To be performed by SCCM Administrators and security team
This section provides details on the steps necessary to install the SCEP Client Agent on an end user computing device. There are two options for installing the SCEP agent:
- As part of the Task Sequence / image install
- In an automated fashion using SCCM Client Agent Settings
SCEP can be deployed through a Task Sequence to all end user computing devices by running the SCEP agent installer from a command line.
The application should have a deployment type with the following install command:
Scepinstall.exe /s /q
Refer to the following link for more details on how to deploy SCEP using command line:
SCEP can also be deployed automatically using SCCM Client Agent policies.
Open Administration -> Client Settings in the SCCM 2012 console and create a new client settings policy for Endpoint Protection.
It is good practice to create a separate policy for Endpoint Protection rather than changing the default client settings: a separate policy can be deployed to a handful of computers to confirm it works as desired before the production rollout.
Set "Manage Endpoint Protection client on client computers" to True. With this value set, SCCM pushes the SCEP client to every client that has a healthy, working SCCM Client agent. You can control the scope of the SCEP installation by deploying the policy to a collection containing a restricted set of computers.
The best practice settings are as follows:

| Setting | Value |
|---|---|
| Manage Endpoint Protection client on client computers | True |
| Install Endpoint Protection client on client computers | True |
| Automatically remove previously installed antimalware software before Endpoint Protection is installed | False |
| Suppress any required computer restarts after the Endpoint Protection client is installed | False |
| Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours) | 24 hours (default) |
| Disable alternate sources (such as Windows Update, Microsoft Windows Server Update Services or UNC shares) for the initial definition update on client computers | True |

Refer to the following link for a description of each setting:
With the above settings in place:
- SCEP will be installed on every end user computing device that has the SCCM client installed
- The command that SCCM uses for the SCEP client installation is "C:\Windows\ccmsetup\SCEPInstall.exe" /s /q /noreplace /NoSigsUpdateAtInitialExp /policy "C:\Windows\CCM\EPAMPolicy.xml"
- Here EPAMPolicy.xml is the SCCM antimalware policy pushed to the client. SCCM policy is covered in the subsequent section
- The EndpointProtectionAgent.log file on the client shows the following entries:
  - The Endpoint Protection installation is triggered by a WMI notification
  - The agent runs SCEPInstall.exe with the command line shown above
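To confirm on a single device that the automated deployment described above actually happened as configured, the following PowerShell check (added here; it is not part of the original guide or of SCCM itself) reads the agent log for the WMI trigger and the install command, and verifies that the switches SCCM is expected to pass, including /noreplace (which matches the "remove previously installed antimalware" setting of False), are present. It assumes the log is the CMTrace-format file C:\Windows\CCM\Logs\EndpointProtectionAgent.log and that the SCEP antimalware service is named MsMpSvc.

```powershell
# Added post-deployment check for the SCEP client on one device (not from the guide).
# Assumptions: CMTrace-format log at C:\Windows\CCM\Logs\EndpointProtectionAgent.log,
# SCEP service name MsMpSvc. The policy path comes from the guide's install command.
function Test-ScepDeployment {
    param(
        [string]$LogPath    = 'C:\Windows\CCM\Logs\EndpointProtectionAgent.log',
        [string]$PolicyPath = 'C:\Windows\CCM\EPAMPolicy.xml'
    )
    # Switches the guide says SCCM passes to SCEPInstall.exe.
    $required = @('/s', '/q', '/noreplace', '/NoSigsUpdateAtInitialExp',
                  "/policy `"$PolicyPath`"")

    $result = [ordered]@{
        ServiceRunning    = $false
        PolicyFilePresent = (Test-Path -LiteralPath $PolicyPath)
        WmiTrigger        = $false
        InstallCommand    = $null
        MissingSwitches   = @()
    }

    $svc = Get-Service -Name MsMpSvc -ErrorAction SilentlyContinue
    $result.ServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    if (Test-Path -LiteralPath $LogPath) {
        foreach ($line in Get-Content -LiteralPath $LogPath) {
            # CMTrace format: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
            if ($line -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!>') {
                $msg = $Matches['msg']
                if ($msg -match 'WMI notification') { $result.WmiTrigger = $true }
                if ($msg -match 'SCEPInstall\.exe') {
                    # Keep the last install command seen and note any expected switch it lacks.
                    $result.InstallCommand  = $msg
                    $result.MissingSwitches = @($required | Where-Object { $msg -notlike "*$_*" })
                }
            }
        }
    }
    [pscustomobject]$result
}

# Run on the client (elevated) after the policy has been deployed to the test collection.
Test-ScepDeployment | Format-List
```

A device where ServiceRunning is False, WmiTrigger is False or MissingSwitches is non-empty has not received the deployment as configured and should be checked before the policy is rolled out to production collections.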