
Configuration Manager 2012 – Installing Endpoint Protection During A Task Sequence


This post is based on a post by Jason Githens over on TechNet; you can find his original post here. I have gone through his post and written the instructions below to help you implement his solution. The purpose of the solution is to install the Endpoint Protection client as part of the Task Sequence. It also installs the latest definitions, so the EP agent is up to date at the end of deployment instead of waiting for the definitions to come down through the normal update process.

Client Agent Settings

The Default Client Agent Settings must be enabled to manage the Endpoint Protection client. The settings for installing the Endpoint Protection client can be enabled or disabled. If the client gets a policy to install the EP client, and the client is already installed, then it will simply start managing the existing EP client.


Optional Settings:


Definitions Update Source

The definition updates for Endpoint Protection can be installed using Package/Program in the Task Sequence. This allows the Endpoint Protection client to have the latest definitions at installation time instead of waiting for the definition updates to be delivered through Software Updates or by downloading from an alternate source location.

Endpoint Protection Definition Script

Create your package source folders on the ConfigMgr server.





Place the EP_Definitions.vbs (download here) in the root of the EP_Definitions folder.


Modify the EP_Definitions.vbs to match the location of your package source.

strMSEx86Location = "D:\Packages\Apps\Microsoft\EP_Definitions\Updates\x86\mpam-fe.exe"

strNISX86Location = "D:\Packages\Apps\Microsoft\EP_Definitions\Updates\x86\nis_full.exe"

strMSEx64Location = "D:\Packages\Apps\Microsoft\EP_Definitions\Updates\x64\mpam-fe.exe"

strNISX64Location = "D:\Packages\Apps\Microsoft\EP_Definitions\Updates\x64\nis_full.exe"

Run the script to verify functionality. You should end up with the latest definitions in each x86/x64 folder.



Definitions Update Scheduled Task

To automate the download of the latest definitions into the package source, run the script from a scheduled task on the ConfigMgr server. Later you will create a package and schedule its content to be updated automatically, so it picks up the definitions this script has downloaded. It is not recommended to schedule the script more than once a day, since that would also require scheduling the package to update the Distribution Points more than once a day. This is unnecessary, because your Endpoint Protection clients will pick up newer definitions automatically through the standard definition update process.

Open up the Task Scheduler, expand to Microsoft – Configuration Manager.

Select Create Basic Task.

Name: Download Endpoint Protection Definitions

Description: This task downloads the latest Endpoint Protection definitions for use with OSD.

Trigger: Daily

Action: Start a Program

Program/Script: D:\Packages\Apps\Microsoft\EP_Definitions\ep_definitions.vbs

After creation of the task, open up the properties of the task and change the Security Options to allow the task to run whether or not a user is logged in.
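As an added example (not the EP_Definitions.vbs from the post, nor Jason Githens' script), the same download job written in PowerShell for the script and scheduled-task sections above, with the check a defender wants before files land in a package source that every newly built machine will execute: each download is verified as validly signed by Microsoft, and a failed or unchanged download never replaces the file already in place. It assumes PowerShell 4.0 or later on the ConfigMgr server; the download URLs are placeholders and must be replaced with the ones your EP_Definitions.vbs uses.

```powershell
# Package source layout follows the post (Updates\x86 and Updates\x64).
$PackageRoot = 'D:\Packages\Apps\Microsoft\EP_Definitions\Updates'
# Placeholder URLs (assumption): take the real ones from EP_Definitions.vbs.
$Sources = @(
    @{ Arch = 'x86'; File = 'mpam-fe.exe';  Url = 'https://PLACEHOLDER/x86/mpam-fe.exe' },
    @{ Arch = 'x86'; File = 'nis_full.exe'; Url = 'https://PLACEHOLDER/x86/nis_full.exe' },
    @{ Arch = 'x64'; File = 'mpam-fe.exe';  Url = 'https://PLACEHOLDER/x64/mpam-fe.exe' },
    @{ Arch = 'x64'; File = 'nis_full.exe'; Url = 'https://PLACEHOLDER/x64/nis_full.exe' }
)

function Update-EpDefinitionFile {
    param([string]$Url, [string]$Destination)
    $tmp = "$Destination.download"
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        # Refuse anything that does not carry a valid Microsoft Authenticode signature.
        $sig = Get-AuthenticodeSignature -FilePath $tmp
        if ($sig.Status -ne 'Valid' -or
            $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            throw "Signature check failed for $Url (status: $($sig.Status))"
        }
        # Leave the existing file alone when nothing changed, so the scheduled
        # Distribution Point update has nothing new to push.
        if ((Test-Path $Destination) -and
            (Get-FileHash $tmp).Hash -eq (Get-FileHash $Destination).Hash) {
            Remove-Item $tmp
            return 'unchanged'
        }
        Move-Item -Path $tmp -Destination $Destination -Force
        return 'updated'
    } catch {
        if (Test-Path $tmp) { Remove-Item $tmp }
        Write-Error $_
        return 'failed'
    }
}

$results = foreach ($s in $Sources) {
    $dest  = Join-Path (Join-Path $PackageRoot $s.Arch) $s.File
    $state = Update-EpDefinitionFile -Url $s.Url -Destination $dest
    # File version of the definition package, handy for confirming the DP content later.
    $ver = if (Test-Path $dest) { (Get-Item $dest).VersionInfo.FileVersion } else { 'n/a' }
    [pscustomobject]@{ Arch = $s.Arch; File = $s.File; State = $state; Version = $ver }
}
$results | Format-Table -AutoSize
# A non-zero exit code makes the failure visible in the scheduled task history.
if ($results.State -contains 'failed') { exit 1 }
```

Point the scheduled task's action at powershell.exe with the script path as the argument instead of the .vbs if you use this version.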


Definition Packages

We need to create a ConfigMgr Package for the definitions. The programs associated with this Package will be used in the Task Sequence to install the definitions into the Endpoint Protection client.

Create a new Package under Software Library – Application Manager – Packages.


Then you will need to create a Standard Program.


Create 3 additional programs for the other definition updates. For each program, be sure to select Whether or not a user is logged on under Program can run. When completed, you should have 4 programs.


On the properties of the Endpoint Protection Definitions package you created, set the package to update the Distribution Points on a schedule. This schedule should coincide with your Scheduled Task.


Endpoint Protection Client Package

Create a folder to contain the Endpoint Protection client installation files. This folder will also contain the EPAMPolicy2.xml that you downloaded from here. Copy the SCEPInstall.exe from the ConfigMgr client source files (\\server\sms_xxx\client).

You will need to create a SCEPInstall.bat file with the following commands:

scepinstall.exe /s /q /NoSigsUpdateAtInitialExp /policy %~dp0EPAMPolicy2.xml

Your source folder should now look like this.


Create a Package and Standard Program.


Task Sequence Configuration

In order for the Endpoint Protection client to install during the Task Sequence, the packages previously created need to be added to the Task Sequence. These steps need to be after the Setup Windows and ConfigMgr step, so that it takes place in the full Operating System instead of WinPE.

For all the packages to be used by the Task Sequence, ensure the Allow this program to be installed from the Install Packages Task Sequence without being deployed box is checked.


In your Task Sequence, create a group called Install Endpoint Protection.


A good place for this in an MDT-integrated Task Sequence is at the beginning of the State Restore phase. You can place it anywhere in the State Restore phase; however, running it as soon as the machine is in the full OS instead of WinPE provides the best security, since the client is protected for the rest of the deployment.


Add the Endpoint Protection client package and select the installation program. Next add each of the definition programs and select the appropriate architecture for your Task Sequence. If you are deploying a 64-bit Operating System then use the 64-bit definition programs. If you are deploying a 32-bit Operating System, then use the 32-bit definition programs.


IMPORTANT: The order for the installation packages should be Endpoint Protection Client, Definitions (mpam-fe), then NIS definition (nis_full).

  • Hi Chris. Given you run a wsync job each day to automatically update the FEP definitions anyway, couldn’t we use the downloaded files rather than needing to run a scheduled task? Question is how to identify where the definition files are located in the Content library and then copy over to the package

    Ian Burnell

    October 22, 2012

  • It’s much easier to directly download the definitions, plus this gives you a dedicated package source. Otherwise, technically yes, the definitions are part of the SUP sync, but you would still have to go out and download the files (unless you have an ADR), then attempt to find them in the Deployment Package, then copy them to another folder. The point of doing the definitions this way is that we can directly install them without having to do a full update scan on the client during OSD. The scheduled task just goes out and directly downloads the files, much simpler.

    Hope that helps.


    October 22, 2012

  • […] colleague Chris Nackers posted an example for how to install Endpoint Protection during OS Deployment, which included a […]

  • So If I download the updates directly with the provided script, should I disable them on my WSUS server? That way they are not being double downloaded and using up space and bandwidth? Thanks


    January 30, 2013

  • No, the idea behind this is so it’s immediately up to date as part of the OSD process, instead of waiting several hours for the definitions to come down. You still want them coming down through ConfigMgr to update them on a regular basis. Unless you have configured Endpoint to communicate directly with Microsoft for definition updates.


    January 30, 2013

  • Thanks. I appreciate the time.


    January 30, 2013

  • Can you post the text to the script? I can download it behind my firewall.


    July 25, 2013

  • There is an XML in the download you need as well.


    July 25, 2013

  • This is not working. Setup, task scheduler, downloading, updating distribution, configuring task steps, installing client, installing malware (mpam-fe.exe) are all working. The NIS Definitions step is failing for me. 0x80004005. It even gives an error in Windows when running the nis_full.exe manually after manually installing from within Windows following the task step, but not using task sequence. Event log has 2 errors in it even doing it manually like that.

    I have a thread on TechNet Forums, trying to get it resolved:

    Chase Roth

    May 30, 2014

  • Not sure what isn’t working for you. I’ve had many people use the instructions here without issues. According to your TechNet post you made a few modifications, so not sure I can be of help; the instructions provided here were proven to work. I haven’t set this up in quite some time myself.


    June 19, 2014

  • I had some problems with the client install with 2012 R2, it was really touchy as to how it referenced the xml file. This little wrapper script helped us. Thanks!

    pushd %~dp0
    copy EPAMPolicy2.xml c:\EPAMPolicy2.xml
    scepinstall.exe /s /q /NoSigsUpdateAtInitialExp /policy c:\EPAMPolicy2.xml
    del c:\EPAMPolicy2.xml

    Fred Bainbridge

    August 15, 2014

  • I left this same question on the coretech blog, but it’s been even longer since someone posted there.
    If this thread is still alive.
    When my update steps run in the sequence they fail with multiple reasons, which I get for both 32-bit and 64-bit sequences for multiple OSs, 7 and 8 mostly. I have had the error of mpam-fe.exe / nis_full.exe is not a valid Win32 application. I’ve also gotten “catastrophic failure” and “unspecified error”. The only thing I haven’t gotten is a successful update. My package and program are set up step by step from this page; obviously I changed all the appropriate information to my environment.
    Also, there is the mpam-d.exe, which I don’t have in the sequence. Should I be attempting to deploy that one as well, and if so, in what order?

    Derrik T Jones

    August 28, 2015

  • Hey Derrik,

    I haven’t used this method in a while; it’s quite possible some things have changed with SP1 and various CUs and it might not work anymore.


    December 15, 2015
