Deploying SCEP during Task Sequence

[vitalstatistix]

Hi All,

I am attempting to integrate SCEP installation during a deployment task sequence using RTM.

Unlike the old FEP there is no deployment client package created at install, so at present the SCEP Client is installed after the task sequence has completed, and so leaves a vulnerable gap between deployment and SCEP installation upon policy retrieval.

 

Does anyone have information on the best way of installing and updating the SCEP client during the task sequence?

 

Thanks!

 

Jake

[HaroldG]

SCEP?

If you are looking at Endpoint Protection check out lab 5:

http://www.windows-noob.com/forums/index.php?/topic/4466-using-sccm-2012-rc-in-a-lab-part-5-enable-the-endpoint-protection-role-and-configure-endpoint-protection-settings/

[vitalstatistix]

Hi, many thanks for your reply. I have got my server configured as above, however that process requires the machine to be built and picking up a machine policy before the Endpoint client is installed.

 

SCEP = System Centre Endpoint Protection

 

Ideally I would like to have the Endpoint client installed as part of the deployment so that the machines are protected immediately. there must be an easy way to have the client install and update definitions before it completes the task sequence and allows users to begin using the machine?

[HaroldG]

Follow these directions:

http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/operating-system-deployment-and-endpoint-protection-client-installation.aspx

 

Essentialy you create a package and then add it to your OS install sequence.

[spgsitsupport]

Anybody knows if update 4.8.204.0 has any silent switches for installation? So it could be installed in TS just after SCEP?

 

Seb

[Rocket Man]

I do this when deploying workgroup machines. The CCM bits are located in the CCMSETUP folder which includes the SCEP installer. If you create a run command line task in your sequence any where after the agent gets installed with these parameters: C:\Windows\ccmsetup\SCEPInstall.exe /S

This will install the SCEP client and when the TS finishes the client will pull the endpoint policies deployed to it, but as for getting definition updates immediately maybe you can force an update scan also after the SCEP installation but TBH in any environment I have seen, the SCEP client updates fairly swiftly 5-10 mins max, which is compliant enough for me in relation to a user using the system immediately.

[spgsitsupport]

I am talking about update 4.8.204.0, NOT SCEP client itself!

 

SCEP client & definitions updates are not an issue during TS

[Rocket Man]

Apologies spgsitsupport my post was not aimed for you but actually for vitalstatistix with the post heading "Deploying SCEP during Task Sequence".

 

I should have looked at the dates of the post :/

[spgsitsupport]

It DOES accept the same switches as a full FEPInstall/SCEPInstall.exe

 

/q for silent extraction and /s for silent install

 

https://technet.microsoft.com/en-us/library/gg398035.aspx

 

So I can now have fully updated SCEP during TS without WU

[g-fx]

I use this method from chris nackers to ensure endpoint is installed with latest definitions at build time

 

http://www.chrisnackers.com/2012/10/18/configuration-manager-2012-installing-endpoint-protection-during-a-task-sequence/