Symantec Endpoint Protection Manager Create Client Install Package


To import a Symantec Endpoint Protection (SEP) client package into the manager:

• Log into the SEPM Console.
• Select the Admin tab.
• Select Install Packages.
• Click Add Client Install Package from the Tasks menu.
• On the Add Client Install Package dialog:
  • Provide a descriptive name for the installation package in the Specify a name for this package text box (e.g. Symantec Endpoint Protection 12.1 RU5 Mac Client).
  • Click Browse.
  • Navigate to the installation package folder (e.g. SEPM Packages from the Part 1 installation media).
  • Select the .info file associated with the installation package (e.g. SAV32.info, SAV64.info, SEP_MAC.info).
  • Click Select.


To manage clients with Symantec Endpoint Protection Manager, you must export a managed client installation package, and then install the package files onto client computers. You can deploy the client with either Symantec Endpoint Protection Manager or a third-party deployment tool. Symantec occasionally provides. Symantec’s IT Management Suite (ITMS) is a highly functional endpoint management product. It possesses numerous infrastructure scaling features to assist.

• Optionally, provide a description of the package in the Description field.
• Click OK to start the import process.
• After a successful import, a status window will be displayed.
• Click Close to exit the Creating Package dialog.

After a successful import, a 'Package is created' event will be logged into the System/Administrative logs. Details will describe this new package with text similar to 'Successfully imported the SEP 12.1 RU5 32-bit package via Symantec Endpoint Protection Manager. This package is now available for deployment.'

Notes:

• This process will not work with the SEPM web console. The web console can only import packages that were exported in the .ZIP file format. It will not import a .INFO file format package; that is not supported for the web console. The web console can only import or export a single file.
• It is possible to import an executable package (i.e. .EXE or .ZIP file packages) directly, but this is not recommended. The .INFO file contains extra information that describes the package and ensures proper migration to future builds of the SEP client via delta updates.

Hardware

• If vSphere 6, don’t use hardware version 11 unless you have NVIDIA GRID. VMware 2109650
• For virtual desktops, give the virtual machine: 2+ vCPU and 2+ GB of RAM
• For Windows 2008 R2 RDSH, give the virtual machine 4 vCPU and 12-24 GB of RAM
• For Windows 2012 R2 RDSH, give the virtual machine 8 vCPU, and 24-48 GB of RAM
• Remove the floppy drive
• Remove any serial or LPT ports
• If vSphere:
  • To reduce disk space, reserve memory. Memory reservations reduce or eliminate the virtual machine .vswp file.
  • The NIC should be VMXNET3.
• If this VDA will boot from:
  • Give the VDA for caching.
  • Do not enable Memory Hot Plug
  • For vSphere, the NIC must be VMXNET3.
  • For vSphere, configure the CD-ROM to boot from IDE instead of SATA. SATA comes with VM hardware version 10. SATA won’t work with PvS.
• Install the latest version of drivers (e.g. VMware Tools).
• If Windows 7 on vSphere, don’t install the VMware SVGA driver. For more details, see CTX201804.

If vSphere, disable NIC Hotplug

• Users could use the systray icon to Eject the Ethernet Controller. Obviously this is bad.
• To disable this functionality, power off the virtual machine.
• Once powered off, right-click the virtual machine and click Edit Settings.
• On the VM Options tab, expand Advanced and then click Edit Configuration.
• Click Add Row.
• On the left, enter devices. On the right, enter false.
• Then click OK a couple times to close the windows.
• The VM can then be powered on.

Windows Preparation

• If RDSH, disable IE Enhanced Security Config
• Optionally, go to Action Center (Windows 8.1 or 2012 R2) or Security and Maintenance (Windows 10) to disable User Account Control and enable SmartScreen.
• Run Windows Update.
• If Windows Firewall is enabled:
  • Enable File Sharing so you can access the VDA remotely using SMB
  • Enable COM+ Network Access and the three Remote Event Log rules so you can remotely manage the VDA.
• Add your Citrix Administrators group to the local Administrators group on the VDA.
• The Remote Desktop Services “Prompt for Password” policy prevents Single Sign-on to the Virtual Delivery Agent. Check registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. If fPromptForPassword = 1 then you need to fix group policy. The following GPO setting will prevent Single Sign-on from working.

HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\ProfSvc\Parameters

• On the Edit menu, point to New, and then tap or click DWORD Value.
• Type UseProfilePathExtensionVersion.
• Press and hold or right-click UseProfilePathExtensionVersion, and then tap or click Modify.
• In the Value data box, type 1, and then tap or click OK.
• Exit Registry Editor.

Then, Windows 8.1 creates a user profile and appends the suffix “.v4” to the profile folder name to differentiate it from version 2 of the profile in Windows 7 and version 3 of the profile in Windows 8.

Registry

HDX Flash

From Citrix Knowledgebase article CTX139939: The registry key value IEBrowserMaximumMajorVersion is queried by the HDX Flash service to check for maximum Internet Explorer version that HDX Flash supports. For Flash Redirection to work with Internet Explorer 11 set the registry key value IEBrowserMaximumMajorVersion to 11 on the machine where HDX flash service is running. In case of XenDesktop it would be the machine where VDA is installed.

• Key = HKLM\SOFTWARE\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer
• Value = IEBrowserMaximumMajorVersion (DWORD) = 00000011 (Decimal)

From: Add the DWORD ‘FlashPlayerVersionComparisonMask=0’ on the VDA under HKLM\Software\Wow6432Node\Citrix\HdxMediaStreamForFlash\Server\PseudoServer. This disables the Flash major version checking between the VDA and Client Device.

Published Explorer

This section applies if you intend to publish apps from this VDA. From Citrix Knowledgebase article CTX128009: When publishing the seamless explorer.exe application, the session initially begins to connect as expected. After the loading, the dialog box disappears and the explorer application fails to appear. On the VDA, use the following registry change to set the length of time a client session waits before disconnecting the session:

• Key = HKLM\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
• Value = LogoffCheckerStartupDelayInSeconds (DWORD) = 10 (Hexadecimal)

Mfaphook – 8.3 File Names

• Open a command prompt.
• Switch to C:\ by running cd /d C:\
• Run dir /x program*
• If you don’t see PROGRA~1 then 8.3 is disabled. This will break Citrix.
• If 8.3 is disabled, open regedit and go to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows.
• On the right is AppInit_DLLs. Edit it and remove the path in front of MFAPHOOK64.DLL.

Logon Disclaimer Window Size

From Citrix Discussions: If your logon disclaimer window has scroll bars, set the following registry values:

• HKLM\Software\Wow6432node\Citrix\CtxHook\AppInit_DLLS\Multiple Monitor Hook\LogonUIWidth = DWORD:300
• HKLM\Software\Wow6432node\Citrix\CtxHook\AppInit_DLLS\Multiple Monitor Hook\LogonUIHeight = DWORD:200

Login Timeout

Citrix CTX203760: XenDesktop, by default, only allows 180 seconds to complete a logon operation. The timeout can be increased by setting the following: under HKLM\SOFTWARE\Citrix\PortICA, add a new DWORD AutoLogonTimeout and set the value to decimal 240 or higher (up to 3600). Also see Citrix Discussions.

Receiver for HTML5 Enhanced Clipboard

From docs.citrix.com: To enable enhanced clipboard support, set registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\Virtual Clipboard\Additional Formats\HTML Format, Name="HTML Format". Create any missing registry keys. This applies to both virtual desktops and Remote Desktop Session Hosts.

4K Monitors

Citrix CTX201696: Up to eight 4K monitors are supported with the Std-VDA and RDS VDA irrespective of underlying GPU support, provided the required policies and/or registry keys are correctly configured. Currently the Std-VDA for XenDesktop and RDS-VDA for XenApp does not support resolutions higher than 4094 in any dimension.

Framehawk currently does not support 4K monitors. At the time of writing, the number of monitors supported is 1, the use of more monitors will cause the graphics mode to change from Framehawk to Thinwire to support multi-monitor. The maximum resolution supported by Framehawk is currently 2048×2048.

From CTX200257: Symptom: A blank or corrupt screen is displayed when connecting to Windows 7 or 8.1 Standard XenDesktop Virtual Delivery Agents on a client which has one or more 4K resolution monitors.

• Calculate the video memory that is required for 4K monitor using the following formula. Suppose a Windows 7 VDA is connecting to a client that has dual 4K monitors (3840×2160), then video buffer should be: (3840 x 2160 x 4 x 2) + (3840 x 2160 x 4 x 2) = ~132MB
• Open the registry (regedit) and navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vd3v
• Increase the value of “MaxVideoMemoryBytes” REG_DWORD value to the above calculated memory.
• Reboot the VDA.

When using Thinwire, Compatibility, Thinwire Plus or Legacy modes, the policy needs to be configured appropriately for Std-VDA, as per at docs.citrix.com. The Default value for is 65536KB and this is sufficient up to 2x4K monitors (2x32400KB).

You can find more information on Graphics modes.

Legacy Client Drive Mapping

Citrix Knowledgebase article: Citrix Client Drive Mapping no longer uses drive letters and instead they appear as local disks. This is similar to RDP drive mapping. The old drive letter method can be enabled by setting the registry value:

• Key = HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\UncLinks (create the key)
• Value = UNCEnabled (DWORD) = 0

When you reconnect, the client drives will be mapped as drive letters (starts with V: and goes backwards).

COM/LPT Port Redirection

To signal Citrix’ intention to deprecate COM and LPT support in a future major release, policy settings for COM Port and LPT Port Redirection have moved from Studio to the registry, and are now located under HKLM\Software\Citrix\GroupPolicy\Defaults\Deprecated on either your Master VDA image or your physical VDA machines. The are detailed at docs.citrix.com.

Print Driver for Non-Windows Clients

This section applies to Windows 2012 R2, Windows 8.1, and Windows 10 VDAs.

By default, Non-Windows clients cannot map printers due to a missing print driver on the VDA machine.

• Requirements:
  • Internet Access
  • Windows Update service enabled
• Click Start and run Devices and Printers.
• In the Printers section, highlight a local printer (e.g. Microsoft XPS Document Writer). Then in the toolbar click Print server properties.
• Switch to the Drivers tab. Click Change Driver Settings.
• Then click Add.
• In the Welcome to the Add Printer Driver Wizard page, click Next.
• In the Processor Selection page, click Next.
• In the Printer Driver Selection page, click Windows Update. The driver we need won’t be in the list until you click this button. Internet access is required.
• Once Windows Update is complete, highlight HP on the left and then select HP Color LaserJet 2800 Series PS (Microsoft) on the right.
• In the Completing the Add Printer Driver Wizard page, click Finish.
• Repeat these instructions to install the following additional drivers:
  • HP LaserJet Series II
  • HP Color LaserJet 4500 PCL 5

SSL for VDA

If you intend to use HTML5 Receiver internally, install certificates on the VDAs so the WebSockets (and ICA) connection will be encrypted. Internal HTML5 Receivers will not accept clear text WebSockets. External users don’t have this problem since they are SSL-proxied through NetScaler Gateway.

Notes:

• Each Virtual Delivery Agent needs a machine certificate that matches the machine name. This is feasible for a small number of persistent VDAs. For non-persistent VDAs, you’ll need some automatic means for creating machine certificates every time they reboot.

• As detailed in the following procedure, use PowerShell on the Controller to enable SSL for the Delivery Group. This forces SSL for every VDA in the Delivery Group, which means every VDA in the Delivery Group must have SSL certificates installed.

The Citrix blog post has a method for automatically provisioning certificates for pooled virtual desktops by enabling certificate auto-enrollment and setting up a task that runs after the certificate has been enrolled. Unfortunately this does not work for Remote Desktop Session Host.

The following instructions can be found at docs.citrix.com.

• On the VDA machine, run mmc.exe.
• Add the Certificates snap-in.
• Point it to Local Computer.
• Request a certificate from your internal Certificate Authority. You can use either the Computer template or the Web Server template. You can also use group policy to enable Certificate Auto-Enrollment for the VDA computers.
• Browse to the XenApp/XenDesktop 7.8 ISO. In the Support\Tools\SslSupport folder, shift+right-click the Enable-VdaSSL.ps1 script and click Copy as path.
• Run PowerShell as administrator (elevated).
• Run the command Set-ExecutionPolicy unrestricted. Enter Y to approve.
• In the PowerShell prompt, type in an ampersand (&), and a space.
• Right-click the PowerShell prompt to paste in the path copied earlier.

• At the end of the path, type in -Enable
• If there’s only one certificate on this machine, press Enter.
• If there are multiple certificates, you’ll need to specify the thumbprint of the certificate you want to use. Open the Certificates snap-in, open the properties of the machine certificate you want to use, and copy the Thumbprint from the Details tab. Type quotes ( ') at the end of the thumbprint. Then remove all spaces from the thumbprint. The thumbprint needs to be wrapped in quotes.
• If this VDA machine has a different service already listening on 443 (e.g. IIS), then the VDA needs to use a different port for SSL connections. At the end of the command in the PowerShell prompt, enter -SSLPort 444 or any other unused port.
• Press to run the Enable-VdaSSL.ps1 script.
• Press twice to configure the ACLs and Firewall.
• You might have to reboot before the settings take effect.
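For the certificate-selection and thumbprint steps above, the following PowerShell is an added example (not from the original page or from Citrix): it lists the certificates in the local machine store that have a private key, are unexpired, match the machine name and allow server authentication, and it strips spaces and hidden characters from a pasted thumbprint. The function names `Get-VdaSslCandidate` and `ConvertTo-CleanThumbprint` and the sample thumbprint are constructed for illustration; it assumes Windows PowerShell 4.0 or later, run elevated on the VDA.

```powershell
# Added example: pick the machine certificate to use for VDA SSL.
# Assumption: Windows PowerShell 4.0+, run elevated on the VDA.

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Text copied from the Details tab can carry spaces and an invisible
    # left-to-right mark (U+200E); keep hexadecimal digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) characters."
    }
    return $clean
}

function Get-VdaSslCandidate {
    # The certificate has to match this machine's name.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert  = $_
        # DnsNameList holds the subject CN and any DNS subject alternative names.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $ekus  = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            # -contains is case-insensitive, so FQDN casing does not matter.
            MatchesName   = ($names -contains $fqdn) -or ($names -contains $env:COMPUTERNAME)
            # A certificate without an EKU extension is valid for all purposes.
            ServerAuth    = ($ekus.Count -eq 0) -or ($ekus -contains $serverAuthOid)
            Expired       = $cert.NotAfter -lt (Get-Date)
        }
    }
}

# Certificates that satisfy every requirement; more than one row means the
# thumbprint has to be given explicitly to the enable script.
$usable = @(Get-VdaSslCandidate | Where-Object {
    $_.HasPrivateKey -and $_.MatchesName -and $_.ServerAuth -and -not $_.Expired
})
$usable | Format-Table Thumbprint, NotAfter, Subject -AutoSize

if ($usable.Count -eq 0) {
    Write-Warning 'No usable machine certificate found; request one before enabling SSL.'
}

# Constructed sample: a thumbprint as pasted from the certificate dialog,
# with a leading hidden character and spaces between byte pairs.
$pasted = "$([char]0x200E)0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d"
ConvertTo-CleanThumbprint -Thumbprint $pasted
```

The `Thumbprint` property read from the certificate store is already free of spaces, so copying it from this output avoids the manual clean-up step.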

• Login to a Controller and run PowerShell as Administrator (elevated).
• Run the command asnp Citrix.*
• Enter the command: Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' | Set-BrokerAccessPolicyRule -HdxSslEnabled $true where <delivery-group-name> is the name of the Delivery Group containing the VDAs.
• You can run Get-BrokerAccessPolicyRule -DesktopGroupName '<delivery-group-name>' to verify that HDX SSL is enabled.
• Also run the following command: Set-BrokerSite -DnsResolutionEnabled $true

You should now be able to connect to the VDA using the HTML5 Receiver from internal machines.

Anonymous Accounts

If you intend to publish apps anonymously then follow this section.

• Anonymous accounts are created locally on the VDAs. When XenDesktop creates Anon accounts it gives them an idle time as specified at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\AnonymousUserIdleTime. The default is 10 minutes. Adjust as desired.
• You can pre-create the Anon accounts on the VDA by running “C:\Program Files\Citrix\ICAConfigTool\CreateAnonymousUsersApp.exe”. If you don’t run this tool then Virtual Delivery Agent will create them automatically when users log in.
• You can see the local Anon accounts by opening Computer Management, expanding System Tools, expanding Local Users and Groups and clicking Users.
• If you open one of the accounts, on the Sessions tab, notice that idle timeout defaults to 10 minutes. Feel free to change it.

Group Policy for Anonymous Users

Since Anonymous users are local accounts on each Virtual Delivery Agent, domain-based GPOs will not apply. To work around this limitation, you’ll need to edit the local group policy on each Virtual Delivery Agent.

• On the Virtual Delivery Agent, run gpedit.exe.
• Open the File menu and click Add/Remove Snap-in.
• Highlight Group Policy Object Editor and click Add to move it to the right.
• In the Welcome to the Group Policy Wizard page, click Browse.
• On the Users tab, select Non-Administrators.
• Click Finish.
• Now you can for anonymous users.

Since this is a local group policy, you’ll need to repeat the group policy configuration on every Virtual Delivery Agent image. Also, Group Policy Preferences is not available in local group policy.

Antivirus

Install antivirus using your normal procedure.

Instructions vary for each Antivirus product. Microsoft’s virus scanning recommendations (e.g. Exclude group policy files) –.

Citrix’s Recommended Antivirus Exclusions

Citrix CTX127030: Based on Citrix Consulting’s field experience, organizations might wish to consider configuring antivirus software on session hosts with the settings below.

• Scan on write events or only when files are modified. It should be noted that this configuration is typically regarded as a high security risk by most antivirus vendors. In high-security environments, organizations should consider scanning on both read and write events to protect against threats that target memory, such as Conficker variants.
• Scan local drives or disable network scanning. This assumes all remote locations, which might include file servers that host user profiles and redirected folders, are being monitored by antivirus and data integrity solutions.
• Exclude the pagefile(s) from being scanned.
• Exclude the Print Spooler directory from being scanned.
• Remove any unnecessary antivirus related entries from the Run key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
• If using the streamed user profile feature of Citrix Profile management, ensure the antivirus solution is configured to be aware of Hierarchical Storage Manager (HSM) drivers. For more information, refer to.

Symantec

Symantec links:

• Symantec TECH91070.
• Symantec TECH197344
• Symantec TECH180229
• Symantec TECH123419 has a script that automates changing the MAC address registered with Symantec.

• Citrix Blog Post

Non-persistent session hosts: After you have installed the Symantec Endpoint Protection client and disabled Tamper Protection, open the registry editor on the base image.

• Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC.
• Create a new key named Virtualization.
• Under Virtualization, create a key of type DWORD named IsNPVDIClient and set it to a value of 1.

To configure the purge interval for offline non-persistent session host clients:

• In the Symantec Endpoint Protection Manager console, on the Admin page, click Domains.
• In the Domains tree, click the desired domain.
• Under Tasks, click Edit Domain Properties.
• On the Edit Domain Properties > General tab, check the Delete non-persistent VDI clients that have not connected for specified time checkbox and change the days value to the desired number. The Delete clients that have not connected for specified time option must be checked to access the option for offline non-persistent VDI clients.

Example: Suppose a Windows 7 VDA is connecting to a client that has dual 4K monitors (3840×2160), then video buffer should be: (3840 x 2160 x 4 x 2) + (3840 x 2160 x 4 x 2) = ~115MB

• Open the registry (regedit) and navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vd3d
• Increase the value of “MaxVideoMemoryBytes” REG_DWORD value to the above calculated memory.
• Reboot the VDA

From: To exclude applications from Citrix 3D rendering, create a REG_DWORD registry value “app.exe” with value 0 or a registry value “*” with value 0.

• XD 7.1 and XD 7.5:
  • x86: reg add hklm\software\citrix\vd3d\compatibility /v * /t REG_DWORD /f /d 0
  • x64: reg add hklm\software\Wow6432Node\citrix\vd3d\compatibility /v * /t REG_DWORD /f /d 0
• XD 7.6/7.7/7.8 both x86 and x64:
  • reg add hklm\software\citrix\vd3d\compatibility /v * /t REG_DWORD /f /d 0

Wildcards are not supported. The asterisk * here has a special meaning “all apps” but is not a traditional wildcard. To blacklist multiple apps, e.g. both appa.exe and appb.exe, a registry value must be created for each app individually.

This is most problematic in Remote PC since most physical PCs have GPUs. I recently had to blacklist Internet Explorer to prevent lockup issues when switching back to physical.

Uninstall VDA

Uninstall the VDA from Programs and Features. Then see CTX209255.

Just went through 2012 RDS hell and found a simple solution to the errors about grace period and just setting it up in general. Microsoft explains it here: Basically Add Roles and Under Remote Desktop Services, choose Remote Desktop Licensing and Remote Desktop Session Host role services. (Note: The VDA installs Remote Desktop Session Host role service) Reboot and run the following:

1. Open an elevated Windows PowerShell prompt.
2. Type the following command on the PS prompt and press Enter: $obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
3. Run the following command to set the licensing mode: $obj.ChangeMode(value) Note: Value = 2 for Per device, Value = 4 for Per User
4. Run the following command to replace the machine name with License Server: $obj.SetSpecifiedLicenseServerList("LicServer")
5. Run the following command to verify the settings that are configured using above mentioned steps: $obj.GetSpecifiedLicenseServerList()

You should see the server name in the output. Users can now initiate Remote Desktop Sessions to the server from any supported RDS client.

Hi Carl,

We have a hosted shared desktop. An issue is we have a c:\temp folder where everyone's session ID gets created; while people are logged on they can all view each other's session ID and see what's there. Lotus Notes writes attachments in there as well, which is an issue as our Windows environment variable is c:\temp for %temp%. There is no c:\users\username\appdata\local\temp path for some reason. Do you know if there is a nice easy way to lock down each session so only the current user can see their own session?

Upgrade of VDA from 7.7 to 7.8 is failing with this message.

“11:: XenDesktopSetup:Process completed with error code 1603 11: $ERR$: XenDesktopSetup:Installation of MSI File ‘TelemetryServiceInstaller_x64.msi’ failed with code ‘InstallFailure’ (1603). 11: $ERR$: XenDesktopSetup:InstallComponent: Failed to install component ‘Citrix Telemetry Service’. Installation of MSI File ‘TelemetryServiceInstaller_x64.msi’ failed with code ‘InstallFailure’ (1603). 11: $ERR$: XenDesktopSetup:Recording installation failure. Installation of MSI File ‘TelemetryServiceInstaller_x64.msi’ failed with code ‘InstallFailure’ (1603).”

Even when I remove 7.7 and install 7.8, I get the same error message.