Configuration Manager and SC Endpoint Protection inside captured WIM

  • Question

  • Hi Team,

    Is it recommended to have the Configuration Manager client and SC Endpoint Protection included in the reference machine image (before capturing)? Going through https://technet.microsoft.com/en-us/library/bb694095.aspx, which has some details about the SCCM 2007 client, does it apply to the Configuration Manager 2012 client as well if we keep the Configuration Manager client inside the image? What should be the command line switches for SITECode, MP and FSP if Configuration Manager needs to be included? Is there any article that could guide on the potential risks if Configuration Manager is inside the image? Is it some GUID issue?

    Is it suggested to keep SCEP inside the image, or is there any potential risk? The customer seems to need systems to be protected the moment they are deployed. Any suggestions will be appreciated, since these two items are pending for me and I have not been able to decide what the best way to deal with them is (inside image or outside image).

    Any suggestions will be appreciated. Thanks

    Regards,

    Thursday, July 23, 2015 3:59 AM

All replies

  • I have ALWAYS done this as a post-install application with zero issues. Here is the command line:

    ccmsetup.exe /noservice /MP:<insert MP> SMSSITECODE=<insert site code> smscachesize=10000 

    Please go here for more

    https://technet.microsoft.com/en-us/library/Bb680980.aspx

    Thursday, July 23, 2015 12:52 PM
  • As a best practice, don't add anti-virus programs to the reference image. You can easily install them during deployment to your target machine. I'd make it one of the last things you install. I'll give you a script I wrote for installing SCEP. It works fine with Windows 8.1 and SCEP 4.3 and up.

    If the registry keys or values ever change, you only need to edit the variables I created. The script will install SCEP and will set the following default actions.

    <job id="Install-SCEP">
    <script language="VBScript" src="..\..\scripts\ZTIUtility.vbs"/>
    <script language="VBScript">

    ' //***************************************************************************
    ' // Purpose: Install System Center Endpoint Protection client
    ' //
    ' // Usage: cscript Install-SCEP.wsf [/debug:true]
    ' //
    ' // Creator: Daniel Vega
    ' // Version: 1.0 - 1/16/2015
    ' // Version: 1.1 - 1/20/2015: Fixed setup file name
    ' //
    ' //***************************************************************************

    '//----------------------------------------------------------------------------
    '//
    '// Global constant and variable declarations
    '//
    '//----------------------------------------------------------------------------

    Option Explicit

    Dim iRetVal

    '//----------------------------------------------------------------------------
    '// End declarations
    '//----------------------------------------------------------------------------

    '//----------------------------------------------------------------------------
    '// Main routine
    '//----------------------------------------------------------------------------

    On Error Resume Next
    iRetVal = ZTIProcess
    ProcessResults iRetVal
    On Error Goto 0

    '//---------------------------------------------------------------------------
    '//
    '// Function: ZTIProcess()
    '//
    '// Input: None
    '//
    '// Return: Success - 0
    '// Failure - non-zero
    '//
    '// Purpose: Perform main ZTI processing
    '//
    '//---------------------------------------------------------------------------
    Function ZTIProcess()

        Dim sSetupFile
        Dim sArguments
        Dim sRegValue, sRegKey1, sRegKey2, sRegKey4, sRegKey5, sNewRegValue2, sNewRegValue3

        ' Installer is expected in .\Source next to the script; /s = silent, /sqmoptin = opt in to CEIP
        sSetupFile = oUtility.ScriptDir & "\Source\scepinstall.exe"
        sArguments = "/s /sqmoptin"

        ' Default action per threat severity; the value name is the severity (1 Low, 2 Moderate, 4 High, 5 Severe)
        sRegKey1 = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\1"
        sRegKey2 = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\2"
        sRegKey4 = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\4"
        sRegKey5 = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\5"
        ' Action codes: 2 = Quarantine, 3 = Remove
        sNewRegValue2 = "2"
        sNewRegValue3 = "3"

        oLogging.CreateEntry oUtility.ScriptName & ": Starting installation", LogTypeInfo

        If Not oFSO.FileExists(sSetupFile) Then
            oLogging.CreateEntry oUtility.ScriptName & ": " & sSetupFile & " was not found, unable to install", LogTypeError
            ZTIProcess = Failure
            Exit Function
        End If

        iRetVal = oUtility.RunWithHeartbeat(sSetupFile & " " & sArguments)
        oLogging.CreateEntry oUtility.ScriptName & ": Return code from command = " & iRetVal, LogTypeInfo

        ' 0 = success, 3010 = success but a reboot is required
        If (iRetVal = 0) Or (iRetVal = 3010) Then
            ZTIProcess = Success
        Else
            ' Do not write default actions for a client that did not install
            oLogging.CreateEntry oUtility.ScriptName & ": Installation failed, default actions not configured", LogTypeError
            ZTIProcess = Failure
            Exit Function
        End If

        ' Configure default actions: Low -> Quarantine, Moderate/High/Severe -> Remove
        sRegValue = oUtility.RegWrite(sRegKey1, sNewRegValue2)
        sRegValue = oUtility.RegWrite(sRegKey2, sNewRegValue3)
        sRegValue = oUtility.RegWrite(sRegKey4, sNewRegValue3)
        sRegValue = oUtility.RegWrite(sRegKey5, sNewRegValue3)

        oLogging.CreateEntry oUtility.ScriptName & ": Finished installation", LogTypeInfo

    End Function

    </script>
    </job>


    If this post is helpful please vote it as Helpful or click Mark for answer.

    Thursday, July 23, 2015 1:38 PM
  • /noservice can create a lot of issues in machine discovery. The recommended method of deploying the ConfigMgr client is GPO or client push to newly discovered machines, and it shouldn't be managed by MDT.

    Ryan

    Friday, July 24, 2015 11:48 AM
  • As Dan says, install it post-apply; there is a UID associated with each client, and installing it in the WIM will replicate that info to all machines. I -believe- you can generalize your SEP install for housing in the image; if you do that you can house it inside the WIM, but with the constant updates to SEP it seems more ideal outside the image, where you can change it out as needed.

    As for the CM client, that should be handled by GPO; otherwise CM can actually push to newly discovered machines. There is an offline installation option, but that was not working very well for the last company I was at. It's best to just install it with best practices in mind here. Hope this helps.

    Ryan

    Friday, July 24, 2015 11:52 AM
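A pre-capture check that follows the advice in this thread (client and SCEP installed post-deployment, never baked into the WIM), written here as an added example and not a script from any of the posters: run on the reference VM before capture, it reports a Configuration Manager client identity or an SCEP install that would otherwise be cloned into every deployed machine. The service names CcmExec and MsMpSvc, the %windir%\SMSCFG.INI identity file and the root\ccm CCM_Client WMI class are the locations I assume for these products.

```powershell
# Added example: audit a reference machine for ConfigMgr client / SCEP footprint
# before the image is captured. Exit code 0 = clean, 1 = findings reported.
# Assumed locations: CcmExec and MsMpSvc services, %windir%\SMSCFG.INI, root\ccm\CCM_Client.
$findings = @()

# 1. Configuration Manager client: service, identity file and WMI client record.
#    The "SMS Unique Identifier" is the per-client GUID the thread warns about;
#    if it ships inside the WIM every deployed machine reports the same identity.
if (Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue) {
    $findings += 'CcmExec service present: the ConfigMgr client is installed in this image.'
}
$smscfg = Join-Path $env:windir 'SMSCFG.INI'
if (Test-Path $smscfg) {
    $id = Select-String -Path $smscfg -Pattern '^SMS Unique Identifier=(.+)$' |
          ForEach-Object { $_.Matches[0].Groups[1].Value }
    $findings += "SMSCFG.INI present (SMS Unique Identifier = $id): this GUID would be cloned."
}
$ccm = Get-CimInstance -Namespace 'root\ccm' -ClassName 'CCM_Client' -ErrorAction SilentlyContinue
if ($ccm) {
    $findings += "root\ccm CCM_Client record present (ClientId = $($ccm.ClientId))."
}

# 2. SCEP: service plus the ThreatSeverityDefaultAction values the install
#    script in this thread writes (severity 1 -> 2 Quarantine, 2/4/5 -> 3 Remove).
#    Either one means SCEP was installed on the reference machine, not post-deploy.
if (Get-Service -Name 'MsMpSvc' -ErrorAction SilentlyContinue) {
    $findings += 'MsMpSvc service present: SCEP is installed in this image.'
}
$tsda = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction'
if (Test-Path $tsda) {
    $actual = Get-ItemProperty -Path $tsda
    foreach ($sev in '1', '2', '4', '5') {
        if ($null -ne $actual.$sev) {
            $findings += "ThreatSeverityDefaultAction\$sev = '$($actual.$sev)' already set in the image."
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: no ConfigMgr client or SCEP footprint found; safe to capture.'
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
Write-Output 'Remove the client/SCEP (or delete SMSCFG.INI per the TechNet article) before capturing.'
exit 1
```

Run it elevated as the last step of the reference build task sequence, or by hand before Sysprep and capture, so a non-zero exit stops the capture.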