SOLVED: How to DISABLE Forefront For Exchange Without Killing Exchange

If you have ever tried to shut down Forefront services on an Exchange server you have found that it will shut down your Exchange… so don’t do that.

I recently worked with a Microsoft tech who explained the following simply command line to (temporarily) unhook Exchange from Forefront:

  1. Open a comand prompt
  2. Change to the Forefront directory which in my case was:
    • cd “C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\”

To re-enable Forefront after you are done whatever you were doing (troubleshooting in my case) go back to the same command prompt and type FSCUTILITY /ENABLE .

Other switches for the FSCUTILITY are:

  • /statusUse this option to display the status of Forefront Security and of the Exchange server or the SharePoint server.
  • /enableUse this option to enable Forefront Security if the Exchange server or the SharePoint server services have been stopped.
  • /disableUse this option to disable Forefront Security if the Exchange server or the SharePoint server services have been stopped.
  • /remove Use this option to remove Microsoft Forefront Security’s registry keys.
  • /regmon Use this option to register FSCMonitor.
  • /unregmon Use this option to unregister FSCMonitor.

If you want to confirm Forfront is unhooked in or unhooked, open an Exchange Power Shell and type:


It should result in something like:

[PS] C:\Windows\system32>Get-TransportAgent

Identity                                           Enabled         Prior
——–                                           ——-         —–
Connection Filtering Agent                         True            1
Content Filter Agent                               False           2
Protocol Analysis Agent                            True            3
Transport Rule Agent                               True            4
Journaling Agent                                   True            5
AD RMS Prelicensing Agent                          False           6
Sender Id Agent                                    True            7
Sender Filter Agent                                True            8
Recipient Filter Agent                             True            9
FSE Routing Agent                                  True            10
FSE Connection Filtering Agent                     True            11
FSE Content Filter Agent                           True            12

If the last three items (FSE…) show, then the Forefront is still connected to Exchange, if they are absent, then Forefront is unhooked from Exchange.

Note that you can also manually turn off each of the filter agents using an Exchange Command Prompt command:

Disable-FSE Connection Filtering Agent
Disable-FSE Content Filter Agent

This article will help if you have more questions

You might also find the NETSTAT -E command useful in detecting network errors.

Questions or Comments?