One of the biggest challenges for AV administrators is ensuring that every Windows PC or server on your network has anti-malware solution installed and running. For whatever reason, it's inevitable that someone will stick an unprotected PC on your network. Finding those PCs and remediating the issue quickly is vital.
The built-in SCEP reports will do a good job of maintaining awareness for the collections to which SCEP has been deployed; but unless you've elected to deploy SCEP to the All Systems collection, maintaining awareness for your SCCM environment as a whole is another matter. This recipe will first show you how to create a collection with a query that lists all of the PCs that have SCEP installed, and then show you how to build a second collection that shows you the PCs that are not in the first collection. This will tell you which systems do not have SCEP installed; this is sometimes referred to as creating a "does not" collection...