SCEP Licensing for Windows 10 in ConfigMgr

A recent forum question asked whether System Center Endpoint Protection (SCEP) CALs are needed to manage Windows Defender in Windows 10 using System Center Configuration Manager (ConfigMgr). I wasn’t sure, so I posed the question to the product group.

First, a bit of foundational information is in order. As you may know, the Endpoint Protection component of ConfigMgr does not install SCEP onto Windows 10 systems. Instead, it simply installs a management layer on Windows 10 systems so that it can manage the built-in Windows Defender agent. It can do this because the Defender agent is nearly identical to the SCEP agent (which in turn is nearly identical to the free Security Essentials agent). Also note that to manage Windows Defender on Windows 10 systems, you must still deploy a client agent settings package to these systems that enables both “Manage Endpoint Protection client on client computers” and “Install Endpoint Protection client on client computers”. Additionally, you need to deploy Defender definitions using Software Updates as described at “Quick Tip: Windows Defender clients on Windows 10 fail to get software updates from Configuration Manager”.

So, ultimately the answer is that yes, you still need a SCEP CAL (in addition to the ConfigMgr CAL) to manage Windows Defender on Windows 10 systems. This isn’t because you are paying for Windows Defender again (which is already included in Windows 10 and has essentially always been a free product); instead, you are paying for the management layer of Windows Defender in ConfigMgr that I mentioned earlier.

Most Microsoft licensing models, including the Core CAL and Enterprise CAL, include both CAL types, so this should hopefully be a moot point for most organizations.



  1. Hey Jason, thanks very much for clearing up the issue of how to manage Windows Defender on Win10 systems via SCCM. Wasn’t sure whether to still install the endpoint protection client by client settings. Do you see more clarification from Microsoft on this grey area of SCEP and Defender?


    If you manage endpoint protection for Windows 10 computers, then you must configure System Center 2012 Configuration Manager to update and distribute malware definitions for Windows Defender. Because Windows Defender is included in Windows 10, an endpoint protection agent does not need to be deployed to client computers.

  2. Hi Jason
    Clarification is needed because the quoted article says “…an endpoint protection agent DOES NOT need to be deployed to client computers”, where you say “and Install Endpoint Protection client on client computers”? Have I missed something here? My testing so far shows that without the EP client (Microsoft article way) then I don’t get policy, but I do if I install the EP client?

    • Sorry, I have no idea where you are getting that quote from, it’s not on the page that I linked to or my post.

      Also, I never said don’t install SCEP at all. Instead, I explicitly pointed out that doing so simply installs the management layer for Windows Defender on Win 10 systems instead of deploying SCEP itself.

  3. Thanks for this informative post. We were using McAfee AV for our 50000 machines. With Windows 10, we would like to pilot Defender and install the SCEP role on the top server of the SCCM hierarchy. Could you please suggest whether we need to increase the resources on our server before adding the SCEP role?

    • No, SCEP itself requires very little additional overhead on ConfigMgr. There will be some for sure including DB size and with that many clients, little “bits” can add up quickly. Ultimately, SCEP uses all of the facilities in ConfigMgr that you are already using though including Software Updates (to deliver definition, engine, and client updates), state messages (to report scan and compliance state), fast channel (to perform on demand actions like scans), and the DB of course to store data.

      As long as your site is properly sized, you shouldn’t experience any issues; however, I would recommend rolling it out in stages and monitoring critical resources as you go just to be sure (because as noted with 50,000 clients something small can become big quickly). Disk space and DB size would be my main two concerns but watching network utilization, as well as CPU on the MPs and DPs, would be good also simply as a precautionary measure.