new SCCM install SCEP and WSUS updates

We are implementing a new sccm 2012 install which is going to handle all Endpoint (SCEP) and software updates.  The network has an existing WSUS server, but it will go away once the migration is complete.  There is no preexisting FEP infrastructure.  Existing systems have GPOs assigned to configure WSUS on the clients.
 
I've created a new OU for SCCM pilot systems as we get this running.  Unfortunately, the OU inherits all the existing GPOs in the company.  I can't filter the OU at this time.  But I need to build a NEW gpo for this OU, so that it will supersede the current WSUS GPO and free up SCCM to handle the SUP and SCEP processes.
 
When we are done, and the environment is to be totally managed by SCCM, I don't think we need ANY GPOs as SCCM handles this all via client local policy assignments.  However, I need to know what to set in my pilot GPO so that machines in my Pilot OU wont be getting conflicting GPO settings.  Can someone tell me what to set in my GPOs for my pilots so SCCM can manage the environment?
 
Since SCEP is now in the mix, I'm not sure what I need to have on and off, and based on conversations I'm seeing online, it's not exactly clear.  Most of the docs I've seen are with a FEP infrastructure external to SCCM (SCCM07, with FEP, etc), or are written assuming you have no preexisting infrastructure to migrate from.  Now I've got one integrated system managing all 3 processes, so I'm not sure what GPO to set to get the old stuff out and let the new stuff play.
 
Thanks!
 
Ed
 

the following should help, just target the GPO towards the OU in question,
using System Center 2012 Configuration Manager - Part 5. Adding WSUS, Adding the SUP role, deploying the Configuration Manager Client Agent
Part 5. Adding WSUS, Adding the SUP role, deploying the Configuration Manager Client Agent  [June 3rd, 2012]
using System Center 2012 Configuration Manager - Part 6. Adding the Endpoint Protection role, configure Alerts and custom Antimalware Policies.
Part 6. Adding the Endpoint Protection role, configure Alerts and custom Antimalware Policies. [August 6th, 2012]

Yes, I've seen those Anyweb, but that doesn't really answer my question.  Which is :
 
What should the GPO's say so SCEP will pull from the SCCM site server? 
 
Let me explain....
 
I'm not at all confused about the policies on the SCCM side. SCCM manages those policies for SUP/SCEP by assigning LOCAL policies on the machine.   My concern is existing GPO's and how they can supersede the local policies that SCEP and SCCM will implement.  If I have any GPO, it will be considered a 'higher authority' than the SCEP and SCCM policies, and any settings you define in the processes you linked to can be over written.  Having said that... We can put in the GPOs you discuss for client installation, but they impact SCEP.
 
This documentation is great if you are in a lab or a clean environment, where you have no pre-existing GPO policies that can create a conflict.  And in fact, I already scoured them and have used them (great work BTW).  We tried the SUP settings listed in there fhat you used for Client installation thinking they would simply duplicate the local policies the SCCM server creates.  Those are for client installation.  I would think those would work fine, but our inherited GPOs seem to create problems for our SCEP.  And in fact, so do these.  Clients can still update from MS, and if I leave everything default in SCEP, the updates still flow, but they don't pull updates from our SCCM server.  (Have you verified that your updates are pulling from your SCCM server in your lab if you have those GPOs in place and that those clients are NOT pulling SCEP updates from MS?  I'm betting they update from MS.) 
 
When we have GPO's configured as you describe, SCEP updates from our SCCM server fail for us.  (We limit where they can pull updates in our SCEP policies so they don't pull from MS sources for testing, and when we do that we fail an update process with and error: ?0x8024402c, which means it can't hit MS for updates) 
 
In these docs, you don't discuss GPOs at all with regards to SCEP because SCCM doesn't need or use them.   But MS docs for Forefront EP imply that having those settings can screw up local policies and create problems for SCEP.  So, what we end up with is a client that is updating from MS, but not from my managed site server.
 
I'm building a production environment where we are migrating from a previous WSUS infrastructure, and I need to figure out a way to migrate through existing policies without creating a conflict.  Right now, creating a GPO filter or creating a mirrored OU structure for machines while we migrate is a procress that I'd like to avoid if I can.  What I need to do is identify what GPO setting CAN we set, what SHOULD we set, and what should we NOT set so that SUP and SCEP will work right and not get conflicted or confused.
 
I've seen plenty of confusion on what you can and cannot put in the SUP/FEP/SCEP GPOs.  Some documents imply that if i specify the server AT ALL, I confuse SCEP/FEP, and it wont work as designed (because when it sees the server in the GPO, it presumes somehow that WAU and not SCCM is going to handle the downloading or similar issues).  I HOPE I can create some GPOs that will overwrite my corporate ones (existing GPOs link at a higher point on the OU structure,and I would like to create downstream ones to overwrite the inherited policies to ones that will work right).   This will make sure that SUP and SCEP both hit my SCCM box for updates.  
 
I'm pretty sure out systems are working fine when we put a machine in an OU that doesn't pull ANY GPOs that refer to WSUS settings.