Automating Tasks on Client Computers
Applies To: Forefront Endpoint Protection
You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to automate FEP tasks on client computers.
FEP tasks run from a software package named Microsoft Corporation FEP – Operations 1.0. In the Configuration Manager console, you can right-click a computer or group of computers, point to FEP Operations, and then select one of three actions:
Full Scan—Runs a full antimalware scan on the selected computers.
Quick Scan—Runs a quick antimalware scan on the selected computers.
Run Definition Update—Runs a definition update cycle on the selected computers.
When you run a task on a client computer or set of computers, FEP performs the following steps:
Creates a dynamic collection
Adds the selected computers to the collection
Creates a mandatory assigned advertisement of the requested task from the FEP Operations software package
Prerequisites
In order to create a script similar to the example in this topic, you must have the following prerequisite software:
Windows PowerShell (either version 1.0 or 2.0).
Before you run operational tasks from a script, you should first verify that the FEP operations package (named Microsoft Corporation FEP – Operations 1.0) is distributed to your Configuration Manager distribution points.
Note
Cleanup of old operations components (the dynamic collections and advertisements used to distribute the tasks) is done only when performing tasks from the Configuration Manager console.
The following example script demonstrates how to run a full scan task on a computer.
function RunFullScan(
$ConfigMgrServer, # ConfigMgr WMI site provider to connect to. e.g. MyServer
$SiteCode, # ConfigMgr site code. e.g. ABC
$Computers) # A computer or list of computer NetBios names on which the scan should be run. For example: (“ComputerA”, “ComputerB”)
{
$Operation = "Full Scan" # Change the scan type by changing the phrase in the quotes to either Quick Scan or Update Definitions.
$UtcNow =[System.DateTime]::UtcNow
$ConfigMgrNamespace = "root\sms\site_$SiteCode"
$ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)
# Create a collection for the task
$newCollection = ([WmiClass]($ConfigMgrProviderPath + ":SMS_Collection")).CreateInstance()
$newCollection.Name = "$Operation at $UtcNow (UTC)"
$newCollection.RefreshType = 1 # Manual
$newCollection.OwnedByThisSite = $true
$newCollection.Put()
$newCollection.Get() # refresh the object
# Add the collection as a subcollection to FEP Operations
$OperationCollection = Get-WmiObject -class "SMS_Collection" -filter "Name='Operations'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
$CollectionToSubCollection = ([WmiClass]($ConfigMgrProviderPath + ":SMS_CollectToSubCollect")).CreateInstance()
$CollectionToSubCollection.parentCollectionID = $OperationCollection.CollectionID
$CollectionToSubCollection.subCollectionID = $newCollection.CollectionID
$CollectionToSubCollection.Put()
# Add computers to collection (Direct Rule)
foreach ($Computer in $Computers)
{
# For more information about the SMS_R_SYSTEM Server WMI class, see https://go.microsoft.com/fwlink/?LinkId=208534 on MSDN.
$Client = Get-WmiObject -class "SMS_R_System" -filter ("NetbiosName = '{0}'" -f $Computer) -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
$SmsCollectionRuleDirect = ([WmiClass]($ConfigMgrProviderPath + ":SMS_CollectionRuleDirect")).CreateInstance()
$SmsCollectionRuleDirect.ResourceID = $Client.ResourceID
$SmsCollectionRuleDirect.ResourceClassName = "SMS_R_System"
$newCollection.AddMembershipRules($SmsCollectionRuleDirect)
}
# Create Quick Scan advertisement
$now = Get-Date -Format "yyyyMMddhhmmss.ffffff+***"
# Get the FEP operations package
$package = Get-WmiObject -class "SMS_Package" -filter "MifName='FEP - Operations'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
# Create a new advertisement for the FEP operation package.
# For more information about the SMS_Advertisement Server WMI class, see https://go.microsoft.com/fwlink/?LinkId=208535 on MSDN.
$newAdvertisement = ([WmiClass]($ConfigMgrProviderPath + ":SMS_Advertisement")).CreateInstance()
$newAdvertisement.CollectionID = $CollectionID
$newAdvertisement.PackageID = $package.PackageID
$newAdvertisement.ProgramName = $Operation
$newAdvertisement.AdvertisementName = "Run $Operation at $UtcNow (UTC)"
$newAdvertisement.AdvertFlags = 0x02000000 -bor 0x00100000 # NO_DISPLAY | OVERRIDE_SERVICE_WINDOWS
$newAdvertisement.RemoteClientFlags = 0x00000800 -bor 0x00000010 -bor 0x00000040 # RERUN_ALWAYS | DOWNLOAD_FROM_LOCAL_DISPPOINT | DOWNLOAD_FROM_REMOTE_DISPPOINT
$newAdvertisement.PresentTime = $now
$newAdvertisement.Priority = 1 # High
# Create a mandatory assignment schedule
$AssignedSchedule = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ST_NonRecurring")).CreateInstance()
$AssignedSchedule.StartTime = $now
$newAdvertisement.AssignedScheduleEnabled = $true
$newAdvertisement.AssignedSchedule = $AssignedSchedule
$newAdvertisement.Put()
$newAdvertisement.Get()
# Add the advertisement to the FEP operations advertisement folder
# Get the container node (notice to use localized name)
$AdvertisementFolder = Get-WmiObject -class "SMS_ObjectContainerNode" -filter "Name='FEP Operations'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
# Create a container item for the advertisement
$newContainerItem = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ObjectContainerItem")).CreateInstance()
$newContainerItem.ContainerNodeId = $AdvertisementFolder.ContainerNodeId
$newContainerItem.InstanceKey = $newAdvertisement.AdvertisementID
$newContainerItem.Put()
Write-Output "$Operation scheduled to computers: $Computers"
}