System Center Endpoint Protection With XenDesktop

Using System Center Endpoint Protection Anti-Virus with XenDesktop and PVS.

In most environments you want your workstations and servers to be running current AV definitions so the challenge with using PVS images is that your virtual machines would have to download new definition updates every time they restarted. This can cause multiple performance issues if you have a decent amount of virtual machines starting up and rebooting.

To prevent performance issues from occurring you have a couple options. You can disable automatic updates and manually update your images with new definition files or you can redirect your Anti-Virus definition folder location to the write cache drive. Keeping your definitions on the write cache drive will allow your virtual machines to have the latest updates and persist on reboot.


Antimalware Policy-

Exclusion Settings- Add recommended exclusions from  and any other exclusions that you need for your specific environment.


Scan Settings-

Run a scheduled scan on client computers = No.

User control of scheduled scans= No control



Disable the client user interface=Yes

Allow users to exclude files and folders, file types and processes.=No

Set Randomize schedule scan and definition start times (within 30 minutes) = Yes


Definition Updates- 

Check for Endpoint Protection definitions at a specific interval=

Check for Endpoint Protection definitions daily at=

Force a definition update if the client computer is offline for more that two consecutive scheduled updates.=No

Set your source and order for Endpoint Protection definition updates=Configuration Manager, or WSUS.


Base Image changes-

Redirect all SCEP signatures/definitions to the write cache drive so updates persist after reboot.

If SCEP is already installed then Uninstall SCEP.
Delete C:\ProgramData\Microsoft\Microsoft Antimalware folder.
Reboot VM.
Create a folder for definitions on your write cache drive.
Open CMD Line with Administrator rights.
Change path to C:\ProgramData\Microsoft\
Mklink /d /j “Microsoft Antimalware” E:\SCEP
Install SCEP
Run updates, scan and install latest SCEP

Remove Unique Virtual Machine Registry Keys-

Since the SEP client is embedded in the OS image, delete the following registry keys that are unique to the virtual machine before sealing up the image.

  1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\InstallTime
  2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanRun
  3. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastScanType
  4. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastQuickScanID
  5. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\LastFullScanID
Share or Save this: