Forefront Endpoint Protection 2010 组策略工具无法导入从 System Center 2012 Endpoint Protection 导出的策略文件
症状:
在使用 Forefront Endpoint Protection (FEP) 2010 组策略工具导入从 System Center 2012 Endpoint Protection 导出的策略文件时,导入失败,并显示类似于下面屏幕截图所示的错误:
原因:
XML 命名空间缺失,并且几个注册表值类型在 System Center 2012 Endpoint Protection 中已发生更改,从而导致错误。
解决方法:
手动执行以下更改
- 在策略文件的“SecurityPolicy”部分中添加“xmlns="https://forefront.microsoft.com/FEP/2010/01/PolicyData"”。
- 打开策略文件,在“AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Signature Updates"”部分中,将“FallbackOrder”的类型由“REG_DWORD”改为“REG_SZ”。
- 打开策略文件,在“AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Signature Updates"”部分中,将“DefinitionUpdateFileSharesSources”的类型由“REG_DWORD”改为“REG_SZ”。
使用“脚本”部分中的脚本自动进行更改
可以使用“脚本”部分中的脚本对策略文件进行更改。将该脚本保存为 JScript 文件(.js),即可通过 cscript.exe 自动执行这些更改。例如,可以将“脚本”部分中的脚本保存为 FepGPFileCorrector.js,然后使用如下命令:
cscript.exe FepGPFileCorrector.js <originpolicyfile>.xml
其中,originpolicyfile 是导出的 System Center 2012 Endpoint Protection 策略文件。目前支持以下路径形式:
- 本地 xml 文件的完整路径。例如 c:\test\output.xml
- 网络共享文件的完整路径。例如 \\atc-dist-01\test\output.xml
- 运行脚本工具的文件夹下的文件。
目标/输出策略文件将被命名为 Converted-<originpolicyfile>.xml。如果同名的输出文件已存在,脚本会先清除其只读属性并将其删除,然后再写入新文件。
参考:
Forefront Endpoint Protection 组策略工具用于将配置的 FEP 策略中包含的策略设置转换为组策略使用的格式。可从 Microsoft 下载中心 (https://go.microsoft.com/fwlink/?LinkId=207729) 作为 FEP 2010 组策略工具下载程序包的一部分获得该工具。
System Center 2012 Endpoint Protection 提供多个默认策略模板文件,可在站点服务器安装目录的 AdminConsole\XmlStorage\EPTemplates 子文件夹下找到这些文件。默认情况下,可以使用 FEP 2010 组策略工具导入这些策略模板文件。
脚本:
@set @debug = false
//******************************************************************************
//
// Constants
//
//******************************************************************************
// XML element names that make up the policy file structure.
var c_sSecurityPolicy = "SecurityPolicy";
var c_sPolicySection = "PolicySection";
var c_sLocalGroupPolicySettings = "LocalGroupPolicySettings";
var c_sAddKey = "AddKey";
var c_sAddValue = "AddValue";

// XML attribute names read from and written to those elements.
var c_sXmlns = "xmlns";
var c_sName = "Name";
var c_sType = "Type";
var c_sDisabled = "Disabled";

// Namespace URI given to every element created in the converted document.
// NOTE(review): namespace URIs are matched character for character, scheme
// included - confirm this exact value is the one the FEP 2010 Group Policy
// Tool expects before relying on the converted file.
var c_sNameSpace = "https://forefront.microsoft.com/FEP/2010/01/PolicyData";

// Registry value names whose declared type is rewritten during conversion.
var c_sFallbackOrder = "FallbackOrder";
var c_sDefinitionUpdateFileShareSources = "DefinitionUpdateFileSharesSources";

// Registry value type names: the one replaced and its replacement.
var c_sDWord = "REG_DWORD";
var c_sSZ = "REG_SZ";

// Usage text echoed when the script is started without an argument or with "/?".
var c_sHelp = [
    "cscript.exe FepGPFileCorrector.js <originpolicyfile> ",
    "",
    "originpolicyfile Original exported SCEp2012 policy file.",
    ""
].join("\r\n");
//******************************************************************************
//
// Globals
//
//******************************************************************************
// COM helper objects; all of them are created later, during initialization.
// Scripting.FileSystemObject instance.
var g_fso = null;
// WScript.Shell instance.
var g_shell = null;
// "Process" environment collection obtained from g_shell.
var g_environment = null;

// Source (exported policy) and target (converted policy) XML documents.
var g_xmlSource = null;
var g_xmlTarget = null;

// Folder that contains this script, taken from WScript.ScriptFullName.
var g_sScriptDir = null;

// The exported System Center 2012 Endpoint Protection policy file, exactly as
// given on the command line, followed by its file name and its folder.
var g_sOriginPolicyFile = null;
var g_sOriginFileName = null;
var g_sOriginPolicyPath = null;
//******************************************************************************
//
// GetAttribute
//
//******************************************************************************
function GetAttribute(oNode, sAttrib, bAllowNull)
{
    // Returns the text of the attribute named sAttrib on oNode, or null when
    // the node has no such attribute.
    // bAllowNull is accepted for the callers' sake but has no effect: a
    // missing attribute yields null whether or not it is set.
    var oNamedItem = oNode.attributes.getNamedItem(sAttrib);
    return (oNamedItem == null) ? null : oNamedItem.text;
}
// Refuse to run on a Windows Script Host older than version 5.6.
var nHostVersion = Number(WScript.Version);
if (nHostVersion < 5.6)
{
    var sUpgradeHint = "This script requires Windows Script Host v5.6 or later. "
        + "Go to https://www.microsoft.com/scripting for download";
    WScript.Echo(sUpgradeHint);
    WScript.Quit(1);
}

// Only cscript.exe is accepted as the host; it is recognised by name in
// WScript.FullName, compared case-insensitively.
var sHostPath = WScript.FullName.toLowerCase();
if (sHostPath.indexOf("cscript.exe") == -1)
{
    WScript.Echo("This script can only be executed with Cscript.");
    WScript.Quit(1);
}

// With no argument, or with "/?" as the first argument, print the usage text
// and stop with exit code 1.
var bNoArguments = WScript.Arguments.length < 1;
if (bNoArguments || (WScript.Arguments(0) == "/?"))
{
    WScript.Echo(c_sHelp);
    WScript.Quit(1);
}
// Create the COM helpers, then record the script's folder and the input path.
g_fso = new ActiveXObject("Scripting.FileSystemObject");
g_shell = new ActiveXObject("WScript.Shell");
g_environment = g_shell.Environment("Process");
g_sScriptDir = g_fso.GetParentFolderName(WScript.ScriptFullName);
g_sOriginPolicyFile = String(WScript.Arguments(0));

// Split the argument into a folder and a file name.
//   - drive path (contains ":" and does not start with "."), or
//   - UNC path (starts with two backslashes):
//       cut at the last backslash.
//   - anything else: the whole argument is used as the file name and the
//       script's own folder as the folder.
// NOTE(review): in the last case the file is still opened by the name given
// on the command line while the output goes to the script's folder; these
// presumably agree only when the script is started from its own folder and
// the argument is a bare file name - confirm before using relative paths.
var bHasDrivePath = (g_sOriginPolicyFile.indexOf(":") > 0) && (g_sOriginPolicyFile.charAt(0) != ".");
var bIsUncPath = (g_sOriginPolicyFile.charAt(0) == "\\") && (g_sOriginPolicyFile.charAt(1) == "\\");
if (bHasDrivePath || bIsUncPath)
{
    var iLastSeparator = g_sOriginPolicyFile.lastIndexOf("\\");
    g_sOriginPolicyPath = g_sOriginPolicyFile.substr(0, iLastSeparator);
    g_sOriginFileName = g_sOriginPolicyFile.substr(iLastSeparator + 1);
}
else
{
    g_sOriginPolicyPath = g_sScriptDir;
    g_sOriginFileName = g_sOriginPolicyFile;
}

// Stop early when the input file cannot be found.
var bSourceExists = g_fso.FileExists(g_sOriginPolicyFile);
if (!bSourceExists)
{
    WScript.Echo("XML file " + g_sOriginPolicyFile + " does not exist!");
    throw new Error(1, "The XML file does not exist!");
}
//var oFile = g_fso.GetFile(g_sOriginPolicyFile);
//oFile.Attributes = oFile.Attributes & (~1);
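// Load the exported System Center 2012 Endpoint Protection policy file.
// The path may point at a network share, so the parser is used with the
// MSXML 6.0 defaults (DTDs prohibited, external resolution off).
// NOTE(review): keep those defaults when changing this code.
g_xmlSource = new ActiveXObject("MSXML2.DOMDocument.6.0");

// DOMDocument loads asynchronously unless told otherwise; load synchronously
// so that the result of load() and parseError describe the finished parse.
g_xmlSource.async = false;

if (!g_xmlSource.load(g_sOriginPolicyFile))
{
    var pe = g_xmlSource.parseError;
    // Report through WScript.Echo: this script defines no INFO() helper, so
    // calling one here would fail before the parse error could be shown.
    WScript.Echo(
        "XML load failed:\n"
        + " Location: " + pe.line + ", " + pe.linepos + "\n"
        + " Source: " + pe.srcText + "\n"
        + " Reason: " + pe.reason + "\n"
    );
    throw new Error(-1, "Policy file is invalid.");
}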
// Locate the top-level "SecurityPolicy" node of the source document.
// The script stops with exit code 1 when the document has no child nodes or
// when that node already carries an xmlns attribute.
var oSrcSecurityPolicyNode;
var sNothingToDo = "XML file " + g_sOriginPolicyFile + " might not need to process, exit directly.";

if (!g_xmlSource.hasChildNodes())
{
    WScript.Echo(sNothingToDo);
    WScript.Quit(1);
}

// Advance to the first top-level node named "SecurityPolicy", if there is one.
var oRootNodes = g_xmlSource.childNodes;
var iIndex = 0;
while ((iIndex < oRootNodes.length) && (oRootNodes[iIndex].nodeName != c_sSecurityPolicy))
{
    iIndex++;
}

if (iIndex < oRootNodes.length)
{
    oSrcSecurityPolicyNode = oRootNodes[iIndex];
    if ((oSrcSecurityPolicyNode != null)
        && (oSrcSecurityPolicyNode.attributes.getNamedItem(c_sXmlns) != null))
    {
        WScript.Echo(sNothingToDo);
        WScript.Quit(1);
    }
}
// Start an empty target document. It is saved as "Converted-" followed by the
// source file name, in the folder recorded in g_sOriginPolicyPath.
g_xmlTarget = new ActiveXObject("MSXML2.DOMDocument.6.0");
var sTargetXmlFile = g_sOriginPolicyPath + "\\Converted-" + g_sOriginFileName;

// An existing output file is replaced without asking: the low attribute bit
// (value 1, the FileSystemObject read-only flag) is cleared and the file is
// then deleted.
var bStaleTargetPresent = g_fso.FileExists(sTargetXmlFile);
if (bStaleTargetPresent)
{
    var oFile = g_fso.GetFile(sTargetXmlFile);
    var iWithoutReadOnly = oFile.Attributes & (~1);
    oFile.Attributes = iWithoutReadOnly;
    g_fso.DeleteFile(sTargetXmlFile);
}

WScript.Echo("The target converted policy file: " + sTargetXmlFile);
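// Working variables for the element-by-element copy below.
var oSrcAddKeyNodes;
var oSrcAddValueNodes;
var oSrcAddKeyNode;
var oSrcAddValueNode;
var sNameAttribute;
var sTypeAttribute;
var sDisabledAttribute;
var sNodeValue;
var oTargetAddKeyNode;
var oTargetAddValueNode;
var oTargetNodeValue; // declared here so the text node is not an implicit global
var oAttributes;
var bRetypedValue;
var index;
var iKeyIndex;
var iValueIndex;

// Rebuild the policy as SecurityPolicy > PolicySection >
// LocalGroupPolicySettings > AddKey > AddValue, creating every element in the
// c_sNameSpace namespace (createNode type 1 is an element node).
//
// What is carried over:
//   - all attributes of SecurityPolicy (except xmlns), PolicySection and AddKey;
//   - on AddValue only Name, Type, Disabled (when present) and the text.
// Any other element or attribute in the source is absent from the result.
// NOTE(review): this file configures endpoint protection, so compare the
// converted file with the source before importing it.
if (oSrcSecurityPolicyNode != null)
{
    var oTargetSecurityPolicyNode = g_xmlTarget.createNode(1, c_sSecurityPolicy, c_sNameSpace);

    // Copy the root attributes; the namespace comes from createNode, so an
    // xmlns attribute is never copied as a plain attribute.
    oAttributes = oSrcSecurityPolicyNode.attributes;
    for (index = 0; index < oAttributes.length; index++)
    {
        if (oAttributes.item(index).name != c_sXmlns)
        {
            oTargetSecurityPolicyNode.setAttribute(oAttributes.item(index).name, oAttributes.item(index).nodeValue);
        }
    }

    var oSrcPolicySectionNode = oSrcSecurityPolicyNode.selectSingleNode(c_sPolicySection);
    if (oSrcPolicySectionNode != null)
    {
        var oTargetPolicySectionNode = g_xmlTarget.createNode(1, c_sPolicySection, c_sNameSpace);

        oAttributes = oSrcPolicySectionNode.attributes;
        for (index = 0; index < oAttributes.length; index++)
        {
            oTargetPolicySectionNode.setAttribute(oAttributes.item(index).name, oAttributes.item(index).nodeValue);
        }

        var oSrcLocalGroupPolicySettingsNode = oSrcPolicySectionNode.selectSingleNode(c_sLocalGroupPolicySettings);
        if (oSrcLocalGroupPolicySettingsNode != null)
        {
            var oTargetLocalGroupPolicySettingsNode = g_xmlTarget.createNode(1, c_sLocalGroupPolicySettings, c_sNameSpace);

            oSrcAddKeyNodes = oSrcLocalGroupPolicySettingsNode.selectNodes(c_sAddKey);
            for (iKeyIndex = 0; iKeyIndex < oSrcAddKeyNodes.length; iKeyIndex++)
            {
                oSrcAddKeyNode = oSrcAddKeyNodes[iKeyIndex];
                oTargetAddKeyNode = g_xmlTarget.createNode(1, c_sAddKey, c_sNameSpace);

                oAttributes = oSrcAddKeyNode.attributes;
                for (index = 0; index < oAttributes.length; index++)
                {
                    oTargetAddKeyNode.setAttribute(oAttributes.item(index).name, oAttributes.item(index).nodeValue);
                }

                oSrcAddValueNodes = oSrcAddKeyNode.selectNodes(c_sAddValue);
                for (iValueIndex = 0; iValueIndex < oSrcAddValueNodes.length; iValueIndex++)
                {
                    oSrcAddValueNode = oSrcAddValueNodes[iValueIndex];
                    oTargetAddValueNode = g_xmlTarget.createNode(1, c_sAddValue, c_sNameSpace);

                    sNameAttribute = GetAttribute(oSrcAddValueNode, c_sName);
                    oTargetAddValueNode.setAttribute(c_sName, sNameAttribute);

                    // FallbackOrder and DefinitionUpdateFileSharesSources are
                    // changed from REG_DWORD to REG_SZ; every other type is
                    // copied as it is. The match is on the value name alone,
                    // under whichever AddKey the value appears.
                    sTypeAttribute = GetAttribute(oSrcAddValueNode, c_sType);
                    bRetypedValue = (sNameAttribute == c_sFallbackOrder)
                        || (sNameAttribute == c_sDefinitionUpdateFileShareSources);
                    if (bRetypedValue && (sTypeAttribute == c_sDWord))
                    {
                        oTargetAddValueNode.setAttribute(c_sType, c_sSZ);
                    }
                    else
                    {
                        oTargetAddValueNode.setAttribute(c_sType, sTypeAttribute);
                    }

                    // Disabled is optional and is copied only when present.
                    if (oSrcAddValueNode.attributes.getNamedItem(c_sDisabled) != null)
                    {
                        sDisabledAttribute = GetAttribute(oSrcAddValueNode, c_sDisabled);
                        oTargetAddValueNode.setAttribute(c_sDisabled, sDisabledAttribute);
                    }

                    // The value itself is the element text.
                    sNodeValue = oSrcAddValueNode.text;
                    oTargetNodeValue = g_xmlTarget.createTextNode(sNodeValue);
                    oTargetAddValueNode.appendChild(oTargetNodeValue);

                    oTargetAddKeyNode.appendChild(oTargetAddValueNode);
                }

                oTargetLocalGroupPolicySettingsNode.appendChild(oTargetAddKeyNode);
            }

            oTargetPolicySectionNode.appendChild(oTargetLocalGroupPolicySettingsNode);
        }

        oTargetSecurityPolicyNode.appendChild(oTargetPolicySectionNode);
    }

    // Attach the finished tree and write the converted policy file.
    g_xmlTarget.appendChild(oTargetSecurityPolicyNode);
    g_xmlTarget.save(sTargetXmlFile);
}
else
{
    // Without a SecurityPolicy root nothing is written; say so instead of
    // ending silently after the target file name has been announced.
    WScript.Echo("XML file " + g_sOriginPolicyFile + " has no " + c_sSecurityPolicy + " root element; nothing was converted.");
    WScript.Quit(1);
}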
This posting is provided "AS IS" with no warranties, and confers no rights.