Managing ForeFront Endpoint with SCCM2012

Posted on 2014-08-10
Medium Priority
Last Modified: 2014-08-14
I believe with SCCM2012, Administrator can Deploy ForeFront Endpoint Protection client, configure it, set up policy for it, update it and monitor it.

If I understand Microsoft also has ForeFront server. I wonder if ForeFront Server is designed also to deploy the EndPoint Protection client, configure it , and do all that SCCM2012 can do regarding ForeFront EndPoint Management.

Since SCCM2012 as well as ForeFront Server are both Microsoft, I wonder if I can just use SCCM2012 and do without ForeFront, when it comes to EndPoint Protection ???

Any help will be very much appreciated.

Question by:jskfan
  • 2
  • 2
LVL 65

Assisted Solution

btan earned 2000 total points
ID: 40252866
Couple of means for deploying FEP client
#1 Deploying the FEP client manually
#2 Deploying and managing the FEP client with SCCM
#3 Managing the FEP client with Group Policy
#4 Managing the FEP client with SCOM

The preferred way to deploy and manage FEP on client PCs is using the System Center Configuration Manager 2007 R3 platform. If you have SCCM, or if you deploy SCCM just to manage FEP, running the FEP server setup on top of SCCM 2007 R3 adds some huge functionality to SCCM.
In the past SCCM version, it is shared in further details on Automatically Deploying Forefront Endpoint Protection Updates via System Center Configuration Manager

Down the road, there is mention for SCCM 2012 as well as monitoring of FEP client which include below.
o Computers not targeted by FEP (will never get FEP client installed)
o Computers with out of date FEP Versions (have FEP installed, but is out of date)
o Computers Pending FEP Deployment (deploy is scheduled, but not started/finished yet)
o Run Antimalware Definition updates (=update the virus engine)
o Run Quickscan
o Run Full scan
o FEP email settings
o FEP Alerts

With System Center 2012 release, Microsoft has eventually adopted different approach to just using FEP server. They have included the endpoint protection service with Configmgr 2012.   Therefore now you can manage forefront via SCCM console.

So I see SCCM 2012 does suffice if the a/m is good enough if using FEP and I am not seeing any lacking (I am not going to drill into FEP specific capability comparing with other HIPS endpoint)

Author Comment

ID: 40253418
I have not used ForeFront as Antivirus/Antimalware.
I have used TrendMicro in the past. it has a console , you can discover computers in Active Directory, then deploy the TrendMicro agent to computers. Computers will report back to TrenMicro server from which you can manage and monitor the function of TrendMicro Clients..

I wonder if ForeFront has the same concept ? if so then using SCCM seems like you can do the same thing from 2 different products : ForeFront Server and SCCM

The point I want to make is  what is Forefront able to do that SCCM is not, and vice-versa, in matter of Antivirus and Antimalware.

LVL 65

Accepted Solution

btan earned 2000 total points
ID: 40253461
SCCM discover the asset and is still recommended if you see those links. FEP Policies are assigned to SCCM collections.  I see Forefront Endpoint Protection is built on System Center Configuration Manager. By default, the FEP Security Management Pack is configured to discover endpoints that are running server operating systems. If you want to monitor endpoints that are running client operating systems, you must perform manual procedure.

How to deploy Forefront Endpoint Protection 2012 beta on SCCM 2012 beta
After we installed the FEP 2012 server components in the previous step, this chapter gives a basic overview of the default FEP 2012 beta topics in the SCCM 2012 beta console.
The following SCCM options are available in Software Library console:
- Software Library / Overview / Application Management / Packages /
o FEP Deployment
o FEP Operations
o FEP Policies
Integrate Forefront Endpoint Protection (FEP) 2012 in System Center Configuration Manager (SCCM) 2012
Now that FEP 2012 is installed, how does it behave and how do you control it?
FEP functionality works via workstation collection membership – default policies are deployed via the Software Library to collections whose membership is kept up-to-date dynamically via SCCM discovery methods. Admins don’t actually need to do anything to ensure that FEP is deployed and updated correctly, as there’s enough default functionality in the system to guarantee that this happens automatically.

Forefront Endpoint Protection in SCCM 2012
Head over to Assets and Compliance –> Endpoint Protection –> Antimalware Policies (There you will have a default client policy, which is the only we are going to alter, since this applies to all SCEP agents in the site) You can also choose import a policy, Forefront comes with a bunch of premade policies that Microsoft has created.
When FEP is combined with SCCM, it give that Enterprise standing and in high term  - you can take a hands-off maintenance approach with the FEP client, get constant at-a-glance statistics, centralized logging, and centralized management, and you get to leverage your existing management infrastructure etc

Author Closing Comment

ID: 40262340
Thank you

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
Technology opened people to different means of presenting information, but PowerPoint remains to be above competition. Know why PPT still works today.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
The viewer will learn how to simulate a series of coin tosses with the rand() function and learn how to make these “tosses” depend on a predetermined probability. Flipping Coins in Excel: Enter =RAND() into cell A2: Recalculate the random variable…
Suggested Courses

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question