This content is part of the Buyer's Guide: Endpoint security tools: A buyer's guide

The various offers of Microsoft System Center Endpoint Protection

Expert Ed Tittel examines System Center Endpoint Protection, Microsoft's native Windows antivirus and antimalware security product.

Microsoft System Center Endpoint Protection (SCEP) is an antivirus/antimalware product for Windows environments that includes a Windows Firewall manager. SCEP (formerly called Forefront) is integrated into System Center, an enterprise system management product comprised of multiple modules that manages a Windows-based enterprise IT environment.

SCEP is dependent on Microsoft System Center Configuration Manager to deploy the SCEP agent to clients and distribute updates. Designed for midsize to enterprise environments, SCEP is not a practical endpoint protection option for small organizations.

The information in this article is based on SCEP 2016.

Feature set

SCEP provides real-time, policy-based protection from malware, spyware and other threats; administrator alerts in potentially dangerous situations; the ability to schedule scans; automatic detection actions; and the ability to configure Windows Firewall settings. The application also provides file cleaning, during which infected files are replaced with clean versions that are downloaded from a Microsoft cloud location.

Beyond that, SCEP diverges from leading endpoint protection products, such as those by Symantec, McAfee, Kaspersky and so on. For example, SCEP does not include data loss prevention, application or device control, full-disk encryption, or native support for mobile devices.

However, System Center Configuration Manager vNext manages some of these features (because they're built into Windows 10 clients), such as the antimalware scan interface, AppLocker, Device Guard and Enterprise Data Protection. Dashboard indicators and preconfigured reports are limited, as well.

Platform coverage

SCEP is part of Windows System Center and natively supports Windows client workstations and servers. Separate security applications are required for Mac and Linux platforms.


In tests conducted on Windows 10 by AV-Test in November and December 2016, SCEP scored 15 out of 18 when evaluated for protection, performance and usability, which was one of the lowest scores of 12 tested systems.

The "Gartner Magic Quadrant for Endpoint Protection Platforms" report, dated January 30, 2017, states that, "Third-party test results show an ongoing improvement in the effectiveness of SCEP, but remain low when compared with industry averages and as reported by Gartner clients."


As mentioned, SCEP depends on System Center Configuration Manager to deploy the SCEP agent to clients and to distribute updates. All administration is performed through the System Center Management Console.

Evidence shows that organizations not already using System Center will be disinclined to adopt SCEP.

Pricing and licensing

Many shops that already have System Center installed select SCEP as their enterprise security product because of its tight integration with System Center and its relatively low licensing costs. In fact, SCEP is included at no additional cost as part of the Microsoft Enterprise Client Access License and Core CAL programs.

To start from scratch, a typical license for the Standard Edition of System Center is about $1,323, and the Datacenter Edition is just over $3,600. Client Management licenses cost about $22 for Endpoint Protection and $62 for Configuration Manager. Visit the Microsoft Volume Licensing -- System Center 2016 webpage for more information.

A fully functioning, 180-day free trial of Microsoft System Center Configuration Manager and Endpoint Protection is available from the Microsoft website.


Standard support for System Center includes the Microsoft TechNet Library, System Center forums, wiki articles, an online trouble ticket system and 24/7 telephone support.

Microsoft Premier Support for enterprises is a paid service that provides priority response times, assessments, training and more.

Next Steps

Check out the other antimalware protection products featured in this series: Kaspersky Endpoint SecurityMcAfee Endpoint Protection SuiteSymantec Endpoint ProtectionTrend Micro OfficeScanTrend Micro Worry-Free Business SecuritySophos Enduser Protection.

Dig Deeper on Network security

Enterprise Desktop
Cloud Computing