Forefront Endpoint Protection (FEP): what changed

Forefront Client Security (FCS) was replaced by Forefront Endpoint Security in January 2011. While this might just sound like a rebranding exercise, it’s actually a lot more, both from a product functionality and a licensing standpoint.

SCCM to centrally manage your systems… and Forefront

One of the main differentiators between FCS and FEP is how the Forefront client agents are managed.

FCS had its own separate management console, which was in fact a separate SKU altogether that had to be purchased over and above the client subscription. It was a stand-alone piece that used an instance of MOM 2005 (Microsoft Operations Manager) under the covers to provide monitoring and reporting. That instance of MOM 2005 could not be used for anything else and specifically required SQL 2005.

FEP management is now integrated into SCCM. This is particularly interesting because our customers now have a single solution to manage all key aspects of a secure desktop: patch management, software deployment, compliance management, antivirus, firewall, inventory, etc. In addition, FEP inherits all of the functionality of SCCM (e.g. wake up on LAN, over Internet management, delegated administration, branch scenarios support). FEP management is fully handled via the SCCM console, which also offers an additional node for anti-virus management.

To more secure clients

The anti-virus component of FEP is also more advanced. It is based on Microsoft Security Essentials and provides better support for rootkit detection, host intrusion prevention, and cloud-based threat analysis.

Conceptually, the services offered by FEP are the same as those of FCS. However, while the old console did not offer client deployment functionality, SCCM now allows you to deploy your agents remotely, which makes it easier to implement Forefront in the environment.

Licensing requirements

Now the licensing stuff… As I mentioned, things have changed: in order to be able to centrally manage your FEP clients, you need SCCM Server… and an SCCM CAL per client being managed. This is good news for customers that are already using this technology (and those who bought the CoreCAL Suite, which includes SCCM), but not so good for the others, who will in fact need to implement an SCCM solution in order to remotely manage their FEP clients.

But this can also be a great opportunity to get the conversation started on our System Center suite of products. Lots of customers out there still aren’t using any type of management strategy; you can now also drive the System Center discussion through the Forefront protection features. SCCM is just one of the 5 components of the System Center suite of products; positioning SCCM is a foot in the door to talk about Operations Manager, Data Protection Manager (another component that can help secure clients), Virtual Machine Manager and Service Manager.

That being said, the Forefront clients can run without the SCCM management component, but the client will not be managed, i.e. the customer will have no monitoring capability.

Additional resources

I would suggest listening to this Gartner webcast on the convergence of desktop management and security. The decision to integrate AV into SCCM is not primarily based on technical reasons, but mainly to align with the current trends in the industry. I am sure that once those trends are understood, articulating the value of SCCM + FEP will be easier for our partners.

Also:
- Forefront Endpoint Protection – Main product page
- Pricing and Licensing.

May the Force of Licensing be with You,
Mathias

Comments

  • Anonymous
    March 01, 2011
    Mathias, your explanation has answered some of my questions on the topic of FCS and FEP. However, if the customer cannot move to SCCM at this point in time, will the scenario below work? a) Customer subscribes to FEP but downgrades to use FCS. Will the updates still work? b) Customer continues to use the management console for FCS to manage the clients.
