Managing Forefront Endpoint with SCCM 2012

Posted on 2014-08-10
Last Modified: 2014-08-14

I believe that with SCCM 2012, an administrator can deploy the Forefront Endpoint Protection client, configure it, set up policy for it, update it and monitor it.

If I understand correctly, Microsoft also has Forefront Server. I wonder if Forefront Server is also designed to deploy the Endpoint Protection client, configure it, and do all that SCCM 2012 can do regarding Forefront Endpoint management.

Since SCCM 2012 and Forefront Server are both Microsoft products, I wonder if I can just use SCCM 2012 and do without Forefront when it comes to Endpoint Protection?

Any help will be very much appreciated.

Question by: jskfan
    LVL 60

    Assisted Solution

    A couple of means for deploying the FEP client:
    #1 Deploying the FEP client manually
    #2 Deploying and managing the FEP client with SCCM
    #3 Managing the FEP client with Group Policy
    #4 Managing the FEP client with SCOM

    The preferred way to deploy and manage FEP on client PCs is using the System Center Configuration Manager 2007 R3 platform. If you have SCCM, or if you deploy SCCM just to manage FEP, running the FEP server setup on top of SCCM 2007 R3 adds some huge functionality to SCCM.
    For the past SCCM version, further details are shared in "Automatically Deploying Forefront Endpoint Protection Updates via System Center Configuration Manager".

    Down the road, there is mention of SCCM 2012 as well as monitoring of the FEP client, which includes the below:
    o Computers not targeted by FEP (will never get FEP client installed)
    o Computers with out of date FEP Versions (have FEP installed, but is out of date)
    o Computers Pending FEP Deployment (deploy is scheduled, but not started/finished yet)
    o Run Antimalware Definition updates (=update the virus engine)
    o Run Quickscan
    o Run Full scan
    o FEP email settings
    o FEP Alerts

    With the System Center 2012 release, Microsoft has eventually adopted a different approach to just using the FEP server. They have included the endpoint protection service with ConfigMgr 2012. Therefore you can now manage Forefront via the SCCM console.

    So I see SCCM 2012 does suffice if the above-mentioned is good enough when using FEP, and I am not seeing anything lacking (I am not going to drill into FEP-specific capability compared with other HIPS endpoints).

    Author Comment

    I have not used Forefront as antivirus/antimalware.
    I have used TrendMicro in the past. It has a console; you can discover computers in Active Directory, then deploy the TrendMicro agent to computers. Computers will report back to the TrendMicro server, from which you can manage and monitor the function of TrendMicro clients.

    I wonder if Forefront has the same concept? If so, then with SCCM it seems like you can do the same thing from 2 different products: Forefront Server and SCCM.

    The point I want to make is: what is Forefront able to do that SCCM is not, and vice versa, in the matter of antivirus and antimalware?

    LVL 60

    Accepted Solution

    SCCM discovers the asset and is still recommended if you see those links. FEP policies are assigned to SCCM collections. I see Forefront Endpoint Protection is built on System Center Configuration Manager. By default, the FEP Security Management Pack is configured to discover endpoints that are running server operating systems. If you want to monitor endpoints that are running client operating systems, you must perform a manual procedure.

    How to deploy Forefront Endpoint Protection 2012 beta on SCCM 2012 beta
    After we installed the FEP 2012 server components in the previous step, this chapter gives a basic overview of the default FEP 2012 beta topics in the SCCM 2012 beta console.
    The following SCCM options are available in Software Library console:
    - Software Library / Overview / Application Management / Packages /
    o FEP Deployment
    o FEP Operations
    o FEP Policies

    Integrate Forefront Endpoint Protection (FEP) 2012 in System Center Configuration Manager (SCCM) 2012
    Now that FEP 2012 is installed, how does it behave and how do you control it?
    FEP functionality works via workstation collection membership – default policies are deployed via the Software Library to collections whose membership is kept up-to-date dynamically via SCCM discovery methods. Admins don’t actually need to do anything to ensure that FEP is deployed and updated correctly, as there’s enough default functionality in the system to guarantee that this happens automatically.

    Forefront Endpoint Protection in SCCM 2012
    Head over to Assets and Compliance –> Endpoint Protection –> Antimalware Policies. (There you will have a default client policy, which is the only one we are going to alter, since this applies to all SCEP agents in the site.) You can also choose to import a policy; Forefront comes with a bunch of premade policies that Microsoft has created.
    When FEP is combined with SCCM, it gives that Enterprise standing and, in high-level terms, you can take a hands-off maintenance approach with the FEP client, get constant at-a-glance statistics, centralized logging, and centralized management, and you get to leverage your existing management infrastructure, etc.

    Author Closing Comment

    Thank you
