SCCM Endpoint Protection Log Files and Locations

In this article, I will list all the SCCM Endpoint Protection log files and their locations. SCCM allows you to manage anti-malware policies and Windows Firewall security for client computers in your Configuration Manager hierarchy.

SCCM Endpoint Protection also helps protect your PC from malware, viruses, spyware, and other potentially harmful software. In this post, I will cover the SCCM EPP log files and their locations.

I covered the procedures for installing the Endpoint Protection role and the necessary prerequisites in one of my posts. In another blog post, I covered Configuration Manager 1602 Endpoint Protection Improvements. SCCM 1602 adds some new settings in the Endpoint Protection anti-malware policy for Windows Defender.

It might be a good idea to learn what the endpoint protection log files are before enabling the endpoint protection role. Most importantly, knowing where the SCCM EPP log files are located is essential and will be very helpful to you when troubleshooting endpoint protection-related problems.

SCCM Endpoint Protection Log Files and Locations

The table below lists all the SCCM Endpoint Protection log files and the location of each one. For a list of all other log files, refer to SCCM log files.

| SCCM Endpoint Protection Log File | Description | Endpoint Protection Log File Location |
| --- | --- | --- |
| EPCtrlMgr.log | Records details about the synchronization of malware threat information from the Endpoint Protection role server into the Configuration Manager database. | Site system server hosting the role. C:\Program Files\Microsoft Configuration Manager\Logs |
| EPMgr.log | Records the status of Endpoint Protection site | Site system server hosting the role. C:\Program Files\Microsoft Configuration Manager\Logs |
| EPSetup.log | Provides information about the installation of the Endpoint Protection site system role. | Site system server hosting the role. C:\Program Files\Microsoft Configuration Manager\Logs |
| EndpointProtectionAgent.log | Records details about the installation of the Endpoint Protection client and the application of anti-malware policy to that client. | Located on client machine. C:\Windows\CCM\Logs |
| MPLog-XX.log | Records Endpoint Protection activity on the client side. | Located on client machine. C:\ProgramData\Microsoft\Windows Defender\Support |
| MPDetection-XX.log | Records details about each case of malware detected on the system. | Located on client machine. C:\ProgramData\Microsoft\Windows Defender\Support |
| NisLog.txt | Records details about the Network Inspection System. | Located on client machine. C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\Support |
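
When troubleshooting, a quick first step is to confirm which of the log files listed above actually exist on the machine and whether they are still being written. The following PowerShell sketch is an added example, not part of the original article; the `*` wildcards standing in for the `XX` suffix, the 7-day staleness threshold and the function name `Get-EpLogInventory` are assumptions.

```powershell
# Added example (not from the original article). Paths and file names are taken
# from the list above; '*' replaces the XX suffix, and the 7-day staleness
# threshold and the function name Get-EpLogInventory are assumptions.
# Run elevated: the Windows Defender Support folders need administrator rights.
$siteLogs = 'C:\Program Files\Microsoft Configuration Manager\Logs'
$defender = 'C:\ProgramData\Microsoft\Windows Defender'
$epLogs = @(
    @{ Scope = 'Site system'; Path = $siteLogs; Pattern = 'EPCtrlMgr.log' }
    @{ Scope = 'Site system'; Path = $siteLogs; Pattern = 'EPMgr.log' }
    @{ Scope = 'Site system'; Path = $siteLogs; Pattern = 'EPSetup.log' }
    @{ Scope = 'Client'; Path = 'C:\Windows\CCM\Logs'; Pattern = 'EndpointProtectionAgent.log' }
    @{ Scope = 'Client'; Path = "$defender\Support"; Pattern = 'MPLog-*.log' }
    @{ Scope = 'Client'; Path = "$defender\Support"; Pattern = 'MPDetection-*.log' }
    @{ Scope = 'Client'; Path = "$defender\Network Inspection System\Support"; Pattern = 'NisLog.txt' }
)

function Get-EpLogInventory {
    param(
        [hashtable[]]$Catalog = $epLogs,
        [int]$StaleDays = 7
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($entry in $Catalog) {
        $files = @()
        if (Test-Path -LiteralPath $entry.Path -PathType Container) {
            $files = @(Get-ChildItem -LiteralPath $entry.Path -Filter $entry.Pattern -File -ErrorAction SilentlyContinue)
            $status = 'NotFound'
        } else {
            $status = 'FolderMissing'
        }
        if ($files.Count -eq 0) {
            # Report the gap instead of silently skipping it
            [pscustomobject]@{ Scope = $entry.Scope; Log = $entry.Pattern; Status = $status; SizeKB = $null; LastWrite = $null }
            continue
        }
        foreach ($f in $files) {
            [pscustomobject]@{
                Scope     = $entry.Scope
                Log       = $f.Name
                Status    = if ($f.LastWriteTime -lt $cutoff) { 'Stale' } else { 'Present' }
                SizeKB    = [math]::Round($f.Length / 1KB, 1)
                LastWrite = $f.LastWriteTime
            }
        }
    }
}

Get-EpLogInventory | Sort-Object Scope, Log | Format-Table -AutoSize
```

On a client machine the three site system rows report `FolderMissing`, which is expected; on the site system server the same applies to any client-side folders that are not present.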

4 Comments

  1. Is it possible to limit how much of these logs get saved on client workstations?

  2. Stephane Bossmann says:

    Additionally, I would add WUAHandler.log as this is where the definition updates installations are being logged.

  3. Khirthana Dinakaran says:

    Is it possible if logs of the client to SCCM? I want the hash value of threat to be sent to SCCM. Is it customizable?

  4. Kedar Raval says:

    Does the given log file list remain the same in SCCM 1906 (Version: 5.00.8853.1000)?