Launching a Windows Defender Offline Scan with Configuration Manager 2012 OSD


** WIM links updated 10/2/2012

In the System Center 2012 Endpoint Protection Status monitoring dashboard, one possible malware-remediation status is Offline Scan Required.  What does this mean, and how can you address this status?  It means that a particular piece of malware could not be fully cleaned, and the computer needs to be scanned and cleaned outside of the full operating system to complete remediation.  This requires a restart into the Windows Preinstallation Environment (WinPE) to run the Windows Defender Offline scan tool, which cleans the unwanted software, including rootkits.

The Windows Defender Offline scan tool is a free tool available for download here as a bootable Windows Imaging Format (WIM) file, which can be put onto media (USB or DVD) and inserted into the infected computer.  However, since walking around to machines with media in your hand is so 1991, why not use Configuration Manager’s OSD feature to do this for you?  In this blog, I’m going to walk you through the steps of doing exactly that, as an example of yet another way that having management and security in the same product is so awesome and convenient.

Building the Windows Defender Offline WIM

The first thing you need to do is download the boot WIM for both 32 bit and 64 bit operating systems from here (NOTE: System Center 2012 SP1 Configuration Manager Beta customers will need to use the new versions of the WIM, which are located at 32 bit and 64 bit).  Once downloaded, you’ll have an imagepackage32.exe and imagepackage64.exe, which, when launched, will extract the content; from there, you’ll want to grab the boot.wim out of the sources folder.  You’ll also need to download the latest full definition files, which can be found here for 32 Bit, and here for 64 Bit.  The file names for both architectures are the same, so save them to different folders.  You can also refer to my blog on deploying the Endpoint Protection client using an OSD task sequence for details/links to scripts that automate full definition downloads.  You can use the same definitions brought down by that process for the Windows Defender Offline definitions.  Once you have the requisite files, perform the following steps.

Note: I’m only going to walk through a 64 bit example—the 32 bit steps are the same other than there’s no need to rename the definition file in the 32 bit workflow.

  1. Put the 64 bit boot.wim file you downloaded for Windows Defender Offline into the source directory from which you’ll import and distribute the completed WIM (after we modify it) using Configuration Manager.
  2. Next, you’ll use the Deployment Image Servicing and Management (DISM) tool to mount the WIM so that you have access to the file structure.  You need to do this so that you can put the latest definition file into the WIM before you un-mount it and distribute it through Configuration Manager.  From the command prompt, run the following command against the source directory of your WIM, mounting it to a separate, empty directory that you’ve pre-created (DISM will not mount into a directory that already contains files, so do not use the directory holding boot.wim itself):
    DISM /mount-wim /wimfile:<source dir>\boot.wim /mountdir:<mount dir> /index:1

    For example, here’s the command on my test system, and the progress indicator you’ll see:


  3. After you’ve mounted the WIM, go to the folder you specified in the above step, which will look like the screenshot below.  If you navigate through Program Files\Microsoft Security Client, you’ll see the files used for scanning, using Windows Defender Offline in WinPE.

  4. Next, you want to place the definition file for 64 bit in the root of this directory.  Also, you will need to rename this file from mpam-fe.exe to mpam-fex64.exe.  If you don’t rename this file (only on 64-bit, leave the name as is on 32-bit, mpam-fe.exe), the Offline Scan will fail!


  5. After that, make sure that you close any folders or command prompts that might be open in your source WIM directory or your mounted one, or the next step to unmount the WIM and commit changes will fail.  Go ahead and unmount the WIM and commit changes with the following command (use the same mount directory you specified in step 2):
    DISM /unmount-wim /mountdir:<mount dir> /commit

  6. You now have a reference, bootable WIM for Windows Defender Offline, which includes the latest definitions, so it’s ready to import into Configuration Manager.
    Note:  You should repeat this process at least weekly, and distribute the updated WIM files to distribution points to assure you have current definitions for offline scans when the process is needed.
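The mount, copy and unmount steps above, carried out as one script.  This is an added example, not a script from the post or from Microsoft: it drives dism.exe with the same switches the post uses, follows the post's rule of renaming only the 64 bit definition package, and adds two checks a practitioner would want before a definition package goes into an image that will be distributed site-wide.  The folder paths, parameter names, the Authenticode check against a Microsoft-issued signing certificate, and the seven-day freshness threshold (taken from the "repeat at least weekly" note) are all assumptions of this example.

```powershell
# Added example (not from the original post): refresh the Windows Defender Offline
# boot.wim with current definitions using the DISM steps described above.
# Assumptions: dism.exe (Windows AIK/ADK) is on PATH, the console is elevated, and the
# default paths below are placeholders for your own source, mount and definition folders.
param(
    [string]$SourceWim      = 'D:\Sources\WDO\x64\boot.wim',          # WIM you will import into ConfigMgr
    [string]$MountDir       = 'D:\Mount\WDO_x64',                     # empty, pre-created mount directory
    [string]$DefinitionFile = 'D:\Sources\WDO\defs\x64\mpam-fe.exe',  # downloaded full definition package
    [ValidateSet('x86', 'x64')][string]$Architecture = 'x64',
    [int]$MaxDefinitionAgeDays = 7                                     # "repeat at least weekly"
)

$ErrorActionPreference = 'Stop'

# DISM refuses to mount into a directory that is missing or not empty.
if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }
if (Get-ChildItem -Path $MountDir -Force) { throw "Mount directory $MountDir is not empty" }

# Check 1 (assumed policy): the definition package must carry a valid Authenticode
# signature from a Microsoft certificate before it is baked into a distributed image.
$sig = Get-AuthenticodeSignature -FilePath $DefinitionFile
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Definition package $DefinitionFile is not validly signed by Microsoft (status: $($sig.Status))"
}

# Check 2: refuse stale definitions; the whole point of rebuilding weekly is freshness.
$ageDays = ((Get-Date) - (Get-Item $DefinitionFile).LastWriteTime).TotalDays
if ($ageDays -gt $MaxDefinitionAgeDays) {
    throw ("Definition package is {0:N0} days old; download a current mpam-fe.exe first" -f $ageDays)
}

# Step 2: mount index 1 of the boot WIM read/write.
& dism.exe /mount-wim "/wimfile:$SourceWim" "/mountdir:$MountDir" /index:1
if ($LASTEXITCODE -ne 0) { throw "DISM mount failed with exit code $LASTEXITCODE" }

$changesOk = $false
try {
    # Step 3: confirm this really is a Windows Defender Offline image before modifying it.
    $scanner = Join-Path $MountDir 'Program Files\Microsoft Security Client\OfflineScannerShell.exe'
    if (-not (Test-Path $scanner)) {
        throw "OfflineScannerShell.exe not found under $MountDir; wrong WIM or image index?"
    }

    # Step 4: copy the definition package to the root of the image. Per the post, the
    # 64 bit package is renamed to mpam-fex64.exe; the 32 bit name stays mpam-fe.exe.
    $targetName = if ($Architecture -eq 'x64') { 'mpam-fex64.exe' } else { 'mpam-fe.exe' }
    Copy-Item -Path $DefinitionFile -Destination (Join-Path $MountDir $targetName) -Force
    Write-Host "Placed $targetName in the image root"
    $changesOk = $true
}
finally {
    # Step 5: unmount. Commit only if every step above succeeded; otherwise discard so a
    # half-modified image is never distributed. Close anything open in $MountDir first,
    # or the unmount fails and the image stays mounted.
    $mode = if ($changesOk) { '/commit' } else { '/discard' }
    & dism.exe /unmount-wim "/mountdir:$MountDir" $mode
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "DISM unmount ($mode) failed with exit code $LASTEXITCODE; close open handles and run 'dism /cleanup-wim'"
    }
}
```

Run it once per architecture (the x86 run leaves the file name unchanged), then import the resulting boot.wim as described in the next section.  The signature check is the one step here that is not in the post's procedure; it is cheap, and it means a tampered or mis-downloaded definition package stops the build rather than being pushed to every distribution point.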

Importing the WIM into Configuration Manager

In this next step, you will create the Boot Image for Windows Defender Offline, by importing it into Configuration Manager.

  1. Open your Configuration Manager console, and navigate to Software Library | Operating Systems | Boot Images, and choose “Add Boot Image.”
  2. From the wizard, browse to the path where you saved your boot.wim in the previous step.  In the dropdown you should see the single boot image for the right architecture (x64 in this case).
  3. On the next page, name the boot image something intuitive, like “Windows Defender Offline WIM 64 Bit”
  4. Finish the wizard (this could take several minutes as the WIM is imported).
  5. After that completes, go ahead and distribute the WIM to Distribution Points, by choosing Distribute Content, and walking through that simple wizard.

Building the Task Sequence

In our next step, we need to build the task sequence using this boot image.  In this task sequence, for which an importable example is provided in this blog, we will add steps in the following order: disable BitLocker (if you use BitLocker in your environment), restart the computer into WinPE, run the Defender Offline Scan as a command line action, restart the computer into the existing operating system, and enable BitLocker.  To create this task sequence, simply download the exported task sequence zip file I’ve provided at the bottom of this blog and import it.

  1. From Software Library | Operating System | Task Sequences, choose Import Task Sequence.
  2. Browse to the UNC path where you saved the downloaded task sequence, and then finish the wizard.
  3. In the created task sequence, choose Properties, and under the advanced tab, select Use a boot image, and browse to the WIM you created in a previous step.
  4. On this same tab, choose the appropriate operating systems that this will run on by architecture, so that the end-user only sees one option, as appropriate for their system/OS architecture, in Software Center.  Click OK.

  5. You can also choose to edit this imported task sequence if you want to enable/disable any of the steps, or add your own.

    Note:  You can also create your own task sequence from scratch, through the create task sequence wizard.  The command line you want to use to execute Defender Offline Scan from WinPE is "%ProgramFiles%\Microsoft Security Client\OfflineScannerShell.exe" /autoscan.

Building a dynamic collection for targeting the Offline Scan

Given that a client requiring an offline scan is not likely to be a frequent event across a large number of clients, you probably want this solution delivered to clients conditionally.  So next, we’ll create a dynamic collection of clients in this particular malware state, and target the task sequence at that collection.  This way, only users on clients that require an offline scan will be able to see the deployment in Software Center.  It also lets you identify exactly which clients are in this state, and then work with the end user to have them launch this remediation from Software Center, as only clients in this state will see the deployment as available.

  1. Under Assets and Compliance | Device Collections, choose Create a Device Collection.
  2. Name the collection something intuitive, like Offline scan required to remediate malware, and choose the limiting collection.
  3. Select Use incremental updates for this collection, and Schedule a full update of this collection to occur once a day, at whatever time you choose.
  4. Under membership rules, we need to choose the malware-state logic that will be used to build this collection dynamically.  Within ten minutes or so of a client reporting this state, it will join this collection and get the task sequence targeted at its next policy polling interval (60 minutes by default; this can also be forced ad hoc on the client by triggering a machine policy refresh from the Configuration Manager control panel applet).
  5. For the membership rule, choose Add Rule, and choose Query Rule.  Name the query Offline Scan Required, and choose Edit Query Statement.
  6. In the query statement properties, choose the Criteria tab.  From there, click the yellow star to add criteria.
  7. Keep the default of Simple Value, and choose Select.
  8. From the Attribute Class dropdown, choose Antimalware Infection Status, and for the attribute choose PendingOfflineScan.
  9. In Criterion properties, keep the default value of is equal to True, and click OK.
  10. Click OK on the Query Statement Properties, and Query Rule Properties.
  11. Complete the wizard.  Now you have a collection that will only ever be populated with clients requiring an offline scan.  They will be removed from this collection automatically after they complete the offline scan, and that cleaning state is reported back up to the Configuration Manager server.
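The collection above, created from a script instead of the wizard, with a check at the end that lists which clients currently satisfy the rule.  This is an added example, not part of the post.  It assumes the ConfigurationManager PowerShell module that ships with Configuration Manager 2012 SP1 and later (the post's RTM readers would use the console steps above), a site code of PS1 (placeholder), a limiting collection named as shown, and that the "Antimalware Infection Status" attribute class in the console corresponds to the WQL class SMS_G_System_AntimalwareInfectionStatus with a PendingOfflineScan property; verify that class name in your own query designer before relying on it.

```powershell
# Added example (not from the original post): build the "offline scan required"
# dynamic collection with the query rule described above, then show its current matches.
# Assumptions: ConfigurationManager module loaded (ConfigMgr 2012 SP1+), site code and
# limiting-collection name below are placeholders, and the WQL class name is the one
# backing the console's "Antimalware Infection Status" attribute class.
param(
    [string]$SiteCode           = 'PS1',                                       # placeholder
    [string]$CollectionName     = 'Offline scan required to remediate malware',
    [string]$LimitingCollection = 'All Desktop and Server Clients'            # placeholder
)

$ErrorActionPreference = 'Stop'

# Same rule as steps 8 and 9 above: clients whose Endpoint Protection state has
# PendingOfflineScan = True. Joined to SMS_R_System so the collection gets resources.
$wql = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_AntimalwareInfectionStatus
  on SMS_G_System_AntimalwareInfectionStatus.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_AntimalwareInfectionStatus.PendingOfflineScan = 1
"@

Set-Location "$($SiteCode):"   # cmdlets below require the site drive as current location

# Steps 2 and 3: incremental updates plus one full evaluation per day (02:00 here).
$dailyAt2 = New-CMSchedule -Start (Get-Date -Hour 2 -Minute 0 -Second 0) -RecurInterval Days -RecurCount 1
$collection = Get-CMDeviceCollection -Name $CollectionName
if (-not $collection) {
    $collection = New-CMDeviceCollection -Name $CollectionName `
        -LimitingCollectionName $LimitingCollection `
        -RefreshType Both -RefreshSchedule $dailyAt2
    Write-Host "Created collection '$CollectionName' ($($collection.CollectionID))"
}

# Steps 5 to 10: attach the query rule, named as in the post; idempotent on re-runs.
$ruleName = 'Offline Scan Required'
if (-not (Get-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName -RuleName $ruleName)) {
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
        -RuleName $ruleName -QueryExpression $wql
    Write-Host "Added query rule '$ruleName'"
}

# Check your work: ask the SMS provider directly which clients currently report
# PendingOfflineScan, independent of the collection's evaluation cycle. A non-join
# query is used here so each result is a plain object with a ResourceId.
Set-Location $env:SystemDrive
$ns = "root\sms\site_$SiteCode"
$pending = Get-WmiObject -Namespace $ns -Query `
    'select ResourceId from SMS_G_System_AntimalwareInfectionStatus where PendingOfflineScan = 1'
foreach ($row in @($pending)) {
    $client = Get-WmiObject -Namespace $ns -Query "select Name from SMS_R_System where ResourceId = $($row.ResourceId)"
    Write-Host ("Pending offline scan: {0} (ResourceId {1})" -f $client.Name, $row.ResourceId)
}
if (-not $pending) { Write-Host 'No clients currently report PendingOfflineScan' }
```

The final query is useful on its own when a client does not seem to be joining the collection: if it appears in this list but not in the collection, the problem is collection evaluation timing; if it does not appear here at all, the client has not yet reported the state to the site.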

Deploying the Task Sequence

Now that you have the boot image, task sequence, and target collection created, we are ready to deploy the task sequence.  After this step, any client that appears in the collection will have this task sequence deployment made available dynamically.  You can also add a direct member to this collection, or target another test collection (with members) with this task sequence if you just want to test the overall process, not dependent on the condition of getting malware that results in this state.

  1. From Software Library | Operating Systems | Task Sequences, select the Windows Defender Offline 64 bit task sequence, and choose Deploy.
  2. Specify the collection we created in the previous step.
  3. Next, choose to make it available or required.  If you make it required, then you can configure on the next page how long the user will have to run this before it becomes mandatory.  Also, you can specify the conditions that activate this assignment, like user logoff. We’re just going to set this as available, as the occurrence of this remediation type is infrequent enough that our process is to make this available to the user, and then communicate to them in email that they need to run this as soon as they can from Software Center to mitigate a malware risk.
  4. If you want to make this deployment available to PXE so that users can boot into an Offline Scan without having to launch it from the full operating system, select that option on this page.
  5. On the scheduling page, set when this will be available to the user, which should just be the current clock time, as any clients that get this in the future will then have it available as soon as policy is processed.
  6. On the User Experience page, keep the settings as default.  This helps users better understand how much time is left in the overall process.  If you choose to uncheck show task sequence progress, the user will not see specifics about the task sequence steps, but they will still see an overall progress bar, in the foreground of the Windows Defender Offline scan status UI.
  7. On the alerts page, these probably aren’t needed given the ad-hoc nature of these types of deployments.
  8. On the distribution points page, choose to download content locally when needed by running task sequence, and then choose your preferred behavior for clients to retrieve content remotely, and then complete the wizard.

Create Task Sequence Media (Optional Step)

An additional option you have in Configuration Manager is to create bootable media from the task sequence, so that you can export the boot image and steps onto a share (for remote admins to grab and use), USB or DVD.  You can use this either to test the solution offline (independent of Configuration Manager), or to create media ad hoc for offline (road warrior) clients, or for clients you don’t want to deploy this to using Configuration Manager.  From the task sequence list, simply choose the Defender Offline task sequence, and choose Create Task Sequence Media.  Choose standalone, then your preferred media type, and finish the wizard.

Check your work

As you probably want to validate that this works end-to-end without waiting for an offline-scan required malware, go ahead and target this task sequence to a test client by adding the client to the dynamic collection you created (using direct membership) or by creating a new deployment of this task sequence to a test collection.  After the task sequence is deployed, go to the test client and refresh policy.

Wait a couple of minutes, and then open Software Center, where you’ll see the deployment for Windows Defender Offline Scan:


Go ahead and launch install (shows as reinstall in the screenshot, as I’ve already run through this).  You’ll get a warning pop-up that you are about to install a new operating system, which isn’t really the case, but that’s a standard pop-up for all deployments with a type of “Operating System.”  This is kind of a scary dialog to end users, and unfortunately there’s no way to control it.  This is why working with end users directly, or educating them on this process, is critical (i.e. avoid panic attacks).  After a download progress indicator completes, the system will provide a reboot countdown, and then reboot into WinPE, where the task sequence will kick off the Defender Offline Scan:


Once the scan completes, the system will restart into the main operating system, and you’re done.  Within a few minutes, the state of offline scan required should be cleared from the database and console, the client falls out of the collection, and the issue is remediated!  And you didn’t have to walk or send media all over the world to accomplish this.  It’s all available using System Center 2012 Configuration Manager and System Center 2012 Endpoint Protection together.  Management and security.

--Jason Githens

This posting is provided "AS IS" with no warranties, and confers no rights.

Attachment: ConfigMgrWDO.zip
  • Great post very useful, thanks.

    I'm facing an issue with the definition updates. The Defender doesn't recognize the files I think. I placed the mpam-fe.exe and renamed it to mpam-fex64.exe at the root of the boot.wim. No luck till now :-(

    Do you have any further advice?

    regards,

    Oliver

  • Sorry for the late response, as I was at MMS last week and not checking in on the blog responses.  Oliver, are you still having issues with the definition binary?

  • Great article, but the TS provided is not working because of the following:

    blogs.technet.com/.../configmgr-2007-osd-task-sequence-fails-with-task-sequence-cannot-continue-after-reboot-because-ts-manager-is-not-configured-to-auto-start-or-gina-is-not-installed.aspx

    Should this work? :)

  • Thanks for the feedback, Flowman.  This may be an issue with Windows XP.  Our test team is going to try to reproduce this, and I'll update the blog comments after we've done that, and provide any adjustments that might be required to the TS.  Thanks again.

  • I'm unable to import the wim file into configmgr, it tells me the image needs to be finalized. Any suggestions on how to resolve this ? I'm using SCCM 2012 RTM and an extracted wim file from today.

  • Hello,

    I am getting the same results as Jon.

    Error: Errors

    You can not import this boot image. Only finalized boot images are supported. For more information press F1.

    Would be great to get this ability to work.

    Thank You

  • I think this is because the windows offline defender pxe image is now based on windows 8 which is not supported by sccm 2012 rtm (sccm2012 sp1 should resolve this).

    One would need an older defender image still using windows 7 pe. Plus you need to add WinPE-Scripting.cab and WinPE-WMI.cab to your boot.wim prior to importing it into sccm.

    technet.microsoft.com/.../bb680372.aspx

    I've performed these steps with the new cabs from the windows 8 adk but it fails giving me the finalized error, which leads me to the conclusion at the beginning of my post. Can anyone clarify this ?

  • Hi Jim,

    Thank you for responding.  I hope someone can post a link to the Windows 7 based WIM file so I can import into SCCM 2012.  Any article I come across references the Windows 8 based iso image.

    Thank You

  • Thanks for the feedback.  Unfortunately, the link is now pointing to the WIM supported only in CM12 SP1, and we're working on adding a link to the CM12 RTM WIM.  We hope to have this resolved in the next couple of days.

    Thanks,

    Jason Githens

    Microsoft - Configuration Manager

  • The links have been updated to provide WIMs for both ConfigMgr 2012 RTM, and ConfigMgr 2012 SP1 Beta.  Please post if you have any further issues.

    Thanks,

    Jason Githens - Microsoft - Configuration Manager

  • Hello Jason, thanks again for your effort. I was able to import the wim file. However, when running the task sequence Offline defender starts but exits with exit code 2152730626. I've copied the latest definition files to the root directory of the wim file and verified it's renamed to mpam-fex64.exe.

    When I try launching the offlinescannershell.exe from the command line it tells me my definition files are not up to date, when I hit update it seems like defender is downloading new definitions and starts the scan.

    I was unable to find out if and where a new definition file could have been written. I've also tried applying the update with mpam-fex64.exe -q but I'm getting "The subsystem needed to support the image type is not present." error message.

    I've double checked, prior to posting, I've followed all your steps. I'm going to try a 32-bit version of the wim file to see if the above problem applies there as well.

  • Hello, I was not able to perform a successful scan with the old wim files. I set up a lab environment for cm 2012 sp1 and ran successful scans for both x86 and x64. However the instruction renaming the file for x64 seems to be wrong. The scan did not start with the filename changed to mpam-fex64.exe, I renamed it to mpam-fe.exe and it worked like a charm.

  • This is just what we need, Thanks for providing it.

    I have everything set up like you posted but I am having some trouble.

    If I use the command line like this:

    "%ProgramFiles%\Microsoft Security Client\OfflineScannerShell.exe" /autoscan

    It gets stuck on the screen above your last picture…it looks like it is searching for something.

    If I move the Quote to the other side of the  /autoscan switch like this…

    "%ProgramFiles%\Microsoft Security Client\OfflineScannerShell.exe /autoscan”

    Then the quick scan runs but never closes, and when I manually close it I get a Task Sequence error.

    Also I have looked and not been able to find any switches that would let me run a Full Scan instead of a Quick Scan.

    I have tried “MpCmdRun.exe –Scan –Scan Type 2” but that fails too

    Thanks for your help,

    James

  • Jason

    Now that Configmgr 2012 SP1 has been released are the links for SP1 still valid or is there newer content I should be searching for? I had this solution in place for RTM and now want to update it.

    Thanks for the great post!

  • @Ryan: I have finally upgraded to sccm 2012 sp1 and can confirm the links posted here work like a charm.

    @Jason: are there any command line parameters for the offlinescannershell.exe ?

    I would love to update the definitions in the task sequence.