Saturday, April 24, 2010

Symantec Endpoint Protection on XENDesktop and PVS target devices

By:Rick Rohne
I’ve recently come across a couple of companies trying to install Symantec Endpoint Protection on their XENDesktop PC’s, and finding a very annoying outcome. First of all, the SEP client does not update completely or not at all, the SEP client blue screens during the installation, and/or the SEP manager display multiple entries in the database for the same host. There are a few root problems when installing the SEP client to a PXE booted shared image, and I was determined to find the answers…


After installing Symantec on a base image in XENDesktop, the client computers appear more than once in the Symantec console. This continues to happen after every boot. Alternatively, if you try to install Symantec SEP while booted to the network, you may receive a blue screen after the first reboot.
Boot your VM using Microsoft Hyper-V or perform a reverse image when performing Symantec Endpoint Protection Installation.  This is required because SEP modifies the NIC drivers during installation.  Next, Clean up the registry after the first boot as to allow the image to re-register with a unique Hardware ID for each Virtual Desktop.

Step by Step

1. Import your XENDesktop OU
To ensure that your Virtual Desktops get the policies that are assigned, I recommend using the Symantec Endpoint Protection Manager Active Directory Import tool to import the OU for your XENDesktop computers. This will allow the OU to have custom policies and that will tailor to the XENDesktop farm.
Once you have the XENDesktop OU imported, you will see existing clients, and you can have the option to scan for new clients as they are added. The main reason for creating this OU is to ensure that the clients get a specific policy.

2. Configure your policies
I found that the High performance policy Template gives you the best policy for your Virtual Desktops. After duplicating the policy, you can modify the new policy with a few additional settings.

  • In the File System Auto Protect, change the default settings of “Load Auto-Protect” to Symantec Endpoint Protection Start.

  • Exclude the .vdiskcache file if you are performing the write cache on the computer’s hard disk.
  • Since these Virtual desktops will always come up with the default image, you can exclude any scheduled scans. This will ensure that your virtual desktops have the best performance possible.

3. Next, assign the policy to the new XENDesktop Group:

Using the SEP Manager Tool, you can right click on the policy and assign it to your XENDesktop group.

4. Prepare your image
NOW you are ready to boot the client and install the SEP client software.

First, boot the client using Microsoft Hyper-V. (For information on how to use Hyper-V to update offline vDisks, see

5. Deploy the client to your Virtual PC
Perform the client deployment manually, ensure that the client deployment is visible to the end user as to ensure that you do not shut down before the client is finished installing.

Once installed, perform a reboot and allow the client to come back online. Then you must manually delete the unique registry keys and xml files that associate this computer name to Symantec SEP Manager.

6. Perform Registry and file system cleanup
  • Install the Symantec Endpoint Protection Client after all of the other installations are complete.
  • Before you save the image, start the "Registry Editor."
  • Locate and delete the following registry key:
          HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID

  • Exit the "Registry Editor."
  • Delete the C:\program Files\Common Files\Symantec Shared\HWID\sephwid.xml file
  • Shut down the VM and publish the vDisk as a standard image.
  • Create a batch file for your XENDesktop PC’s that will delete these entries. You can publish this batch file as a shut down script to ensure that the PC removes these entries every time the machine is shut down. Alternatively, you can just run these scripts when you are running in private mode before transitioning to standard mode.
  • You will most likely see new entries show up for the Virtual Desktops in the Endpoint Protection Manager. This is because the hardware is virtual and will continue to change after every reboot. Therefore, it is important for you to perform a Desktop Group Sync when you are running reports. If this is completely un-manageable for your organization, you can also setup personalities for each of your virtual desktops that include the same hardware ID. This process will require you to run a script to import the Hardware ID into the registry on each boot.


7. Verify Functionality
After you perform these procedures, you should see that all updates take place and that the correct policies are assigned to the desktops


SEP Registration Process

More information on Provisioning Server

blog comments powered by Disqus
Microsoft Virtualization, Citrix, XENServer, Storage, iscsi, Exchange, Virtual Desktops, XENDesktop, APPSense, Netscaler, Virtual Storage, VM, Unified Comminications, Cisco, Server Virtualization, Thin client, Server Based Computing, SBC, Application Delivery controllers, System Center, SCCM, SCVMM, SCOM, VMware, VSphere, Virtual Storage, Cloud Computing, Provisioning Server, Hypervisor, Client Hypervisor.