pvs

Solution

Solved: 0x0000007B BSOD after unattended install of PVS Target Device

While building a deployment sequence for a XenApp 6 farm using SCCM, I ran into the problem that the unattended install of the PVS Target Device (5.6 SP1) succeeds, but after creating a VHD file using “XenConvert P2VHD” and booting the newly created vDisk, the provisioned server crashes with a BSOD 0x0000007b (inaccessible boot device).

After some investigation on the source machine I noticed the “Citrix Virtual Hard Disk Enumerator PVS” device did not install correctly and displayed a yellow exclamation mark in Device Manager (devmgmt.msc). After searching the Citrix forums I ran into a thread in which others experienced the same problem.

Unfortunately, a real solution is not provided within the thread (other than a manual installation). So, digging around the internet, I found the solution for this problem. Somehow the driver files are not transferred to the “%windir%\System32\Driver” folder during unattended (SCCM/Wisdom) installation. Copy the CFsDep2*.* files from “C:\Program Files\Citrix\Provisioning Services\drivers” to “%windir%\System32\Driver”; afterwards you can install the PVS Target Device client unattended by running “PVS_Device_x64.exe /S /v /qn”.

After the installation the exclamation mark had disappeared, and a newly created vDisk booted successfully.
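The Device Manager check described above can be scripted as a gate in the deployment sequence, so a broken enumerator is caught before the vDisk is created. This is an added example, not part of the original post; it assumes the device name reported by WMI matches the name Device Manager shows.

```powershell
# Added example: fail the deployment step if the PVS disk enumerator is unhealthy.
# Device name as shown in Device Manager (taken from the post).
$DeviceName = 'Citrix Virtual Hard Disk Enumerator PVS'

# Win32_PnPEntity.ConfigManagerErrorCode is 0 for a working device; any other
# value is what Device Manager renders as a yellow exclamation mark.
$devices = @(Get-WmiObject -Class Win32_PnPEntity |
             Where-Object { $_.Name -eq $DeviceName })

if ($devices.Count -eq 0) {
    Write-Error "Device '$DeviceName' not found; the Target Device install did not register it."
    exit 2
}

$broken = @($devices | Where-Object { $_.ConfigManagerErrorCode -ne 0 })
if ($broken.Count -gt 0) {
    foreach ($d in $broken) {
        Write-Warning ("{0}: ConfigManagerErrorCode {1}" -f $d.Name, $d.ConfigManagerErrorCode)
    }
    exit 1
}

Write-Output "'$DeviceName' is healthy; continue with XenConvert."
exit 0
```

A non-zero exit code lets the calling step stop the sequence instead of producing a vDisk that blue-screens on first boot.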

 

Citrix PVS command-line tools

After exploring and mastering a product through the GUI, it always tickles me to get to the CLI and get myself familiar with the true power and scripting possibilities of that product. The standard tool for Citrix PVS is MCLI.exe, which is installed by default when the console is installed. After installing the PVS Console you may have to run the setup of the SOAP Server Communication; use this command to set the values for the SOAP Server connection:

MCLI Run SetupConnection -p name=value[ name2=value2]
Setup the SOAP server connection that will be used for the MCLI and PowerShell command line interfaces.

-p Parameters needed for this Run.

Optional
server Server used for the connection.
Default=localhost

port Port used for the connection.
Default=8000

user User used for the connection.
Default=Current user

domain User domain used for the connection.
Default=Current user

password User password used for the connection.
Default=Current user

Add a device:
MCLI Add Device -r deviceName=Device1 deviceMac=1a-2b-3c-4d-5e-6f description="A description"

Remove a device:
MCLI Delete Device -p deviceName=Device1

To get a detailed overview of the capabilities of this interface I have attached the programmer’s guide; there is a PowerShell guide available too.

MCLI PowerShell Guide
MCLI Programming Guide

McAfee ePO considerations using Citrix Provisioning Services

In a hunt for a complete best practices guide I found the following considerations:

ePO Agent recommendations:

Delete the Agent GUID for the McAfee EPO agent; otherwise all machines deployed come up in the EPO server as the same computer. So, if you are going to use the Provisioning Services image in Shared Image mode, Citrix recommends stopping the McAfee Framework service and deleting the following registry key just before you create your Provisioning Services image.
  • Stop the McAfee Framework service (but leave on Automatic start up) and delete the AgentGUID registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\
Additional registry keys may need to be cleared or deleted before rolling out an image in Standard Image mode. To run McAfee 8.5i and EPO on a vDisk in Standard Image mode, the values for the following registry keys must be deleted before imaging the Master Target Device (this could also be done after building the image by putting the image back into Private Image Mode):
  • Associates\ePolicy Orchestrator\Agent\AgentGUID
  • Associates\ePolicy Orchestrator\Agent\MACADDRESS
  • (if using Host Intrusion)
Make sure there is not a policy applied to this PC on EPO that restarts the framework service after X seconds…. (Otherwise this key might be recreated before you start the Provisioning Services image creation process).
The problem here is that each time a PC restarts in Shared Image Mode, a different GUID is recreated. It might be necessary to set EPO to delete stale entries from its Asset database. The results might also not provide a true reflection in reports of a particular PC’s infection history, as it will have a new record in the EPO database each time a reboot occurs. This is preferable over having lots of PCs with only one of them having updated antivirus at a time.
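The sealing steps above can be run as one script just before the image is created, with a read-back check that catches the case where a policy restarts the service and recreates the value. This is an added example, not from the cited source; the service short name `McAfeeFramework`, the `Wow6432Node` copy of the key and the 30-second wait are assumptions.

```powershell
# Added example: clear the McAfee agent identity before creating the PVS image.
$ServiceName = 'McAfeeFramework'   # assumption: short name of the Framework service
$AgentKeys = @(
    # Key given in the post
    'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent',
    # Assumption: 32-bit agent on a 64-bit OS stores the same key here
    'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent'
)
$ValueNames = @('AgentGUID', 'MACADDRESS')   # values named in the post

# Stop the service; Stop-Service does not change the start type, so it stays Automatic.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Stopped') { Stop-Service -Name $ServiceName -Force }

$problems = @()
foreach ($key in $AgentKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($name in $ValueNames) {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        # Read back: a value that is still there means the delete failed or was undone.
        if (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue) {
            $problems += "$key\$name still present"
        }
    }
}

# A policy that restarts the service would recreate the GUID before capture.
Start-Sleep -Seconds 30            # arbitrary wait chosen for this example
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Stopped') {
    $problems += "service $ServiceName is running again"
}

if ($problems.Count -gt 0) {
    Write-Error ("Image is not clean: " + ($problems -join '; '))
    exit 1
}
Write-Output 'Agent identity cleared; create the image now.'
```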
Virus scanning recommendations:
  • Scan local drives only. DO NOT scan network drives.
  • Only scan “Incoming” files (i.e. write events).
  • Exclude the pagefile(s) from being scanned.
  • The “%ProgramFiles%\Citrix” folder contains many configuration and log files that are always changing, especially the Local Host Cache (imalhc.mdb) and Resource Manager Local Database (RMLocalDatabase.mdb). You could exclude the whole folder. More specifically, the main ones are:
      • “%ProgramFiles%\Citrix\Citrix Resource Manager\LocalDB”
      • “%ProgramFiles%\Citrix\Citrix Resource Manager\SummaryFiles”
      • “%ProgramFiles%\Citrix\Independent Management Architecture”
      • “%ProgramFiles%\Citrix\logs”
  • Exclude the Print Spooler (%SystemRoot%\System32\spool\PRINTERS) folder. Note that in our deployments we typically place these folders on the non-System Drive.
  • We would recommend excluding as much of the user’s profile (%UserProfile%) as possible. In fact, the only folder that is of major concern is the Temporary Internet Cache (“%UserProfile%\Local Settings\Temporary Internet Files”).
  • If you do not exclude the Profiles, then exclude the user’s Presentation Server Client bitmap cache (“%UserProfile%\Application Data\ICAClient\Cache” or “%AppData%\ICAClient\Cache”) used for ICA pass-through connections by the locally installed PNClassic and PNAgent.
  • Exclude .dat and .tmp files.
  • Disable the heuristics mode of scanning; this setting can be very intensive on the system.
  • Exclude smss.exe, winlogon.exe, userinit.exe, csrss.exe and wfshell.exe
  • Exclude the Softgrid folders (especially the cache)
Provisioning Services recommendations:

Limit antivirus definition updates to the Target Device. Create a plan to upgrade the vDisk periodically using manual, automatic or automated techniques such as Automatic vDisk updates or by using something like WorkFlow Studio.
  • Avoid scanning your disk write cache location if that write cache is hosted on the Provisioning Services server. In limited testing it has been observed that most scanners cannot detect a virus within this location because of their inherent design and the methods used to determine a virus.
  • Do not scan your Target’s I/O stream in real-time. This can cause excessive retries when the Target expects its I/O and that process is delayed by real-time scanning; there is good potential for a second and maybe more requests for the same packet fragment.
  • Avoid scanning the BNDevice.exe process on the Target. There are a few drivers that should be excluded from scanning as well: in the <systemroot>\windows\system32\drivers directory you can exclude BNNS.sys, BNNF.sys, BNPort.sys, and bnistack.sys.

source

General server recommendations

  • Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder: %windir%\SoftwareDistribution\Datastore
  • Turn off scanning of the log files that are located in the following folder: “%windir%\SoftwareDistribution\Datastore\Logs”. Specifically, exclude the following files: