View 5 Personas with Forefront Endpoint Protection

Update 2/15/2012
I now have my very own VMware KB article documenting this issue – KB2011823

Update 1/20/2012
I have been trying to find a resolution to this for several weeks; scroll down for a full description of the performance problem that FEP causes with View 5 persona management. The issue found its way to the View product manager. A GPO setting that specifically addresses this problem was accidentally left out of the ViewPM.adm file included with View 5.0 build 481677. The policy setting is called “Excluded Processes”. The description of the setting is: “Excluded processes are processes whose i/o is ignored by Persona.  Certain anti-virus applications might need to be added to prevent performance problems.  If an anti-virus application does not have a feature to disable offline file retrieval during its on-demand scans, this setting will prevent it from unnecessarily retrieving files.  However, changes to files/settings in the users’ profiles made by excluded processes are still replicated.” Using this setting eliminates the need to create any exclusions inside of FEP, so C:\Users will still be fully protected.

The solution for FEP is to use this GPO setting to exclude the FEP process MsMpEng.exe.  Here is the replacement ViewPM.adm file. There is also a viewPM_adm_patch that I created with WinMerge, you can apply the diff to the ViewPM.adm file that installs with View 5.0.

Here are 2 screenshots of the missing setting.

Special thanks to Kevin Goodman at VMware for providing this solution!

Update 1/12/2012
I opened a ticket with Microsoft support and they advise that there is no way to prevent the download and scanning of offline files. They have escalated the ticket internally to look for any way this could be supported, but the engineer is setting expectations that there will be no resolution. It appears that you cannot use personas with FEP unless you disable scans of C:\Users. That’s not a risk that I’m going to recommend taking, so it looks like it’s roaming profiles for my View clients who use FEP.

Update 1/10/2012
The support engineer assigned to my case came back with this:

I was able to replicate the behavior you saw while working with persona management and FEP server. The reason I was able to identify is that, on logon, FEP is downloading all data to the local machine to be scanned, thereby causing the delay.

Our expectation is that virus scanners will ignore scanning offline files, but that is not the case with MS FEP. I was unable to find any such option with the FEP client to ignore scanning offline files. Hence this can only be worked around by excluding the folder to be scanned on individual VMs. This does not, however, completely compromise security, as the file share where the persona eventually will be stored is being protected with FEP anyway.

Persona management works by selecting/clearing the offline file attribute for the contents of the entire %userprofile% folder.

I opened a ticket with Microsoft support with the above information. Setting up an exclusion on C:\Users prevents real-time scanning on that folder, and I don’t think I want to let a potential virus sit out there unchallenged until the profile syncs up to the file server.
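To see the mechanism the engineer describes in action, here is an added Python script (not from the original post) that walks a profile and counts the files still carrying the Windows Offline attribute versus those already retrieved; run right after logon, a retrieved ratio near 100% means something, such as an on-access scanner, pulled every file down, while a low ratio means persona management is still lazy-loading as intended. The classification is split from the filesystem walk so it can be exercised with constructed attribute values on any OS; treating the Offline bit (0x1000) as persona management's marker and the default %USERPROFILE% root are assumptions based on the explanation above.

```python
import os
import stat
import sys
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Win32 FILE_ATTRIBUTE_OFFLINE (0x1000): assumed here to be the bit persona
# management sets on files not yet pulled from the profile repository.
OFFLINE = stat.FILE_ATTRIBUTE_OFFLINE


@dataclass
class OfflineSummary:
    total: int = 0
    offline: int = 0                  # still lazy-loaded stubs
    retrieved: int = 0                # fully local copies
    retrieved_paths: List[str] = field(default_factory=list)

    @property
    def retrieved_ratio(self) -> float:
        return self.retrieved / self.total if self.total else 0.0


def classify(entries: Iterable[Tuple[str, int]]) -> OfflineSummary:
    """Split (path, st_file_attributes) pairs on the Offline bit."""
    summary = OfflineSummary()
    for path, attrs in entries:
        summary.total += 1
        if attrs & OFFLINE:
            summary.offline += 1
        else:
            summary.retrieved += 1
            summary.retrieved_paths.append(path)
    return summary


def walk_attributes(profile_root: str) -> Iterable[Tuple[str, int]]:
    """Yield (path, attributes) for each file; st_file_attributes is Windows-only."""
    for dirpath, _dirs, files in os.walk(profile_root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.stat(full).st_file_attributes
            except (OSError, AttributeError):
                continue  # unreadable file, or not running on Windows


def audit_profile(profile_root: str) -> OfflineSummary:
    return classify(walk_attributes(profile_root))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expandvars("%USERPROFILE%")
    s = audit_profile(root)
    print(f"{s.total} files: {s.offline} still offline, {s.retrieved} retrieved "
          f"({s.retrieved_ratio:.0%})")
```

Compare the ratio with the Excluded Processes setting applied and without it: with MsMpEng.exe excluded, most files should remain offline until the user actually opens them.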

I am deploying a new View 5 setup and the client has Forefront Endpoint Protection. After enabling persona management for my Windows 7 image, I found that the logon process hung at “Welcome” for 3+ minutes.

I found this VMware communities thread suggesting that MS Forefront Endpoint Protection was the culprit. I enabled debug logging and tried logging on with FEP both enabled and disabled. The debug logs are identical other than the amount of time spent between log entries. With FEP disabled, files in C:\Users are touched quickly, less than 0.1 seconds between log entries. With FEP enabled, files in C:\Users have a 3-5 second delay between touches. This leads to the 3+ minute logon delay.

The VMware community post suggested excluding C:\Users from scanning – I tested that configuration and it does resolve the logon slowness problem – logon completes within 5 seconds and profiles are synced successfully. Obviously, this comes at the expense of the security of the environment – I wouldn’t go to production excluding the entirety of C:\Users from antivirus scans.

I’ll be opening up a VMware support ticket, but given the deadline I’m working under it looks like roaming profiles are in my near future. Disappointing because I was impressed with the speed of the View persona management when FEP isn’t in the way.
