Microsoft’s goal of merging endpoint security with systems management is one step closer to reality – at least for folks already working with System Center. But with a focus on the enterprise, the release is unlikely to make much of a splash with small businesses or those not already using Microsoft tools for desktop management.
The release candidate for Forefront Endpoint Protection (FEP) 2010, the follow-up to Microsoft’s Forefront Client Security product, was announced at TechEd Europe this week. The product is built on System Center Configuration Manager (SCCM) to create a unified infrastructure for Windows endpoint management and security.
Adwait Joshi, Microsoft senior technical product manager, said the intent is to simplify endpoint management while at the same time reducing costs.
“The idea was that if we build [FEP] on SCCM, the day-to-day operations for security can be done by the same person that’s doing your desktop management -- patching, pushing client deployments and those kinds of things,” he said. “That will then enable the security guys to focus on end-to-end security issues.”
Joshi added that combining FEP with System Center should also alleviate the costs associated with maintaining separate infrastructures for endpoint security and desktop management.
A shorter learning curve with SCCM
The release could be ideal for organizations already running SCCM in their environments, as administrators can access the FEP dashboard directly from the Configuration Manager console. The dashboard can then be used to monitor malware and even manage client firewalls using familiar SCCM processes.
While there is an “unmanaged option” for running FEP separate from SCCM, Microsoft stresses that the two are designed to work together. “That’s our first recommendation. That’s the way we intend that product to be used,” said Joshi.
For this reason, FEP 2010 might not be a fit for organizations that do not use some form of SCCM. Johan Blom, a Microsoft MVP and Forefront blogger, said that such companies would most likely stick with competing endpoint protection products from Symantec, McAfee or Trend Micro.
Blom added, however, that strictly from a feature standpoint, Microsoft’s Forefront security product stacks up well against competitors. “They are up there with the top vendors,” he said, adding that many of the environments he’s worked in have shown improvement when switching over to Forefront for client security.
“There had been malware on these systems, which the other products -- and I’ve pretty much migrated from all of them -- did not detect. So the [FEP] detection is really top notch,” he said.
For companies that currently run third-party endpoint protection with SCCM, the switch to FEP 2010 should be relatively painless. Microsoft designed the product to automatically uninstall existing anti-malware software when FEP is deployed, allowing organizations to upgrade client security in one step. Blom said the migration process should be a major improvement over Forefront Client Security (FCS).
“On the client side, [FEP 2010] will automatically uninstall FCS and just move on to the next version. So that should be easy,” he said, noting that the built-in deployment functionality of SCCM should help. “With FCS we didn’t have that; you had to have your own deployment solution.”
Forefront Endpoint Protection also includes a revamped antivirus core engine, the same engine used in the company’s consumer anti-malware offering, Microsoft Security Essentials. New features include anti-rootkit enhancements and dynamic emulation for testing potential malware in a workshop setting before it reaches the client.
What about SMBs?
Blom said he’s still waiting for Microsoft to come out with a similar new release for small businesses. “Microsoft is targeting enterprises and customers that have SCCM, but for customers that don’t have SCCM and are small businesses, I’d like to see a solution,” he said.
Blom added that while Microsoft’s enterprise segment starts at around 1,000 computers, any organization running Configuration Manager can take advantage of FEP 2010, no matter how big or small the company is. He noted, however, that smaller companies are unlikely to put something like SCCM into production.
“[Configuration Manager 2007] is a complex product, so if you have 50 machines, you’re not going to install SCCM just to run something like FEP,” he said.
The release candidate for Forefront Endpoint Protection 2010 is currently available for download at the Microsoft website. Though no date has been announced, an official release to manufacturing (RTM) is expected before the end of the year.
You can follow SearchWindowsServer.com on Twitter @WindowsTT.