A recent forum question was raised about whether or not System Center Endpoint Protection (SCEP) CALs were needed to manage Windows Defender in Windows 10 using System Center Configuration Manager (ConfigMgr). I wasn’t sure so posed the question to the product group.
First, a bit of foundational information is in order. As you may know, The Endpoint Protection component of ConfigMgr does not install SCEP onto Windows 10 systems. Instead, it simply installs a management layer on Windows 10 systems so that it can manage the built-in Windows Defender agent. It can do this because the Defender agent is nearly identical to the SCEP agent (which in turn is nearly identical to the free Security Essentials agent). Also note that to manage Windows Defender on Windows 10 systems, you must still deploy a client agent settings package to these systems that enables Manage Endpoint Protection client on client computers and Install Endpoint Protection client on client computers. Additionally, you need to deploy Defender definitions using Software Updates as described at Quick Tip: Windows Defender clients on Windows 10 fail to get software updates from Configuration Manager.
So, ultimately the answer is that yes, you still need a SCEP CAL (in addition to the ConfigMgr CAL) to manage Windows Defender on Windows 10 systems. This isn’t because you paying for Windows Defender again (which is already included in Windows 10 and has essentially always been a free product) but instead are paying for the management layer of Windows Defender in ConfigMgr that I mentioned earlier.
Most Microsoft licensing models including the Core CAL and Enterprise CAL include both CAL types so this should hopefully be a moot point for most organizations.