SEP 12.1.2 Best Practices on Citrix Virtual Desktops ( Provisioning Services) -Part 2-
Continuing the Best Practices series for Citrix ...
Problem: Xen Virtual Desktop Infrastructure (VDI) desktop clients register multiple times in the Symantec Endpoint Protection Manager
- Instead of Standard Image Mode (read only), choose one of the following:
- Use the third vDisk mode ("Difference Disk Image") on the provisioned clients. SEPM registration, definition updates and such are saved in between reboots. The base vDisk is still not changed; changes that are made by a client computer are saved in a linked cache. Any undesired changes will be purged the next time you update the underlying vDisk.
- Use a startup script to set a fixed HardwareID at boot.
It is possible in these cases to use a script to set the HardwareID to a fixed unique value during system startup. This must be done during the startup process before the Symantec service starts, otherwise the old ID is used if present or a random one is generated. Note that this startup script helps only with problems caused by random or duplicate HardwareIDs; virus definition updates must be addressed separately.
The following instructions are provided as an example of using a startup script to set a HardwareID based on the machine's MAC address. Please note that the script provided here is intended as an example only for the customer's convenience. The customer is responsible for its implementation and Symantec can offer only limited support in the event that the script does not work as expected.
Disable Tamper Protection on the SEP client; this must be done to allow the file and registry changes in steps below.
Close any open SEP client GUIs, open a command prompt, change to the Symantec Endpoint Protection program files directory and stop the SEP Smc service.
Set the SEP service to start manually:
In SEP 12.1, set HKLM\SYSTEM\CurrentControlSet\services\SepMasterService\Start=3
In SEP 11.x, set HKLM\SYSTEM\CurrentControlSet\services\SmcService\Start=3
On the base disk image for the provisioned clients, create startup batch file "c:\sephwid.bat". This startup script will clear any existing SEP hardware identifiers, set a fixed Hardware ID based on the first available MAC address on the machine, and start the SEP service. Note that this must be a machine startup script, not a login script, so that it runs before any logon. Use the following example, edit/comment/uncomment as appropriate, and be aware of line wrapping:
rem ### Check If Computer Is Running A 32 Bit or 64 Bit Operating System:
rem ### registry commands must use "/reg:64" switch on 64-bit OS
rem ### this switch is supported in Server 2008 & Win7,
rem ### but a hotfix is necessary for older 64-bit systems:
set reg64switch=
reg query "HKLM\Hardware\Description\System\CentralProcessor\0" | find "x86"
if errorlevel 1 set reg64switch=/reg:64
rem ### registry location for SEP HardwareID--this is the same on 32- or 64-bit systems
set hwidkey="HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink"
rem ### delete any current SEP hardware identifiers, various possible locations
rem ### ref: How to prepare SEP 12.1 client for cloning: www.symantec.com/docs/HOWTO54706
for /d %%d in (
  "C:\Program Files\Common Files\Symantec Shared\HWID"
  "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\PersistedData"
  "C:\ProgramData\Symantec\Symantec Endpoint Protection\PersistedData"
) do del /f "%%~d\sephwid.xml"
for /d %%d in (
  "C:\Documents and Settings\*"
) do (
  del /f "%%~d\Local Settings\Temp\sephwid.xml"
  del /f "%%~d\Local Settings\Temp\communicator.dat"
)
reg delete %hwidkey% /v ForceHardwareKey /f %reg64switch%
reg delete %hwidkey% /v HardwareID /f %reg64switch%
reg delete %hwidkey% /v HostGUID /f %reg64switch%
rem ### set HardwareID prefix
rem ### this can be any 20-digit hexadecimal string (using digits 0-9,A-F) in all CAPS
rem ### (the value below is only an example; choose your own prefix)
set hwidprefix=0123456789ABCDEF0123
rem ### get first MAC address from "getmac" command
rem ### if "getmac" fails, try exchanging the line below for the "for" line of the loop that follows:
rem ### for /f "tokens=12" %%a in ('"ipconfig /all | find "Physical""') do (
for /f "tokens=1" %%a in ('"getmac /nh"') do (
  set mac=%%a
  rem ### keep only the first MAC address by leaving the loop after the first line
  goto gotmac
)
:gotmac
rem ### remove hyphens from MAC addr
set mac=%mac:-=%
rem ### for HardwareID, concatenate MAC addr to end of custom prefix
rem ### hwid must be a 32-digit hexadecimal string (using digits 0-9,A-F): 20-digit prefix + 12-digit MAC
set hwid=%hwidprefix%%mac%
rem ### Set SEP HardwareID in registry
reg add %hwidkey% /v HardwareID /d %hwid% /f %reg64switch%
rem ### start SEP services
sc start SepMasterService
sc start SmcService
sephwid.bat can be debugged by calling it from a second script which simply calls the first and redirects stderr/stdout to a log file. For example:
c:\sephwid.bat >c:\sephwid.log 2>&1
It is not necessary to prepare the base image for cloning, since sephwid.bat will automatically remove any previous SEP hardware identifiers every time the machine starts. The SEP client on the base image should be assigned to a SEP Manager group that has a short heartbeat and/or "push" communication so that provisioned clients can quickly re-establish a connection with the SEP Manager. When the provisioned client shuts down, the SyLink LastServer and RegCSN values will revert to those of the base image. This may cause a delay of up to two heartbeats when the provisioned client starts up again and the SEP Manager reconciles its saved CSN value with those of the client. After the provisioned client checks in it can receive new policy (including a longer heartbeat) according to its hardware ID and group membership or location awareness.
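A post-boot check that confirms sephwid.bat left the provisioned client in the intended state. This is an added example, not part of the original post or of Symantec's own tooling; it assumes $HwidPrefix is the same 20-digit prefix used in sephwid.bat (a placeholder value below), that it runs in a 64-bit PowerShell on x64 so the registry path resolves to the view the script wrote with /reg:64, and that $SepService is SepMasterService for SEP 12.1 (SmcService on 11.x).

```powershell
# Added example (not from the original post): post-boot check that sephwid.bat
# left the provisioned client with the intended fixed HardwareID.
$HwidPrefix = '0123456789ABCDEF0123'   # placeholder: must match the prefix in sephwid.bat
$SepService = 'SepMasterService'       # SEP 12.1; use SmcService on SEP 11.x
$SylinkKey  = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink'
$problems   = @()

# A 32-bit PowerShell on x64 reads the Wow6432Node view, not the one written with /reg:64
if ($env:PROCESSOR_ARCHITEW6432) {
    $problems += '32-bit PowerShell on a 64-bit OS: registry reads are redirected to Wow6432Node'
}

# First physical adapter MAC with separators removed. sephwid.bat takes the first MAC that
# "getmac" reports; on a host with several adapters, set $mac by hand to that one.
$mac = Get-WmiObject Win32_NetworkAdapter -Filter 'PhysicalAdapter=TRUE AND MACAddress IS NOT NULL' |
       Select-Object -First 1 -ExpandProperty MACAddress
$mac = ("$mac" -replace '[:-]', '').ToUpper()
$expected = $HwidPrefix + $mac

$actual = (Get-ItemProperty -Path $SylinkKey -Name HardwareID -ErrorAction SilentlyContinue).HardwareID
if (-not $actual) {
    $problems += 'HardwareID value is missing: the script did not run, or ran after the SEP service started'
} elseif ($actual -notmatch '^[0-9A-F]{32}$') {
    $problems += "HardwareID '$actual' is not a 32-digit upper-case hex string"
} elseif ($actual -ne $expected) {
    $problems += "HardwareID '$actual' does not match expected '$expected' (prefix or MAC differs)"
}

# A leftover sephwid.xml from the base image would let the client fall back to an old identity
foreach ($dir in 'C:\Program Files\Common Files\Symantec Shared\HWID',
                 'C:\ProgramData\Symantec\Symantec Endpoint Protection\PersistedData') {
    if (Test-Path (Join-Path $dir 'sephwid.xml')) { $problems += "stale sephwid.xml still present in $dir" }
}

# The service must stay Manual so that sephwid.bat, not the Service Control Manager, starts it
$svc = Get-WmiObject Win32_Service -Filter "Name='$SepService'"
if (-not $svc) { $problems += "$SepService service not found" }
elseif ($svc.StartMode -ne 'Manual') { $problems += "$SepService start type is $($svc.StartMode), expected Manual" }

if ($problems.Count -eq 0) { "OK: HardwareID $actual is fixed and derived from MAC $mac" }
else { $problems | ForEach-Object { "PROBLEM: $_" }; exit 1 }
```

Run it once on a freshly booted provisioned client; a non-zero exit code means at least one of the conditions the startup script depends on is not met.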
- Configure the Citrix purge time:
- In the SEPM domain that you created in Part 1, go to Admin > Domains > <Your Citrix Domain>
- Edit Domain Properties
- Delete non-persistent VDI clients that have not connected for specified time: 1 day
- Delete clients that have not connected for specified time: set it to 1 day
Information Sources:
- Virtual Image Exception
- Virtualization Best Practices