Converging Endpoint Security and Management: “It just makes sense”

In October we announced the strategic decision to build Forefront Endpoint Protection (FEP) on System Center Configuration Manager, Microsoft’s market-leading change and configuration management product.  Part of our Business Ready Security strategy, this approach better aligns with our customers’ desktop management and security solutions, helping them simplify deployment and reduce costs.  Chris Christiansen of analyst firm IDC puts it well:

"Converging endpoint security and operations can improve an organization's overall security posture and efficiency. As security management overlaps with other IT functions, Microsoft's integration of Forefront Endpoint Protection and System Center Configuration Manager just makes sense."

We’ve been working to deliver on this strategy and, this week at the Microsoft Management Summit, we demonstrated this convergence for the first time.  (You can view corporate vice president Brad Anderson’s keynote speech with a demo here.)  We’re planning on releasing a beta of FEP in the third quarter of this year.   Learn more about FEP here.  We will also be sharing more about FEP at TechEd North America in June.

Separate infrastructure for endpoint protection and management is costly, inefficient and can expose a company to more security risks.  Disconnected management consoles and responsibilities, often spread across multiple teams, adds IT costs and can impact the productivity of both IT and business employees.  The right approach is to centralize endpoint security information - such as patches, deployment and policy - on a platform that can scale to hundreds of thousands of clients. 

This approach will improve security by reducing the attack surface of PCs and accelerating incident response.  It will make life much easier for desktop managers and also boost the effectiveness of security administrators, because they can more easily cover endpoint security basics and spend more time on newer capabilities to combat the latest threats.

By building FEP on Configuration Manager, customers will save capital costs on roll-out.  They will also reduce training costs, because administrators won’t have to learn yet another management user interface.  One of our customers, Kristaps Cudars, Senior System Virtualization Specialist at Rigas Stradina University in Europe, said:

“We like Microsoft’s strategy to integrate Forefront Endpoint Protection with System Center Configuration Manager.  We expect this approach of merging endpoint security with overall endpoint management will simplify deployment and management, lowering the total cost of ownership per desktop.”

With this convergence, all the information that the client management team needs to make security decisions is provided in a single pane of glass, enabling them to both mitigate security risks more easily and generate reports about compliance for the security team.


We feel this approach is the future of endpoint security.  And Microsoft is driving this convergence for both large and mid-sized organizations.  In addition to building FEP on Configuration Manager, the newly introduced Windows Intune solution for mid-sized companies provides a cloud-based solution for PC security and management, using core Forefront and System Center technologies.

Comments (6)

  1. Marc says:

    I understand the decision to integrate forefront with management tools, but keep in mind that not all businesses that have deployed FCS are running SCCM. Speaking for my own installed base of FCS, some of my customers are running SCCM, others are running SCE, some don't have any management tools and some have third party management tools. Will there be any solution for those customers not running SCCM?


  2. Internet SecuritT Group says:

    We love Forefront security, it works well with all of our machines. The protection does what it is supposed to without removing or restricting files without notification.

    For our home users we set up with the /nomom option. This is great that it does not require additional licensing.

    But for our corporate users the management and intergration with our active directory and WSUS is very practicle and makes management a snap.

  3. D.C. Type says:

    Are there any plans to offer an API to other AV vendors to allow their patches to be released?  The chance of them using it is between zero and none but I was just curious for environments that aren't pure Microsoft.  Are there any plans to integrate McAfee's HBSS with System Center R3 or System Center 2010/2011?

  4. Bryan B says:

    Release date?  I cant find anything recent on a release date except 2nd half of 2010.  Really want to roll this out for real or I have to renew Kaspersky.  Help…….wanna spend money with you!

  5. Gabriel N. says:

    Volume Licensing availability is 01 Jan 2011

Skip to main content