Citrix Provisioning Services

SEP 12 not working with PVS 6.1 and Microsoft Windows 7 XenDesktop VMs

We came across an issue getting Symantec Endpoint Protection 12 working with Provisioning Services 6.1. When you install SEP 12 on the Windows 7 VM, it causes the VM to freeze during the install. Sometimes it actually finished installing but then immediately after the VM freezes. In both cases you have to force a reboot. Once the VM is back up, you are not able to login using domain credentials. It will give you a “The trust relationship between this workstation and primary domain failed” error message. So you have to use local admin credentials. Once you are in, some of your apps might be broken. Symantec is sometimes in a half installed state. Running LiveUpdate fails. Your OS is pretty much hosed at this point and you have to start all over.

Through extensive testing, we discovered that SEP 12 was somehow impacting the network stack causing the vDisk to disconnect. SEP and the PVS Target software were vying for control.

We escalated this through Symantec and were finally told there is a compatibility issue between SEP 12 and PVS 6.1 but it is not public knowledge yet. There is an internal ETrack on the issue. SEP 12 has been used with PVS 5.x and provisioned desktops successfully. When Citrix released PVS 6.x, a driver was changed from the previous version and issues have been seen on provisioned desktops if any of the following 3 SEP modules are installed: Advanced Download Protection, SONAR Protection, and IPS. Symantec is working on a code change, but meanwhile you can leave out these modules.

After performing more tests without these 3 modules installed, SEP 12 is installing and running normally without impacting the PVS infrastructure. This is version 12.1.1101 shown below we have tested on. Hopefully a newer version of SEP will be fully compatible with PVS. After the install is done, run a full scan, run the VIE tool (Virtual Image Exception tool), reset your hardware IDs, and you’re ready to spin up VMs in standard/read only vDisk mode.

UPDATE: September 28, 2012
Symantec released an update to fix this as part of their definitions from September 4th onward. It comes to the SEPM automatically as part of the daily update process so everyone should have it at this point. No manual patch or fix is needed. It changes the timing of Symantec. Symantec and the PVS Target will no longer vie for control of the network stack as I understand it. Symantec will start delayed after the PVS Target has fully started. I don’t have any further technical details but I am hoping Symantec will have a KB up soon covering this. We have been testing and everything seems to be working well.

4 Comments

  1. WillFulmer

    August 2, 2012 at 11:37 AM

    Is this article relevant to what you are experiencing?
    http://support.citrix.com/article/CTX134231

    At one of my clients, we are experiencing the same behavior
    SEP 12 + PVS 5.6 = good
    SEP 12 + PVS 6.1 = intermittent connection issues, machines becoming unregistered, etc.

    Thoughts? Any more information on this?

  2. Jason Samuel

    August 2, 2012 at 12:58 PM

    @WillFulmer
    Hi Will, thanks for posting that CTX link. Yes I had put our Citrix TRM in touch with Symantec on this. It’s good that they’ve made the issue public now. I’m sure a lot of people were scratching their heads on this one.

    We are still waiting on a fix from Symantec. For now, just make sure Sonar, IPS, and ADP are not installed and it will work fine. I’ll post here if I get any updates from Symantec.

  3. Ken Sheppard

    August 4, 2012 at 9:23 AM

    Thanks for your guide on how to make SEP 12.1 run properly with a Citrix VDI setup. I have installed SEP 12.1 as an unmanaged client on my Win7 VDIs and I would also like to use the new VIE tool, which seems very simple to use. However, the unmanaged SEP 12.1 client doesn’t have the controls to enable VIE for auto-protect and scheduled scans. The features are only available from the SEPM but I’m not running a 12.1 SEPM. Do you know of the SEP 12.1 registry keys that would allow me to enable VIE to run on an unmanaged SEP 12.1 client?

    Thanks for any suggestion. The SEP forum has been useless.

  4. Jason Samuel

    September 28, 2012 at 2:16 PM

    A quick update, Symantec released an update to fix this as part of their definitions from September 4th onward. It comes to the SEPM automatically as part of the daily update process so everyone should have it at this point. No manual patch or fix is needed. It changes the timing of Symantec. Symantec and the PVS Target will no longer vie for control of the network stack as I understand it. Symantec will start delayed after the PVS Target has fully started. I don’t have any further technical details but I am hoping Symantec will have a KB up soon covering this. We have been testing and everything seems to be working well.

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Apache

Today I would like to go over proper URL redirection when using SSL but first I would like to preface this by describing what...

Citrix Workspace

You can use FIDO2 hardware security keys plugged into your physical desktop over the Citrix HDX remoting protocol for use with virtualized Windows Desktop...

Exchange 2003

A useful Exchange 2003 guide I wrote for a friend’s blog originally but I am posting it here on mine now for your viewing...

Apache

In a worst case scenario and all your web servers have failed, what do you do? You could have a standby group of servers...

JasonSamuel.com began in 2008 as a way for me to give back to the IT community. This website features the latest news and how-to's on enterprise mobility, security, virtualization, cloud architecture, and other technologies I work with. This website has evolved over time to become a go-to reference hub for these technologies. It receives hundreds of thousands of unique visitors from all over the world each month. More details on the About Me page.
Copyright © 2008-2023 JasonSamuel.com

Exit mobile version