Ever wanted to have ConfigMgr 2012 R2 (SCCM) scan for viruses on a machine that is offline? Look no further, Windows Defender Offline will help you.
Step-by-step guide
To add Windows Defender Offline to ConfigMgr, you do the following:
- Download Windows Defender Offline
- Download the latest definition updates
- Create a ConfigMgr package that contains Defender Offline
- Create a task sequence that runs the virus scan
Step 1 – Download Windows Defender Offline
Download the x64 version of the offline defender package and save it to a temporary location. I used C:\Tmp.
Step 2 – Download the latest definition updates
Download the latest definition updates, save them to C:\Tmp, and then rename mpam-fe.exe to mpam-fex64.exe.
Offline defender package and latest definitions downloaded.
Step 3 – Create a ConfigMgr package that contains offline defender
Get the needed files
- Create a source folder for your Offline Defender package, I used \\CM01\Sources\OSD\OfflineDefender in this example.
- Download the Run-WDO.wsf sample vbscript wrapper to \\CM01\Sources\OSD\OfflineDefender.
- Copy the ZTIUtility.vbs script from your MDT 2013 files package to \\CM01\Sources\OSD\OfflineDefender.
- Copy the mpam-fex64.exe file to \\CM01\Sources\OSD\OfflineDefender.
- Create a Sources subfolder in \\CM01\Sources\OSD\OfflineDefender.
- Using 7-Zip, extract the downloaded imagepackage64.exe to C:\Tmp.
- Using ImageX or DISM, mount the C:\Tmp\imagepackage64\sources\boot.wim file to a folder. I used C:\Tmp\Mount.
- Copy the contents of the C:\Tmp\Mount\Program Files\Microsoft Security Client folder to \\CM01\Sources\OSD\OfflineDefender\Sources, and then unmount the boot.wim file.
Create a standard ConfigMgr package named Offline Defender, with no program, and distribute the content.
Package source for my Offline Defender package, including the latest definitions.
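The following PowerShell script is an added example (not from the article or its sample scripts) that assembles the Step 3 package source from the Step 1 and Step 2 downloads in one go. It assumes the downloads and Run-WDO.wsf are in C:\Tmp, 7-Zip is installed in its default location, and ZTIUtility.vbs is taken from a default MDT install; it also refuses to package binaries that do not carry a valid Microsoft Authenticode signature.

```powershell
# Added example: builds the Offline Defender package source described in Steps 1-3.
# Assumed locations: downloads and Run-WDO.wsf in C:\Tmp, 7-Zip in its default
# install path, ZTIUtility.vbs from a default MDT install (adjust to your setup).
#Requires -RunAsAdministrator
param(
    [string]$Tmp        = 'C:\Tmp',
    [string]$Source     = '\\CM01\Sources\OSD\OfflineDefender',
    [string]$SevenZip   = 'C:\Program Files\7-Zip\7z.exe',
    [string]$ZtiUtility = 'C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Scripts\ZTIUtility.vbs'
)
$ErrorActionPreference = 'Stop'
Import-Module Dism

# Refuse to package anything that is not validly signed by Microsoft.
function Assert-MicrosoftSigned([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
        throw "Signature check failed for $Path ($($sig.Status))"
    }
}
Assert-MicrosoftSigned (Join-Path $Tmp 'imagepackage64.exe')
Assert-MicrosoftSigned (Join-Path $Tmp 'mpam-fe.exe')

# Step 2: the wrapper expects the x64 definitions under the name mpam-fex64.exe.
New-Item -ItemType Directory -Path "$Source\Sources" -Force | Out-Null
Copy-Item (Join-Path $Tmp 'mpam-fe.exe') "$Source\mpam-fex64.exe" -Force

# Step 3: the scripts the task sequence runs from the package.
Copy-Item (Join-Path $Tmp 'Run-WDO.wsf') $Source -Force
Copy-Item $ZtiUtility $Source -Force

# Extract imagepackage64.exe into C:\Tmp and locate its boot.wim
# (the article's path is C:\Tmp\imagepackage64\sources\boot.wim).
& $SevenZip x (Join-Path $Tmp 'imagepackage64.exe') "-o$Tmp" -y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip extraction failed with exit code $LASTEXITCODE" }
$wim = Get-ChildItem -Path $Tmp -Recurse -Filter boot.wim | Select-Object -First 1
if (-not $wim) { throw "boot.wim not found under $Tmp after extraction" }

# Mount boot.wim read-only and copy the CONTENTS of Microsoft Security Client
# (not the folder itself) into the Sources subfolder; always dismount afterwards.
$mount = Join-Path $Tmp 'Mount'
New-Item -ItemType Directory -Path $mount -Force | Out-Null
Mount-WindowsImage -ImagePath $wim.FullName -Index 1 -Path $mount -ReadOnly | Out-Null
try {
    Copy-Item "$mount\Program Files\Microsoft Security Client\*" "$Source\Sources" -Recurse -Force
} finally {
    Dismount-WindowsImage -Path $mount -Discard | Out-Null
}
```

After it finishes, the package source should contain Run-WDO.wsf, ZTIUtility.vbs, mpam-fex64.exe and a populated Sources folder, ready for the ConfigMgr package in the next step.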
Step 4 – Create a task sequence that runs the virus scan
The final step is to create a new ConfigMgr task sequence using the MDT custom template. I named my task sequence Run Offline Defender.
Keep the Gather and Use Toolkit Package actions (not required, but generally useful to have), and remove the other actions.
Add a Run Command Line action that uses the Offline Defender package and has the following command line:
cscript.exe Run-WDO.wsf
Deploy the new task sequence to a collection that contains the machines you want to scan.
PXE boot any of the machines, and select the Run Offline Defender task sequence.

Happy Deployment, Johan
Send me an email, and I can help you offline.
/ Johan
I downloaded the x64 version from the link provided in the article. I downloaded the x86 version as well but I failed to get it to load the definition file.
Hi CypherBit,
I have only tried this on a MDT custom task sequence with both Gather and Use Toolkit Package.
/ Johan
Hi deucehearts,
Did you download the x64 version of offline defender?
/ Johan
Great post. I keep getting an error though. It keeps telling me that I am attempting to run a 64-bit process on a 32-bit device and then tells me to restart. I am using Windows 8.1 x64 as my boot disk. Should it matter which version of the OS is on the hard disk if it is running an offline scan in Windows PE? Thank you.
Haven't seen a switch or option to do the full scan.
/ Johan
Sometimes it takes a while … :). Clearly it should stay there so you can view the results.
But the question remains whether it is possible to change to full scanning?
Virus scan is completed, but "Running action: Run Offline Defender" seems to be stuck.
What did I miss?
This is how my task sequence looks:
Use Toolkit Package
Gather
Run Command Line (Run Offline Defender)
And a second question, is it possible to change the scan-type from quick to full?
Is it possible to do this if there's no MDM integration (I have the ZTIUtility.vbs script)? Which TS should one use? I used a custom that just runs the command, but smsts.log fails with User profile cannot be loaded Error: 000001F4.
No need for the mssstool64.exe, only if you want to generate an ISO etc.
/ Johan
OK, fixed for now. Needs improvement; it will only work in a scenario with 1 encrypted drive right now.
Hope someone finds it useful
Having some issues with my added code for detection logic, will update when fixed.
Sorry to keep updating. I added bitlocker drive detection and hide TS progress (seemed like a good candidate)
Where's the edit button!
Thanks Johan!
We have scripts that download definitions to a share from a mapped drive. I modified the script to get the latest from R: mapping – Add a connect to network share step.
Also I added bitlocker detection which then prompts the user for the bitlocker recovery password (assumes drive is D:) before running the scan.
dl.dropboxusercontent.com/u/4831681/blog/Run-WDO.wsf.txt
^^ Could use some error checking on the recovery password though.
Hi gemi,
Indeed, it's the content of Microsoft Security Client that should be copied. I have updated the article to reflect that.
/ Johan
Forgot to add that if I add the folder "Microsoft Security Client" to the "Source" folder, the target is X:\Program Files\Microsoft Security Client\Microsoft Security Client, so I guess the content of "Microsoft Security Client" should be placed in the "Source" folder.
Where do I put mssstool64.exe? I'm not getting this to work and I can't find the msswrapper.log.
If you only have 512 MB of RAM on your computers, you need to adjust the WinPE 5.0 scratch space. The definition files, that are copied to X:, are at least 128 MB. WinPE 5.0 automatically sets the scratch space to 512 MB when having 1 GB or more of memory. Or you have to modify the script to copy the definition files to the root of your Windows volume, and then delete the file. The reason I copy to X: is because I always have 1 GB or more of memory on the machines, and anything put in X:…
Following on from that, it appears to be trying to copy the contents to X:, which is only ~21 MB in size.
Running it from the local package source in WinPE produces this:
Run-WDO: Copying WDO files
Run-WDO: X:\Program Files\Microsoft Security Client folder already exist, continue.
Run-WDO: Copying D:\_SMSTaskSequence\Packages\PP10013E\Source folder to the local machine
ZTI ERROR – Unhandled error returned by Run-WDO: (-2147024784 0x80070070)
And you do have enough free space on the C: (or D:) drive? ConfigMgr stages the packages locally… What if you run the script from the local package source while in WinPE?
/ Johan
Thanks for giving me some ideas to keep the definitions up-to-date.
Yes there is a Windows installation on the disk and that log file doesn't seem to exist.
Daniel.
You do have a local Windows installation on the disk, right?
For troubleshooting, check the X:\Windows\Temp\msssWrapper.log file.
As for updating the definitions, you can schedule a PowerShell script that downloads the definitions daily, copies them to the Offline Defender package, and then triggers updates of your DPs.
/ Johan
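One way to implement the scheduled refresh Johan describes above, as an added example (not Johan's script or part of the article): it downloads the x64 definitions, checks the Authenticode signature, replaces mpam-fex64.exe in the package source only when the file actually changed, and then triggers a distribution point update. The download link, the ConfigMgr console module path, and the site code and package ID are assumptions and placeholders to replace with your own.

```powershell
# Added example: daily definition refresh for the Offline Defender package.
# Assumptions: Microsoft's x64 definition download link below, the ConfigMgr
# console installed on this host (for the cmdlet module), and placeholder
# site code PS1 / package ID PS100001 that you replace with your own.
param(
    [string]$Source    = '\\CM01\Sources\OSD\OfflineDefender',
    [string]$SiteCode  = 'PS1',
    [string]$PackageId = 'PS100001'
)
$ErrorActionPreference = 'Stop'
$url     = 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64'
$staging = Join-Path $env:TEMP 'mpam-fe.exe'
Invoke-WebRequest -Uri $url -OutFile $staging -UseBasicParsing

# Never push unsigned or tampered definitions into the package.
$sig = Get-AuthenticodeSignature -FilePath $staging
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Downloaded definitions are not validly Microsoft-signed ($($sig.Status)); package left unchanged"
}

# Only replace the package copy (and refresh DPs) when the content differs.
$target = Join-Path $Source 'mpam-fex64.exe'
if ((Test-Path $target) -and ((Get-FileHash $staging).Hash -eq (Get-FileHash $target).Hash)) {
    Write-Output 'Definitions unchanged; no DP update needed.'
    return
}
Copy-Item -Path $staging -Destination $target -Force

# Trigger the content update for the package on all its distribution points.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Push-Location "$($SiteCode):"
try {
    Update-CMDistributionPoint -PackageId $PackageId
} finally {
    Pop-Location
}
```

Run it from a scheduled task under an account that has write access to the package source and rights to update content on the site.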
Johan,
When the TS gets to the stage where it tries to run WDO I'm getting Error 0x80070070 which according to smsts.log means there is not enough space on the disk. Any thoughts?
Also, would you have any suggestions for keeping the definitions up-to-date?
Daniel.