How to install System Center 2012 Endpoint Protection on a standalone client

Suppose you have a need to deploy System Center 2012 Endpoint Protection to a number of clients that later run in standalone mode, meaning that they are not joined to a domain, can’t be managed by SCCM and operate in a network that is not connected to your corporate network.

The installation source scepinstall.exe for the System Center Endpoint Protection agent is stored within the SCCM 2012 client installation folder on the SCCM 2012 SP1 server under C:\Program Files\Microsoft Configuration Manager\Client. Within that same directory we also find the endpoint protection default policy settings stored as ep_defaultpolicy.xml, but we won’t use this , as we are going to prepare our own policy that meets our requirements for a standalone unmanaged client.

To create a standalone policy open the Configuration Manager 2012 Console and under Assets and Compliance select Endpoint Protection / Antimalware Policies. Then select Create Antimalware policy.

Configure the various settings as per your requirements.

2013-03-24_14h58_38

One very important setting is the Definition Updates Source configuration which by default points to the Configuration Manager. For our standalone scenario we will enable Microsoft Update and Microsoft Malware Protection Center only. If your clients do not have direct connectivity to the internet the use of a UNC share could also be an alternative, but then requires that you periodically update the share with latest definition updates packages. 

2013-03-24_14h59_12

Finally we export the settings and save them as standalone.xml

image

To install the System Center Endpoint Protection client run the following command (both the installer and policy file are stored in C:\Sources).

scepinstall.exe /s /q //policy C:\Sources\standalone.xml

Should you not wish to have the installer searching and installing definition updates, just add the /NoSigsUpdateAtInitialExp option.

If at some point you would need to change/update settings, simply create/update a new policy, export it within the Configuration Manager 2012 console and then run the following command on the client.

C:\Program Files\Microsoft Security Client\ConfigSecurityPolicy.exe c:\Sources\standalone2.xml

2013-03-24_15h44_12

One thought on “How to install System Center 2012 Endpoint Protection on a standalone client

  1. Hi Alex,

    Great article! I want to install SECP in our master image. We use the same image for Domain and Non-Domain machines. I want, when we configure this image for non-domain computers, SECP client should look Microsoft for updates but if join the same machine, it should pull the configuration from SCCM server which is in same domain.

    How can I achieve this?

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">

Spam Protection by WP-SpamFree