Sunday, February 12, 2012

2.0 Configure and Install SCEP Client Agent

To be performed by SCCM Administrators and security team

This section provides details on the steps necessary to install the SCEP Client Agent on an end user computing device. There are 2 options to install the SCEP Agent:
  1. As part of the Task Sequence / Image Install
  2. Automated fashion using SCCM Client Agent Settings
Deploy SCEP using Task Sequence
SCEP can be deployed using a Task Sequence for all end user computing devices using a command to install the SCEP agent.
The application should have a deployment type with the following command:
Scepinstall.exe /s /q
Refer to the following link for more details on how to deploy SCEP using command line:
 Deploy SCEP using SCCM Client Agent
SCEP can also be deployed automatically using SCCM Client Agent policies.
Open Administration -> Client Settings in SCCM 2012 and create a new policy for End Point Protection.
It is a good practice to create a new policy for end point protection and not integrate with the default client settings since you can deploy the customized policies on a handful of computers to ensure it works as desired before making a production rollout.

Set the Manage EndPoint Protection client on Client Computers to TRUE. Setting this value to true will
push the SCEP client on any client that has a healthy SCCM Client agent working. You can manage the scope of the SCEP installation by deploying the policy to a collection with a restricted set of computers.


The best practice settings are as follows:

Client SettingsValues
Manage Endpoint Protection client on client computersTrue
Install Endpoint Protection client on client computersTrue
Automatically remove previously installed antimalware software before Endpoint Protection is installedFalse
Suppress any required computer restarts after the Endpoint Protection client is installedFalse
Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours)24 hours (default)
Disable alternate sources (such as Windows Update, Microsoft Windows Server Update Services or UNC shares) for the initial definition update on client computersTrue

Refer to the following link on description for each setting:

With the following settings in place:
  • SCEP will be installed on an end user computing device that has SCCM Installed
  • The command that SCCM uses for the SCEP client installation is "C:\Windows\ccmsetup\SCEPInstall.exe" /s /q /noreplace /NoSigsUpdateAtInitialExp /policy "C:\Windows\CCM\EPAMPolicy.xml"
  • Here EPAMPolicy.xml refers to the SCCM policy being pushed to the client. SCCM Policy will be covered in the subsequent section
  • The EndpointProtectionAgentLog file on shows the following entries:
    • End point is triggered by WMI notification
    • It installs the command line "SCEPINstall.exe"
Other guides:
  1. Setup End Point Protection Server
  2. Configure and Install Antivirus Definition
  3. Validate SCEP Settings on Client
  4. Configure Alerts in SCEP
  5. Configure and Install SCEP Client AgentConfigure and Install SCEP Antimalware Policies


  1. how can i uninstall SCEP in a similar way its installed? i do not want to use WINDOWS GPO for this uninstall.

    Please help

  2. Hi Eri,

    You will have to create an uninstall package and deploy on collecton of computers that do not need SCEP agent.

    Else, if you know the clients upfront where SCEP should not be installed, then simply exclude those clients in the collection where you enable the above mentioned client agent settings. Or you can do a hybrid of both these solutions i.e.

    1) Create a collection called NOSCEP
    2) Add all clients that should not have SCEp to this collection
    3) Deploy the SCEPUninstall package to this collection
    4) Exclude the NOSCEP collection from the client agent setting that deploys SCEP agent as mentioned above :)

  3. Hi,
    after reading your blog and setup up this in a testlab I found a problem with the Scep Definition Update function inside SCCM 2012. If I use the Microsoft Web Site for the definition updates everything works fine. Whenever I use the default SCEP Policy (Update Order like, SCCM 2012, WSUS the MS Website) the client can't see update from SCEP. the normal Update for Windows OS and so on works fine.

    please help me.

  4. It showing this error while scep installation automatically
    Unable to query registry key (SOFTWARE\Microsoft\Microsoft Security Client), return (0x80070002) means EP client is NOT installed. EndpointProtectionAgent 17-07-2014 15:31:14 3688 (0x0E68)

  5. I have same error too [Unable to query registry key (SOFTWARE\Microsoft\Microsoft Security Client), return (0x80070002) means EP client is NOT installed.

    Everything was working fine, just stopped a few days ago automatic instillation of EP. Please help me with that isseu.