Offline Virus Scanning in a ConfigMgr 2012 R2 Task Sequence

Ever wanted to have ConfigMgr 2012 R2 (SCCM) scan for viruses on a machine that is offline? Look no further, Windows Defender Offline will help you.

Step-by-step guide

To add Windows Defender Offline you do the following:

  • Download Windows Defender Offline
  • Download the latest definition updates
  • Create a ConfigMgr package that contains Defender Offline
  • Create a task sequence that runs the virus scan

Step 1 – Download Windows Defender Offline

Download the x64 version of the offline defender package and save it to a temporary location. I used C:\Tmp.

Step 2 – Download the latest definition updates

Download the latest definition updates, save them to C:\Tmp, and then rename mpam-fe.exe to mpam-fex64.exe.

[Image] Offline defender package and latest definitions downloaded.


Step 3 – Create a ConfigMgr package that contains offline defender

Get the needed files

  1. Create a source folder for your Offline Defender package; I used \\CM01\Sources\OSD\OfflineDefender in this example.
  2. Download the Run-WDO.wsf sample VBScript wrapper to \\CM01\Sources\OSD\OfflineDefender.
  3. Copy the ZTIUtility.vbs script from your MDT 2013 files package to \\CM01\Sources\OSD\OfflineDefender.
  4. Copy the mpam-fex64.exe file to \\CM01\Sources\OSD\OfflineDefender.
  5. Create a Sources subfolder in \\CM01\Sources\OSD\OfflineDefender.
  6. Using 7-Zip, extract the downloaded imagepackage64.exe to C:\Tmp.
  7. Using ImageX or DISM, mount the C:\Tmp\imagepackage64\sources\boot.wim file to a folder. I used C:\Tmp\Mount.
  8. Copy the contents of the C:\Tmp\Mount\Program Files\Microsoft Security Client folder to \\CM01\Sources\OSD\OfflineDefender\Sources, and then unmount the boot.wim file.

Create a standard ConfigMgr package named Offline Defender, with no program, and distribute the content.
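The eight file-staging steps above plus the package creation, carried out in one PowerShell script. This is an added example written for this article, not Johan's own script or anything shipped with Run-WDO.wsf. It assumes that imagepackage64.exe, mpam-fex64.exe and Run-WDO.wsf from the earlier steps are already in C:\Tmp, that ZTIUtility.vbs can be taken from an MDT 2013 files package at the (assumed) path in $ZtiUtility, that 7-Zip and the DISM PowerShell module (Windows 8.1 / ADK 8.1) are installed, and that the ConfigMgr console with its PowerShell module is present; the site code and DP group name are placeholders. Because everything placed in this package later runs as SYSTEM inside WinPE on every machine you scan, the script refuses to continue when any input file is missing rather than silently building an incomplete package.

```powershell
# Added example (not from the original post): stages the Offline Defender
# package source for Step 3 and creates/distributes the ConfigMgr package.
$Tmp        = 'C:\Tmp'
$Mount      = 'C:\Tmp\Mount'
$PkgSource  = '\\CM01\Sources\OSD\OfflineDefender'
$ZtiUtility = '\\CM01\Sources\OSD\MDT2013Files\Scripts\ZTIUtility.vbs'  # assumed location of your MDT 2013 files package
$SevenZip   = 'C:\Program Files\7-Zip\7z.exe'
$SiteCode   = 'PS1'      # placeholder: your ConfigMgr site code
$DpGroup    = 'All DPs'  # placeholder: your distribution point group

# Fail early if any of the downloaded inputs are missing.
foreach ($f in "$Tmp\imagepackage64.exe", "$Tmp\mpam-fex64.exe", "$Tmp\Run-WDO.wsf", $ZtiUtility, $SevenZip) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing required file: $f" }
}

# Steps 1 and 5: package source folder, its Sources subfolder, and the mount folder.
New-Item -ItemType Directory -Path $PkgSource, "$PkgSource\Sources", $Mount -Force | Out-Null

# Steps 2-4: wrapper script, MDT utility script, and the renamed definition package.
Copy-Item -LiteralPath "$Tmp\Run-WDO.wsf", $ZtiUtility, "$Tmp\mpam-fex64.exe" -Destination $PkgSource -Force

# Step 6: extract the self-extracting offline package with 7-Zip into C:\Tmp.
& $SevenZip x "$Tmp\imagepackage64.exe" "-o$Tmp" -y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip extraction failed with exit code $LASTEXITCODE" }
$Wim = "$Tmp\imagepackage64\sources\boot.wim"
if (-not (Test-Path -LiteralPath $Wim)) { throw "boot.wim not found at $Wim after extraction" }

# Steps 7-8: mount boot.wim read-only, copy the CONTENTS of the Microsoft
# Security Client folder (not the folder itself) into Sources, always unmount.
Mount-WindowsImage -ImagePath $Wim -Index 1 -Path $Mount -ReadOnly | Out-Null
try {
    Copy-Item -Path "$Mount\Program Files\Microsoft Security Client\*" -Destination "$PkgSource\Sources" -Recurse -Force
}
finally {
    Dismount-WindowsImage -Path $Mount -Discard | Out-Null
}

# Create the package (no program) and distribute its content.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Push-Location "$($SiteCode):"
try {
    $pkg = New-CMPackage -Name 'Offline Defender' -Path $PkgSource
    Start-CMContentDistribution -PackageId $pkg.PackageID -DistributionPointGroupName $DpGroup
}
finally {
    Pop-Location
}
```

Run it from an elevated PowerShell session on a machine with the ADK and the ConfigMgr console installed; the mount is read-only and discarded on unmount, so the downloaded boot.wim is never modified.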

[Image] Package source for my Offline Defender package, including the latest definitions.

Step 4 – Create a task sequence that runs the virus scan

The final step is to create a new ConfigMgr task sequence using the MDT custom template. I named my task sequence Run Offline Defender.

Keep the Gather and Use Toolkit Package actions (not required, but in general useful to have), and remove the other actions.

Add a Run Command Line action that uses the Offline Defender package and has the following command line:

cscript.exe Run-WDO.wsf

Deploy the new task sequence to a collection that contains the machines you want to scan.

PXE boot any of the machines, and select the Run Offline Defender task sequence.


Happy Deployment, Johan

About the author

Johan Arwidmark

25 Comments

Admin
8 years ago

Send me an email, and I can help you offline.

/ Johan

deucehearts
8 years ago

I downloaded the x64 version from the link provided in the article. I downloaded the x86 version as well but I failed to get it to load the definition file.

Admin
8 years ago

Hi CypherBit,

I have only tried this on a MDT custom task sequence with both Gather and Use Toolkit Package.

/ Johan

Admin
8 years ago

Hi deucehearts,

Did you download the x64 version of offline defender?

/ Johan

deucehearts
8 years ago

Great post. I keep getting an error though. It keeps telling me that I am attempting to run a 64-bit process on a 32-bit device and then tells me to restart. I am using Windows 8.1 x64 as my boot disk. Should it matter which version of the OS is on the hard disk if it is running an offline scan in Windows PE? Thank you.

Admin
8 years ago

Haven't seen a switch, or option to do the full scan

/ Johan

mbs
8 years ago

Sometimes it takes a while … :). Clearly it should stay there so you can view the results.

But the question remains whether it is possible to change to full scanning?

mbs
8 years ago

Virus scan is completed, but "Running action: Run Offline Defender" seems to be stuck.
What did I miss?

This is how my task sequence looks:

Use Toolkit Package
Gather
Run Command Line (Run Offline Defender)

And a second question, is it possible to change the scan-type from quick to full?

CypherBit
8 years ago

Is it possible to do this if there's no MDM integration (I have the ZTIUtility.vbs script)? Which TS should one use? I used a custom that just runs the command, but smsts.log fails with User profile cannot be loaded Error: 000001F4.

Admin
8 years ago

No need for the mssstool64.exe, only if you want to generate an ISO etc.

/ Johan

JayConnor
8 years ago

OK, fixed for now. Needs improvement, will only work in a scenario with 1 encrypted drive right now.
Hope someone finds it useful

JayConnor
8 years ago

Having some issues with my added code for detection logic, will update when fixed.

JayConnor
8 years ago

Sorry to keep updating. I added BitLocker drive detection and hide TS progress (seemed like a good candidate).

JayConnor
8 years ago

Where's the edit button!

JayConnor
8 years ago

Thanks Johan!

We have scripts that download definitions to a share from a mapped drive. I modified the script to get the latest from the R: mapping – add a Connect to Network Share step.
Also I added BitLocker detection, which then prompts the user for the BitLocker recovery password (assumes the drive is D:) before running the scan.
dl.dropboxusercontent.com/u/4831681/blog/Run-WDO.wsf.txt

^^ Could use some error checking on the recovery password though.

Admin
8 years ago

Hi gemi,

Indeed, it's the content of Microsoft Security Client that should be copied. I have updated the article to reflect that.

/ Johan

gemi
8 years ago

Forgot to add that if I add the folder "Microsoft Security Client" to the "Source" folder, the target is X:\Program Files\Microsoft Security Client\Microsoft Security Client, so I guess the content of "Microsoft Security Client" should be placed in the "Source" folder.

gemi
8 years ago

Where do I put mssstool64.exe? I'm not getting this to work and I can't find the msswrapper.log.

Admin
8 years ago

If you only have 512 MB of RAM on your computers, you need to adjust the WinPE 5.0 scratch space. The definition files that are copied to X: are at least 128 MB. WinPE 5.0 automatically sets the scratch space to 512 MB when having 1 GB or more of memory. Or you have to modify the script to copy the definition files to the root of your Windows volume, and then delete the file. The reason I copy to X: is because I always have 1 GB or more of memory on the machines, and anything put in X:…

djc8928
8 years ago

Following on from that, it appears to be trying to copy the contents to X:, which is only ~21 MB in size.

djc8928
8 years ago

Running it from the local package source in WinPE produces this:

Run-WDO: Copying WDO files
Run-WDO:X:\Program Files\Microsoft Security Client folder already exist, continue.
Run-WDO: Copying D:\_SMSTaskSequence\Packages\PP10013E\Source folder to the local machine
ZTI ERROR – Unhandled error returned by Run-WDO: (-2147024784 0x80070070)

Admin
8 years ago

And you do have enough free space on the C: (or D:) drive? ConfigMgr stages the packages locally… What if you run the script from the local package source while in WinPE?

/ Johan

djc8928
8 years ago

Thanks for giving me some ideas to keep the definitions up-to-date.

Yes there is a Windows installation on the disk and that log file doesn't seem to exist.

Daniel.

Admin
8 years ago

You do have a local Windows installation on the disk, right?

For troubleshooting, check the X:\Windows\Temp\msssWrapper.log file.

As for updating the definitions, you can schedule a PowerShell script that downloads the definitions daily, copy them to the offline defender package, and then trigger updates of your DP's.

/ Johan
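The daily definition refresh Johan describes in the reply above, written out as a PowerShell script. This is an added example, not Johan's script and not part of the article. It assumes that the download URL is Microsoft's x64 definition-package link (verify it against the link you used in Step 2 before relying on it), that the package ID and site code are placeholders you replace with your own, and that the ConfigMgr console with its PowerShell module is installed on the machine that runs the scheduled task. Since the file it fetches is an executable that will later run as SYSTEM in WinPE on every scanned machine, the script checks the Authenticode signature and publisher before touching the package source, and only triggers a distribution point update when the definitions actually changed.

```powershell
# Added example (not Johan's script): refresh mpam-fex64.exe in the Offline
# Defender package source and update the distribution points when it changed.
$DefinitionUrl = 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64'  # assumed: verify against your Step 2 download link
$PkgSource     = '\\CM01\Sources\OSD\OfflineDefender'
$PackageId     = 'PS100001'   # placeholder: the Offline Defender package ID
$SiteCode      = 'PS1'        # placeholder: your ConfigMgr site code
$Staging       = Join-Path $env:TEMP 'mpam-fe.exe'
$Target        = Join-Path $PkgSource 'mpam-fex64.exe'   # renamed copy, as in Step 2

# Download to a temp file first so a failed download never leaves a broken
# package source behind.
Invoke-WebRequest -Uri $DefinitionUrl -OutFile $Staging -UseBasicParsing

# The file will execute as SYSTEM inside WinPE: require a valid Microsoft signature.
$sig = Get-AuthenticodeSignature -FilePath $Staging
if ($sig.Status -ne 'Valid') {
    throw "Definition download is not validly signed: $($sig.Status)"
}
if ($sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# Compare with the copy already in the package; skip the DP update if unchanged.
$newHash = (Get-FileHash -LiteralPath $Staging -Algorithm SHA256).Hash
$oldHash = if (Test-Path -LiteralPath $Target) {
    (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
} else { '' }
if ($newHash -eq $oldHash) {
    Write-Output 'Definitions unchanged, nothing to do.'
    return
}
Copy-Item -LiteralPath $Staging -Destination $Target -Force
Write-Output "Updated $Target (SHA256 $newHash)"

# Tell ConfigMgr to push the changed package content to the DPs.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Push-Location "$($SiteCode):"
try {
    Update-CMDistributionPoint -PackageId $PackageId
}
finally {
    Pop-Location
}
```

Schedule it with Task Scheduler under an account that has write access to the package share and the ConfigMgr rights needed to update package content; the hash comparison keeps the DPs from being refreshed on days when Microsoft has not published new definitions.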

djc8928
8 years ago

Johan,

When the TS gets to the stage where it tries to run WDO I'm getting Error 0x80070070 which according to smsts.log means there is not enough space on the disk. Any thoughts?

Also, would you have any suggestions for keeping the definitions up-to-date?

Daniel.
