Microsoft's Endpoint Protection is worth the licensing pains

SCCM 2012 integrates the security client for easier management -- once you navigate Microsoft's maze of licensing options

The recently released System Center Configuration Manager (SCCM) 2012 has received rave reviews for its ease-of-use and extensive management feature set. But you may have missed the fact that Microsoft has slipped Endpoint Protection (formerly called Forefront Endpoint Protection) into the product as a paid add-on. Endpoint Protection is an antimalware product, plain and simple. Its integration with SCCM 2012 makes a great deal of sense, given SCCM's role in deploying and updating software.

Too bad the client licensing plans for Endpoint Protection on Windows Server are so wildly confusing. At first glance, it appears you have to pay quite a bit more for smaller environments -- those with one or two servers -- than you would in larger environments. Upon further research, it turns out you can purchase Endpoint Protection for stand-alone server systems or as part of various licensing options under a Core Client Access License (CAL), Enterprise CAL, or other Microsoft CAL plan.

[ Windows 8 is coming, and InfoWorld can help you get ready with the Windows 8 Deep Dive PDF special report, which explains Microsoft's bold new direction for Windows, the new Metro interface for tablet and desktop apps, the transition from Windows 7, and more. | Stay abreast of key Microsoft technologies in our Technology: Microsoft newsletter. ]

If you can figure out the licensing options, the addition of Endpoint Protection to System Center Configuration Manager 2012 brings along some very nice features. For example, you can create antimalware policies configured for groups of systems; these policies can run scans on custom schedules. You can also configure real-time settings, exclusion settings, and advanced settings, such as creating a system restore point before computers are cleaned.

The available policy settings also let you alter the type and order for update sources such as Configuration Manager, Windows Server Update Services (WSUS), Windows Update, Microsoft Malware Protection Center, and Windows Universal Naming Convention (UNC) file shares. Additionally, you can set the firewall settings for clients. When specifying the installation of the endpoint client, you can remove previously installed antimalware software, including previous versions of Endpoint Protection.

By using System Center Configuration Manager for managing Endpoint Protection, it's easier to keep your information on deployments in one place, as well as to monitor overall endpoint protection client status and malware remediation status for your systems from the SCCM dashboard you're using for overall administration every day. You can also select a client in the SCCM dashboard and immediately initiate a quick or full scan, as well as download the latest definitions, if you don't want to wait for the policy to do it.

This integration with your core systems management tool simply makes sense, especially given Endpoint Protection's configurability. Persevere through the crazy maze of licensing options to get Endpoint Protection in your SCCM 2012 environment. The licensing effort offers a reward that's worth the twists and turns.

This story, "Microsoft's Endpoint Protection is worth the licensing pains," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.