** WIM links updated 10/2/2012
In the System Center 2012 Endpoint Protection Status monitoring dashboard, one possible malware remediation status is Offline Scan Required. What does this mean, and how can you address it? It means that a particular piece of malware could not be fully cleaned while the operating system was running, and the computer needs to be scanned and cleaned outside of the full operating system to complete remediation. This requires a restart into the Windows Pre-installation Environment (WinPE) to run the Windows Defender Offline scan tool, which can clean unwanted software that hides from or resists the online scanner, including rootkits.
The Windows Defender Offline scan tool is a free tool available for download here as a bootable Windows Imaging Format (WIM) file, which can be put onto media (USB or DVD) and inserted into the infected computer. However, since walking around to machines with media in your hand is so 1991, why not use Configuration Manager’s OSD feature to do this for you? In this blog, I’m going to walk you through the steps of doing exactly that, as an example of yet another way that management and security in the same product is so awesome and convenient.
The first thing you need to do is download the boot WIM for both 32 bit and 64 bit operating systems from here (NOTE: System Center 2012 SP1 Configuration Manager Beta customers will need to use the new versions of the WIM, which are located at 32 bit and 64 bit). Once downloaded, you'll have an imagepackage32.exe and imagepackage64.exe; when launched, each extracts its content, and from there you'll want to grab the boot.wim out of the sources folder. You'll also need to download the latest full definition files, which can be found here for 32 bit and here for 64 bit. The file names for both architectures are the same (mpam-fe.exe), so save them to different folders. You can also refer to my blog on deploying the Endpoint Protection client using an OSD task sequence for details and links to scripts that automate full definition downloads; the same definitions brought down by that process can be used for the Windows Defender Offline definitions. Once you have the requisite files, perform the following steps.
Note: I’m only going to walk through a 64 bit example—the 32 bit steps are the same other than there’s no need to rename the definition file in the 32 bit workflow.
Mount the boot image (index 1) with DISM:
DISM /mount-wim /wimfile:%file%\boot.wim /mountdir:%file% /index:1
For example, here's the mount command on my test system, and the progress indicator you'll see. With the image mounted, copy the full definition file you downloaded to the root of the mounted image (for 64 bit, renamed to mpam-fex64.exe, per the note above), then commit the change and unmount the image:
DISM /unmount-wim /mountdir:%file% /commit
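The mount, copy, and commit steps above are easy to get half-done by hand (a failed copy followed by /commit still seals a broken image). The following PowerShell script is an added example, not the original post's script, that performs the whole sequence with error handling. It assumes the imagepackage64.exe content has already been extracted under a working folder so that sources\boot.wim exists there, that the matching full definition package was saved as mpam-fe.exe in a separate folder, and that it runs from an elevated prompt on a machine with DISM. The definition file name inside the image is a parameter because the post calls for mpam-fex64.exe on 64 bit while a later comment reports the SP1 WIM working with the file left as mpam-fe.exe.

```powershell
<#
  Build-WdoBootWim.ps1 -- added example, not the post's own script.
  Assumed layout: $WorkDir\sources\boot.wim (extracted from imagepackage64.exe)
  and the full definition package at $DefinitionFile.
#>
param(
    [string]$WorkDir        = 'C:\WDO\x64',                  # assumed path
    [string]$DefinitionFile = 'C:\WDO\defs\x64\mpam-fe.exe', # assumed path
    [ValidateSet('x86','x64')]
    [string]$Arch           = 'x64',
    # Name the package must carry at the image root. The post says x64 wants
    # mpam-fex64.exe; a comment reports mpam-fe.exe working on the SP1 WIM.
    [string]$TargetName     = $(if ($Arch -eq 'x64') { 'mpam-fex64.exe' } else { 'mpam-fe.exe' })
)

$ErrorActionPreference = 'Stop'
$wim   = Join-Path $WorkDir 'sources\boot.wim'
$mount = Join-Path $WorkDir 'mount'   # separate mount directory, not the WIM's own folder

if (-not (Test-Path $wim))            { throw "boot.wim not found at $wim" }
if (-not (Test-Path $DefinitionFile)) { throw "definition package not found at $DefinitionFile" }
New-Item -ItemType Directory -Force -Path $mount | Out-Null

# Refuse to seal an unsigned or tampered definition package into an image that
# will later run with raw access to every disk on the client.
$sig = Get-AuthenticodeSignature -FilePath $DefinitionFile
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*') {
    throw "Definition package signature check failed: $($sig.Status)"
}

& dism.exe /Mount-Wim /WimFile:$wim /MountDir:$mount /Index:1
if ($LASTEXITCODE -ne 0) { throw "DISM mount failed with exit code $LASTEXITCODE" }

$committed = $false
try {
    $dest = Join-Path $mount $TargetName
    Copy-Item -Path $DefinitionFile -Destination $dest -Force
    if (-not (Test-Path $dest)) { throw "copy into mounted image failed" }

    # Only commit once the file is verifiably at the image root.
    & dism.exe /Unmount-Wim /MountDir:$mount /Commit
    if ($LASTEXITCODE -ne 0) { throw "DISM commit failed with exit code $LASTEXITCODE" }
    $committed = $true
    Write-Host "Sealed $TargetName into $wim"
}
finally {
    # Anything that failed after the mount: discard instead of leaving a stale
    # mount behind, which blocks the next DISM run against the same directory.
    if (-not $committed) { & dism.exe /Unmount-Wim /MountDir:$mount /Discard }
}
```

Run it once per architecture with -Arch and the matching paths; keep the two definition packages in different folders as the post notes, since both download as mpam-fe.exe.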
In this next step, you will create the Boot Image for Windows Defender Offline, by importing it into Configuration Manager.
In our next step, we need to build the task sequence that uses this boot image. In this task sequence, for which an importable example is provided in this blog, we add steps in the following order: disable BitLocker (if you use BitLocker in your environment), restart the computer into WinPE, run the Defender Offline scan as a command line action, restart the computer into the existing operating system, and re-enable BitLocker. To create this task sequence, simply download the exported task sequence zip file I've provided at the bottom of this blog and import it.
Note: You can also create your own task sequence from scratch, through the create task sequence wizard. The command line you want to use to execute Defender Offline Scan from WinPE is "%ProgramFiles%\Microsoft Security Client\OfflineScannerShell.exe" /autoscan.
Given that clients requiring offline scans is not likely to be a frequent event across a large number of clients, you probably want this solution delivered to clients conditionally. So next, we'll create a dynamic collection of clients in this particular malware state and target the task sequence at it. This way, only users on clients that require an offline scan will see the deployment in Software Center. It also lets you identify exactly which clients are in this state, so you can work with the end user to have them launch the remediation from Software Center.
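The membership rule for that dynamic collection was shown as a screenshot in the original post. As an added example (not the post's own query), the following PowerShell lists the clients currently in the offline-scan-required state through the SMS Provider and, optionally, creates the collection with that query as a membership rule. Assumptions to verify before use: the site server name and site code are placeholders; the class and property names (SMS_G_System_AntimalwareInfectionStatus with PendingOfflineScan) are from my reading of the ConfigMgr 2012 schema and should be confirmed in the console's query designer; the New-CMDeviceCollection and Add-CMDeviceCollectionQueryMembershipRule cmdlets come with the SP1 console PowerShell module.

```powershell
# Added example, not from the original post. Finds clients whose Endpoint
# Protection infection status is "offline scan required" and can build the
# dynamic collection the post targets its task sequence at.
param(
    [string]$SiteServer     = 'cm01.contoso.local',   # assumed
    [string]$SiteCode       = 'P01',                  # assumed
    [string]$CollectionName = 'EP - Offline Scan Required',
    [switch]$CreateCollection
)

# Class/property names are assumed from the ConfigMgr 2012 schema; confirm
# them in the console's query designer before relying on this rule.
$wql = @"
select SMS_R_System.ResourceId, SMS_R_System.Name
from SMS_R_System
inner join SMS_G_System_AntimalwareInfectionStatus
  on SMS_G_System_AntimalwareInfectionStatus.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_AntimalwareInfectionStatus.PendingOfflineScan = 1
"@

# Joined WQL results come back as generic objects keyed by class name.
$pending = Get-WmiObject -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" -Query $wql |
    ForEach-Object { [pscustomobject]@{ Name = $_.SMS_R_System.Name; ResourceId = $_.SMS_R_System.ResourceId } }

if ($pending) {
    Write-Host "Clients pending an offline scan:"
    $pending | Format-Table -AutoSize
} else {
    Write-Host "No clients currently report PendingOfflineScan = 1"
}

if ($CreateCollection) {
    # Requires the ConfigMgr SP1 console module loaded and a PSDrive mapped to the site, e.g.:
    #   Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"; Set-Location "$($SiteCode):"
    New-CMDeviceCollection -Name $CollectionName -LimitingCollectionName 'All Systems' | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
        -RuleName 'Pending offline scan' -QueryExpression $wql
    Write-Host "Created '$CollectionName' with a query membership rule"
}
```

Use a short incremental-update or scheduled-refresh interval on the collection so that a client drops out of it (and the deployment disappears from Software Center) soon after its status clears.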
Now that you have the boot image, task sequence, and target collection created, we are ready to deploy the task sequence. After this step, any client that appears in the collection will have this task sequence deployment made available dynamically. You can also add a direct member to this collection, or target another test collection (with members) with this task sequence if you just want to test the overall process, not dependent on the condition of getting malware that results in this state.
An additional option you have in Configuration Manager, is to create bootable media from the task sequence, so that you can export the boot image and steps onto a share (for remote admins to grab and use), USB or DVD. You can use this to either test the solution offline (independent of Configuration Manager), or you can create media ad-hoc for offline (road warrior) clients, or clients you don’t want to deploy this to using Configuration Manager. From the task sequence list, simply choose the Defender Offline task sequence, and choose to Create Task Sequence Media. Choose standalone, and then your preferred media type and finish the wizard.
As you probably want to validate that this works end-to-end without waiting for an offline-scan required malware, go ahead and target this task sequence to a test client by adding the client to the dynamic collection you created (using direct membership) or by creating a new deployment of this task sequence to a test collection. After the task sequence is deployed, go to the test client and refresh policy.
Wait a couple of minutes, and then open Software Center, where you’ll see the deployment for Windows Defender Offline Scan:
Go ahead and launch install (it shows as reinstall in the screenshot, as I've already run through this). You'll get a warning pop-up that you are about to install a new operating system, which isn't really the case, but that's the standard pop-up for all deployments with a type of "Operating System." This is a scary dialog for end users, and unfortunately there's no way to suppress it. This is why working with end users directly, or educating them on this process, is critical (i.e. avoid panic attacks). After a download progress indicator completes, the system shows a reboot countdown, and then reboots into WinPE, where the task sequence kicks off the Defender Offline scan:
Once the scan completes, the system will restart into the main operating system, and you’re done. Within a few minutes, the state of offline scan required should be cleared from the database and console, the client falls out of the collection, and the issue is remediated! And you didn’t have to walk or send media all over the world to accomplish this. It’s all available using System Center 2012 Configuration Manager and System Center 2012 Endpoint Protection together. Management and security.
This posting is provided "AS IS" with no warranties, and confers no rights.
Great post very useful, thanks.
I'm facing an issue with the definition updates. Defender doesn't recognize the files, I think. I placed the mpam-fe.exe and renamed it to mpam-fex64.exe at the root of the boot.wim. No luck till now :-(
Do you have any further advice?
Sorry for the late response, as I was at MMS last week and not checking in on the blog responses. Oliver, are you still having issues with the definition binary?
Great article, but the TS provided is not working because the following:
Should this work? :)
Thanks for the feedback, Flowman. This may be an issue with Windows XP. Our test team is going to try to reproduce this, and I'll update the blog comments after we've done that, and provide any adjustments that might be required to the TS. Thanks again.
I'm unable to import the wim file into configmgr, it tells me the image needs to be finalized. Any suggestions on how to resolve this ? I'm using SCCM 2012 RTM and an extracted wim file from today.
I am getting the same results as Jon.
You can not import this boot image. Only finalized boot images are supported. For more information press F1.
Would be great to get this ability to work.
I think this is because the windows offline defender pxe image is now based on windows 8 which is not supported by sccm 2012 rtm (sccm2012 sp1 should resolve this).
One would need an older defender image still using windows 7 pe. Plus you need to add WinPE-Scripting.cab and WinPE-WMI.cab to you boot.wim prior to importing it into sccm.
I've performed these steps with the new cabs from the Windows 8 ADK but it fails, giving me the finalized error, which leads me to the conclusion at the beginning of my post. Can anyone clarify this?
Thank you for responding. I hope someone can post a link to the Windows 7 based WIM file so I can import into SCCM 2012. Any article I come across references the Windows 8 based iso image.
Thanks for the feedback. Unfortunately, the link is now pointing to the WIM supported only in CM12 SP1, and we're working on adding a link to the CM12 RTM WIM. We hope to have this resolved in the next couple of days.
Microsoft - Configuration Manager
The links have been updated to provide WIMs for both ConfigMgr 2012 RTM, and ConfigMgr 2012 SP1 Beta. Please post if you have any further issues.
Jason Githens - Microsoft - Configuration Manager
Hello Jason, thanks again for your effort. I was able to import the wim file. However, when running the task sequence Offline defender starts but exits with exit code 2152730626. I've copied the latest definition files to the root directory of the wim file and verified it's renamed to mpam-fex64.exe.
When I try launching the offlinescannershell.exe from the command line it tells me my definition files are not up to date; when I hit update it seems like Defender is downloading new definitions and starts the scan.
I was unable to find out if and where a new definition file could have been written. I've also tried applying the update with mpam-fex64.exe -q but I'm getting "The subsystem needed to support the image type is not present." error message.
I've double checked, prior to posting, that I've followed all your steps. I'm going to try a 32-bit version of the wim file to see if the above problem applies there as well.
Hello, I was not able to perform a successful scan with the old wim files. I set up a lab environment for CM 2012 SP1 and ran successful scans for both x86 and x64. However the instruction renaming the file for x64 seems to be wrong. The scan did not start with the filename changed to mpam-fex64.exe; I renamed it to mpam-fe.exe and it worked like a charm.
This is just what we need, Thanks for providing it.
I have everything set up like you posted but I am having some trouble.
If I use the command line like this:
"%ProgramFiles%\Microsoft Security Client\OfflineScannerShell.exe" /autoscan
It gets stuck on the screen above your last picture... it looks like it is searching for something.
If I move the Quote to the other side of the /autoscan switch like this…
"%ProgramFiles%\Microsoft Security Client\OfflineScannerShell.exe /autoscan”
Then the quick scan runs but never closes, and when I manually close it I get a Task Sequence error.
Also I have looked and not been able to find any switches that would let me run a Full Scan instead of a Quick Scan.
I have tried “MpCmdRun.exe –Scan –Scan Type 2” but that fails too
Thanks for your help,
Now that Configmgr 2012 SP1 has been released are the links for SP1 still valid or is there newer content I should be searching for? I had this solution in place for RTM and now want to update it.
Thanks for the great post!
@Ryan: I have finally upgraded to SCCM 2012 SP1 and can confirm the links posted here work like a charm.
@Jason: are there any command line parameters for the offlinescannershell.exe ?
I would love to update the definitions in the task sequence.