Companies want to provide a consistent and controlled work environment for employees using their own devices, but that’s often easier said than done. Managed virtual desktop collections can provide that, but integrating these virtual desktops into an enterprise environment while still using the existing desktop software can be a problem. On a recent Remote Desktop Services deployment I couldn’t use my antivirus software. Here’s how I fixed it.
I normally install ESET Endpoint Antivirus through a management console, but the virtual desktop collection was set to revert changes every time a user logged off, so ESET would disappear.
Next, I tried installing ESET on the template. I was able to Sysprep the image without issue, but when I tried to create the collection the virtual machines (VM) never finished their setup process, leaving me with a collection marked as “Not Valid.” Upon further inspection I noticed that each VM had stopped in the middle of its first-time boot sequence with an error stating, “Windows could not finish configuring the system.”
Here’s how to find the cause of the error:
Copy C:\Windows\Panther\Setup.etl off of the VM by mounting the virtual hard disk in the host system.
From the command prompt run
"tracerpt setup.etl -o logfile.csv"
in the folder you copied the file to.
Open the newly created logfile.csv and search for “failed to process.” Whichever registry entry the setup failed to process is associated with the program that is causing the problem. Thanks to Jeff Harrison in this thread for figuring that out.
In order to keep ESET installed, you can update the rollback snapshot on each VM, which is how it reverts changes after users log off. For even small deployments, this can take more time than you would want to spend. To speed up the process I created the following PowerShell script:
This script takes a snapshot of all the VMs matching the [Pattern] in the first command that don’t have users logged on and then removes all the old snapshots. It will keep retrying until all VM snapshots have been updated.
This script works well on a single machine configuration, but I had some issues checking for logged on users when the connection broker was on a separate machine and there were multiple virtualization hosts. To fix that I used the following simplified version:
You don’t really need to check for user connections with this script because it should be run soon after the collection is created or the desktops are recreated and ESET has been pushed. I would recommend disabling the collection in Web Access from the collection properties to prevent users from logging on while you update the system.
Installing ESET in this configuration keeps it installed until you update the template and recreate all the desktops, at which point you must run through this process again. Another unfortunate side effect is that definition updates don’t stick in between template updates either. ESET has to download all the definition updates since the last collection update every time a user logs off.
It’s Easier When It Just Works
Virtual desktop collections can be made to work with most software, but using software that doesn’t support virtualization can often require some creativity. Group policy can help with software incompatibilities, but if at all possible, it’s easiest to use software that just works.
Transform your business operations with our Microsoft solutions