Using SCEP policy templates

One of the best features in FEP was the use of policy templates. Microsoft included a list of pre-configured policies for just about every type of server-based application that they offer (SQL, Exchange, IIS, and so on). These policy templates were based on Microsoft's best practices for OS-level anti-virus products and included all the exclusions and exceptions needed to maximize performance, while maintaining a proper level of security.

Luckily, Microsoft has decided to include these policy templates in SCEP, but the way they are accessed and utilized is a little bit different from before. In this recipe, we will be building a policy for an Exchange 2010 server.

Getting ready

For this recipe, you will need an account that has at least the SCEP administrator role assigned to it.

How to do it...

Follow these steps:

  1. Log in to your SCCM CAS server, launch your SCCM 2012 management console, and navigate to Assets and Compliance | Overview | Endpoint Protection | Antimalware Policies.
  2. Click on the Import button on the top left-hand side of the user interface; an explorer window should open up to display a long list of XML files, as shown in the following screenshot:
  3. Locate the file titled FEP_Default_Exchange and select it, then click on the Open button.
  4. The Create Antimalware Policy wizard should open with its options pre-populated, as shown in the following screenshot:
  5. You have the option to change any settings that are not in line with your organization's policies. Once you are happy with the policy, click on OK to close the wizard.
  6. Deploy the policy to a collection that contains the intended target PCs. In this example, you would want to choose a collection that contains only Exchange servers. Such a collection would need to be created with a query that identifies Exchange servers by looking for Exchange 2010 in their Add/Remove programs.
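
The collection query from step 6 and the template import from steps 2 and 3 can also be scripted. The following is an added example, not part of the original recipe: it assumes the ConfigurationManager PowerShell module installed with the admin console, and the site code, template path, collection name, and the Add/Remove Programs display name string are placeholders or assumptions to check against your own hardware inventory.

```powershell
# Added example (not from the original recipe). Placeholders are marked below.
$SiteCode       = 'XXX'                                   # placeholder: your site code
$TemplatePath   = 'C:\Path\To\FEP_Default_Exchange.xml'   # placeholder: template location
$CollectionName = 'Exchange 2010 Servers'                 # hypothetical collection name

# Load the module that ships with the admin console and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# WQL: systems whose 64-bit Add/Remove Programs inventory lists Exchange 2010.
# The display name pattern is an assumption; confirm it in Resource Explorer first.
$Wql = @'
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64
  on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName like "Microsoft Exchange Server 2010%"
'@

# Create the collection only if it does not exist, then attach the query rule.
if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
    New-CMDeviceCollection -Name $CollectionName -LimitingCollectionName 'All Systems' | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
        -RuleName 'Exchange 2010 in Add/Remove Programs' -QueryExpression $Wql
}

# Import the Exchange template so it appears under Antimalware Policies.
if (-not (Test-Path -LiteralPath "FileSystem::$TemplatePath")) {
    throw "Template not found: $TemplatePath"
}
Import-CMAntimalwarePolicy -Path $TemplatePath

# Review membership before deploying: the template's exclusions reduce scan
# coverage, so every member should really be an Exchange server.
Get-CMCollectionMember -CollectionName $CollectionName |
    Sort-Object Name |
    Select-Object Name, ResourceId
```

Membership is only populated after the collection has been evaluated, so an empty list immediately after creation is expected. Deploy the imported policy from the console as in step 6 once the member list has been checked.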

How it works...

The SCEP product team has worked with different server application product teams to build policy templates that include the ideal set of exclusions and exceptions. Although the XML files for these policy templates start with the letters FEP, they are still valid for use in SCEP.

Merging policy templates:

One way in which policy templates could be useful is to merge them with your existing general server policy. In this scenario, your own server policy would be chosen as the base during the merge. The end result would be a policy that has all your standard settings for scheduled scan times, update sources, and so on, and the additional settings for the necessary folder and file exclusions that Microsoft recommends to keep the given application running at peak performance.

If you have a server that runs two or more Microsoft applications, you could also merge the policies for both applications to create a new super policy that includes the exclusions for both products.
