After installing Symantec on a base image in XENDesktop, the client computers appear more than once in the Symantec console. This continues to happen after every boot. Alternatively, if you try to install Symantec SEP while booted to the network, you may receive a blue screen after the first reboot.
Boot your VM using Microsoft Hyper-V or perform a reverse image when performing Symantec Endpoint Protection Installation. This is required because SEP modifies the NIC drivers during installation. Next, Clean up the registry after the first boot as to allow the image to re-register with a unique Hardware ID for each Virtual Desktop.
Step by Step
1. Import your XENDesktop OU
To ensure that your Virtual Desktops get the policies that are assigned, I recommend using the Symantec Endpoint Protection Manager Active Directory Import tool to import the OU for your XENDesktop computers. This will allow the OU to have custom policies and that will tailor to the XENDesktop farm.
2. Configure your policies
I found that the High performance policy Template gives you the best policy for your Virtual Desktops. After duplicating the policy, you can modify the new policy with a few additional settings.
- In the File System Auto Protect, change the default settings of “Load Auto-Protect” to Symantec Endpoint Protection Start.
- Exclude the .vdiskcache file if you are performing the write cache on the computer’s hard disk.
- Since these Virtual desktops will always come up with the default image, you can exclude any scheduled scans. This will ensure that your virtual desktops have the best performance possible.
3. Next, assign the policy to the new XENDesktop Group:
Using the SEP Manager Tool, you can right click on the policy and assign it to your XENDesktop group.
NOW you are ready to boot the client and install the SEP client software.
First, boot the client using Microsoft Hyper-V. (For information on how to use Hyper-V to update offline vDisks, see http://www.thegenerationv.com/2010/02/using-hyper-v-for-pvs-vdisk-offline.html
5. Deploy the client to your Virtual PC
Perform the client deployment manually, ensure that the client deployment is visible to the end user as to ensure that you do not shut down before the client is finished installing.
Once installed, perform a reboot and allow the client to come back online. Then you must manually delete the unique registry keys and xml files that associate this computer name to Symantec SEP Manager.
6. Perform Registry and file system cleanup
- Install the Symantec Endpoint Protection Client after all of the other installations are complete.
- Before you save the image, start the "Registry Editor."
- Locate and delete the following registry key:
- Exit the "Registry Editor."
- Delete the C:\program Files\Common Files\Symantec Shared\HWID\sephwid.xml file
- Shut down the VM and publish the vDisk as a standard image.
- Create a batch file for your XENDesktop PC’s that will delete these entries. You can publish this batch file as a shut down script to ensure that the PC removes these entries every time the machine is shut down. Alternatively, you can just run these scripts when you are running in private mode before transitioning to standard mode.
- You will most likely see new entries show up for the Virtual Desktops in the Endpoint Protection Manager. This is because the hardware is virtual and will continue to change after every reboot. Therefore, it is important for you to perform a Desktop Group Sync when you are running reports. If this is completely un-manageable for your organization, you can also setup personalities for each of your virtual desktops that include the same hardware ID. This process will require you to run a script to import the Hardware ID into the registry on each boot.
7. Verify Functionality
After you perform these procedures, you should see that all updates take place and that the correct policies are assigned to the desktops
SEP Registration Process
More information on Provisioning Server