In order to get this working I enabled automatic approval of the FEP updates within WSUS.

Using the FEP policy you’re able to tell FEP to go to WSUS for updates if the definitions are older than x days.

Credentials: Windows Administrator on the target server.

Antimalware Health and Firewall Status This monitor returns the antimalware health and firewall status of FEP client.0 - Service is disabled.1 - Service is enabled.255 - Script cannot check the service status from WMI.

These two posts provide information on how to create the script: In the SCCM task sequence add a reboot task after FEP has been installed.

Configure the reboot step to reboot into the currently installed operating system Next, add a Command Line step.

We do this by integration with the software updates component of Config Mgr.

The Create Automatic Deployment Rule Wizard starts.

This component returns the status of the following services: Antivirus Enabled - This component returns the status of Antivirus component.

Antispyware Enabled - This component returns the status of Antispyware component.

when deploying as part of an SCCM operating system task sequence, you can force a definition from a file share.