System Center Endpoint Protection Point Role Installation


Author Nawaz and Mamata


Endpoint protection means it’s the anti-malware the machine learning the fuzzy fingerprinting all of that capability plus leveraging the cloud to push more real-time updates and monitor what applications are doing in more real-time so you get better protection of all the threats that are kind of out.

Firstly, let’s go with the overview of System Center Endpoint Protection with ConfigMgr

Endpoint Protection manages antimalware policies and Windows Firewall security for client computers in your Configuration Manager hierarchy. When you use Endpoint Protection with Configuration Manager, you have the following benefits:

  • Configure antimalware policies, Windows Firewall settings, and manage Microsoft Defender Advanced Threat Protection to selected groups of computers
  • Use Configuration Manager software updates to download the latest antimalware definition files to keep client computers up-to-date
  • Send email notifications, use in-console monitoring, and view reports. These actions inform administrative users when malware is detected on client computers

Beginning with Windows 10 and Windows Server 2016 computers, Windows Defender is already installed. For these operating systems, a management client for Windows Defender is installed when the Configuration Manager client installs. On Windows 8.1 and earlier computers, the Endpoint Protection client is installed with the Configuration Manager client.

Windows Defender and the Endpoint Protection client have the following capabilities:

  • Malware and spyware detection and remediation
  • Rootkit detection and remediation
  • Critical vulnerability assessment and automatic definition and engine updates
  • Network vulnerability detection through the Network Inspection System
  • Integration with Cloud Protection Service to report a malware to Microsoft. When you join this service, the Endpoint Protection client or Windows Defender downloads the latest definitions from the Malware Protection Center when unidentified malware is detected on a computer.

In this blog, we will show how to install the Endpoint Protection Point on the Primary server.

The Endpoint Protection point site system role must be installed before you can use Endpoint Protection. It must be installed on one site system server only, and it must be installed at the top of the hierarchy on a central administration site or a stand-alone primary site.

  • In the Configuration Manager console, click Administration.
  • In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles.
  • Right-click on Primary server and click on Add Site System Roles


  • On the General page, specify the general settings for the site system, and then click Next.


  • On the System Role Selection page, select Endpoint Protection point in the list of available roles, and then click Next.


  • On the Endpoint Protection page, select the I accept the Endpoint Protection license terms checkbox, and then click Next.


  • On the Cloud Protection Service page, select the level of information that you want to send to Microsoft to help develop new definitions, and then click Next.


  • Click Next and complete the wizard.

After completion on wizard, the creation of an Endpoint protection point role on-site server is completed successfully.


  • Provides information about the installation of the Endpoint Protection site system role.
  • %Site Server installDrive%\Program Files\Microsoft Configuration Manager\Logs


Endpoint Protection Log File Description Log File Location
EPCtrlMgr.log Records details about the synchronization of malware threat information from the Endpoint Protection role server into the Configuration Manager database. Site system server hosting the role.

%Site Server intallDrive%\Program Files\Microsoft Configuration Manager\Logs

EPMgr.log Records the status of
Endpoint Protection site
Site system server hosting the role.

%Site Server intallDrive%\Program Files\Microsoft Configuration Manager\Logs

In our next blog, we will tell how to setup Software Update Point for and another component of SCEP  (Endpoint Protection point role) so that they are ready to be deployed on Client.

Happy Sharing!

Leave a Comment

Your email address will not be published. Required fields are marked *