Assigning and Unassigning FEP Policies to Collections

Applies To: Forefront Endpoint Protection

You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to automate assigning FEP policies to collections.

The following sections demonstrate how you can assign an FEP policy to a collection or remove an existing assignment from it. The scripts take parameters for the Configuration Manager information they need (site server, site code, policy name and collection ID) and use it to create, or delete, the advertisement that assigns the designated policy to the collection.

FEP policies are stored in Configuration Manager as programs of the "FEP - Policies" package and are distributed by advertising the program to a collection with a mandatory assignment.

Prerequisites

To create a script similar to the examples in this topic, you must have the following prerequisite software:

  • Windows PowerShell (either version 1.0 or 2.0)

The following example script creates a mandatory assignment of a policy program from the FEP policies package to a specified collection, and then files the new advertisement in the FEP Policies advertisement folder. The SMS Provider enforces the Configuration Manager security rights of the calling account, so the script must run as a user who is allowed to create advertisements in the site.

function AssignPolicy(
    $ConfigMgrServer,              # ConfigMgr WMI site provider to connect to, e.g. MyServer
    $SiteCode,                     # ConfigMgr site code, e.g. ABC
    $PolicyName,                   # Name of the FEP policy (program) to assign, e.g. "MyPolicy"
    $CollectionID,                 # Collection ID to assign the policy to, e.g. ABC00008
    [switch]$IncludeSubCollection) # Include subcollections. The default is false (do not include).
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    # WMI (DMTF) datetime. Use HH for the 24-hour clock; hh would produce a 12-hour value.
    $now = Get-Date -Format "yyyyMMddHHmmss.ffffff+***"
    $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)

    # Get the FEP policies package that the advertisement is created from
    $package = Get-WmiObject -Class "SMS_Package" -Filter "MifName='FEP - Policies'" -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer
    if ($null -eq $package)
    {
        throw "The 'FEP - Policies' package was not found on $ConfigMgrServer (site $SiteCode)."
    }

    # Create a new SMS advertisement instance for the FEP policy package.
    # SMS_Advertisement Server WMI Class https://msdn.microsoft.com/en-us/library/cc146108.aspx
    $newAdvertisement = ([WmiClass]($ConfigMgrProviderPath + ":SMS_Advertisement")).CreateInstance()

    $newAdvertisement.CollectionID = $CollectionID
    $newAdvertisement.PackageID = $package.PackageID
    $newAdvertisement.ProgramName = $PolicyName   # each FEP policy is a program of the package
    $newAdvertisement.AdvertisementName = "Assign FEP Policy $PolicyName"
    $newAdvertisement.AdvertFlags = 0x02000000 -bor 0x00100000 # NO_DISPLAY | OVERRIDE_SERVICE_WINDOWS
    $newAdvertisement.RemoteClientFlags = 0x00000800 -bor 0x00000010 -bor 0x00000040  # RERUN_ALWAYS | DOWNLOAD_FROM_LOCAL_DISPPOINT | DOWNLOAD_FROM_REMOTE_DISPPOINT
    $newAdvertisement.IncludeSubCollection = [bool]$IncludeSubCollection
    $newAdvertisement.PresentTime = $now

    # Create a mandatory assignment schedule (run once, starting now)
    $AssignedSchedule = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ST_NonRecurring")).CreateInstance()
    $AssignedSchedule.StartTime = $now

    $newAdvertisement.AssignedScheduleEnabled = $true
    $newAdvertisement.AssignedSchedule = @($AssignedSchedule)  # the property is an array of schedule tokens

    $null = $newAdvertisement.Put()   # discard the ManagementPath that Put() returns
    $newAdvertisement.Get()           # Refresh to pick up the server-assigned AdvertisementID

    # Add the advertisement to the FEP policies advertisement folder

    # Get the container node. Note that the folder name is localized; adjust it for non-English consoles.
    # ObjectType 3 restricts the match to advertisement folders.
    $AdvertisementFolder = Get-WmiObject -Class "SMS_ObjectContainerNode" -Filter "Name='FEP Policies' AND ObjectType=3" -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer
    if ($null -eq $AdvertisementFolder)
    {
        Write-Warning "Advertisement folder 'FEP Policies' not found; the advertisement was created but not filed in the folder."
    }
    else
    {
        # Create a container item that places the advertisement in the folder
        $newContainerItem = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ObjectContainerItem")).CreateInstance()

        $newContainerItem.ContainerNodeId = $AdvertisementFolder.ContainerNodeId
        $newContainerItem.InstanceKey = $newAdvertisement.AdvertisementID
        $newContainerItem.ObjectType = $AdvertisementFolder.ObjectType

        $null = $newContainerItem.Put()
    }

    Write-Output "Policy $PolicyName Assigned to $CollectionID"
}

The following example script removes a policy assignment from a collection of endpoints by deleting the advertisement of that policy program to the collection. Because the policy name and collection ID are embedded in a WQL filter, the script escapes them first so that a value containing a quote or backslash cannot change the meaning of the query.

function RemovePolicyAssignment(
    $ConfigMgrServer,   # ConfigMgr WMI site provider to connect to, e.g. MyServer
    $SiteCode,          # ConfigMgr site code, e.g. ABC
    $PolicyName,        # Name of the FEP policy whose assignment should be removed, e.g. "MyPolicy"
    $CollectionID)      # Collection ID to remove the assignment from, e.g. ABC00008
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"

    # Get the FEP policies package
    $package = Get-WmiObject -Class "SMS_Package" -Filter "MifName='FEP - Policies'" -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer
    if ($null -eq $package)
    {
        throw "The 'FEP - Policies' package was not found on $ConfigMgrServer (site $SiteCode)."
    }

    # The parameters are embedded in WQL string literals. WQL uses backslash as its escape
    # character, so escape backslash and single quote to keep a value from breaking out of
    # the literal and widening the match (and the delete that follows).
    $escapedPolicyName = $PolicyName -replace '\\', '\\' -replace "'", "\'"
    $escapedCollectionID = $CollectionID -replace '\\', '\\' -replace "'", "\'"

    # Get the existing advertisements of this policy to this collection
    $filter = "PackageID='$($package.PackageID)' AND ProgramName='$escapedPolicyName' AND CollectionID='$escapedCollectionID'"
    $advertisements = Get-WmiObject -Class "SMS_Advertisement" -Filter $filter -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer

    if ($null -eq $advertisements)
    {
        Write-Output "There is no policy assignment of $PolicyName to $CollectionID."
    }
    else
    {
        Write-Output "Removing policy assignments of $PolicyName from $CollectionID."
        $advertisements | Remove-WmiObject
    }
}
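Before assigning or removing anything, a practitioner usually wants to see what is currently assigned, for example to avoid creating a second advertisement of the same policy to the same collection. The following function is an added example and is not part of the original topic. It lists the FEP policy assignments on a site by reading the same classes the scripts above use (SMS_Package filtered on MifName='FEP - Policies', SMS_Advertisement, and SMS_Collection to resolve collection names) and converts the DMTF PresentTime to a .NET DateTime. The function name, the "MyServer" and "ABC" placeholders in the usage lines, and the optional -CollectionID filter are this example's own assumptions.

```powershell
function Get-FepPolicyAssignment(
    $ConfigMgrServer,   # ConfigMgr WMI site provider to connect to, e.g. MyServer
    $SiteCode,          # ConfigMgr site code, e.g. ABC
    $CollectionID)      # Optional: restrict the listing to one collection, e.g. ABC00008
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"

    # Same package lookup as the assign/remove scripts
    $package = Get-WmiObject -Class "SMS_Package" -Filter "MifName='FEP - Policies'" -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer
    if ($null -eq $package)
    {
        throw "The 'FEP - Policies' package was not found on $ConfigMgrServer (site $SiteCode)."
    }

    # Every advertisement of the FEP policies package is one policy assignment
    $filter = "PackageID='$($package.PackageID)'"
    if ($CollectionID)
    {
        # Collection IDs are eight alphanumeric characters; reject anything else rather than escape it
        if ($CollectionID -notmatch '^[A-Za-z0-9]{8}$') { throw "Invalid collection ID: $CollectionID" }
        $filter += " AND CollectionID='$CollectionID'"
    }
    $advertisements = @(Get-WmiObject -Class "SMS_Advertisement" -Filter $filter -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer)

    # Resolve collection IDs to names once, instead of one query per advertisement
    $collectionNames = @{}
    foreach ($collection in Get-WmiObject -Class "SMS_Collection" -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer)
    {
        $collectionNames[$collection.CollectionID] = $collection.Name
    }

    foreach ($advertisement in $advertisements)
    {
        # PresentTime is a DMTF datetime string (yyyyMMddHHmmss.ffffff+***); convert it for display
        $presentTime = $null
        if ($advertisement.PresentTime)
        {
            $presentTime = [System.Management.ManagementDateTimeConverter]::ToDateTime($advertisement.PresentTime)
        }
        $result = New-Object PSObject
        Add-Member -InputObject $result -MemberType NoteProperty -Name AdvertisementID      -Value $advertisement.AdvertisementID
        Add-Member -InputObject $result -MemberType NoteProperty -Name PolicyName           -Value $advertisement.ProgramName
        Add-Member -InputObject $result -MemberType NoteProperty -Name CollectionID         -Value $advertisement.CollectionID
        Add-Member -InputObject $result -MemberType NoteProperty -Name CollectionName       -Value $collectionNames[$advertisement.CollectionID]
        Add-Member -InputObject $result -MemberType NoteProperty -Name IncludeSubCollection -Value $advertisement.IncludeSubCollection
        Add-Member -InputObject $result -MemberType NoteProperty -Name Mandatory            -Value $advertisement.AssignedScheduleEnabled
        Add-Member -InputObject $result -MemberType NoteProperty -Name PresentTime          -Value $presentTime
        $result
    }
}

# Example usage (server name and site code are placeholders): list every FEP policy assignment on
# the site, then flag collections that have more than one FEP policy assigned so the overlap can be
# reviewed before adding another assignment with AssignPolicy.
$assignments = Get-FepPolicyAssignment -ConfigMgrServer "MyServer" -SiteCode "ABC"
$assignments | Format-Table PolicyName, CollectionID, CollectionName, Mandatory, PresentTime -AutoSize
$assignments | Group-Object CollectionID | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $names = [string]::Join(", ", @($_.Group | ForEach-Object { $_.PolicyName }))
    Write-Warning "Collection $($_.Name) has $($_.Count) FEP policy assignments: $names"
}
```

The collection ID is validated against a fixed pattern instead of being escaped, because its format is known; free-form values such as a policy name need the escaping shown in RemovePolicyAssignment. The script avoids the -join operator so that it also runs under Windows PowerShell 1.0, which the prerequisites allow.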