Your browser (Internet Explorer 6) is out of date. It has known security flaws and may not display all features of this and other websites. Learn how to update your browser.

Downloading the latest System Center Endpoint Protection (SCEP) Definitions using PowerShell


Configuration Manager 2012 – Installing Endpoint Protection During A Task Sequence


This post is based off a post by Jason Githens over on Technet. You can find his original post here to read. I have gone through his post and created the instructions below to help you implement his solution. The purpose of this solution is to install the Endpoint Protection client as part of the Task Sequence. Also this will install the latest definitions so the EP agent is up to date instead of having to wait for the definitions to come down through the normal process.

Client Agent Settings

The Default Client Agent Settings must be enabled to manage the Endpoint Protection client. The settings for installing the Endpoint Protection client can be enabled or disabled. If the client gets a policy to install the EP client, and the client is already installed, then it will simply start managing the existing EP client.


Optional Settings:


Definitions Update Source

The definition updates for Endpoint Protection can be installed using Package/Program in the Task Sequence. This allows the Endpoint Protection client to have the latest definitions at installation time instead of waiting for the definition updates to be delivered through Software Updates or by downloading from an alternate source location.

Endpoint Protection Definition Script

Create your package source folders on the ConfigMgr server.





Place the EP_Definitions.vbs (download here) in the root of the EP_Definitions folder.


Modify the EP_Definitions.vbs to match the location of your package source.

strMSEx86Location = "D:\Packages\Apps\Microsoft\EP_Definitions\Updates\x86\mpam-fe.exe"

strNISX86Location = "D:\Packages\Apps\Microsoft\EP_Definitions\Updates\x86\nis_full.exe"

strMSEx64Location = "D:\Packages\Apps\Microsoft\EP_Definitions\Updates\x64\mpam-fe.exe"  

strNISX64Location = "D:\Packages\Apps\Microsoft\EP_Definitions\Updates\x64\nis_full.exe"

Run the script to verify functionality. You should end up with the latest definitions in each x86/x64 folder.



Definitions Update Scheduled Task

In order to automate the download of the latest definitions for our package source, we need to use a scheduled task on the ConfigMgr server to download the latest definitions. Later you will create a package and schedule the content to be updated automatically to pick up the latest definitions downloaded by this script. It is not recommended to schedule this script to run more than once a day, since that would require you also schedule the package to update the Distribution Points more than once a day. This is unnecessary because your Endpoint Protection clients will pick up definitions automatically through the standard definition update process.

Open up the Task Scheduler, expand to Microsoft – Configuration Manager.

Select Create Basic Task.

Name: Download Endpoint Protection Definitions

Description: This task downloads the latest Endpoint Protection definitions for use with OSD.

Trigger: Daily

Action: Start a Program

Program/Script: D:\Packages\Apps\Microsoft\EP_Definitions\ep_definitions.vbs

After creation of the task, open up the properties of the task and change the Security Options to allow the task to run whether or not a user is logged in.


Definition Packages

We need to create a ConfigMgr Package for the definitions, the programs associated with this Package will be used in the Task Sequence to install the definitions to the Endpoint Protection client.

Create a new Package under Software Library – Application Manager – Packages.


Then you will need to create a Standard Program.


Create 3 additional programs for the other definition updates, be sure to select Whether or not a user is logged on for the Program can run. When completed, you should have 4 programs.


On the properties of the Endpoint Protection Definitions package you created, set the package to update the Distribution Points on a schedule. This schedule should coincide with your Scheduled Task.


Endpoint Protection Client Package

Create a folder to contain the Endpoint Protection client installation files. This folder will also contain the EPAMPolicy2.xml that you downloaded from here.. Copy the SCEPInstall.exe from the ConfigMgr client source files (\\server\sms_xxx\client).

You will need to create a SCEPInstall.bat file with the following commands:

scepinstall.exe /s /q /NoSigsUpdateAtInitialExp /policy %~dp0EPAMPolicy2.xml

Your source folder should now look like this.


Create a Package and Standard Program.


Task Sequence Configuration

In order for the Endpoint Protection client to install during the Task Sequence, the packages previously created need to be added to the Task Sequence. These steps need to be after the Setup Windows and ConfigMgr step, so that it takes place in the full Operating System instead of WinPE.

For all the packages to be used by the Task Sequence, ensure the Allow this program to be installed from the Install Packages Task Sequence without being deployed box is checked.


In your Task Sequence, create a group called Install Endpoint Protection.


A good place for this in a MDT integrated Task Sequence is in the beginning of the State Restore phase. You can place it anywhere in the State Restore phase, however, as soon as the machine is in the full OS instead of WinPE would provide the best security.


Add the Endpoint Protection client package and select the installation program. Next add each of the definition programs and select the appropriate architecture for your Task Sequence. If you are deploying a 64-bit Operating System then use the 64-bit definition programs. If you are deploying a 32-bit Operating System, then use the 32-bit definition programs.


IMPORTANT: The order for the installation packages should be Endpoint Protection Client, Definitions (mpam-fe), then NIS definition (nis_full).


AV Exclusions for ConfigMgr 2012

Peter Daalmans has compiled a really great post for AV exclusions for Endpoint Protection/ConfigMgr 2012.

Read the full post here.