
Configuration Manager 2012 – Installing Endpoint Protection During A Task Sequence


This post is based on a post by Jason Githens over on TechNet; you can find his original post here. I have gone through his post and written the instructions below to help you implement his solution. The purpose of the solution is to install the Endpoint Protection client as part of the Task Sequence and to install the latest definitions at the same time, so the EP agent is up to date as soon as the build finishes instead of having to wait for the definitions to come down through the normal update process.

Client Agent Settings

The Default Client Agent Settings must be enabled to manage the Endpoint Protection client. The settings for installing the Endpoint Protection client can be enabled or disabled. If the client gets a policy to install the EP client, and the client is already installed, then it will simply start managing the existing EP client.


Optional Settings:


Definitions Update Source

The definition updates for Endpoint Protection can be installed using a Package/Program step in the Task Sequence. This allows the Endpoint Protection client to have the latest definitions at installation time instead of waiting for the definition updates to be delivered through Software Updates or downloaded from an alternate source location.

Endpoint Protection Definition Script

Create your package source folders on the ConfigMgr server.

Example:

D:\Packages\Apps\Microsoft\EP_Definitions

D:\Packages\Apps\Microsoft\EP_Definitions\Updates\x86

D:\Packages\Apps\Microsoft\EP_Definitions\Updates\x64

Place the EP_Definitions.vbs (download here) in the root of the EP_Definitions folder.


Modify the EP_Definitions.vbs so the following four paths match the location of your package source:

strMSEx86Location = "D:\Packages\Apps\Microsoft\EP_Definitions\Updates\x86\mpam-fe.exe"
strNISX86Location = "D:\Packages\Apps\Microsoft\EP_Definitions\Updates\x86\nis_full.exe"
strMSEx64Location = "D:\Packages\Apps\Microsoft\EP_Definitions\Updates\x64\mpam-fe.exe"
strNISX64Location = "D:\Packages\Apps\Microsoft\EP_Definitions\Updates\x64\nis_full.exe"

Run the script to verify functionality. You should end up with the latest definitions in each x86/x64 folder.
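Beyond eyeballing the folders, it is worth checking that the files the script produced are the ones you expect before ConfigMgr pushes them to every Distribution Point and every machine you build. The following PowerShell check is an added example, not part of the original post or of the EP_Definitions.vbs download: it confirms that mpam-fe.exe and nis_full.exe exist in both architecture folders, that they are recent (a stale file usually means the download has been failing silently), and that each carries a valid Authenticode signature from Microsoft. The package root and the two-day threshold are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): sanity-check the definition files that
# EP_Definitions.vbs downloaded into the package source before they are distributed.
# Assumptions: $PackageRoot matches the Updates folder from the post, and $MaxAgeDays
# is how old a definition file may be before it is treated as a failed download.
param(
    [string]$PackageRoot = 'D:\Packages\Apps\Microsoft\EP_Definitions\Updates',
    [int]$MaxAgeDays = 2
)

$expectedFiles = @('mpam-fe.exe', 'nis_full.exe')
$problems = @()

foreach ($arch in 'x86', 'x64') {
    foreach ($name in $expectedFiles) {
        $path = Join-Path (Join-Path $PackageRoot $arch) $name

        if (-not (Test-Path -LiteralPath $path)) {
            $problems += "$path is missing"
            continue
        }

        $file = Get-Item -LiteralPath $path

        # A file older than the threshold means the scheduled download has not been
        # refreshing it, so the package would ship out-of-date definitions.
        $ageDays = [int]((Get-Date) - $file.LastWriteTime).TotalDays
        if ($ageDays -gt $MaxAgeDays) {
            $problems += "$path is $ageDays days old"
        }

        # Definition installers are Authenticode-signed by Microsoft. Refuse to ship a
        # binary whose signature is missing, broken or from someone else.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid' -or
            $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $problems += "$path signature status: $($sig.Status)"
        }
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

Write-Output 'All definition files are present, recent and signed by Microsoft.'
exit 0
```

Run it once by hand after the first successful download; it can also be run from the same scheduled task after EP_Definitions.vbs so that a failed or tampered download shows up as a failed task run rather than as a quietly stale package.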


Definitions Update Scheduled Task

In order to automate the download of the latest definitions for our package source, we need a scheduled task on the ConfigMgr server that runs the download script. Later you will create a package and schedule its content to be updated automatically so it picks up the latest definitions downloaded by this script. It is not recommended to schedule this script to run more than once a day, since that would also require you to schedule the package to update the Distribution Points more than once a day. This is unnecessary because your Endpoint Protection clients will pick up definitions automatically through the standard definition update process.

Open up the Task Scheduler, expand to Microsoft – Configuration Manager.

Select Create Basic Task.

Name: Download Endpoint Protection Definitions

Description: This task downloads the latest Endpoint Protection definitions for use with OSD.

Trigger: Daily

Action: Start a Program

Program/Script: D:\Packages\Apps\Microsoft\EP_Definitions\ep_definitions.vbs

After creation of the task, open up the properties of the task and change the Security Options to allow the task to run whether or not a user is logged in.
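The same task can be registered from PowerShell on Windows Server 2012 or later, which keeps the settings above (daily trigger, run whether or not a user is logged on) in a script you can review and re-run. This is an added example, not part of the original post; the 03:00 run time, the one-hour execution limit and running the task as SYSTEM are assumptions. It calls the script through cscript.exe explicitly so the task does not depend on the .vbs file association.

```powershell
# Added example (not from the original post): register the daily download task with the
# ScheduledTasks module instead of clicking through Create Basic Task.
# Assumptions: the script path below, a 03:00 start time, and SYSTEM as the run-as account.
$scriptPath = 'D:\Packages\Apps\Microsoft\EP_Definitions\EP_Definitions.vbs'

# Run the script through cscript.exe explicitly (no dependency on the .vbs file
# association); //B suppresses any interactive prompt that would hang an unattended run.
$action = New-ScheduledTaskAction `
    -Execute "$env:windir\System32\cscript.exe" `
    -Argument "//Nologo //B `"$scriptPath`"" `
    -WorkingDirectory (Split-Path -Parent $scriptPath)

# Once a day, as the post recommends; more often would also mean refreshing the
# Distribution Points more than once a day.
$trigger = New-ScheduledTaskTrigger -Daily -At '03:00'

# SYSTEM runs whether or not anyone is logged on, which is the Security Options change
# the post has you make after creating the task through the wizard.
$principal = New-ScheduledTaskPrincipal `
    -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Kill a hung download after an hour and catch up if the server was off at 03:00.
$settings = New-ScheduledTaskSettingsSet `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable

Register-ScheduledTask `
    -TaskName 'Download Endpoint Protection Definitions' `
    -TaskPath '\Microsoft\Configuration Manager\' `
    -Description 'This task downloads the latest Endpoint Protection definitions for use with OSD.' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings
```

If the site server reaches the internet only through an authenticating proxy, SYSTEM may have no outbound access; in that case create a dedicated low-privilege account for the task, grant it write access to the EP_Definitions folder only, and register the task with that account instead of SYSTEM.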


Definition Packages

We need to create a ConfigMgr Package for the definitions. The programs associated with this Package will be used in the Task Sequence to install the definitions into the Endpoint Protection client.

Create a new Package under Software Library – Application Manager – Packages.


Then you will need to create a Standard Program.


Create 3 additional programs for the other definition updates, and be sure to select Whether or not a user is logged on for Program can run. When completed, you should have 4 programs.


On the properties of the Endpoint Protection Definitions package you created, set the package to update the Distribution Points on a schedule. This schedule should coincide with your Scheduled Task.


Endpoint Protection Client Package

Create a folder to contain the Endpoint Protection client installation files. This folder will also contain the EPAMPolicy2.xml that you downloaded from here. Copy SCEPInstall.exe from the ConfigMgr client source files (\\server\sms_xxx\client).

You will need to create a SCEPInstall.bat file with the following commands:

scepinstall.exe /s /q /NoSigsUpdateAtInitialExp /policy %~dp0EPAMPolicy2.xml

Your source folder should now look like this.
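The one-line batch file works, but when it fails the Task Sequence carries on to the definition steps with no client to update. The following PowerShell wrapper is an added example, not part of the original post or of Microsoft's installer: it runs the same scepinstall.exe command line with the same switches, verifies the installer and policy file are present, quotes the policy path, writes a log next to the ConfigMgr client logs, and returns a non-zero exit code so the step fails visibly. The log file name and the assumption that %windir%\CCM\Logs already exists (it does once Setup Windows and ConfigMgr has run) are mine; if you use it, place the .ps1 in this same source folder and run it with powershell.exe -NoProfile -ExecutionPolicy Bypass -File.

```powershell
# Added example (not from the original post): a wrapper around the post's SCEPInstall.bat
# command line that fails the Task Sequence step loudly instead of silently.
# Assumptions: the log file name below, and that %windir%\CCM\Logs exists at this point
# in the Task Sequence (after Setup Windows and ConfigMgr).
$ErrorActionPreference = 'Stop'

$here      = Split-Path -Parent $MyInvocation.MyCommand.Path   # equivalent of %~dp0
$installer = Join-Path $here 'scepinstall.exe'
$policy    = Join-Path $here 'EPAMPolicy2.xml'
$logFile   = Join-Path $env:windir 'CCM\Logs\SCEPInstall-OSD.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" |
        Out-File -FilePath $logFile -Append -Encoding ascii
}

foreach ($required in $installer, $policy) {
    if (-not (Test-Path -LiteralPath $required)) {
        Write-Log "Required file missing: $required"
        exit 2
    }
}

# Same switches as the post's SCEPInstall.bat. The policy path is quoted so a package
# source path containing spaces does not split the /policy argument.
$switches = @('/s', '/q', '/NoSigsUpdateAtInitialExp', '/policy', "`"$policy`"")
Write-Log "Running: $installer $($switches -join ' ')"
$proc = Start-Process -FilePath $installer -ArgumentList $switches -Wait -PassThru -NoNewWindow
Write-Log "scepinstall.exe returned exit code $($proc.ExitCode)"

if ($proc.ExitCode -ne 0) {
    # Pass the installer's own code back so the Task Sequence step reports it.
    exit $proc.ExitCode
}

# Confirm the antimalware service (MsMpSvc for SCEP 2012) is really there before the
# definition steps try to update a client that did not install.
$service = Get-Service -Name 'MsMpSvc' -ErrorAction SilentlyContinue
if (-not $service) {
    Write-Log 'scepinstall.exe returned 0 but the MsMpSvc service is not present'
    exit 1
}

Write-Log "Endpoint Protection client installed; MsMpSvc is $($service.Status)"
exit 0
```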


Create a Package and Standard Program.


Task Sequence Configuration

In order for the Endpoint Protection client to install during the Task Sequence, the packages previously created need to be added to the Task Sequence. These steps need to be after the Setup Windows and ConfigMgr step, so that it takes place in the full Operating System instead of WinPE.

For all the packages to be used by the Task Sequence, ensure the Allow this program to be installed from the Install Packages Task Sequence without being deployed box is checked.


In your Task Sequence, create a group called Install Endpoint Protection.


A good place for this in an MDT-integrated Task Sequence is at the beginning of the State Restore phase. You can place it anywhere in the State Restore phase, but the earlier it runs once the machine is in the full OS instead of WinPE, the shorter the window in which the newly built machine has no antimalware protection.


Add the Endpoint Protection client package and select the installation program. Next add each of the definition programs and select the appropriate architecture for your Task Sequence. If you are deploying a 64-bit Operating System then use the 64-bit definition programs. If you are deploying a 32-bit Operating System, then use the 32-bit definition programs.


IMPORTANT: The order for the installation packages should be Endpoint Protection Client, Definitions (mpam-fe), then NIS definition (nis_full).

  • Hi Chris. Given you run a wsync job each day to automatically update the FEP definitions anyway, couldn’t we use the downloaded files rather than needing to run a scheduled task? Question is how to identify where the definition files are located in the Content Library and then copy them over to the package.

    Ian Burnell

    October 22, 2012

  • It’s much easier to directly download the definitions, plus this gives you a dedicated package source. Otherwise, technically yes, the definitions are part of the SUP sync, but you would still have to go out and download the files (unless you have an ADR), then attempt to find them in the Deployment Package, then copy them to another folder. The point of doing the definitions this way is that we can directly install them without having to do a full update scan on the client during OSD. The scheduled task just goes out and directly downloads the files, much simpler.

    Hope that helps.

    admin

    October 22, 2012

  • […] colleague Chris Nackers posted an example for how to install Endpoint Protection during OS Deployment, which included a […]

  • So if I download the updates directly with the provided script, should I disable them on my WSUS server? That way they are not being double downloaded and using up space and bandwidth? Thanks

    Jbudd

    January 30, 2013

  • No, the idea behind this is so it’s immediately up to date as part of the OSD process, instead of waiting several hours for the definitions to come down. You still want them coming down through ConfigMgr to update them on a regular basis. Unless you have configured Endpoint to communicate directly with Microsoft for definition updates.

    admin

    January 30, 2013

  • Thanks. I appreciate the time.

    Jbudd

    January 30, 2013

  • Can you post the text of the script? I can download it behind my firewall.

    jason

    July 25, 2013

  • There is an XML in the download you need as well.

    admin

    July 25, 2013

  • This is not working. Setup, task scheduler, downloading, updating distribution, configuring task steps, installing client, installing malware (mpam-fe.exe) are all working. The NIS Definitions step is failing for me. 0x80004005. It even gives an error in Windows when running the nis_full.exe manually after manually installing from within Windows following the task step, but not using task sequence. Event log has 2 errors in it even doing it manually like that.

    I have a thread on TechNet Forums, trying to get it resolved: http://social.technet.microsoft.com/Forums/en-US/d0f5c31d-c41c-4f85-b081-2b2a80b37f87/scep-2012-manual-definitions-update-for-use-in-osd

    Chase Roth

    May 30, 2014

  • Not sure what isn’t working for you. I’ve had many people use the instructions here without issues. According to your TechNet post you made a few modifications, so not sure I can be of help; the instructions provided here were proven to work. I haven’t set this up in quite some time myself.

    admin

    June 19, 2014

  • I had some problems with the client install with 2012 R2, it was really touchy as to how it referenced the xml file. This little wrapper script helped us. Thanks!

    pushd %~dp0
    IF EXIST C:\EPAMPolicy2.xml GOTO POLICYPRESENT
    copy EPAMPolicy2.xml c:\EPAMPolicy2.xml
    :POLICYPRESENT
    scepinstall.exe /s /q /NoSigsUpdateAtInitialExp /policy c:\EPAMPolicy2.xml
    IF NOT EXIST c:\EPAMPolicy2.xml GOTO DONE
    del c:\EPAMPolicy2.xml
    :DONE

    Fred Bainbridge

    August 15, 2014

  • I left this same question on the coretech blog, but it’s been even longer since someone posted there.
    If this thread is still alive.
    When my update steps run in the sequence they fail with multiple reasons, which I get for both 32-bit and 64-bit sequences for multiple OSs, 7 and 8 mostly. I have had the error of mpam-fe.exe / nis_full.exe is not a valid Win32 application. I’ve also gotten “catastrophic failure” and “unspecified error”. The only thing I haven’t gotten is a successful update. My package and program are set up step by step from this page; obviously I changed all the appropriate information to my environment.
    Also, there is the mpam-d.exe, which I don’t have in the sequence. Should I be attempting to deploy that one as well, and if so in what order?

    Derrik T Jones

    August 28, 2015

  • Hey Derrik,

    I haven’t used this method in a while; it’s quite possible some things have changed with SP1 and the various CUs and it might not work anymore.

    admin

    December 15, 2015
