I know that SCCM 2012 can install the Endpoint Protection if defined in policy, but sometimes it is better to be in full control, and have protection up and running with the latest definitions as soon as your OS has been deployed.

The process

To deploy the Endpoint Protection Client as part of our OSD Task Sequence, the following steps need to be performed:

  1. Configure SCCM Client settings so EP clients are managed once installed
  2. Create and export a default EP policy
  3. Create package to install EP client with a default policy in Task Sequence
  4. Create source location for EP definitions to install during Task Sequence
  5. Create package with latest EP definitions
  6. Modify Task Sequence to install Endpoint Protection
  7. Sit back and relax, knowing your newly deployed computers are fully protected

Configuring SCCM Client Settings

To be able to manage your EP clients from SCCM once they are deployed, you need to configure SCCM Client Settings for Endpoint Protection and deploy them to collections containing your computers.

You can define the EP settings either to just manage existing clients or to install the EP client. If "install EP client" is selected, the client installed by the Task Sequence will not be reinstalled, just managed.


Create and Export EP Policy

During installation we will supply a default Endpoint Protection policy so EP knows how to behave when first installed.

From your ConfigMgr console, expand Asset and Compliance, Overview, Endpoint Protection, Antimalware Policies and click import on the ribbon. Browse to the following location:

<ConfigMgr installation path>\AdminConsole\XmlStorage\EPTemplates, then locate and import the SCEP12_High_Security.xml template (or any other template that you prefer).

Now we can modify the policy to our heart's content, giving it a more descriptive name, setting default scan schedules, adding exclusions etc. Click OK when done.


Now export the new policy by selecting it and clicking export on the ribbon. Save the file as ep_defaultpolicy.xml (or use any name that you prefer, I just replace the default file in the installation source to make it easier).

Create EP Client Package

To install the Endpoint Protection client in the task sequence, we need to create a package with the installer and the default policy we just exported.

Create a source folder for the package content in your usual location, and copy the following files into it: scepinstall.exe from the <ConfigMgr install dir>\Client folder, and the policy file you just saved.

  • scepinstall.exe
  • ep_defaultpolicy.xml

Create a new text file named Install.cmd and edit it.

Enter the following line to install the EP client and make it use the supplied policy. Save and close the file (make sure the file extension is .cmd, not .txt).

scepinstall.exe /s /q /NoSigsUpdateAtInitialExp /policy %~dp0ep_defaultpolicy.xml 


If you are wondering what the parameters are for, here is a short description:

  • /s – Install silently (guess you already guessed that)
  • /q – Extract the setup files silently
  • /NoSigsUpdateAtInitialExp – Suppresses the initial download of definition files from external sources. We will supply the most recent definitions in the task sequence right after installing, so there is no need to download them.
  • /policy – Specifies which policy XML file to use. This parameter requires a fully qualified path to the XML file, so we use a CMD file and %~dp0, which expands to the drive and path of the running script, to locate the file relative to our package content at deployment time.

Edit the ep_defaultpolicy.xml with a text editor of your choice.

Insert the following line in the “Antimalware\Signature Updates” policy section and save the file (please note that XML is case-sensitive).

<AddValue Name="DisableUpdateOnStartupWithoutEngine" Type="REG_DWORD">1</AddValue>


Your package source should now look like this:

(screenshot)

Now create a package for the installation.

Name the package and specify the source folder just created.


Select Standard program.


Name the program and select Install.cmd for the command line. Make sure the program is set to run Whether or not a user is logged on.


Finish the wizard and distribute the package to your distribution points.

Downloading EP definitions

Next we need to download the latest EP definitions to install in our task sequence.

First, let's define a location for the downloaded files. In our package source folder, next to the folder for the EP client package, we create a folder named “Endpoint Protection Definitions”. In this folder we create the following subfolders:

\Updates
      \x86
      \x64

To ensure newly installed computers have the latest files available, we need to download the definitions on a regular basis. Luckily, someone has already created a script that can be scheduled to download the files to our new location. Source: TechNet Forum Article

The script can be downloaded here:

We need to edit the script to tell it to download the files to our new folder.
Edit the script file and change the “str_______location” variables (4 lines need to be changed):


Place the script in the root of your new “Endpoint Protection Definitions” folder.
Execute the script (double-click) to download the newest definitions.

Your x86 and x64 folders should now contain the following files:

(screenshot)

You can now schedule the script through Windows Task Scheduler to be executed at an interval of your choice. Once a day is what I use.
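If you prefer to run your own download script instead of the forum one, here is an added example of mine (not the TechNet script and not part of the original post) that fills the Updates\x86 and Updates\x64 folders described above. It assumes the four Microsoft fwlink download URLs given in the comments, and it only accepts a file whose Authenticode signature validates, so a broken or tampered download never replaces a good definition installer in the package source.

```powershell
# Added example: download the four SCEP definition installers into
# <root>\Updates\x86 and <root>\Updates\x64 and verify their signatures.
# The fwlink URLs are assumptions of this example; confirm them against
# Microsoft's current definition download documentation before use.
param(
    [string]$Root = $PSScriptRoot   # run from the "Endpoint Protection Definitions" folder
)

$downloads = @(
    @{ Arch = 'x86'; File = 'mpam-fe.exe';  Url = 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x86' },
    @{ Arch = 'x64'; File = 'mpam-fe.exe';  Url = 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' },
    @{ Arch = 'x86'; File = 'nis_full.exe'; Url = 'https://go.microsoft.com/fwlink/?LinkID=197094&arch=x86' },
    @{ Arch = 'x64'; File = 'nis_full.exe'; Url = 'https://go.microsoft.com/fwlink/?LinkID=197094&arch=x64' }
)

$log    = Join-Path $Root 'DefinitionDownload.log'
$failed = 0

foreach ($d in $downloads) {
    $targetDir = Join-Path $Root ("Updates\" + $d.Arch)
    New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
    $final = Join-Path $targetDir $d.File
    $temp  = "$final.download"

    try {
        # Download to a temporary name so a partial file never replaces a good one
        Invoke-WebRequest -Uri $d.Url -OutFile $temp -UseBasicParsing -ErrorAction Stop

        # Only accept a file carrying a valid Authenticode signature from Microsoft
        $sig = Get-AuthenticodeSignature -FilePath $temp
        if ($sig.Status -ne 'Valid' -or
            $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
            throw "signature check failed ($($sig.Status))"
        }

        Move-Item -Path $temp -Destination $final -Force
        $ver = (Get-Item $final).VersionInfo.FileVersion
        Add-Content $log "$(Get-Date -Format s) OK   $($d.Arch)\$($d.File) version $ver"
    }
    catch {
        $failed++
        Remove-Item $temp -ErrorAction SilentlyContinue
        Add-Content $log "$(Get-Date -Format s) FAIL $($d.Arch)\$($d.File): $_"
    }
}

# A non-zero exit code lets Task Scheduler record that a download failed
exit $failed
```

Schedule it the same way as the forum script and check DefinitionDownload.log after the first run; a FAIL line means the package source still holds the previous definitions, which is the safe outcome.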

Create EP Definitions Package

Now we need to create a new package to install our downloaded definitions.

Name the package and specify the source folder we just created, using the Updates subfolder as the source.


Select Standard program for the first of the 4 definition installers.


Name the Program and select the first definition update, in this case the mpam-fe.exe from the x64 sub-folder. Make sure the program is set to run Whether or not a user is logged on.


Finish the wizard and add programs for the remaining 3 files as shown here.

(screenshot)

Distribute the package to your distribution points, and change the properties of the package to redistribute the content on a schedule that matches your script schedule.


Modify Task Sequence

Now let's look at the Task Sequence.

Just after the Setup Windows and Configuration Manager step, add a new group named Endpoint Protection. In this group, add an Install Package step as shown below.

(screenshot)

Next, add two Install Package steps to install the definition files that match the platform of the OS being deployed.


Time for Coffee!

Now sit down and relax, have a cup of java and rest assured that newly deployed computers are protected by Endpoint Protection as soon as they are deployed.