Troubleshooting System Center Endpoint Protection (SCEP) Client

Microsoft System Center Endpoint Protection provides an antimalware and security solution for the Microsoft platform, and it can be integrated with System Center Configuration Manager. I have consolidated the information that is useful for SCEP client-side troubleshooting.

Managing Endpoint Protection client with Command Line Interface – MpCmdRun.exe

MpCmdRun.exe (the Microsoft Antimalware service command-line utility) is a very useful tool for managing the local Endpoint Protection client from the command line. MpCmdRun.exe is located in the C:\Program Files\Microsoft Security Client folder. On Windows 10 machines, MpCmdRun.exe is in the C:\Program Files\Windows Defender folder.

When executed, this command automatically creates a log file named MpCmdRun.log in the C:\Users\<username>\AppData\Local\Temp folder. This log file records the commands that were executed using MpCmdRun.exe.

A few of the most commonly used command lines are listed below. For a complete list of available switches, see the MpCmdRun help output (MpCmdRun.exe /?).

Scan:

Default Scan:   MpCmdRun.exe -Scan

Quick Scan:     MpCmdRun.exe -Scan -ScanType 1

Full System Scan:         MpCmdRun.exe -Scan -ScanType 2

File and Directory Custom Scan:   MpCmdRun.exe -Scan -ScanType 3 -File <path>

Managing Definitions:

Signature Update:        MpCmdRun.exe -SignatureUpdate

Remove Bad Definitions: Sometimes a new definition causes a server, workstation or application to behave abnormally. An application issue after the latest update is quite common in a large and complex environment with thousands of applications. The following commands can help in this kind of situation. You can remove all definitions, or roll back to the previous version, to validate whether your application or OS works correctly once the SCEP definition is removed.

Remove Definitions (roll back to the previous version; SCEP stores up to 3 previous versions of the definition files):

MpCmdRun.exe -RemoveDefinitions

Remove All Definitions: MpCmdRun.exe -RemoveDefinitions -All

Collecting SCEP support logs:

A SCEP client missing the latest definitions is one of the most common issues. To troubleshoot it you would normally have to look through several log files stored in different locations. However, you can use MpCmdRun to gather all support logs in one location:

· Go to "C:\Program Files\Microsoft Security Client\Antimalware" or "C:\Program Files\Windows Defender", depending on the operating system.

· Run the following command:

MpCmdRun.exe -GetFiles

You can then find all the log files in the "C:\ProgramData\Microsoft\Antimalware\Support" or "C:\ProgramData\Windows Defender\Support" folder.
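The two MpCmdRun workflows described above (rolling back a bad definition set, and collecting the support logs) wrapped in a small PowerShell script, added here as an example and not part of the original post. The function names are my own; the MpCmdRun locations and the SCEP Support folder are the ones the post lists, while the Windows Defender Support folder under ProgramData\Microsoft is an assumption. Run it from an elevated prompt.

```powershell
function Get-MpCmdRunPath {
    # The two locations the post lists: the SCEP client and the Windows 10 built-in client.
    $candidates = @(
        "$env:ProgramFiles\Microsoft Security Client\MpCmdRun.exe",
        "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"
    )
    $exe = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $exe) { throw "MpCmdRun.exe not found in any expected folder" }
    return $exe
}

function Invoke-MpCmdRun {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & (Get-MpCmdRunPath) @Arguments 2>&1
    # MpCmdRun signals failure through a non-zero exit code; surface it instead of ignoring it.
    if ($LASTEXITCODE -ne 0) {
        throw "MpCmdRun $($Arguments -join ' ') failed (exit code $LASTEXITCODE): $output"
    }
    return $output
}

function Get-ScepSignatureVersion {
    # Same namespace and class the post queries for definition versions.
    (Get-WmiObject -Namespace root\Microsoft\SecurityClient -Class AntimalwareHealthStatus).AntivirusSignatureVersion
}

function Invoke-ScepDefinitionRollback {
    # Capture the version before and after so the rollback is verified rather than assumed.
    $before = Get-ScepSignatureVersion
    Invoke-MpCmdRun -Arguments @('-RemoveDefinitions') | Out-Null
    $after = Get-ScepSignatureVersion
    [pscustomobject]@{ Before = $before; After = $after; RolledBack = ($before -ne $after) }
}

function Get-ScepSupportLogs {
    # Run -GetFiles, then return what appeared in a Support folder after the run started.
    $started = Get-Date
    Invoke-MpCmdRun -Arguments @('-GetFiles') | Out-Null
    $supportDirs = @(
        "$env:ProgramData\Microsoft\Microsoft Antimalware\Support",  # SCEP path from the post
        "$env:ProgramData\Microsoft\Windows Defender\Support"        # Defender path (assumption)
    )
    $supportDirs | Where-Object { Test-Path -LiteralPath $_ } |
        Get-ChildItem -File | Where-Object { $_.LastWriteTime -ge $started }
}

# Usage, from an elevated PowerShell prompt:
#   Invoke-ScepDefinitionRollback
#   Get-ScepSupportLogs | Select-Object FullName, Length, LastWriteTime
```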

Endpoint Protection Log Files

EndpointProtectionAgent.log:  This log records details about the installation of the Endpoint Protection client.

C:\ProgramData\Microsoft\Microsoft Antimalware\Support: This folder contains a number of log files that provide more information about SCEP definition updates and SCEP functionality. The log files are:

· MpCacheStats.log

· MpDetection.log

· MpLog.log

Troubleshooting Windows Defender or Endpoint Protection client

The Microsoft articles below should be useful when troubleshooting Windows Defender / Endpoint Protection clients.

· Troubleshooting Endpoint Protection Client

· How to Troubleshoot Definition update issue for Windows Defender

SCEP Basic Troubleshooting: WMI Namespace and Classes for System Center Endpoint Protection

Before we move on to troubleshooting tips and tricks, let's look at the WMI namespace and classes for SCEP. The WMI namespace for SCEP is root\Microsoft\SecurityClient, and it contains the following classes. The Configuration Manager client agent monitors these classes for changes, and a state message is sent when a change is detected.

AntiMalwareHealthStatus

As the name suggests, this WMI class represents the Microsoft Antimalware service status. You can use the PowerShell command below to list all properties of this class.

Get-WmiObject -Namespace root\Microsoft\SecurityClient -class AntimalwareHealthStatus

__GENUS : 2
__CLASS : AntimalwareHealthStatus
__SUPERCLASS : ProtectionTechnologyStatus
__DYNASTY : SerializableToXml
__RELPATH : AntimalwareHealthStatus=@
__PROPERTY_COUNT : 31
__DERIVATION : {ProtectionTechnologyStatus, SerializableToXml}
__SERVER : DESKTOP01
__NAMESPACE : root\Microsoft\SecurityClient
__PATH : \DESKTOP01\root\Microsoft\SecurityClient:AntimalwareHealthStatus=@
AntispywareEnabled : True
AntispywareSignatureAge : 0
AntispywareSignatureUpdateDateTime : 2018-12-09T14:58:32.000Z
AntispywareSignatureVersion : 1.283.218.0
AntivirusEnabled : True
AntivirusSignatureAge : 0
AntivirusSignatureUpdateDateTime : 2018-12-09T14:58:32.000Z
AntivirusSignatureVersion : 1.283.218.0
BehaviorMonitorEnabled : True
Enabled : True
EngineVersion : 1.1.15500.2
IoavProtectionEnabled : True
LastFullScanAge : 4294967295
LastFullScanDateTimeEnd :
LastFullScanDateTimeStart :
LastFullScanSource : 0
LastQuickScanAge : 4294967295
LastQuickScanDateTimeEnd :
LastQuickScanDateTimeStart :
LastQuickScanSource : 0
Name : Antimalware
NisEnabled : True
NisEngineVersion : 1.1.15500.2
NisSignatureVersion : 1.283.218.0
OnAccessProtectionEnabled : True
ProductStatus : 524288
RealTimeScanDirection : 0
RtpEnabled : True
SchemaVersion : 1.0.0.1
Version : 4.18.1810.5
PSComputerName : DESKTOP01

AntiMalwareDetectionStatus

This class represents a single detection. You can use the PowerShell command below to list all properties of this class.

Get-WmiObject -Namespace root\Microsoft\SecurityClient -class AntiMalwareDetectionStatus

AntiMalwareInfectionStatus

This class represents the Microsoft Antimalware service infection status. The output below was produced with the same Get-WmiObject pattern as above, using the AntiMalwareInfectionStatus class.

__GENUS : 2
__CLASS : AntimalwareInfectionStatus
__SUPERCLASS : SerializableToXml
__DYNASTY : SerializableToXml
__RELPATH : AntimalwareInfectionStatus=@
__PROPERTY_COUNT : 10
__DERIVATION : {SerializableToXml}
__SERVER : DESKTOP01
__NAMESPACE : root\Microsoft\SecurityClient
__PATH : \DESKTOP01\root\Microsoft\SecurityClient:AntimalwareInfectionStatus=@
ComputerStatus : 1
CriticallyFailedDetections : {}
PendingActionDetections : {}
PendingFullScan : False
PendingManualSteps : False
PendingOfflineScan : False
PendingReboot : False
RecentlyCleanedDetections : {}
SchemaVersion : 1.0.0.0
PSComputerName : DESKTOP01

Check SCEP Definitions version on client

Get-WmiObject -ComputerName Desktop01 -Query "select * from AntiMalwareHealthStatus" -Namespace "root\Microsoft\SecurityClient" | Select-Object PSComputerName,Version,AntivirusSignatureVersion,AntivirusSignatureUpdateDateTime,AntivirusEnabled | Format-List
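The query above extended into a small fleet health check, added here as an example and not part of the original post: it reads AntimalwareHealthStatus from each listed machine and flags disabled protection, stale signatures and scans that never ran. The function name, the computer names and the assumption that the *SignatureAge properties count days are mine; the namespace, class and property names are the ones shown in the output above.

```powershell
function Get-ScepHealthReport {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$MaxSignatureAgeDays = 7   # assumption: the *SignatureAge properties count days
    )
    # The output above shows 4294967295 (0xFFFFFFFF) next to empty scan dates: the class uses
    # that sentinel when a scan of that type has never run, so report "never", not an age.
    $never = [uint32]::MaxValue
    foreach ($pc in $ComputerName) {
        $row = [ordered]@{
            Computer = $pc; ClientVersion = $null; EngineVersion = $null
            SignatureVersion = $null; SignatureUpdated = $null; LastQuickScan = $null
            Problems = $null; Error = $null
        }
        try {
            $h = Get-WmiObject -ComputerName $pc -Namespace root\Microsoft\SecurityClient `
                -Class AntimalwareHealthStatus -ErrorAction Stop
            $problems = @()
            if (-not $h.Enabled)                   { $problems += 'antimalware service disabled' }
            if (-not $h.RtpEnabled)                { $problems += 'real-time protection off' }
            if (-not $h.OnAccessProtectionEnabled) { $problems += 'on-access protection off' }
            if ($h.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
                $problems += "AV signatures $($h.AntivirusSignatureAge) days old"
            }
            $row.ClientVersion    = $h.Version
            $row.EngineVersion    = $h.EngineVersion
            $row.SignatureVersion = $h.AntivirusSignatureVersion
            $row.SignatureUpdated = $h.AntivirusSignatureUpdateDateTime
            $row.LastQuickScan    = if ($h.LastQuickScanAge -eq $never) { 'never' }
                                    else { "$($h.LastQuickScanAge) days ago" }
            $row.Problems         = if ($problems) { $problems -join '; ' } else { 'none' }
        } catch {
            # Unreachable hosts or WMI access denied are reported, not silently dropped.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Usage: Get-ScepHealthReport -ComputerName 'DESKTOP01', 'DESKTOP02' | Format-Table -AutoSize
```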

Force State Message for SCEP on SCCM Client

You may have a scenario where everything looks good at the client end for SCEP and SCCM, yet the latest definition status is not being reported to SCCM. You can try the PowerShell script below to force the status message to be sent. Warning: the script removes the matching CCM_StateMsg WMI instances and restarts the WMI service, which forces them to be re-created and the state message to be refreshed. Try it on individual machines or in a test environment only; never use it as a mass fix across multiple machines, as that may create other issues. Test it in your test environment before running it in production.

$Computer = "MyTestPC"
Get-WmiObject -ComputerName $Computer -Namespace root\ccm\StateMsg -Class CCM_StateMsg -Filter "TopicType='1901'" | Remove-WmiObject
Get-Service -ComputerName $Computer -Name winmgmt | Restart-Service -Force
