Based on the TechNet article (https://technet.microsoft.com/en-us/library/hh508770.aspx), you do not need the SCEP client installed on Windows 10 machines in order to manage anti-malware policies. However, the behavior I have seen is quite different.
Windows 10 Client A:
SCEP is not installed.
Can confirm that the policy is applied from the reg key HKLM\software\microsoft\ccm\epagent\generatedpolicy.
SCCM console under Client Summary -> Endpoint Protection Deployment Information -> Deployment State: "To be Installed" instead of "Managed".
On the client under Security -> Windows Defender, I have the ability to add an exclusion.
The Defender console doesn't have any policy name.
Windows 10 Client B:
SCEP client is installed
All policies applied.
Deployment State under Client Summary is "Managed".
The Defender GUI has policy names listed.
Based on the above testing, I believe that we do need SCEP clients on Windows 10 devices in order to manage Windows Defender, and the SCEP client will work as a bridge between Defender and SCCM.
Has anyone had this issue? Or am I missing something here? There is not much explanation from Microsoft regarding managing Windows 10 clients.
Any help would be appreciated.
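The post compares three client-side observations by hand: whether the SCEP client is present, whether the EPAgent GeneratedPolicy key the poster names exists, and whether Defender exposes the exclusions that a managed policy would lock. The script below is an added example, not code from the original post or from Microsoft; it collects those same observations in one object so the two client states can be diffed. The only key taken from the post is HKLM\SOFTWARE\Microsoft\CCM\EPAgent\GeneratedPolicy; the SCEP indicator keys (Microsoft Security Client, Microsoft Antimalware), the service names (MsMpSvc for the SCEP antimalware service, WinDefend for built-in Defender) and the use of Get-MpPreference are assumptions, so verify them against one known-good "Managed" client before relying on the result.

```powershell
# Added example (not from the original post). Collects the client-side facts the
# post compares on Client A and Client B. Run in an elevated PowerShell session.
function Get-EpManagementState {
    [CmdletBinding()]
    param()

    # Key named in the post: the SCCM EPAgent writes the generated policy here.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\CCM\EPAgent\GeneratedPolicy'

    # Assumed indicators of an installed SCEP client (not stated in the post).
    $scepKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Microsoft Security Client',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware'
    )

    $policyPresent = Test-Path -Path $policyKey
    $policyNames   = @()
    if ($policyPresent) {
        # Subkey names are whatever the EPAgent generated; shown for diffing only.
        $policyNames = @(Get-ChildItem -Path $policyKey -ErrorAction SilentlyContinue |
            ForEach-Object { $_.PSChildName })
    }

    $scepInstalled = (@($scepKeys | Where-Object { Test-Path -Path $_ })).Count -gt 0

    # Assumed service names: MsMpSvc (SCEP / Microsoft Antimalware), WinDefend (Defender).
    $services = Get-Service -Name MsMpSvc, WinDefend -ErrorAction SilentlyContinue |
        Select-Object -Property Name, Status

    # Get-MpPreference is the Defender cmdlet; it throws if the Defender service is down.
    try {
        $exclusions = (Get-MpPreference -ErrorAction Stop).ExclusionPath
    } catch {
        $exclusions = "unavailable: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        ScepClientInstalled   = $scepInstalled
        EpAgentPolicyPresent  = $policyPresent
        GeneratedPolicyNames  = $policyNames
        AntimalwareServices   = $services
        DefenderExclusionPath = $exclusions
    }
}

# Usage: run on both clients and compare the two outputs side by side.
Get-EpManagementState | Format-List
```

On a client that matches the post's "Client A" pattern you would expect EpAgentPolicyPresent to be True while ScepClientInstalled is False; whether DefenderExclusionPath is editable in the GUI is still a manual check, since the cmdlet reports the value but not whether the policy has locked it.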