Endpoint Protection

Applies to: Configuration Manager (current branch)

Endpoint Protection manages antimalware policies and Windows Firewall security for client computers in your Configuration Manager hierarchy.


You must be licensed to use Endpoint Protection to manage clients in your Configuration Manager hierarchy.

When you use Endpoint Protection with Configuration Manager, you have the following benefits:

  • Configure antimalware policies, Windows Firewall settings, and manage Microsoft Defender Advanced Threat Protection to selected groups of computers
  • Use Configuration Manager software updates to download the latest antimalware definition files to keep client computers up-to-date
  • Send email notifications, use in-console monitoring, and view reports. These actions inform administrative users when malware is detected on client computers.

Beginning with Windows 10 and Windows Server 2016 computers, Windows Defender is already installed. For these operating systems, a management client for Windows Defender is installed when the Configuration Manager client installs. On Windows 8.1 and earlier computers, the Endpoint Protection client is installed with the Configuration Manager client. Windows Defender and the Endpoint Protection client have the following capabilities:

  • Malware and spyware detection and remediation
  • Rootkit detection and remediation
  • Critical vulnerability assessment and automatic definition and engine updates
  • Network vulnerability detection through Network Inspection System
  • Integration with Cloud Protection Service to report malware to Microsoft. When you join this service, the Endpoint Protection client or Windows Defender downloads the latest definitions from the Malware Protection Center when unidentified malware is detected on a computer.


The Endpoint Protection client can be installed on a server that runs Hyper-V and on guest virtual machines with supported operating systems. To prevent excessive CPU usage, Endpoint Protection actions have a built-in randomized delay so that protection services do not run simultaneously.

In addition, you manage Windows Firewall settings with Endpoint Protection in the Configuration Manager console.

Example scenario: Using System Center Endpoint Protection to protect computers from malware Endpoint Protection and the Windows Firewall.

Managing Malware with Endpoint Protection

Endpoint Protection in Configuration Manager allows you to create antimalware policies that contain settings for Endpoint Protection client configurations. Deploy these antimalware policies to client computers. Then monitor compliance in the Endpoint Protection Status node under Security in the Monitoring workspace. Also use Endpoint Protection reports in the Reporting node.

Additional information:

Managing Windows Firewall with Endpoint Protection

Endpoint Protection in Configuration Manager provides basic management of the Windows Firewall on client computers. For each network profile, you can configure the following settings:

  • Enable or disable the Windows Firewall.

  • Block incoming connections, including those in the list of allowed programs.

  • Notify the user when Windows Firewall blocks a new program.


Endpoint Protection supports managing the Windows Firewall only.

For more information, see How to create and deploy Windows Firewall policies for Endpoint Protection.

Microsoft Defender Advanced Threat Protection

Endpoint Protection manages and monitors Microsoft Defender Advanced Threat Protection (ATP), formerly known as Windows Defender ATP. The Microsoft Defender ATP service helps enterprises detect, investigate, and respond to advanced attacks on the corporate network. For more information, see Microsoft Defender Advanced Threat Protection.

Endpoint Protection Workflow

Use the following diagram to help you understand the workflow to implement Endpoint Protection in your Configuration Manager hierarchy.

Endpoint Protection Workflow