We came across an issue getting Symantec Endpoint Protection 12 working with Provisioning Services 6.1. When you install SEP 12 on the Windows 7 VM, it causes the VM to freeze during the install. Sometimes it actually finished installing but then immediately after the VM freezes. In both cases you have to force a reboot. Once the VM is back up, you are not able to login using domain credentials. It will give you a “The trust relationship between this workstation and primary domain failed” error message. So you have to use local admin credentials. Once you are in, some of your apps might be broken. Symantec is sometimes in a half installed state. Running LiveUpdate fails. Your OS is pretty much hosed at this point and you have to start all over.
Through extensive testing, we discovered that SEP 12 was somehow impacting the network stack causing the vDisk to disconnect. SEP and the PVS Target software were vying for control.
We escalated this through Symantec and were finally told there is a compatibility issue between SEP 12 and PVS 6.1 but it is not public knowledge yet. There is an internal ETrack on the issue. SEP 12 has been used with PVS 5.x and provisioned desktops successfully. When Citrix released PVS 6.x, a driver was changed from the previous version and issues have been seen on provisioned desktops if any of the following 3 SEP modules are installed: Advanced Download Protection, SONAR Protection, and IPS. Symantec is working on a code change, but meanwhile you can leave out these modules.
After performing more tests without these 3 modules installed, SEP 12 is installing and running normally without impacting the PVS infrastructure. This is version 12.1.1101 shown below we have tested on. Hopefully a newer version of SEP will be fully compatible with PVS. After the install is done, run a full scan, run the VIE tool (Virtual Image Exception tool), reset your hardware IDs, and you’re ready to spin up VMs in standard/read only vDisk mode.
UPDATE: September 28, 2012
Symantec released an update to fix this as part of their definitions from September 4th onward. It comes to the SEPM automatically as part of the daily update process so everyone should have it at this point. No manual patch or fix is needed. It changes the timing of Symantec. Symantec and the PVS Target will no longer vie for control of the network stack as I understand it. Symantec will start delayed after the PVS Target has fully started. I don’t have any further technical details but I am hoping Symantec will have a KB up soon covering this. We have been testing and everything seems to be working well.
Jason Samuel is a visionary product leader and trusted advisor with a proven track record of shaping strategy and driving technology innovation. With extensive expertise in enterprise end-user computing, security, cloud, automation, and virtualization technologies, Jason has become a globally recognized authority in the IT industry. His career spans consulting for hundreds of Fortune 500 enterprises across diverse business sectors worldwide, delivering cutting-edge digital solutions from Citrix, Microsoft, VMware, Amazon, Google, and NVIDIA that seamlessly balance security with exceptional user experiences.
Jason’s leadership is amplified by his dedication to knowledge-sharing as an author, speaker, podcaster, and mentor within the global IT and technology community. Recognized with numerous prestigious awards, Jason’s contributions underscore his commitment to advancing technology and empowering organizations to achieve transformative results. Follow him on LinkedIn.
WillFulmer
August 2, 2012 at 11:37 AM
Is this article relevant to what you are experiencing?
http://support.citrix.com/article/CTX134231
At one of my clients, we are experiencing the same behavior
SEP 12 + PVS 5.6 = good
SEP 12 + PVS 6.1 = intermittent connection issues, machines becoming unregistered, etc.
Thoughts? Any more information on this?
Jason Samuel
August 2, 2012 at 12:58 PM
@WillFulmer
Hi Will, thanks for posting that CTX link. Yes I had put our Citrix TRM in touch with Symantec on this. It’s good that they’ve made the issue public now. I’m sure a lot of people were scratching their heads on this one.
We are still waiting on a fix from Symantec. For now, just make sure Sonar, IPS, and ADP are not installed and it will work fine. I’ll post here if I get any updates from Symantec.
Ken Sheppard
August 4, 2012 at 9:23 AM
Thanks for your guide on how to make SEP 12.1 run properly with a Citrix VDI setup. I have installed SEP 12.1 as an unmanaged client on my Win7 VDIs and I would also like to use the new VIE tool, which seems very simple to use. However, the unmanaged SEP 12.1 client doesn’t have the controls to enable VIE for auto-protect and scheduled scans. The features are only available from the SEPM but I’m not running a 12.1 SEPM. Do you know of the SEP 12.1 registry keys that would allow me to enable VIE to run on an unmanaged SEP 12.1 client?
Thanks for any suggestion. The SEP forum has been useless.
Jason Samuel
September 28, 2012 at 2:16 PM
A quick update, Symantec released an update to fix this as part of their definitions from September 4th onward. It comes to the SEPM automatically as part of the daily update process so everyone should have it at this point. No manual patch or fix is needed. It changes the timing of Symantec. Symantec and the PVS Target will no longer vie for control of the network stack as I understand it. Symantec will start delayed after the PVS Target has fully started. I don’t have any further technical details but I am hoping Symantec will have a KB up soon covering this. We have been testing and everything seems to be working well.