SCCM Endpoint Protection Log Files and Locations
Endpoint Protection in SCCM lets you manage anti-malware policies and Windows Firewall security for the client computers in your Configuration Manager hierarchy. It also helps protect those PCs from malware, viruses, spyware, and other potentially harmful software. In this post I cover the SCCM Endpoint Protection log files and their locations.
In an earlier post I covered the steps to install the Endpoint Protection role along with its prerequisites, and in another post I covered the Configuration Manager 1602 Endpoint Protection improvements. SCCM 1602 adds new settings to the Endpoint Protection anti-malware policy for Windows Defender.
When you enable the Endpoint Protection role, you will want to know which log files it writes. Knowing where the SCCM EPP log files are located is just as important, and it helps a lot when troubleshooting Endpoint Protection related issues.
SCCM Endpoint Protection Log Files and Locations
Here is a table that lists the SCCM Endpoint Protection log files and the location of each one. Compared to SCCM 2012 R2, some of the client-side log files have a new location: on Windows 10 the Windows Defender client writes them under C:\ProgramData\Microsoft\Windows Defender, whereas the System Center Endpoint Protection client on earlier Windows versions writes them under C:\ProgramData\Microsoft\Microsoft Antimalware. The site server logs live in the Configuration Manager installation directory, which is C:\Program Files\Microsoft Configuration Manager by default.

| Endpoint Protection Log File | Description | Log File Location |
|---|---|---|
| EPCtrlMgr.log | Records details about the synchronization of malware threat information from the Endpoint Protection role server into the Configuration Manager database. | Site system server hosting the role: C:\Program Files\Microsoft Configuration Manager\Logs |
| EPMgr.log | Records the status of the Endpoint Protection site system role. | Site system server hosting the role: C:\Program Files\Microsoft Configuration Manager\Logs |
| EPSetup.log | Provides information about the installation of the Endpoint Protection site system role. | Site system server hosting the role: C:\Program Files\Microsoft Configuration Manager\Logs |
| EndpointProtectionAgent.log | Records details about the installation of the Endpoint Protection client and the application of anti-malware policy to that client. | Client machine: C:\Windows\CCM\Logs |
| MPLog-XX.log | Records Endpoint Protection (anti-malware engine) activity on the client side. | Client machine: C:\ProgramData\Microsoft\Windows Defender\Support |
| MPDetection-XX.log | Records details about each case of malware detected on the system. | Client machine: C:\ProgramData\Microsoft\Windows Defender\Support |
| NisLog.txt | Records details about the Network Inspection System. | Client machine: C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\Support |
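When troubleshooting you usually want two things from the list above: a quick way to pull the warnings and errors out of EndpointProtectionAgent.log (which is written in the CMTrace format used by all Configuration Manager logs) and a check of which client-side log locations actually exist on the machine in front of you. The following PowerShell is an added example, not code from the original post or from Microsoft. The function names are my own, the sample log entries are constructed for the example, and the fallback folder C:\ProgramData\Microsoft\Microsoft Antimalware\Support is my assumption for the System Center Endpoint Protection client on Windows 8.1 and earlier. Run it elevated, since standard users cannot read the Windows Defender Support folder.

```powershell
# Added example, not part of the original post: parse the CMTrace-format entries that
# EndpointProtectionAgent.log uses, and check which of the client-side log locations
# from the table above exist on this machine. Run it elevated; the Windows Defender
# Support folder is not readable by standard users.

function ConvertFrom-CMTraceLog {
    <#
      Turns CMTrace-style lines, e.g.
      <![LOG[message]LOG]!><time="09:15:02.417+000" date="03-10-2016" component="EndpointProtectionAgent" context="" type="1" thread="2352" file="x.cpp:60">
      into objects. type 1 = Info, 2 = Warning, 3 = Error. Entries whose message spans
      several physical lines are only partially captured by this line-based parser.
    #>
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Line
    )
    begin {
        $pattern  = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<component>[^"]*)"[^>]*?\btype="(?<type>\d)"'
        $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    }
    process {
        foreach ($l in $Line) {
            if ($l -match $pattern) {
                [pscustomobject]@{
                    Date      = $Matches['date']
                    Time      = $Matches['time']
                    Component = $Matches['component']
                    Severity  = $severity[$Matches['type']]
                    Message   = $Matches['msg']
                }
            }
        }
    }
}

function Get-EPClientLogLocation {
    # Client-side paths from the table above. The "Microsoft Antimalware" folder is an
    # assumption for the System Center Endpoint Protection client on Windows 8.1 and earlier.
    $candidates = @(
        "$env:windir\CCM\Logs\EndpointProtectionAgent.log"
        "$env:ProgramData\Microsoft\Windows Defender\Support"
        "$env:ProgramData\Microsoft\Windows Defender\Network Inspection System\Support"
        "$env:ProgramData\Microsoft\Microsoft Antimalware\Support"
    )
    foreach ($p in $candidates) {
        [pscustomobject]@{ Path = $p; Exists = (Test-Path -LiteralPath $p) }
    }
}

function Get-LatestMPDetectionLog {
    # Newest MPDetection-*.log, checking the Windows Defender folder first, then the SCEP one.
    foreach ($dir in "$env:ProgramData\Microsoft\Windows Defender\Support",
                     "$env:ProgramData\Microsoft\Microsoft Antimalware\Support") {
        if (Test-Path -LiteralPath $dir) {
            $newest = Get-ChildItem -LiteralPath $dir -Filter 'MPDetection-*.log' -ErrorAction SilentlyContinue |
                      Sort-Object LastWriteTime -Descending | Select-Object -First 1
            if ($newest) { return $newest }
        }
    }
}

# Constructed sample entries (made up for this example, not captured from a real client).
$sample = @'
<![LOG[Endpoint is triggered by message.]LOG]!><time="09:15:02.417+000" date="03-10-2016" component="EndpointProtectionAgent" context="" type="1" thread="2352" file="fepsettingendpoint.cpp:60">
<![LOG[Apply AM Policy.]LOG]!><time="09:15:02.611+000" date="03-10-2016" component="EndpointProtectionAgent" context="" type="1" thread="2352" file="epagentimpl.cpp:209">
<![LOG[Failed to apply policy, error = 0x80004005]LOG]!><time="09:15:05.110+000" date="03-10-2016" component="EndpointProtectionAgent" context="" type="3" thread="2352" file="epagentutil.cpp:1188">
'@ -split "`r?`n"

# Only warnings and errors from the sample; the same pipeline works on the real file:
#   Get-Content "$env:windir\CCM\Logs\EndpointProtectionAgent.log" | ConvertFrom-CMTraceLog
$sample | ConvertFrom-CMTraceLog | Where-Object Severity -ne 'Info' | Format-Table -AutoSize

Get-EPClientLogLocation | Format-Table -AutoSize
Get-LatestMPDetectionLog | Select-Object FullName, LastWriteTime
```

The parser keys on the type attribute of each CMTrace entry, which is what CMTrace itself uses to colour warnings yellow and errors red, so filtering on Severity gives you the same lines you would otherwise scroll for. On the constructed sample only the "Failed to apply policy" entry survives the filter.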
Additionally, I would add WUAHandler.log, as this is where definition update installations are logged.
Is it possible to send the logs of the client to SCCM? I want the hash value of the threat to be sent to SCCM. Is it customizable?
Does the given log file list remain the same in SCCM 1906 (Version: 5.00.8853.1000)?