Migrating from Forefront Client Security to Forefront Endpoint Protection

Applies To: Forefront Endpoint Protection

The management infrastructure of Forefront Endpoint Protection (FEP) is built on the System Center family of products, while the management infrastructure of Forefront Client Security (FCS) runs on a customized version of Microsoft Operations Manager 2005.

Because the management infrastructure on which these programs run is different, you cannot directly upgrade from FCS to FEP. In order to migrate from FCS to FEP, you must perform the following steps:

  1. In the FCS console, document the settings for each policy you want to preserve for FEP.

  2. In WSUS, unapprove all of the FCS client installation packages. These packages are listed as follows:

    • Classification: Updates

    • Product: Forefront Client Security

    The updates have names in the following format:

    Client Update for Microsoft Forefront Client Security (1.0.xxxx.0)

    where xxxx is the specific build number for each package. You must unapprove all of the updates.


    You should not uninstall the FCS client software. Doing so would leave your client computers unprotected. When you deploy the FEP client software, the FEP client software uninstalls the FCS client software for you.

  3. Install a new FEP installation on a System Center Configuration Manager server. For steps explaining how to do this, see FEP 2010.

  4. Create FEP policies that contain the settings that you want to continue to enforce on your client computers. For more information about FEP policies, see Configuring Client Settings by Using Policies.

  5. Deploy the FEP client software to the computers in your organization that are running the FCS client software. For steps on how to deploy the FEP client software, see FEP 2010.

    The FEP client software uninstalls the FCS client software before installing. For more information, see FEP 2010.


    The uninstall of the FCS client software also uninstalls the Microsoft Operations Manager 2005 agent.

  6. After you confirm that all computers running the FCS client software are successfully running the FEP client software, you should undeploy the FCS policies. In the FCS console, undeploy the policy you created to install the FCS client software. For more information about monitoring FEP client software deployment, see Validating Deployment. For more information about undeploying FCS policies, see Removing an existing installation of Client Security (http://go.microsoft.com/fwlink/?LinkId=206850).


If you uninstall the FCS management infrastructure (the management, collection, collection database, reporting, and reporting database roles), the data stored in the reporting database is no longer accessible.

In order to preserve the historical reporting information stored in the FCS reporting database, you should not uninstall your FCS management infrastructure until you no longer need this data.