Forefront without SCCM-add SCCM later?

ldoccc used Ask the Experts™
Hello,  We currently have an SCCM server that is not working properly/most likely was not setup right to begin wtih.  In the future, we will be getting rid of the existing SCCM server and building a new SCCM server the right way.

However, we are on a deadline to uninstall our existing antivirus solution and install Forefront  Endpoing Protection before we are able to rebuild SCCM.  Our current plan is to install Forefront without SCCM and use Group Policy to uninstall our existing antivirus and install/update Forefront.  We realize this is not the ideal or recommended configuration.

The question(s) is... if we follow our current plan and later get SCCM up and running, will we be able to easily integrate the existing Forefront installations with SCCM? or will it cause lots of problems/issues or just not be possible?

If you have any additional thoughts, ideas, or suggestions, all input is welcome.

Thank you for your time
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

From the above link :

Now the licensing stuff… As I mentioned, things have changed: in order to be able to centrally manage your FEP clients, you need SCCM Server… and a SCCM CAL per client being managed. This is good news for customers that are already using this technology (and those who bought the CoreCAL Suite which includes SCCM), but not so good for the others, who will need in fact to implement a SCCM Solution in order to remotely manage their FEP clients.
But this can also be a great opportunity to get the conversation started on our System Center suite of products. Lots of customers out there still aren’t using any type of management strategy; you can now also drive the System Center discussion through the Forefront protection features. SCCM is just one of the 5 components of the System Center Suite of products; positioning  SCCM is a foot in the door to talk about Operations Manager, Data Protection Manager (another component that can help secure clients), Virtual Machine Manager and Service Manager.

That being said, the Forefront Clients can run without the SCCM management component but the client will not be managed, i.e. the customer will have no ability for monitoring.

Seems like the above link has your answer :

These 3 questions keep popping up on these forums, one after the other. To conclude this in 4 easy answers:
1.      You want to have a standalone FEP? You have only 2 options:
a. you can manage it with Group Policy. For an overview of this type of setup see:
A nice overview: or on TechNet:
 b. You keep it as a standalone installation. Then again, you could also use any other free antivirus product, and you would not need to acquire licenses. In this case, it's refered to as an 'unmanaged' installation.
2.      Question 2 above relates to the first question. Basically the SMB is left in the dark here, unless you take the time and effort to start searching through forums, look for the wanted info on TechNet, Google for it... nevertheless, there is (as far as i can see) no clear and distinct answer on this. The fact that this is confusing for so many, is very likely because FCS (Forefront Client - the previous version), at least had an Administrator Console for it, hence everyone who wanted to, could use it. This is with FEP no longer the case.
3.      You have System Center Essentials 2007/2010, and you want to install FEP? You have 3 options here:

a. Probably your best option here (if you want a central management console), is to wait for a third-party product, which is in development now (they are aiming at Q1 2011): for more info about this product (their is a risk this product is going to be rather expensive, we will see)

b. Your second option is to use Group Policy for management:
On TechNet:

c. You keep it as a standalone installation. Then again, you could also use any other free antivirus product, and you would not need to acquire licenses. In this case, it's refered to as an 'unmanaged' installation.


Have a look at the above links, seems like you can !
I have only managed to skim through the links above – so a good read would help you in your decision.

Keith AlabasterEnterprise Architect
Top Expert 2008

Missed this question somehow. I have seen a couple of 'standalone' FEP installs and none have lasted as most users are not robots and, despite issued guidance, most could not (would not) follow the instructions in respect to letting us know that issues were noted etc.

Flip side could be that having an AV solution installed even though you have no idea of whether it is effective or not must be better than not having one at all.

When you get to deploy sccm again cleanly, you can force an overwrite anyway on each client based upon your deployment package so shouldn't be an issue for the future.


Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial