CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

An update for Endpoint Protection clients was released on November 28, 2013; it updates the client to version 4.4.304.0.

The update applies to the following Endpoint Protection / Configuration Manager versions:

  • Microsoft System Center 2012 R2 Configuration Manager Endpoint Protection clients
  • Microsoft System Center 2012 Configuration Manager Endpoint Protection Service Pack 1 (SP1) clients
  • Microsoft Forefront Endpoint Protection 2010 clients.

Note that the update for Configuration Manager 2012 SP1 requires that you are on SP1 Cumulative Update 3 before it can be installed!

More information and to download the update:

In some scenarios that I have written about before I end up building my master image using the ZTIWindowsUpdate.wsf script from MDT to install the updates needed during the build from Microsoft Update,

Now that IE11 is released in Microsoft Update, in some scenarios you want to exclude it as well. The KB article number is 2841134, so the exclusion should look something like this.

BuildImages IE 11

For Configuration Manager 2012 R2 there are now two hotfixes available, remember to only install them if you are experiencing the issues described in the KB article.

“An update is available for the “Operating System Deployment” feature of System Center 2012 R2 Configuration Manager”

This update solves two issues:

1. After you enable the PXE Service Point role on an instance of a specific distribution point, or you select the Deploy this boot image from the PXE-enabled distribution point property of a boot image, the Windows Deployment Service (WDS) stops running.

2. It solves a performance related issue when the image is downloaded during OS Deployment, this is only applicable if the task sequence is deployed as “Download content locally when needed by running Task Sequence”

“Per-computer variables for imported computers are not read in System Center 2012 R2 Configuration Manager”

It solves an issue where computer variables are not read by the task sequence during OS Deployment for imported computers.

Additionally here is a list of all KB articles related to Configuration Manager 2012 which can be really useful to have a look at when troubleshooting:

Updating device drivers is a task that has to be done from time to time to solve problems with drivers or software related to the device used. There are two kinds of device drivers. The first kind requires you to run setup.exe and do a complete installation, as supporting software is needed as well. For these drivers, running the setup silently works as an upgrade too.

Then we have the kind that is delivered only as .inf, .cat and .sys files, for instance network drivers. In this example I will demonstrate how to update a wireless NIC driver using an application; it is a really simple task. I prefer to use PnPUtil as it is already present on modern operating systems.

Here is a step-by-step guide on how to update a driver, I will update an Atheros driver.

  1. Start by downloading the updated driver and extract it to a folder that can be used as a content source for the application. This folder actually includes the 64 bit driver as well.
    Upgrade driver1
  2. In that same folder create an update.cmd file that contains the following syntax:
    pnputil.exe -i -a "%~dp0netathr.inf"
  3. Create a new application using the manual option, as the screenshots below describe.
    Upgrade driver2
  4. The Driver version can be found in the .inf file.
    Upgrade driver3
  5. We will not use the application catalog for this application.
  6. Select the Script installer type.
    Upgrade driver4
  7. We name the deployment type x86 as we perhaps want to deploy an x64 driver as well.
    Upgrade driver6
    Upgrade driver7
  8. Select the folder created earlier as the package source and enter Update.cmd as the installation command.
  9. Under Detection method select Add Clause.
    Upgrade driver8
    Upgrade driver9
  10. Select File System and Type: File and browse to a computer with the driver already installed by selecting Browse
    Upgrade driver10
  11. Browse to C:\Windows\System32\Drivers and select the .sys file that will be upgraded

Upgrade driver11

12. Select that the file must match Version and then the version of the old driver is already filled in, just change it to the version of the new driver which you can find by selecting properties on the new .sys file.

Upgrade driver12

14. In our case we change it to version

Upgrade driver13

15. Then select Next
Upgrade driver14

16. Select that it should Install for System as displayed below.
Upgrade driver15

17. As a requirement add the Operating System the driver is for, in this case All Windows 7 32-bit
Upgrade driver16

18. Then select Next until the wizard is finished
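
A signature-checked alternative to update.cmd, as an added example that is not from the original post: it verifies the Authenticode signature of the catalog file(s) named in netathr.inf before handing the driver to PnPUtil. The script name Update.ps1 and the exit codes 2 and 3 are assumptions made for this example.

```powershell
# Update.ps1 (hypothetical name): added example, not from the original post.
# Assumes it sits in the same content folder as netathr.inf and its .cat/.sys files.
$source = Split-Path -Parent $MyInvocation.MyCommand.Path
$inf    = Join-Path $source 'netathr.inf'
if (-not (Test-Path $inf)) { Write-Warning "Missing $inf"; exit 2 }

# An INF names its catalog(s) in "CatalogFile = x.cat" / "CatalogFile.NTamd64 = y.cat" lines.
$cats = @(Select-String -Path $inf -Pattern '^\s*CatalogFile(\.\w+)?\s*=\s*([^\s;]+)' |
    ForEach-Object { $_.Matches[0].Groups[2].Value.Trim('"') } |
    Sort-Object -Unique)
if ($cats.Count -eq 0) { Write-Warning "No CatalogFile entry in $inf"; exit 2 }

# This validates each catalog's own signature and certificate chain;
# it does not hash the .inf/.sys files against the catalog.
foreach ($name in $cats) {
    $cat = Join-Path $source $name
    if (-not (Test-Path $cat)) { Write-Warning "Catalog $name is not in the package"; exit 2 }
    $sig = Get-AuthenticodeSignature -FilePath $cat
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Catalog $name signature status: $($sig.Status)"
        exit 3
    }
    Write-Output "$name is signed by $($sig.SignerCertificate.Subject)"
}

# A 32-bit process on 64-bit Windows is redirected to SysWOW64, which has no pnputil.exe,
# so prefer the Sysnative alias when it is visible.
$pnputil = Join-Path $env:windir 'Sysnative\pnputil.exe'
if (-not (Test-Path $pnputil)) { $pnputil = Join-Path $env:windir 'System32\pnputil.exe' }

# Same PnPUtil call as update.cmd; its exit code becomes the deployment result.
& $pnputil -i -a $inf
exit $LASTEXITCODE
```

To use it in place of Update.cmd, the installation command would be powershell.exe -ExecutionPolicy Bypass -File Update.ps1.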

Then it is time to deploy the updated driver. Note that a NIC driver update will disconnect the computer for a couple of seconds. I normally prefer to deploy driver updates as hidden so the user doesn’t actually see anything, but with a driver update that could be tricky. If we look at the client, the driver version is as shown below.

upgrade client1

Then we let the installation run and the driver will be updated.

upgrade client2

And if we check the driver version after that it is updated.

upgrade client3

It is a really simple way of updating a driver. The detection method is really easy to configure as well and is correct the first time, so it takes perhaps 5 minutes to do. It probably takes longer to find the updated driver on the vendor's website.

Happy Upgrading!

All the System Center 2012 R2 components are now available for download! The links, also to the products that ship Evaluation VHDs, can be found below:

When implementing Endpoint Protection, both 2007 and 2012, one question that comes up many times is that the customer wants to run a weekly quick scan and a monthly full scan, or a daily quick scan and a weekly full scan. In the policy settings it is only possible to configure one scheduled scan, so you have to choose which one you want to schedule.


What really happens on the client is that a Scheduled Task is created on the client with the settings configured in the policy.

In addition to the graphical interface, Endpoint Protection has a command-line interface called MpCmdRun.exe. MpCmdRun can be used to script actions on the clients such as a quick scan, a full scan, removing a definition, scanning a file and much more. MpCmdRun.exe is also the command used by the scheduled task that the Endpoint Protection client creates.


Creating an additional scan, which in many cases is a wanted feature, can be done either with a Group Policy using Group Policy Preferences or with a Package/Program in Configuration Manager that executes the MpCmdRun.exe command.

Creating a Scheduled Task using Group Policy Preferences



Creating a Package/program which triggers a Full Scan on the client once every month.

Start by creating a Package without any source files, as we will use the locally installed MpCmdRun.exe file from C:\Program Files\Microsoft Security Client, using the following command line: "c:\program files\Microsoft Security Client\MpCmdRun.exe" -scan -scantype 2

Then create a program with the settings shown below.

SCEP schedule

Deploy the program using a deployment that runs every first Thursday in a month, for instance, and be sure to set it to “always rerun”.

SCEP schedule2

Today Microsoft released a new KB targeting problems with the Install Software Updates hanging when you use the Install Software Updates step in a Task Sequence. This issue has been around since Configuration Manager 2007 and is still an issue in Configuration Manager 2012 with some updates.

“Software Updates That Require Multiple Reboots may Cause Task Sequence Failure within Configuration Manager”

The KB article is applicable both to Configuration Manager 2007 and 2012. Keep an eye on the KB above as it will be updated with more updates as they are reported, that will save a lot of troubleshooting time!

From the knowledge base article:


“If a Configuration Manager Task Sequence that leverages the Install Software Updates step installs a software update that triggers multiple reboots, the task sequence can fail to complete successfully.”


The first reboot initiated by the software update is properly controlled by the Task Sequence. However the second reboot request is initiated by a Windows component (typically Component-Based Servicing) and therefore not controlled by the Task Sequence.


“To resolve this issue, it is recommended that any updates that require dual reboots be applied using the normal Software Updates feature of Configuration Manager instead of Task Sequences. The following software updates have been reported as requiring multiple reboots. This KB will be updated as more updates are reported.

2862330: MS13-081: Description of the security update for 2862330: October 8, 2013

2771431: A servicing stack update is available for Windows 8 and Windows Server 2012

2871777: A servicing stack update is available for Windows RT, Windows 8, and Windows Server 2012: September 2013

2821895: A servicing stack update is available for Windows RT and Windows 8: June 2013

2545698: Text in some core fonts appears blurred in Internet Explorer 9 on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2

2529073: Binary files in some USB drivers are not updated after you install Windows 7 SP1 or Windows Server 2008 R2 SP1

2871690: Microsoft security advisory: Update to revoke noncompliant UEFI boot loader modules

Another workaround would be to either include these updates in your master image or deploy these updates in the Task Sequence using a Package/program.

After pressing F9 a lot today in Outlook I finally got the mail I was waiting for! I have the great honor of being rewarded with the 2013 Microsoft® MVP Award – Enterprise Client Management!

“Dear Jorgen Nilsson,

Congratulations! We are pleased to present you with the 2013 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Enterprise Client Management technical communities during the past year.”

Thank you Microsoft it is a true honor! And thanks to all out there!