Apply Forefront Endpoint Protection Exchange 2013 Exclusions via PowerShell

With a large environment I wanted to find a way to copy the XML file that Forefront Endpoint Protection (FEP) uses and apply Exchange 2013 exclusions to all of my servers with it. While FEP and its newer version, System Center Endpoint Protection 2012, are managed through SCCM, you may find it necessary to bypass SCCM for managing exclusions, especially if you have a large number of servers or applications. This also allows the system owner to manage the exclusions while the SCCM owner manages the deployment of definition files and the remediation of infected systems.

Before deploying exclusions to your systems, you first need to build the policy template. I'm not going to spend time discussing the ins and outs of these templates; the easiest method is to take an existing template and reverse engineer it to work with Exchange. You can find some templates on TechNet here: http://gallery.technet.microsoft.com/System-Center-Endpoint-65917b04. Below I have included the one I have been using in my lab. It has many custom paths, primarily for log directories, because I moved logging off the OS drive to keep the thousands of logs generated per day from landing there. For a basic understanding of the template layout I would again refer you to TechNet: http://technet.microsoft.com/en-us/library/gg398037.aspx.

Policy XML:

<?xml version="1.0" encoding="US-ASCII"?>
<SecurityPolicy Name="Exchange 2013 Server Policy" Version="2" Description="" ProductVersion="1.0.0.0" IsBuiltIn="false" LastModifiedBy="" CreatedBy="" LastModificationTime="2014-09-04T17:23:18.2764252Z" CreationTime="2014-09-04T17:23:18.1345795Z" xmlns="http://forefront.microsoft.com/FEP/2010/01/PolicyData">
 <PolicySection Name="FEP.AmPolicy" Disabled="false">
  <LocalGroupPolicySettings>
   <IgnoreKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware"/>
    <AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection">
     <AddValue Name="DisableRealtimeMonitoring" Type="REG_DWORD">0</AddValue>
     <AddValue Name="DisableOnAccessProtection" Type="REG_DWORD">0</AddValue>
     <AddValue Name="RealTimeScanDirection" Type="REG_DWORD">0</AddValue>
     <AddValue Name="LocalSettingOverrideDisableRealTimeMonitoring" Type="REG_DWORD">0</AddValue>
     <AddValue Name="LocalSettingOverrideDisableIntrusionPreventionSystem" Type="REG_DWORD">0</AddValue>
     <AddValue Name="LocalSettingOverrideDisableOnAccessProtection" Type="REG_DWORD">0</AddValue>
     <AddValue Name="LocalSettingOverrideDisableIOAVProtection" Type="REG_DWORD">0</AddValue>
     <AddValue Name="LocalSettingOverrideDisableBehaviorMonitoring" Type="REG_DWORD">0</AddValue>
     <AddValue Name="LocalSettingOverrideRealTimeScanDirection" Type="REG_DWORD">0</AddValue>
     <AddValue Name="DisableIntrusionPreventionSystem" Type="REG_DWORD">1</AddValue>
     <AddValue Name="DisableIOAVProtection" Type="REG_DWORD">0</AddValue>
     <AddValue Name="DisableBehaviorMonitoring" Type="REG_DWORD">0</AddValue>
     <AddValue Name="DisableScriptScanning" Type="REG_DWORD">1</AddValue>
     <AddValue Name="LocalSettingOverrideDisableScriptScanning" Type="REG_DWORD">0</AddValue>
    </AddKey>
    <AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction">
     <AddValue Name="1" Type="REG_DWORD">6</AddValue>
     <AddValue Name="2" Type="REG_DWORD">2</AddValue>
     <AddValue Name="4" Type="REG_DWORD">2</AddValue>
     <AddValue Name="5" Type="REG_DWORD">2</AddValue>
    </AddKey>
    <AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware">
     <AddValue Name="DisableRoutinelyTakingAction" Type="REG_DWORD">0</AddValue>
     <AddValue Name="RandomizeScheduleTaskTimes" Type="REG_DWORD">1</AddValue>
     <AddValue Name="DisableLocalAdminMerge" Type="REG_DWORD">1</AddValue>
    </AddKey>
    <AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\UX Configuration">
     <AddValue Name="CustomDefaultActionToastString" Disabled="true" Type="REG_SZ"/>
     <AddValue Name="Notification_Suppress" Type="REG_DWORD">0</AddValue>
    </AddKey>
    <AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Scan">
     <AddValue Name="ScheduleQuickScanTime" Type="REG_DWORD" PreviousValue="60">0</AddValue>
     <AddValue Name="ScanParameters" Type="REG_DWORD">1</AddValue>
     <AddValue Name="ScheduleTime" Type="REG_DWORD">60</AddValue>
     <AddValue Name="ScheduleDay" Type="REG_DWORD">0</AddValue>
     <AddValue Name="LocalSettingOverrideScheduleTime" Type="REG_DWORD">0</AddValue>
     <AddValue Name="LocalSettingOverrideScheduleQuickScanTime" Type="REG_DWORD">0</AddValue>
     <AddValue Name="LocalSettingOverrideScheduleDay" Type="REG_DWORD">0</AddValue>
     <AddValue Name="LocalSettingOverrideScanParameters" Type="REG_DWORD">0</AddValue>
     <AddValue Name="DisableCatchupQuickScan" Type="REG_DWORD">0</AddValue>
     <AddValue Name="DisableCatchupFullScan" Type="REG_DWORD">0</AddValue>
     <AddValue Name="CheckForSignaturesBeforeRunningScan" Type="REG_DWORD">1</AddValue>
     <AddValue Name="ScanOnlyIfIdle" Type="REG_DWORD">0</AddValue>
     <AddValue Name="LocalSettingOverrideAvgCPULoadFactor" Type="REG_DWORD">0</AddValue>
     <AddValue Name="AvgCPULoadFactor" Type="REG_DWORD">20</AddValue>
     <AddValue Name="DisableScanningNetworkFiles" Type="REG_DWORD">1</AddValue>
     <AddValue Name="DisableScanningMappedNetworkDrivesForFullScan" Type="REG_DWORD">1</AddValue>
     <AddValue Name="DisableArchiveScanning" Type="REG_DWORD">0</AddValue>
     <AddValue Name="DisableRemovableDriveScanning" Type="REG_DWORD">1</AddValue>
     <AddValue Name="DisableHeuristics" Type="REG_DWORD">0</AddValue>
     <AddValue Name="DisableRestorePoint" Type="REG_DWORD">1</AddValue>
    </AddKey>
    <AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions" Disabled="false">
     <AddValue Name=".sdb" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".config" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".dia" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".wsb" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".chk" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".edb" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".jrs" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".jsl" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".log" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".que" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".lzx" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".ci" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".dir" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".wid" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".000" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".001" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".002" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".cfg" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".grxml" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".dsc" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name=".txt" Type="REG_DWORD" Disabled="false">0</AddValue>
    </AddKey>
    <AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths" Disabled="false">
     <AddValue Name="%windir%\SoftwareDistribution\Datastore\Datastore.edb" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\edb.chk" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\edb*.log" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res1.log" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\Res2.log" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ProgramData%\Microsoft\Search\Data\Applications\Windows" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%windir%\Security\database\*.chk" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%windir%\Security\database\*.edb" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%windir%\Security\database\*.jrs" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%windir%\Security\database\*.log" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%windir%\Security\database\*.sdb" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%allusersprofile%\NTUser.pol" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%SystemRoot%\System32\GroupPolicy\Machine\registry.pol" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%SystemRoot%\System32\GroupPolicy\User\registry.pol" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="C:\Users\Default\AppData\Local\Temp" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%SystemRoot%\System32\Inetsrv" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files\" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%\Logging\POP3" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%\Logging\IMAP4" Type="REG_DWORD" Disabled="false">0</AddValue>
     <!-- Replace the DAGFQDN placeholder with your DAG's FQDN before importing; a raw '<' inside an attribute is not valid XML, so it is entity-escaped here -->
     <AddValue Name="%SystemDrive%\DAGFileShareWitnesses\&lt;DAGFQDN&gt;" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="C:\Program Files\Microsoft\Exchange Server\V15\Mailbox" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="C:\Program Files\Microsoft\Exchange Server\V15\Logging\Managed Folder Assistant" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%Mailbox" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%TransportRoles" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%TransportRoles\Logs" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%GroupMetrics" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%Logging" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%ExchangeOAB" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%\Mailbox" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%TransportRoles\Data\Queue" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%ClientAccess\OAB" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%TransportRoles\Data\SenderReputation" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%Working\OleConverter" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%FIP-FS" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%TransportRoles\Logs\Mailbox" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%UnifiedMessaging\grammars" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%UnifiedMessaging\Prompts" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%UnifiedMessaging\voicemail" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%UnifiedMessaging\temp" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="C:\ExchangeVolumes" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="C:\ExchangeDatabases" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%TMP%" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%ExchangeInstallPath%TransportRoles\Logs\FrontEnd" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="%windir%\Cluster" Type="REG_DWORD" Disabled="false">0</AddValue>
    </AddKey>
    <AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes" Disabled="false">
     <AddValue Name="Cdb.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Cidaemon.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="fms.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Clussvc.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Dsamain.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="EdgeCredentialSvc.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="EdgeTransport.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="ExFBA.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Inetinfo.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.AntispamUpdateSvc.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="hostcontrollerservice.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="MSExchangeDagMgmt.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="MSExchangeMigrationWorkflow.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.AddressBook.Service.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.ContentFilter.Wrapper.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.Diagnostics.Service.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.Directory.TopologyService.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.EdgeCredentialSvc.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.EdgeSyncSvc.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.Imap4.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.Imap4service.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.Monitoring.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.Pop3.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.Pop3service.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.ProtectedServiceHost.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.RpcClientAccess.Service.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.Search.Service.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.Servicehost.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.Store.Service.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.Store.Worker.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Microsoft.Exchange.UM.CallRouter.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="MSExchangeDagMgmt.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="MSExchangeDelivery.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="MSExchangeFrontendTransport.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="MSExchangeHMHost.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="MSExchangeHMWorker.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="MSExchangeMailboxAssistants.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="MSExchangeMailboxReplication.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="MSExchangeRepl.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="MSExchangeSubmission.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="MSExchangeTransport.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="MSExchangeTransportLogSearch.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="MSExchangeThrottling.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="OleConverter.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Noderunner.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="ParserServer.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="Powershell.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="ScanEngineTest.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="ScanningProcess.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="TranscodingService.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="UmService.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="UmWorkerProcess.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="UpdateService.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
     <AddValue Name="W3wp.exe" Type="REG_DWORD" Disabled="false">0</AddValue>
    </AddKey>
    <AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Quarantine">
     <AddValue Name="PurgeItemsAfterDelay" Type="REG_DWORD">14</AddValue>
     <AddValue Name="LocalSettingOverridePurgeItemsAfterDelay" Type="REG_DWORD">0</AddValue>
    </AddKey>
    <AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Signature Updates">
     <AddValue Name="SignatureUpdateInterval" Type="REG_DWORD">8</AddValue>
     <AddValue Name="ScheduleDay" Disabled="true" Type="REG_DWORD">0</AddValue>
     <AddValue Name="ScheduleTime" Disabled="true" Type="REG_DWORD">0</AddValue>
     <AddValue Name="SignatureUpdateCatchupInterval" Type="REG_DWORD">1</AddValue>
     <AddValue Name="conAuGracePeriod" Type="REG_DWORD">24</AddValue>
     <AddValue Name="DefinitionUpdateFileSharesSources" Disabled="true" Type="REG_SZ"/>
     <AddValue Name="FallbackOrder" Type="REG_SZ">MicrosoftUpdateServer|MMPC</AddValue>
     <AddValue Name="SourceOrderOnly" Disabled="true" Type="REG_SZ">FileShares|InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC</AddValue>
    </AddKey>
    <AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\SpyNet">
     <AddValue Name="SpyNetReporting" Type="REG_DWORD">1</AddValue>
     <AddValue Name="LocalSettingOverrideSpyNetReporting" Type="REG_DWORD">0</AddValue>
    </AddKey>
   </LocalGroupPolicySettings>
  </PolicySection>
 <PolicySection Name="FEP.HostFirewallPolicy" Disabled="true">
  <WmiPropertySettings>
   <Namespace Name="Root\Microsoft\PolicyPlatform\WindowsFirewallConfiguration">
    <Class Name="Firewall_Profile_Domain">
     <Instance Identifier="@">
      <SetProperty Name="EnableFirewall">True</SetProperty>
      <SetProperty Name="BlockAllInboundTraffic">False</SetProperty>
      <SetProperty Name="DefaultInboundActionIsDeny">True</SetProperty>
      <SetProperty Name="DisableInboundNotifications">False</SetProperty>
      </Instance>
    </Class>
    <Class Name="Firewall_Profile_Private">
     <Instance Identifier="@">
      <SetProperty Name="EnableFirewall">True</SetProperty>
      <SetProperty Name="BlockAllInboundTraffic">False</SetProperty>
      <SetProperty Name="DefaultInboundActionIsDeny">True</SetProperty>
      <SetProperty Name="DisableInboundNotifications">False</SetProperty>
     </Instance>
    </Class>
    <Class Name="Firewall_Profile_Public">
     <Instance Identifier="@">
      <SetProperty Name="EnableFirewall">True</SetProperty>
      <SetProperty Name="BlockAllInboundTraffic">False</SetProperty>
      <SetProperty Name="DefaultInboundActionIsDeny">True</SetProperty>
      <SetProperty Name="DisableInboundNotifications">False</SetProperty>
     </Instance>
    </Class>
   </Namespace>
  </WmiPropertySettings>
 </PolicySection>
</SecurityPolicy>
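Before pushing a template like the one above to every server, it is worth checking it offline: a typo in a path silently excludes nothing (or the wrong thing), and extension and process exclusions apply machine-wide, not just to Exchange. The following PowerShell script is an added example, not part of the original post or of the FEP tooling. It loads the policy XML, pulls the enabled path, extension and process exclusions out of the FEP.AmPolicy section using the layout shown above, and reports entries that deserve a second look: unreplaced placeholders, paths that are neither absolute nor rooted in an environment variable, whole-variable roots such as %TMP%, duplicates, and extension or process exclusions that reach well beyond Exchange data. The policy path and the review rules are the editor's assumptions.

```powershell
# Added example (editor's code, not from the original post): audit an FEP/SCEP policy
# XML before it is deployed. Assumes the SecurityPolicy/PolicySection/
# LocalGroupPolicySettings/AddKey/AddValue layout shown in the post.
param(
    [string]$PolicyPath = 'C:\temp\Exchange 2013 Server Policy.xml'   # assumed location
)

# Generic extensions/processes whose exclusion is not limited to Exchange data.
# These lists are the editor's review rules, not part of the FEP product.
$broadExtensions = @('.txt', '.log', '.config', '.cfg')
$broadProcesses  = @('powershell.exe', 'w3wp.exe', 'cmd.exe')

try {
    [xml]$policy = Get-Content -Path $PolicyPath -Raw -ErrorAction Stop
} catch {
    # A raw '<' inside an attribute (an unreplaced <placeholder>) is the usual cause
    throw "Policy is not well-formed XML: $($_.Exception.Message)"
}

$amSection = $policy.SecurityPolicy.PolicySection |
    Where-Object { $_.GetAttribute('Name') -eq 'FEP.AmPolicy' }
$keys = @($amSection.LocalGroupPolicySettings.AddKey)

# Returns the enabled value names under the Exclusions\<Leaf> key
function Get-ExclusionNames([string]$Leaf) {
    $key = $keys | Where-Object { $_.GetAttribute('Name') -like "*\Exclusions\$Leaf" }
    if (-not $key) { return @() }
    @($key.AddValue) |
        Where-Object { $_.GetAttribute('Disabled') -ne 'true' } |
        ForEach-Object { $_.GetAttribute('Name') }
}

$findings = New-Object System.Collections.Generic.List[string]
$paths = @(Get-ExclusionNames 'Paths')
$exts  = @(Get-ExclusionNames 'Extensions')
$procs = @(Get-ExclusionNames 'Processes')

foreach ($p in $paths) {
    if ($p -match '[<>]') {
        $findings.Add("Unreplaced placeholder in path exclusion: $p")
    } elseif ($p -match '^%[^%]+%\\?$') {
        $findings.Add("Path exclusion is an entire environment-variable root: $p")
    } elseif ($p -notmatch '^(%[^%]+%|[A-Za-z]:\\)') {
        $findings.Add("Path exclusion is neither absolute nor env-rooted (typo?): $p")
    }
}
foreach ($e in $exts) {
    if ($broadExtensions -contains $e) {
        $findings.Add("Extension exclusion applies machine-wide, not just to Exchange: $e")
    }
}
foreach ($x in $procs) {
    if ($broadProcesses -contains $x) {
        $findings.Add("Process exclusion covers a general-purpose host; files it opens are not scanned in real time: $x")
    }
}
# Duplicate entries are harmless to the import but usually signal a copy/paste slip
foreach ($group in @(@{N='Paths';V=$paths}, @{N='Extensions';V=$exts}, @{N='Processes';V=$procs})) {
    $group.V | Group-Object { $_.ToLower() } | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $findings.Add("Duplicate $($group.N) exclusion: $($_.Name)") }
}

[pscustomobject]@{
    Policy     = $policy.SecurityPolicy.GetAttribute('Name')
    Paths      = $paths.Count
    Extensions = $exts.Count
    Processes  = $procs.Count
    Findings   = $findings
} | Format-List
```

Run it as a .ps1 with `-PolicyPath` pointing at your template. Against the template above it reports the DAG witness placeholder that still needs your DAG's FQDN, the %TMP% root, the .txt/.config/.cfg extensions and the PowerShell.exe and W3wp.exe process exclusions; those last entries do come from Microsoft's Exchange guidance, so the point of flagging them is to make the trade-off visible (anything those processes open bypasses real-time scanning, so scheduled scans carry that load) rather than to remove them.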

Now that you have your template in hand, save it to a local drive (as an .xml file, of course). We are going to use the script below to copy that file and apply it to your servers. The script takes either a single server name, a list of server names from a CSV file, or server names from the PowerShell pipeline. If you choose not to supply a username, the script uses the currently logged-in username and you will only need to enter your password. Once the file is copied, it invokes a command on the server to kick off the local ConfigSecurityPolicy.exe and import that XML. Below you will find examples of how to use the script, the script itself, and a download of the script and XML.

Single Server Input – Default Method:

[Screenshot: FEP_Server_PS]

Server List from CSV:

[Screenshot: FEP_CSV_PS]

Pipeline Input:

[Screenshot: FEP_Pipeline_PS]

Set-ExchFEPExclusions:

#requires -version 3

Function Set-ExchFEPExclusions() {

    <#
    .SYNOPSIS
    The following script will apply SCEP or FEP exclusions to a server

    .DESCRIPTION
    This script will copy the exclusion XML file to the servers in a list and then apply the XML to the server's AV client

    .PARAMETER Csv
    Specify the Csv file containing the servers you are targeting

    .PARAMETER ServerName
    Specify the Server Name you are targeting

    .PARAMETER Source
    Specify the path to the source XML you will be pushing to the servers

    .PARAMETER UserName
    Used if you require elevated credentials on the target server. Defaults to the currently logged in user, but will still prompt for password

    .LINK
    Exchange 2013 FEP Exclusions
    http://technet.microsoft.com/en-us/library/bb332342(v=exchg.150).aspx

    .LINK
    Editing a FEP Policy
    http://technet.microsoft.com/en-us/library/gg398037.aspx

    .INPUTS
    You can pipe server names into the script

    .OUTPUTS
    Currently no outputs. Will be enabling logging in a future version

    .EXAMPLE
    Set-ExchFEPExclusions -ServerName Server1 -Source 'C:\temp\Exchange 2013 Server Policy.xml'

    .EXAMPLE
    Set-ExchFEPExclusions -Csv C:\scripts\computers.txt -Source 'C:\temp\Exchange 2013 Server Policy.xml'

    .EXAMPLE
    Get-MailboxServer | ?{$_.DatabaseAvailabilityGroup -eq "DAGName"} | Set-ExchFEPExclusions -Source 'C:\temp\Exchange 2013 Server Policy.xml' -UserName Domain\UserName

    .NOTES
    Author: Mike DiVergilio
    Date: 9/16/2014
    Version: 2.0
    #>

    [CmdletBinding(DefaultParameterSetName = 'AVExclusionsByServer')]
    Param
    (
        #List of servers
        [Parameter(Mandatory=$false,Position=0,ParameterSetName='AVExclusionsByList',HelpMessage='Please input the full path to the list of servers you are targeting')]
        [String]$Csv,

        #Single Server (also binds the Name property of piped objects, e.g. Get-MailboxServer output)
        [Parameter(Mandatory=$false,Position=0,ParameterSetName='AVExclusionsByServer',ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true,HelpMessage='Please input the server name you are targeting')]
        [Alias('Name')]
        [ValidateNotNullOrEmpty()]
        [String]$ServerName,

        #Source XML file
        [Parameter(Mandatory=$true,HelpMessage='Please input the full path to the XML file you will use for your exclusions')]
        [ValidateNotNullOrEmpty()]
        [String]$Source,

        #Input for Username in the form of Domain\username
        [Parameter(Mandatory=$false,HelpMessage="Please input Domain\Username if current account doesn't have the necessary access.")]
        [String]$UserName
    )

    BEGIN {

        #Default to the logged-in account as the help promises; PSCredential rejects an empty user name
        If ([string]::IsNullOrEmpty($UserName)) {
            $UserName = "$env:USERDOMAIN\$env:USERNAME"
        }
        $SecurePW = Read-Host -Prompt "Enter Password for $UserName" -AsSecureString
        $Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $SecurePW
    }

    PROCESS {

        Function Set-AVExclusions() {

            [string]$Dest = "C$\Program Files\Microsoft Security Client"
            [string]$File = Get-ChildItem $Source | Select-Object -ExpandProperty Name

            If (Test-Connection -ComputerName $Server -Quiet) {
                Write-Host 'Executing Remote Command' -ForegroundColor Yellow

                #Opens session to target server (only after it has answered the ping)
                $Session = New-PSSession -ComputerName $Server -Credential $Credentials

                #Creates path and copies file to remote server
                #The DNS suffix below is the author's domain; change it to match your environment
                $Path = Join-Path -Path "\\$Server.corp.cox.com" -ChildPath $Dest
                New-PSDrive -Credential $Credentials -PSProvider FileSystem -Root $Path -Name $Server | Out-Null
                Write-Host "Copying Exclusion XML to $Server"
                Copy-Item -Path $Source -Destination $Path

                #Adjust path to pass variables via the Invoke-Command cmdlet
                $ParentPath = $Dest.Replace('$',':')
                $FilePath = Join-Path $ParentPath -ChildPath $File
                Invoke-Command -Session $Session -ScriptBlock {
                    Param([string]$FilePath)
                    & 'C:\Program Files\Microsoft Security Client\ConfigSecurityPolicy.exe' $FilePath
                } -ArgumentList $FilePath

                #Cleanup
                Remove-PSDrive -Name $Server
                Remove-PSSession $Session

            } else {

                Write-Host "$Server failed to connect for AV Exclusions"

            }
        }

        Function Set-AVExclusionsByServer() {

            If ([string]::IsNullOrEmpty($ServerName)) {
                Write-Warning 'No server name supplied; use -ServerName, -Csv or pipeline input'
                return
            }

            $Servers = $ServerName

            Foreach ($Server in $Servers) {
                Write-Host "Setting Exclusions to $Server" -ForegroundColor Green
                Set-AVExclusions
            }
        }

        Function Set-AVExclusionsByList() {

            #The CSV is read as a headerless list of server names, one per line
            [array]$ServerList = Import-Csv -Path $Csv -Header ServerName | Select-Object -ExpandProperty ServerName

            ForEach ($Server in $ServerList) {
                Write-Host "Setting Exclusions to $Server" -ForegroundColor Green
                Set-AVExclusions
            }
        }

        switch ($PSCmdlet.ParameterSetName) {
            'AVExclusionsByServer' { Set-AVExclusionsByServer }
            'AVExclusionsByList'   { Set-AVExclusionsByList }
        }
    }

    END {

        Write-Host "The Remote Execution of Exchange 2013 FEP Exclusions is Complete"
    }
}
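The script above tells you that ConfigSecurityPolicy.exe was launched, but nothing confirms that the exclusions actually landed on the server. The following PowerShell script is an added example, not part of the original post or its script. It reads the Exclusions\Paths, Exclusions\Extensions and Exclusions\Processes keys the XML names (under HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware) on a target server over PowerShell remoting and compares the value names found there with the enabled entries in the XML, reporting what is missing and what is present but not in the policy. The server name, XML path and credential are assumed inputs, and it assumes the local policy has already applied on the target.

```powershell
# Added example (editor's code, not from the original post): compare the exclusion
# policy keys on a server with what the policy XML says they should contain.
# Assumes PowerShell remoting to the target and the XML layout shown in the post.
param(
    [Parameter(Mandatory=$true)][string]$ServerName,            # assumed input
    [Parameter(Mandatory=$true)][string]$PolicyPath,            # assumed input
    [System.Management.Automation.PSCredential]$Credential     # optional
)

[xml]$policy = Get-Content -Path $PolicyPath -Raw -ErrorAction Stop
$keys = ($policy.SecurityPolicy.PolicySection |
    Where-Object { $_.GetAttribute('Name') -eq 'FEP.AmPolicy' }).LocalGroupPolicySettings.AddKey

# Expected state: the enabled value names under every Exclusions\* key in the XML
$expected = @{}
foreach ($key in @($keys)) {
    $keyName = $key.GetAttribute('Name')
    if ($keyName -notlike '*\Exclusions\*') { continue }
    $expected[$keyName] = @($key.AddValue |
        Where-Object { $_.GetAttribute('Disabled') -ne 'true' } |
        ForEach-Object { $_.GetAttribute('Name') })
}

# Actual state: value names present under the same keys in HKLM on the target.
# Returns a nested hashtable so "key absent" and "key empty" survive deserialization.
$readKeys = {
    param([string[]]$KeyNames)
    $found = @{}
    foreach ($k in $KeyNames) {
        $regPath = "HKLM:\$k"
        $found[$k] = @{ Exists = (Test-Path -Path $regPath); Names = @() }
        if ($found[$k].Exists) {
            $found[$k].Names = @((Get-Item -Path $regPath).GetValueNames())
        }
    }
    $found
}
$invoke = @{
    ComputerName = $ServerName
    ScriptBlock  = $readKeys
    ArgumentList = (, [string[]]$expected.Keys)   # unary comma keeps the array as one argument
}
if ($Credential) { $invoke.Credential = $Credential }
$actual = Invoke-Command @invoke

# Report per key: names in the XML but not on the server, and names on the server
# that the XML does not list. -notcontains is case-insensitive, like registry value names.
foreach ($k in $expected.Keys) {
    $leaf = Split-Path -Path $k -Leaf
    if (-not $actual[$k].Exists) {
        [pscustomobject]@{ Server = $ServerName; Key = $leaf; Missing = '(key absent)'; Unexpected = '' }
        continue
    }
    $missing    = @($expected[$k]      | Where-Object { $actual[$k].Names -notcontains $_ })
    $unexpected = @($actual[$k].Names  | Where-Object { $expected[$k] -notcontains $_ })
    [pscustomobject]@{
        Server     = $ServerName
        Key        = $leaf
        Missing    = ($missing -join ', ')
        Unexpected = ($unexpected -join ', ')
    }
}
```

Save it as a .ps1 and pipe its output to Format-Table -AutoSize, one object per exclusion key; an empty Missing column for all three keys is the result you want to see before moving on to the next server. Entries in the Unexpected column are not necessarily wrong (they may have been added locally), but they are worth knowing about, since anything excluded from scanning is, by definition, not being scanned.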

I hope you find this post and this script useful in your administration. I welcome any improvements you may have to make this script better.

Script and XML Download

Updated 10/20/2014 to reflect changes to the A/V Exclusions TechNet article, and to add Windows 2012 exclusions and FEP policy settings.
