FEP_DHCP.xml to a server running DHCP, run the following command:

    ConfigSecurityPolicy.exe \\servername\share\FEP_DHCP.xml
    where servername is the name of the server hosting the share, and share is the name of the shared folder on that server.

    Important

    You must always specify the full path for the policy location.

  4. Wait for approximately three minutes in order for the settings to update in the user interface, and then open the Forefront Endpoint Protection client software. Verify that the settings defined in the policy are shown in the client software.

Applying Exported Policies

You can export policy settings to a Forefront Endpoint Protection .xml policy file by using the Forefront Endpoint Protection Group Policy Tool or Configuration Manager, depending on the location of the policy settings. For more information about exporting Group Policy settings, see Exporting Policy Settings to a FEP Policy File. For more information about exporting FEP policies in Configuration Manager, see Exporting a Policy.

Important

Before proceeding with these steps, verify that the client software that is installed on the endpoint is the latest supported version. If the client software is not the latest version, uninstall the client software, and then install both the client software and the policy. For more information about how to install the client software at the command prompt along with a policy, see Deploying the Client Software by Using the Command Prompt.

To apply an exported policy to a client locally

  1. From an elevated command prompt, navigate to the %programfiles%\Microsoft Security Client folder, and then run the following command:

    ConfigSecurityPolicy.exe [full path]\[policy file]

    Important

    You must change to this directory and run the command from that location.

    For example, if you want to apply a policy template named My_Exported_Policy.xml to a server, run the following command:

    ConfigSecurityPolicy.exe \\servername\share\My_Exported_Policy.xml
    where servername is the name of the server hosting the share, and share is the name of the shared folder on that server.

    Note

    You must always specify the full path for the policy location.

  2. Wait for approximately three minutes in order for the settings to update in the user interface, and then open the Forefront Endpoint Protection client software. Verify that the settings defined in the policy are shown in the client software.
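The following script is an added example, not part of this page or of Microsoft's FEP tooling. It wraps the two local-apply procedures above (preconfigured templates and exported policies) and also enforces the cumulative-ordering rule and the domain-joined caveat described earlier: it runs ConfigSecurityPolicy.exe from the Microsoft Security Client folder, rejects any policy path that is not a full path, applies the files in the order given (default server template first), and warns when a domain-joined client cannot currently reach a domain controller. The default server template file name, the servername and share values, and the assumption that a non-zero exit code from ConfigSecurityPolicy.exe indicates failure are placeholders or assumptions; the page does not document exit codes. The elevation check, Get-WmiObject and Test-ComputerSecureChannel are standard Windows PowerShell features and are used here only to implement the checks the page describes.

```powershell
# Added example (not from the original page or from Microsoft).
# Applies FEP policy files with ConfigSecurityPolicy.exe in an explicit order,
# from the client folder, using full paths only. Placeholders are marked.
param(
    # Ordered list: settings are cumulative, so the default server template
    # goes first and role-specific or exported policies follow it.
    [string[]]$PolicyFiles = @(
        '\\servername\share\FEP_Default_Server_Policy.xml',  # PLACEHOLDER file name: substitute the real default server template
        '\\servername\share\FEP_DHCP.xml'                    # template name used as the example on the page
    )
)

$ErrorActionPreference = 'Stop'

# The page requires an elevated command prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

$clientDir = Join-Path $env:ProgramFiles 'Microsoft Security Client'
$tool      = Join-Path $clientDir 'ConfigSecurityPolicy.exe'
if (-not (Test-Path -LiteralPath $tool)) {
    throw "ConfigSecurityPolicy.exe not found in '$clientDir'. Install the FEP client first."
}

# Caveat from the page: a domain-joined client reports the policy as applied,
# but the settings do not take effect until a domain controller is reachable.
# Warn so the operator knows to verify later; do not abort.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $secureChannelOk = $false
    try { $secureChannelOk = Test-ComputerSecureChannel } catch { }
    if (-not $secureChannelOk) {
        Write-Warning ("Cannot confirm a secure channel to domain '{0}'. The client will report " +
                       "success, but settings apply only once a domain controller is reachable.") -f $cs.Domain
    }
}

# The tool must be run from its own folder, and each policy path must be a full path.
Push-Location -LiteralPath $clientDir
try {
    foreach ($policy in $PolicyFiles) {
        if (-not [System.IO.Path]::IsPathRooted($policy)) {
            throw "Policy path '$policy' is not a full path (a drive letter or UNC path is required)."
        }
        if (-not (Test-Path -LiteralPath $policy -PathType Leaf)) {
            throw "Policy file '$policy' does not exist or is not readable from this computer."
        }

        Write-Host "Applying policy: $policy"
        # Assumption: a non-zero exit code means the tool failed; the page does not document exit codes.
        $proc = Start-Process -FilePath $tool -ArgumentList "`"$policy`"" -Wait -PassThru -NoNewWindow
        if ($proc.ExitCode -ne 0) {
            throw "ConfigSecurityPolicy.exe returned exit code $($proc.ExitCode) for '$policy'."
        }
    }
}
finally {
    Pop-Location
}

Write-Host 'All policies applied in order. Allow about three minutes, then open the FEP client and confirm the settings.'
```

Run it as `.\Apply-FepPolicies.ps1 -PolicyFiles '\\servername\share\FEP_Default_Server_Policy.xml','\\servername\share\FEP_DHCP.xml'` (or with a single exported file such as My_Exported_Policy.xml). Because later files overwrite earlier settings, the order of the list is the configuration: review it before running rather than relying on the client's "applied successfully" indication, which does not mean the settings are in force on a domain-joined computer.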