Configuring Symantec Endpoint Protection 14.0 for Citrix PVS environments: Demystified
Updated: Aug 11, 2019
Configuring Symantec Endpoint Protection (SEP) in a Provisioning Services based Citrix XenDesktop/XenApp environment can be puzzling if you do not have all the correct pieces in place. We found this to be the case with a number of our customers and, after a lot of trial and error, want to share the steps that worked. Let's face it: even for non-persistent Citrix XenDesktop/XenApp environments, Anti-Virus is a must to keep our network virus free and the bad guys out!
A SEP installation in a Citrix XenDesktop/XenApp environment with Provisioning Services differs because the SEP client is installed only once, on the master/golden image, AKA the Provisioning Services "vDisk". That vDisk, which contains the XenDesktop/XenApp OS, is then streamed to multiple VMs on the Hypervisor. These XenDesktop/XenApp VMs will obviously have different hostnames and MAC addresses. The SEP client has a HardwareID and a sephwid.xml file associated with it, and these need to be unique to each XenDesktop or XenApp VM on the Hypervisor. If the environment is not generalized correctly, you will likely experience one of the issues below.
Loss of communication between provisioned Symantec Endpoint Protection clients and manager.
Duplicate client entries appearing in the Symantec Endpoint Protection Manager (SEPM) every time a provisioned client is rebooted.
Provisioned Endpoint Protection clients switching between SEPM client groups, receiving wrong policies, not maintaining current definitions, etc.
For a successful SEP client installation in a Citrix Provisioning Services environment, we can use a machine startup script that sets a fixed, per-VM HardwareID at boot.
The SEP Management and Client versions used in the steps below are based on version 14.0.3897.
1. Install the SEP client with the Basic server package (no SONAR and no Firewall; Symantec calls it "Basic Protection for Servers").
2. In the SEP Management console, disable (un-check) Auto-Protect for the Group that contains the VDA machines.
3. Next, in the SEPM console under Auto-Protect --> Advanced, select the radio button "Wait until the computer is restarted" for the Group that contains the VDA machines.
4. Next, in the SEPM console under Advanced Options --> Miscellaneous, check "Enable Virtual Image Exception for Auto-Protect" for the Group that contains the VDA machines.
5. Next, in the SEP "Client Console" on the golden image, disable Tamper Protection.
6. Next, run the command from the path shown below on the golden image (via a CMD prompt). This stops the SEP service.
7. Then modify the registry key below and change the "Start" value from 2 to 3 (Automatic to Manual, so the SEP service does not start before the startup script has run).
8. Next, run the command from the path shown below on the golden image (via a CMD prompt). This starts the SEP service.
9. Create the sephwid.bat script (SEP Hardware ID) and place it in a folder called C:\Temp on the golden image. The script is available in the Symantec KB here.
10. Optional but recommended: for troubleshooting purposes, create a debug batch file (mentioned in the article above) to review the output produced when sephwid.bat runs.
11. Next, use the Group Policy Management Console to edit the GPO you use for your Citrix computer settings, and define a Machine startup script for C:\Temp\sephwid.bat.
12. Next, in the SEP "Client Console" on the golden image, enable Tamper Protection again.
13. Next, in the SEPM console, re-enable Auto-Protect and change the option back to "Stop & Reload Auto-Protect".
14. Finally, verify in the SEPM console that the session host VMs show up as unique entries after the vDisk version has been promoted to production and all session host VMs have been rebooted.
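To show what the machine startup script in the steps above has to do, here is an added PowerShell example; it is not Symantec's sephwid.bat and is not taken from the KB article. It assumes the SEP SyLink registry key and the sephwid.xml location, which are placeholders to be filled from the KB article, that smc.exe is on the PATH, that C:\Temp\sephwid.log is a usable log path, and deriving the ID from the hostname is this example's own choice.

```powershell
# Added example, not Symantec's sephwid.bat. Run as a machine startup script (runs as SYSTEM).
# ASSUMED placeholders: the SyLink registry key and the sephwid.xml location; take the real
# values from the Symantec KB article the procedure points to. smc.exe is assumed on PATH.
param(
    [string]$SylinkKey = 'HKLM:\SOFTWARE\<SEP SyLink key from the Symantec KB>',   # placeholder
    [string]$HwidXml   = 'C:\<SEP data folder from the Symantec KB>\sephwid.xml',   # placeholder
    [string]$LogFile   = 'C:\Temp\sephwid.log'                                      # assumed
)

function Get-StableHardwareId {
    # 32 hex characters derived from the hostname, so each streamed VM gets an ID that is
    # unique to it yet identical on every boot (this derivation is the example's choice).
    param([string]$Seed = $env:COMPUTERNAME)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Seed.ToUpperInvariant()))
    return (($bytes[0..15] | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Write-Log([string]$Message) {
    # One line per boot makes the "duplicate client" symptom easy to trace per VM.
    "$(Get-Date -Format s) $env:COMPUTERNAME $Message" | Add-Content -Path $LogFile
}

$hwid = Get-StableHardwareId
Write-Log "expected HardwareID=$hwid"

# Idempotent: only rewrite when the stored value differs, so unchanged VMs just start SEP.
$current = (Get-ItemProperty -Path $SylinkKey -Name HardwareID -ErrorAction SilentlyContinue).HardwareID
if ($current -ne $hwid) {
    Write-Log "stored HardwareID='$current' differs, rewriting"
    Set-ItemProperty -Path $SylinkKey -Name HardwareID -Value $hwid
    # Drop the cached XML inherited from the golden image so the client does not reuse its ID.
    Remove-Item -Path $HwidXml -Force -ErrorAction SilentlyContinue
}

# The SEP service was set to Manual (Start=3) in the procedure precisely so that it is
# still stopped at this point; start it only after the per-VM ID is in place.
& smc.exe -start
Write-Log "smc -start exit code $LASTEXITCODE"
```

After the first reboot of each streamed VM, compare the HardwareID logged here with the entry shown in the SEPM console to confirm the VM keeps one identity across reboots.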