** WIM links updated 10/2/2012
In the System Center 2012 Endpoint Protection Status monitoring dashboard, one possible malware-remediation status is Offline Scan Required. What does this mean, and how can you address this status? This status means that a particular malware could not be fully cleaned, and the computer needs to be scanned and cleaned outside of the full operating system to complete remediation. This requires a restart into the Windows Pre-installation Environment (WinPE) to run the Windows Defender Offline scan tool, which cleans the unwanted software, including rootkits.
The Windows Defender Offline scan tool is a free tool available for download here as a bootable Windows Imaging Format (WIM) file, which can be put onto media (USB or DVD) and inserted into the infected computer. However, since walking around to machines with media in your hand is so 1991, why not use Configuration Manager’s OSD feature to do this for you? In this blog, I’m going to walk you through the steps of doing exactly that, as an example of yet another way that management and security in the same product is so awesome and convenient.
The first thing you need to do is download the boot WIM for both 32 bit and 64 bit operating systems from here (NOTE: System Center 2012 SP1 Configuration Manager Beta customers will need to use the new versions of the WIM, which are located at 32 bit and 64 bit). Once downloaded, you’ll have an imagepackage32.exe and imagepackage64.exe, which, when launched, will extract the content; from there, you’ll want to grab the boot.wim out of the sources folder. You’ll also need to download the latest full definition files, which can be found here for 32 bit and here for 64 bit. The file names for both architectures are the same, so save them to different folders. You can also refer to my blog on deploying the Endpoint Protection client using an OSD task sequence for details and links to scripts that automate full definition downloads. The definitions brought down by that process can be reused as the Windows Defender Offline definitions. Once you have the requisite files, perform the following steps.
Note: I’m only going to walk through a 64 bit example—the 32 bit steps are the same other than there’s no need to rename the definition file in the 32 bit workflow.
For example, here’s the command on my test system, and the progress indicator you’ll see:
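The WIM preparation described above, written out as an added PowerShell example (it is not the post's own command): mount boot.wim with dism.exe, copy the downloaded definition package into the image (renaming it for the 64-bit workflow), and commit, discarding the mount if anything fails. All paths are constructed, and the in-image definition folder and the 64-bit target file name are assumptions you must confirm against the extracted image package.

```powershell
# Added example, not from the original post. Inject a definition package into
# the Windows Defender Offline boot.wim and commit the change.
# ASSUMPTIONS: $ImageDefinitionDir (folder inside the image) and $RenameTo (the
# name the 64-bit workflow expects) are placeholders; verify them first.
param(
    [string]$BootWim            = 'C:\WDO\x64\sources\boot.wim',      # constructed path
    [string]$MountDir           = 'C:\WDO\mount64',                   # constructed path
    [string]$DefinitionFile     = 'C:\WDO\defs\x64\mpam-fe.exe',      # constructed path
    [string]$ImageDefinitionDir = 'Program Files\Microsoft Security Client\Definition Updates', # assumption
    [string]$RenameTo           = $null                               # 64-bit: set the expected name; 32-bit: leave empty
)
$ErrorActionPreference = 'Stop'

function Invoke-Dism {
    # Run dism.exe and turn a non-zero exit code into a terminating error
    param([string[]]$DismArgs)
    & dism.exe @DismArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dism.exe $($DismArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

if (-not (Test-Path $DefinitionFile)) { throw "Definition file not found: $DefinitionFile" }
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

# Mount image index 1 read/write
Invoke-Dism @('/Mount-Wim', "/WimFile:$BootWim", '/Index:1', "/MountDir:$MountDir")
try {
    $dest = Join-Path $MountDir $ImageDefinitionDir
    if (-not (Test-Path $dest)) { throw "Definition folder not present in image: $dest" }

    # Keep the original name for 32-bit; rename only when the 64-bit workflow needs it
    $targetName = if ($RenameTo) { $RenameTo } else { Split-Path $DefinitionFile -Leaf }
    Copy-Item -Path $DefinitionFile -Destination (Join-Path $dest $targetName) -Force

    # Log what went into the image so the boot image can be traced to a definition build
    $copied = Get-Item (Join-Path $dest $targetName)
    Write-Host ("Injected {0} ({1} bytes, {2})" -f $copied.Name, $copied.Length, $copied.LastWriteTime)

    # Write the change back into boot.wim
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
}
catch {
    # Never leave a half-modified image: discard the mount, then re-raise
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Discard')
    throw
}
```

Run the script once per architecture, pointing it at the matching boot.wim and definition folder, and then import the resulting WIM as the boot image in the next step.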
In this next step, you will create the Boot Image for Windows Defender Offline, by importing it into Configuration Manager.
In our next step, we need to build the task sequence using this boot image. In this task sequence, for which an importable example is provided in this blog, we will add steps in the following order, to disable Bitlocker (if you use Bitlocker in your environment), restart the computer into WinPE, run the Defender Offline Scan as a command line action, restart the computer into the existing operating system, and enable Bitlocker. To create this task sequence, simply download the exported task sequence zip file I’ve provided at the bottom of this blog and import it.
Note: You can also create your own task sequence from scratch, through the create task sequence wizard. The command line you want to use to execute Defender Offline Scan from WinPE is "%ProgramFiles%\Microsoft Security Client\OfflineScannerShell.exe" /autoscan.
Since an offline scan is unlikely to be required frequently or on a large number of clients, you probably want this solution delivered to clients conditionally. So next, we’ll create a dynamic collection for clients in this particular malware state, to which we’ll target the task sequence dynamically. This way, only users on clients that require an offline scan will be able to see the deployment in Software Center. This allows you to identify exactly which clients are in this state, and then work with the end user to have them launch this remediation from Software Center, as only clients in this state will see the deployment as available.
Now that you have the boot image, task sequence, and target collection created, we are ready to deploy the task sequence. After this step, any client that appears in the collection will have this task sequence deployment made available dynamically. You can also add a direct member to this collection, or target another test collection (with members) with this task sequence if you just want to test the overall process, not dependent on the condition of getting malware that results in this state.
An additional option you have in Configuration Manager is to create bootable media from the task sequence, so that you can export the boot image and steps onto a share (for remote admins to grab and use), USB, or DVD. You can use this either to test the solution offline (independent of Configuration Manager), or to create media ad hoc for offline (road warrior) clients, or for clients you don’t want to deploy this to using Configuration Manager. From the task sequence list, simply choose the Defender Offline task sequence, and choose Create Task Sequence Media. Choose standalone, then your preferred media type, and finish the wizard.
As you probably want to validate that this works end-to-end without waiting for an offline-scan required malware, go ahead and target this task sequence to a test client by adding the client to the dynamic collection you created (using direct membership) or by creating a new deployment of this task sequence to a test collection. After the task sequence is deployed, go to the test client and refresh policy.
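Creating the dynamic collection described above, and adding a test client to it by direct membership for the validation step, as an added PowerShell example using the Configuration Manager cmdlets that ship with the SP1 console (this is not the post's own script). The WMI class and property used in the WQL query are my assumption about the Endpoint Protection inventory schema; confirm them in the console's Queries node before relying on the collection.

```powershell
# Added example, not from the original post. Build the "Offline Scan Required"
# dynamic collection and optionally direct-member a lab client for testing.
# ASSUMPTION: SMS_G_System_AntimalwareInfectionStatus.PendingOfflineScan is the
# inventory property that reflects this state; verify against your site.
param(
    [Parameter(Mandatory)][string]$SiteCode,
    [string]$CollectionName     = 'EP - Offline Scan Required',   # constructed name
    [string]$LimitingCollection = 'All Systems',
    [string]$TestClientName                                        # optional lab machine
)
$ErrorActionPreference = 'Stop'

# Load the cmdlets from the admin console install and move to the site drive
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$SiteCode`:"

# Membership query: every system whose EP status shows an offline scan pending
$query = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_AntimalwareInfectionStatus
        on SMS_G_System_AntimalwareInfectionStatus.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_AntimalwareInfectionStatus.PendingOfflineScan = 1
"@

$collection = Get-CMDeviceCollection -Name $CollectionName
if (-not $collection) {
    # Re-evaluate every 15 minutes so remediated clients drop out of the collection promptly
    $schedule   = New-CMSchedule -RecurInterval Minutes -RecurCount 15
    $collection = New-CMDeviceCollection -Name $CollectionName `
                    -LimitingCollectionName $LimitingCollection `
                    -RefreshType Periodic -RefreshSchedule $schedule
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
        -RuleName 'PendingOfflineScan' -QueryExpression $query
}

if ($TestClientName) {
    # Direct membership lets you validate the deployment without waiting for real malware
    $device = Get-CMDevice -Name $TestClientName
    if (-not $device) { throw "Client '$TestClientName' not found in site $SiteCode" }
    Add-CMDeviceCollectionDirectMembershipRule -CollectionName $CollectionName `
        -ResourceId $device.ResourceID
}
```

Remove the direct membership rule once testing is done, so the collection again contains only clients that genuinely need an offline scan.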
Wait a couple of minutes, and then open Software Center, where you’ll see the deployment for Windows Defender Offline Scan:
Go ahead and launch Install (it shows as Reinstall in the screenshot, as I’ve already run through this). You’ll get a warning pop-up that you are about to install a new operating system, which isn’t really the case, but that’s a standard pop-up for all deployments with a type of “Operating System.” This is kind of a scary dialog to end users, and unfortunately there’s no way to control it. This is why working with end users directly, or educating them on this process, is critical (i.e., avoid panic attacks). After a download progress indicator completes, the system will provide a reboot countdown, and then reboot into WinPE, where the task sequence will kick off the Defender Offline Scan:
Once the scan completes, the system will restart into the main operating system, and you’re done. Within a few minutes, the Offline Scan Required state should be cleared from the database and console, the client falls out of the collection, and the issue is remediated! And you didn’t have to walk or send media all over the world to accomplish this. It’s all available using System Center 2012 Configuration Manager and System Center 2012 Endpoint Protection together. Management and security.
This posting is provided "AS IS" with no warranties, and confers no rights.