
How to Perform a Manual SCEP Client Installation

The following is an excerpt from my book Microsoft System Center 2012 Endpoint Protection Cookbook, https://www.packtpub.com/virtualization-and-cloud/microsoft-system-center-2012-endpoint-protection-cookbook 

It’s a fact of life when working in a large corporate network environment that there will always be the oddball PC that, for whatever reason, cannot be joined to the domain or won’t have the SCCM client installed. These could be lab machines, special purpose kiosk PCs or controllers for manufacturing equipment.

Regardless of why these PCs needed to be orphaned, if they are running Windows, they still need an Antivirus client. This recipe will walk you through the process of putting together the installation media for this task and installing the SCEP client manually on a single PC.

Getting ready

For this recipe you will need an account that has at least the SCEP administrator role assignment. You will also need an account that has local administrator privileges on the PC where you’ll be installing the client.

How to do it...

1. Log in to your SCCM CAS server and launch your SCCM 2012 management console.

2. Navigate to \Software Library\Overview\Application Management\Packages, right-click the object called Configuration Manager Client Package and select Properties.

3. The Configuration Manager Client Package Properties window should pop up. Select the tab titled Data Source and locate the Source Folder field.

4. Make a note of the path listed in the Source Folder field, then enter this same path into Windows Explorer. Once you’ve done this, you can click Cancel to close the Configuration Manager Client Package Properties window.

5. The contents of the folder should be identical to the screen shot below.

6. The only two files in this directory that we need right now are ep_defaultpolicy.xml and scepinstall.exe. Copy these two files to a thumb drive or a CD-R.

7. Now log in to the PC we’re targeting for a manual SCEP installation and insert the media you chose in step 6.

8. Open a command prompt with admin privileges and enter the following syntax:

SCEPInstall.exe /policy C:\scep\ep_defaultpolicy.xml

In your case, the path for ep_defaultpolicy.xml will point to the installation media you’ve selected. Press Enter and the SCEP installer should pop up.

9. Proceed through the wizard, making your selections as you go. Once the wizard has completed, make sure that the SCEP client is able to download its initial set of definitions.
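
An added example (not from the book or from Microsoft) that could stand in for step 8 on the target PC: it checks the copied media before launching the installer with the same /policy switch. The E:\scep path, the $MediaPath parameter name, and PowerShell 4.0 or later on the target are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: validate manual SCEP install media, then start the installer.
param(
    # Assumption: folder on the thumb drive or CD-R holding the two copied files.
    [string]$MediaPath = 'E:\scep'
)
$ErrorActionPreference = 'Stop'

# Resolve to an absolute path so the .NET XML loader sees the same location.
$MediaPath = (Resolve-Path -LiteralPath $MediaPath).Path
$installer = Join-Path $MediaPath 'scepinstall.exe'
$policy    = Join-Path $MediaPath 'ep_defaultpolicy.xml'

# Both files copied in step 6 must be on the media.
foreach ($file in @($installer, $policy)) {
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        throw "Missing file: $file"
    }
}

# The installer is a signed Microsoft binary. Any status other than Valid
# means it is unsigned, altered in transit, or its chain cannot be verified.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${installer}: $($sig.Status)"
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# The policy file carries no signature, so confirm it is well-formed XML.
$doc = New-Object System.Xml.XmlDocument
try {
    $doc.Load($policy)
} catch {
    throw "Policy file is not well-formed XML: $($_.Exception.Message)"
}

# Print SHA-256 hashes to compare against hashes taken from the Source Folder.
Get-FileHash -Algorithm SHA256 -LiteralPath $installer, $policy |
    Format-Table Hash, Path -AutoSize

# Same command line as step 8; the quotes keep a path with spaces intact.
Start-Process -FilePath $installer -ArgumentList '/policy', "`"$policy`"" -Wait
```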

How it works...

The hardest part of this recipe is locating your SCEP client installation media, because the only copy you’ll have is the one that’s been bundled with the SCCM client installation package.

By copying both the SCEP install exe and the policy xml file and then running them manually on a target client, you’ll end up with a SCEP client that starts off with a similar configuration to your normal SCCM-deployed SCEP clients.

Keep in mind that any future changes to this PC’s SCEP policy will need to be done manually. Also, in order to get definition updates, this PC’s SCEP client will either need to be able to reach Microsoft Updates on the internet or a WSUS server in your environment that is enabled to push SCEP definitions.

It goes without saying that any antivirus-related events on this PC will not be reported to the SCCM server. So it will be up to the user of this PC to keep an eye on what’s going on with the system – much like you would manage an AV client on your home computer.