Saturday, 31 August 2013

Config Mgr 2012 Endpoint Protection: Enable SCEP on clients

Previously we added our Endpoint Protection Point and created our own custom Antimalware Policy. We then deployed this policy to a test collection.

However none of this is of any use if we do not enable Endpoint Protection on clients.

Navigate to Administration > Site Configuration > Client Settings. As before, we do not want to interfere with the Default Client Settings, so we will create Custom Client Device Settings.

Right click and choose "Create Custom Client Device Settings".

Enter a suitable name, select "Endpoint Protection" and click OK.

You receive a pop-up with client reboot information. Click OK to acknowledge.

Right click and choose Properties.

Select Yes to "Manage Endpoint Protection client on client computers".

Select Yes to "Install Endpoint Protection client on client computers".
Click OK to Save.

Now right click and deploy to your test collection.

The SCEP client will now be installed on all computers in the test collection when they retrieve their machine policy, and those computers will be governed by our custom antimalware policy.

You can monitor the progress of the SCEP client installation using the EndpointProtectionAgent.log file.

Endpoint Protection installation has been triggered.

SCEPInstall.exe starts. See the policy file used.

A SCEP icon will appear in the system tray. It is minimised but will open if you click on it.

You can see the application installing if you wish.

EP client is successfully installed.

SCEP 2012 icon now available.

New processes running.

New service.

New registry settings.
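The evidence above (the EndpointProtectionAgent.log entries, the new service, the new processes and the new registry settings) can be checked in one pass from a client in the test collection. The following PowerShell script is an added example, not code from the original post; it assumes the SCEP 2012 service is named MsMpSvc, its engine and tray processes are MsMpEng and msseces, its policy-delivered settings live under HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware, and the ConfigMgr client logs are in %windir%\CCM\Logs.

```powershell
# Added verification script (assumptions: service MsMpSvc, processes MsMpEng/msseces,
# registry key HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware, logs in %windir%\CCM\Logs).
# Run as an administrator on a client in the test collection; needs PowerShell 3.0+ for -Tail.
function Test-ScepClientState {
    param(
        [string]$LogPath = (Join-Path $env:windir 'CCM\Logs\EndpointProtectionAgent.log'),
        [int]$LogTail = 15
    )
    $result = [ordered]@{}

    # 1. The antimalware service should exist and be running.
    $svc = Get-Service -Name 'MsMpSvc' -ErrorAction SilentlyContinue
    $result.ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'Missing' }

    # 2. The engine (MsMpEng) and the tray UI (msseces) processes should be present.
    $result.Processes = @(Get-Process -Name 'MsMpEng', 'msseces' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty ProcessName)

    # 3. Policy-delivered settings land under the Microsoft Antimalware key; listed exclusion
    #    paths show that the custom antimalware policy, not just the product, has been applied.
    $regBase = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware'
    $result.RegistryPresent = Test-Path $regBase
    $result.ExclusionPaths = if (Test-Path "$regBase\Exclusions\Paths") {
        (Get-Item "$regBase\Exclusions\Paths").Property
    } else { @() }

    # 4. Tail the agent log the post uses for monitoring and surface install/policy lines.
    #    Lines are in CMTrace format (<![LOG[...]LOG]!>), so a plain regex match is enough.
    if (Test-Path $LogPath) {
        $result.LogTail = @(Get-Content -Path $LogPath -Tail $LogTail |
            Where-Object { $_ -match 'SCEPInstall|policy|installed|error|failed' })
    } else {
        $result.LogTail = @("Log not found: $LogPath")
    }

    # Overall verdict: service running, engine process present, registry key present.
    $result.Healthy = ($result.ServiceStatus -eq 'Running') -and
                      ($result.Processes -contains 'MsMpEng') -and
                      $result.RegistryPresent
    [pscustomobject]$result
}

Test-ScepClientState | Format-List
```

A client that reports Healthy = False with an empty ExclusionPaths list has usually installed the product but not yet received the custom antimalware policy; re-check after the next machine policy retrieval cycle.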

SCEP now completely installed on client. Let's review the settings that have been configured by policy.

Virus and spyware definitions are shown as up to date.

Quarantined items.

Settings - note they are all greyed out as they are defined by policy. Let's review the individual settings.

Scheduled Scans.

Default Actions.

Real-time protection.

Excluded files and locations.

Excluded file types.

Excluded processes.

Navigate to Monitoring > Endpoint Protection Status > System Center 2012 Endpoint Protection. Choose a collection and see the client count starting to rise.

Right click a client and see the possible console actions.

  1. How can we make FEP2010 notify users like a pop up when the scans are running on client machines?

  2. Unfortunately there is no pop-up. You'll see the Endpoint Protection icon in the notification area. Whenever a scan is in progress, the Endpoint Protection icon in the notification area will also display an animation to let you know that it's scanning your computer. Click the icon to see which type of Forefront Endpoint Protection scan is in progress, how long it’s been running, and how many items have been scanned.

  3. Is there a way to turn off all SEP popups?
    If a machine is running in a prod environment and the prod team doesn't want to see any kind of pop-ups when they are in operation. Not even when a virus is detected. Does anyone have an answer to this?
    They are getting a popup which is asking whether to send a file to the Microsoft team or not.

  4. Gerry, really appreciate your blog! In regards to the above article, SEP is not running on my Primary site and the SEP client device settings are greyed out. Is there a fix for this?
    SCCM 2012 R2 SP1 on Server 2012 R2

    Thx, SkeetsMB