I find that most companies as a component of their SCCM deployments are looking to also push out System Center Endpoint Protection vs. retaining their existing antivirus tools. I’ve had a very good experience with SCEP as a principal antimalware tool as both a user and a consultant. That said, I was working on a deployment where that was not the case and I found something really interesting. I didn’t deploy the Endpoint Protection site role and as an added layer of protection decided to configure the client settings that endpoint protection should not be installed or configured. I found that in order to configure these settings you must actually have the management point deployed. If the management point is not deployed the client settings remain grayed out.
Here is the TechNet reference, which shows how easy it is to disable System Center Endpoint Protection on specific collections, once the settings are enabled. This is helpful if you have sub groups of users who should not get the client or the settings.
Personally, I found this really strange, since someone could accidentally deploy the site role and then the client could get deployed easily and enabled. I decided that the best course of action was training of the client and instruction on these roles, as well as significantly limiting who could make these changes, such as limiting who the full administrators of the system are. The other option is to install the endpoint protection role and then disable it on all systems, but I considered that a higher risk, since removing the client setting would be pretty easy to do unintentionally.