Video Screencast Help
Symantec Secure Login will be live on Connect starting February 25. Get the details here.

SEP 12.1.2 Best Practices on Citrix Virtual Desktops ( Provisioning Services) -Part 2-

Created: 25 Jun 2013 • Updated: 02 Jun 2014 | 12 comments
Language Translations
Rodrigo Calvo's picture
+16 16 Votes
Login to vote

Continue with the Best Practices Series for Citrix ...


XEN Virtual Desktop Infrastructure desktop clients register multiple times in the Symantec Endpoint Protection Manager

Best Practices

  • Choose one of the following :
    • Instead of  Standard Image Mode (read only)
      • Use the third vDisk mode ("Difference Disk Image") on the provisioned clients. SEPM registration, definition updates and such are saved in between reboots. The base vDisk is still not changed—changes that are made by a client computer are saved in a linked cache. Any undesired changes will be purged the next time you update the underlying vDisk
    • Use a startup script to set a fixed HardwareID at boot 

It is possible in these cases to use a script to set the HardwareID to a fixed unique value during system startup. This must be done during the startup process before the Symantec service starts, otherwise the old ID is used if present or a random one is generated. Note that this startup script helps only with problems caused by random or duplicate HardwareIDs; virus definition updates must be addressed separately.

 The following instructions are provided as an example of using a startup script to set a HardwareID based on the machine's MAC address.  Please note that the script provided here is intended as an example only for the customer's convenience.  The customer is responsible for its implementation and Symantec can offer only limited support in the event that the script does not work as expected.

 Disable Tamper Protection on the SEP client; this must be done to allow the file and registry changes in steps below.

 Close any open SEP Client GUIs, go to the command line, navigate to the Symantec Endpoint Protection program files directory and stop the SEP Smc service

 smc -stop

 Set SEP service to start manually.

 In SEP 12.1, set HKLM\SYSTEM\CurrentControlSet\services\SepMasterService\Start=3

 In SEP 11.x, set HKLM\SYSTEM\CurrentControlSet\services\SmcService\Start=3

 On the base disk image for the provisioned clients, create startup batch file "c:\sephwid.bat". This startup script will clear any existing SEP hardware identifiers, set a fixed Hardware ID based on the first available MAC address on the machine, and start the SEP service. Note that this must be a machine startup script, not a login script, so that it runs before any logon. Use the following example, edit/comment/uncomment as appropriate, and be aware of line wrapping:

 rem ### Check If Computer Is Running A 32 Bit or 64 Bit Operating System:

rem ###

rem ###

rem ### registry commands must use "/reg:64" switch on 64-bit OS

rem ### this switch is supported in Server 2008 & Win7,

rem ### but a hotfix is necessary for older 64-bit systems:

rem ###

 set reg64switch=

reg query "HKLM\Hardware\Description\System\CentralProcessor\0" | find "x86"

if errorlevel 1 set reg64switch=/reg:64

 rem ### registry location for SEP HardwareID--this is the same on 32- or 64-bit systems

set hwidkey="HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink"

rem ### delete any current SEP hardware identifiers, various possible locations

rem ### ref: How to prepare SEP 12.1 client for cloning:

for /d %%d in (

"C:\Program Files\Common Files\Symantec Shared\HWID"

"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\PersistedData"

"C:\ProgramData\Symantec\Symantec Endpoint Protection\PersistedData"


) do del /f "%%~d\sephwid.xml"

for /d %%d in (

"C:\Documents and Settings\*"


) do (

del /f "%%~d\Local Settings\Temp\sephwid.xml"

del /f "%%~d\Local Settings\Temp\communicator.dat"


reg delete %hwidkey% /v ForceHardwareKey /f %reg64switch%

reg delete %hwidkey% /v HardwareID /f %reg64switch%

reg delete %hwidkey% /v HostGUID /f %reg64switch%

rem ### set HardwareID prefix

rem ### this can be any 20-digit hexadecimal string (using digits 0-9,A-F) in all CAPS

set myprefix=00000000000000000000

rem ### get first MAC address from "getmac" command

for /f "tokens=1" %%a in ('"getmac /nh"') do (

set addr=%%a

goto :endfor



rem ### if "getmac" fails, try exchanging the line below into the for loop above

rem ### for /f "tokens=12" %%a in ('"ipconfig /all | find "Physical""') do (

rem ### remove hyphens from MAC addr

set addr=%addr:-=%  

rem ### for HardwareID, concatenate MAC addr to end of custom prefix

rem ### hwid must be a 32-digit hexadecimal string (using digits 0-9,A-F)

set hwid=%myprefix%%addr%

rem ### Set SEP HardwareID in registry

reg add %hwidkey% /v HardwareID /d %hwid% /f %reg64switch%

rem ### start SEP services

sc start SepMasterService

sc start SmcService

sephwid.bat can be debugged by calling it from a second script which simply calls the first and redirects stderr/stdout to a log file. For example--


c:\sephwid.bat >c:\sephwid.log 2>&1

It is not necessary to prepare the base image for cloning, since sephwid.bat will automatically remove any previous SEP hardware identifiers every time the machine starts. The SEP client on the base image should be assigned to a SEP Manager group that has a short heartbeat and/or "push" communication so that provisioned clients can quickly re-establish a connection with the SEP Manager. When the provisioned client shuts down, the SyLink LastServer and RegCSN values will revert to those of the base image. This may cause a delay of up to two heartbeats when the provisioned client starts up again and the SEP Manager reconciles its saved CSN value with those of the client. After the provisioned client checks in it can receive new policy (including a longer heartbeat) according to its hardware ID and group membership or location awareness.

    • Configure the purge time of Citrix
    • With the SEPM Domain that you created in Part 1 go to Admin> Domains><Your Citrix Domain>
      • Edit Domain Properties
      • Delete non-persistent VDI clients that have not connected for specified time> 1 day
      • Delete clients that have not connected for specified time  Configurarlo a  1 day

Information Sources :

 Virtualization Best Practices

Comments 12 CommentsJump to latest comment

ℬrίαη's picture

Very solid, thanks for posting.


Login to vote
Ambesh_444's picture

Wow Calvo,

Thanks a lot for sharing. Thums up!!!!!!!!!!!!!!!

Thank& Regards,


"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as   solved."

Login to vote
Mithun Sanghavi's picture


This is such a wonderful and much needed series of Best Practice..!! 

Thank you.

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Login to vote
Rodrigo Calvo's picture

Thanks for your comments!

I forgot to mention something very importat for this Scenario:

The image base must be prepared previosly:

- Install SEP Client

- Disable Tamper Protection for that client

- Create a Registry Key

  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\.

  2. Create a new key named Virtualization.

  3. Under Virtualization, create a key of type DWORD named IsNPVDIClient and set it to a value of 1

-Enable Tamper Protection and follow the rest of the solution proposed


Creating a registry key to mark the base image Guest Virtual Machines (GVMs) as non-persistent clients

Login to vote
RicheeDiaz's picture

Thank you.Wonderful and to the point.



Login to vote
Rao's picture

1 up for being precise and informative.

Thanks and Regards,


Login to vote
Chetan Savade's picture

Good Work !!!

Chetan Savade
Social Media Support Lead
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

Login to vote
nwranich's picture

As with the previous one, Awesome article.  Thumbs up

Login to vote
Amit Tarafdar's picture

Superb, informative and useful artical...

Login to vote
John Santana's picture

Yes it is indeed !

Kind regards,

John Santana
IT Professional


The author cannot accept liability for any loss or damage sustained as a result of the content of this post.

Login to vote
ImperialGuard's picture

Pura Vida Keep on Rocking !!! Gracias Rolo !!!

Login to vote