Recently I had to create a VMware deployment template for Windows Server 2016. I started with a vanilla installation but I also had to include a SCCM client.
Using the installation guidelines from a collegue for Windows Server 2012 R2 I installed the SCCM client with ccmsetup.exe and then waited for the SCEP client to install. Nothing happened…

The reason for this is that Windows Server 2016 comes with Windows Defender. To create the connection between SCEP and Windows Defender I had to install the SCEP client manually in the template.

When I deployed a new VM from this template I could see that the SCEP policies were downloaded from the SCCM server (via Help, About). But then I saw another issue; definition updates were not applied.

The reason was the same; Windows Server 2016 comes with Windows Defender. So I had to include this product in the Software Update Point…

So the guidelines for Windows Server 2016 are simple:
– run ccmsetup.exe (see this article)
– run scepinstall.exe (see this article)

And don’t forget to include Windows Defender in the product list…

Done!