Citrix Provisioning Services

SEP 12 not working with PVS 6.1 and Microsoft Windows 7 XenDesktop VMs

on

We came across an issue getting Symantec Endpoint Protection 12 working with Provisioning Services 6.1. When you install SEP 12 on the Windows 7 VM, it causes the VM to freeze during the install. Sometimes it actually finished installing but then immediately after the VM freezes. In both cases you have to force a reboot. Once the VM is back up, you are not able to login using domain credentials. It will give you a “The trust relationship between this workstation and primary domain failed” error message. So you have to use local admin credentials. Once you are in, some of your apps might be broken. Symantec is sometimes in a half installed state. Running LiveUpdate fails. Your OS is pretty much hosed at this point and you have to start all over.

Through extensive testing, we discovered that SEP 12 was somehow impacting the network stack causing the vDisk to disconnect. SEP and the PVS Target software were vying for control.

We escalated this through Symantec and were finally told there is a compatibility issue between SEP 12 and PVS 6.1 but it is not public knowledge yet. There is an internal ETrack on the issue. SEP 12 has been used with PVS 5.x and provisioned desktops successfully. When Citrix released PVS 6.x, a driver was changed from the previous version and issues have been seen on provisioned desktops if any of the following 3 SEP modules are installed: Advanced Download Protection, SONAR Protection, and IPS. Symantec is working on a code change, but meanwhile you can leave out these modules.

After performing more tests without these 3 modules installed, SEP 12 is installing and running normally without impacting the PVS infrastructure. This is version 12.1.1101 shown below we have tested on. Hopefully a newer version of SEP will be fully compatible with PVS. After the install is done, run a full scan, run the VIE tool (Virtual Image Exception tool), reset your hardware IDs, and you’re ready to spin up VMs in standard/read only vDisk mode.

UPDATE: September 28, 2012
Symantec released an update to fix this as part of their definitions from September 4th onward. It comes to the SEPM automatically as part of the daily update process so everyone should have it at this point. No manual patch or fix is needed. It changes the timing of Symantec. Symantec and the PVS Target will no longer vie for control of the network stack as I understand it. Symantec will start delayed after the PVS Target has fully started. I don’t have any further technical details but I am hoping Symantec will have a KB up soon covering this. We have been testing and everything seems to be working well.

About Jason Samuel

Jason Samuel lives in Houston, TX with a primary focus on strategic advisory and architecture of end-user computing, security, enterprise mobility, virtualization, and cloud technologies from Citrix, Microsoft, & VMware. He also has an extensive background in web architecture and networking over his 20+ year career in IT. He is an Author, Speaker, and Local User Group Community Leader. He is certified in several technologies and is 1 of 63 people globally that is a recipient of the prestigious Citrix Technology Professional (CTP) award. He is 1 of 42 people in the world that has been awarded as a VMware EUC Champion and VMware vExpert. He is a featured author on DABCC which provides the latest IT Community News on Cloud, Data Center, Desktop, Mobility, Security, Storage, & Virtualization. In his spare time Jason enjoys writing how-to articles and evangelizing the technologies he works with. Disclaimer: The content and opinions expressed in articles and posts are his own and are by no means associated with his employer.

Recommended for you

4 Comments

  1. WillFulmer

    August 2, 2012 at 11:37 AM

    Is this article relevant to what you are experiencing?
    http://support.citrix.com/article/CTX134231

    At one of my clients, we are experiencing the same behavior
    SEP 12 + PVS 5.6 = good
    SEP 12 + PVS 6.1 = intermittent connection issues, machines becoming unregistered, etc.

    Thoughts? Any more information on this?

  2. Jason Samuel

    August 2, 2012 at 12:58 PM

    @WillFulmer
    Hi Will, thanks for posting that CTX link. Yes I had put our Citrix TRM in touch with Symantec on this. It’s good that they’ve made the issue public now. I’m sure a lot of people were scratching their heads on this one.

    We are still waiting on a fix from Symantec. For now, just make sure Sonar, IPS, and ADP are not installed and it will work fine. I’ll post here if I get any updates from Symantec.

  3. Ken Sheppard

    August 4, 2012 at 9:23 AM

    Thanks for your guide on how to make SEP 12.1 run properly with a Citrix VDI setup. I have installed SEP 12.1 as an unmanaged client on my Win7 VDIs and I would also like to use the new VIE tool, which seems very simple to use. However, the unmanaged SEP 12.1 client doesn’t have the controls to enable VIE for auto-protect and scheduled scans. The features are only available from the SEPM but I’m not running a 12.1 SEPM. Do you know of the SEP 12.1 registry keys that would allow me to enable VIE to run on an unmanaged SEP 12.1 client?

    Thanks for any suggestion. The SEP forum has been useless.

  4. Jason Samuel

    September 28, 2012 at 2:16 PM

    A quick update, Symantec released an update to fix this as part of their definitions from September 4th onward. It comes to the SEPM automatically as part of the daily update process so everyone should have it at this point. No manual patch or fix is needed. It changes the timing of Symantec. Symantec and the PVS Target will no longer vie for control of the network stack as I understand it. Symantec will start delayed after the PVS Target has fully started. I don’t have any further technical details but I am hoping Symantec will have a KB up soon covering this. We have been testing and everything seems to be working well.

Leave a Reply

Your email address will not be published.