This blog post is what you’re looking for if:
- You are using SEP 11 with PVS and XenDesktop 4 / 5 / 5.5
- Your VMs have a “Persona” drive (D: for example)
- Your VMs run Windows XP (it should work with Windows 7 as well)
- You don’t want to, or cannot, use PVS Personality Strings
- The SEP11 administrator is going crazy because all the XenDesktop VMs create new entries at every reboot.
Using antivirus software on a VDI platform is a discussion you see here and there, but this time the question wasn’t whether I needed to install an antivirus or not: Symantec Endpoint Protection was already installed and running on my customer’s Citrix XenDesktop 4 / PVS 5.6 SP1 infrastructure. SEP11 (short for Symantec Endpoint Protection 11) was installed and running well on the PVS distributed pool VMs. Yesterday the SEP administrator came to me and complained that the XenDesktop VMs were generating a new entry in the SEP11 administration console every time they were rebooted, and every morning he was forced to move all the objects into the VDI node and delete all the old entries…
But everything was working… I guess this administrator found that a bit boring; he just complained and continued to do this task every day, and when he wasn’t there, no one was taking care of that manual task. The XenDesktop VMs needed to be in the VDI node because the exclusions in place there were important for VM performance:
- PVS cache file
- Event logs
- EdgeSight firebird database
- etc.
When no one was doing this task, the VMs were generating new objects in the default node, where no specific exclusions were configured… This brought some performance issues now and then.
My first thought was to use personality strings (a PVS feature), but I didn’t want to bring another feature into the game, as the people managing this infrastructure weren’t really aware of this PVS feature.
All the Symantec technotes (link) about their antivirus and PVS are based on personality string usage, so I needed to figure out another way to give each VM its own GUID.
After many tests and many solutions found on the Internet, nothing was working well: every time a VM was rebooted, a new entry appeared in the SEP11 administration console. So I decided to go it alone and find an automatic solution that doesn’t require any maintenance or manual manipulation.
After having a look at the Symantec Endpoint Protection Client Registration Flow (link), the idea was simple:
Generate a unique GUID for each VM, copy this GUID into the registry before the SEP11 services start, and that’s it.
First things first, I needed a script to generate a GUID and store it in a file on the persona drive (D:), so it can be reused after every reboot; once the GUID has been generated, this script is skipped.
Option Explicit

'Set Dimension
Dim fso, MyFile, WshShell, theString, strAlphaNumeric, i, strChar, cleanedString

'Set Objects
Set WshShell = WScript.CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

'Generate a GUID without the surrounding braces
Function CreateGUID
    Dim TypeLib
    Set TypeLib = CreateObject("Scriptlet.TypeLib")
    CreateGUID = Mid(TypeLib.Guid, 2, 36)
End Function

'Remove all non alphanumeric characters (the hyphens of the GUID)
Function CleanTheString(theString)
    strAlphaNumeric = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    cleanedString = ""
    For i = 1 To Len(theString)
        strChar = Mid(theString, i, 1)
        If InStr(strAlphaNumeric, strChar) Then
            cleanedString = cleanedString & strChar
        End If
    Next
    CleanTheString = cleanedString
End Function

'If the GUID file already exists (not the first boot), there is nothing to do
If fso.FileExists("D:\discovery.txt") Then
    WScript.Quit()
End If

'First boot: generate the GUID, store it in the registry and in D:\discovery.txt
theString = CleanTheString(CreateGUID)
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\EasyVista\GUID_VDI", theString, "REG_SZ"
Set MyFile = fso.CreateTextFile("D:\discovery.txt", True)
MyFile.WriteLine(theString)
MyFile.Close
WScript.Quit()
This GUID generator creates a file named discovery.txt at the root of the D: drive. Once this GUID exists, I needed to import it into the registry at the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID
Option Explicit

Dim objFSO, WshShell, objFile, strTextFile, strData, intLength, strEnd
Const ForReading = 1
Const ForWriting = 2

'Name of the text file holding the GUID
strTextFile = "d:\discovery.txt"

'Create a File System Object
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")

'Read the GUID generated by the first script - strData now contains the whole file
Set objFile = objFSO.OpenTextFile(strTextFile, ForReading)
strData = objFile.ReadAll
objFile.Close

'Strip the trailing CRLF written by WriteLine and rewrite the file without it
intLength = Len(strData)
strEnd = Right(strData, 2)
If strEnd = vbCrLf Then
    strData = Left(strData, intLength - 2)
    Set objFile = objFSO.OpenTextFile(strTextFile, ForWriting)
    objFile.Write strData
    objFile.Close
End If

WScript.Echo strData

'Write the GUID as the SEP11 hardware ID (must happen before the SEP11 services start)
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID", strData, "REG_SZ"

'Cleanup
Set objFile = Nothing
Set objFSO = Nothing
Then I made a batch file to launch the two VBS scripts; this batch file is the one launched as a service during VM startup.
cscript.exe C:\localapp\Mgt\Pubtools\Sep11\GUID_Creation.vbs
cscript.exe C:\localapp\Mgt\Pubtools\Sep11\GUID_Symantec_Registry.vbs
Using a startup script to launch this batch file didn’t work because the SEP11 services were already started and a new GUID had already been generated. So I chose to create a user-defined service that runs the previous batch file right after the Event Log service and before the SEP11 services.
To do so, you can follow the steps on the Microsoft website: link
and download the Windows Resource Kit here: link
I used the following command to create a service named Sep11VDI:
“%Resource kits path%\tools\Instsrv.exe” Sep11VDI “%Resource kits path%\tools\srvany.exe”
Once the service is created, to make it start right after the Event Log service and before the SEP11 services, you need to add the following registry entries under the service key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sep11VDI:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sep11VDI]
"Group"="Event Log"

; srvany.exe reads the program to launch from the Parameters subkey of the service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sep11VDI\Parameters]
"Application"="c:\\path_to_the_batch_created_above\\sep11.cmd"
That’s almost it. To make sure everything is clean before closing the image, I clear the registry value containing the GUID:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID
and delete the file “%ProgramFiles%\Common Files\Symantec Shared\HWID\sephwid.xml”.
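As an added example, not the post’s own scripts, here is the same flow in PowerShell: one script replaces GUID_Creation.vbs, GUID_Symantec_Registry.vbs and the batch file, and its -Seal switch does the image cleanup described just above. The D: drive, discovery.txt, the SyLink registry path and the sephwid.xml location come from the post; that the script runs as the Sep11VDI service application, before the SEP11 services start, is assumed.

```powershell
# Added example (not the post's scripts): PowerShell version of GUID_Creation.vbs,
# GUID_Symantec_Registry.vbs and sep11.cmd, plus the image-sealing cleanup.
# Assumptions: persona drive D:, marker file D:\discovery.txt, and this runs as
# the Sep11VDI service application before the SEP11 services start.
param([switch]$Seal)   # -Seal: run once on the master image before closing the vDisk

$MarkerFile = 'D:\discovery.txt'
$SylinkKey  = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink'
$HwidXml    = Join-Path $env:ProgramFiles 'Common Files\Symantec Shared\HWID\sephwid.xml'

function Get-PersistentHardwareId([string]$Path) {
    if (Test-Path -LiteralPath $Path) {
        # Reuse the id from a previous boot; Trim() drops the CRLF the
        # VBScript version had to strip by hand.
        $id = [System.IO.File]::ReadAllText($Path).Trim()
    } else {
        # First boot of this VM: GUID without braces or hyphens = 32 hex
        # characters, the shape SEP keeps in HardwareID.
        $id = [guid]::NewGuid().ToString('N')
        [System.IO.File]::WriteAllText($Path, $id)   # no trailing newline
    }
    if ($id -notmatch '^[0-9a-fA-F]{32}$') { throw "Bad HardwareID in ${Path}: '$id'" }
    return $id
}

function Set-SepHardwareId([string]$Id) {
    if (-not (Test-Path -LiteralPath $SylinkKey)) { New-Item -Path $SylinkKey -Force | Out-Null }
    Set-ItemProperty -LiteralPath $SylinkKey -Name 'HardwareID' -Value $Id -Type String
    # Read back so a permissions problem fails loudly here instead of showing
    # up later as yet another duplicate client in the SEPM console.
    $back = (Get-ItemProperty -LiteralPath $SylinkKey -Name 'HardwareID').HardwareID
    if ($back -ne $Id) { throw "HardwareID readback mismatch: '$back'" }
}

function Clear-SepIdentity {
    # What the post does by hand before sealing the image: drop the cached id
    # so the first boot of every clone starts from the persona-drive GUID.
    Remove-ItemProperty -LiteralPath $SylinkKey -Name 'HardwareID' -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $HwidXml -Force -ErrorAction SilentlyContinue
}

if ($Seal) {
    Clear-SepIdentity
    Write-Output 'SEP identity cleared; close the vDisk now.'
} else {
    $hwid = Get-PersistentHardwareId -Path $MarkerFile
    Set-SepHardwareId -Id $hwid
    Write-Output "SEP HardwareID set to $hwid"
}
```

The Application value of the Sep11VDI service would then point at powershell.exe with this script path instead of sep11.cmd; the service-group ordering stays the same.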
Symantec Endpoint Protection: link
Symantec: Configuring Symantec Endpoint Protection for deployment as part of a drive image: link
Symantec: Symantec Endpoint Protection Client Registration Flow: link
Symantec: Configuring Symantec Endpoint Protection client for deployment as part of a drive image: link
Microsoft: How to create a user-defined service: link
Microsoft Resource Kits download: link
GenV: Symantec Endpoint Protection on XenDesktop and PVS target devices blog: link
Citrix PVS Personality String: link