There are a couple of blogs and articles describing how to prepare Symantec Endpoint Protection clients within a Citrix provisioned environment by using a startup script. Such scripts set, among other things, the necessary hardware identifier. Also view

This blog explains how to prepare a Symantec Endpoint Protection client for a Citrix provisioning environment by using the Device Personality in the target device properties, which makes the use of Symantec EP quite easy.

Machines secured by Symantec Endpoint Protection need a unique identifier so that each one is identified and registered uniquely on the Symantec server; otherwise duplicate entries are created on every reboot.

Therefore, companies like Symantec can leverage the personality.ini, which is located at “c:\personality.ini” on each provisioned machine, to grab the necessary information at startup.

To address this situation you can use the “Device Personality” tab (which can be found in the target device properties) to enter the necessary information, which is then copied into the personality.ini during startup.

Symantec looks for a registry entry called “HardwareID” located under “HKLM\SOFTWARE\Symantec Endpoint Protection\SMC\SYLINK\SYLINK” with its corresponding value. After the SMC service is started, Symantec creates the known sephwid.xml with the hwid string from the registry.

Therefore put the string “hwid” with a value composed of 32 hexadecimal digits into the Device Personality of each target device. Since a MAC address is a unique parameter within a network (at least it should be), you can build the value from the machine's MAC address (12 digits) plus 20 padding characters, e.g. “0”.

Example: “hwid=128b20c91a7a00000000000000000000”. If you use the machine's MAC address, it is necessary to remove all “-”.

If you only need to do that for a couple of machines, you do not really have to think about automation.

If you have, let's say, several thousand machines, it won't be much fun to enter this string for each machine manually.

For that reason you can make use of the Citrix Provisioning command line (MCLI) in combination with PowerShell.

The following script sets the needed “hwid” string with the respective value for each target device within a predefined Provisioning Services Site and its corresponding Device Collection.

The script prompts for:

1. The Provisioning Server hostname (it can be any server within the PVS farm; it is only needed to establish a connection to the farm in order to be able to execute MCLI commands)

2. The name of the Provisioning Services Site and finally

3. The Device Collection which contains the target devices you want to modify

After the script has been executed, the hwid string has been added to all target devices within this device collection with the respective value:



# User input
[string]$PVSSERVER = Read-Host "Enter a Provisioning Services-Server of your farm"
Write-Host "Connecting to Server $PVSSERVER..." -ForegroundColor Blue

MCLI-Run SetupConnection -p server=$PVSSERVER

[string]$Site = Read-Host "Enter the name of your Provisioning Services Site"
Write-Host "You entered the Site $Site" -ForegroundColor Blue
[string]$Collection = Read-Host "Enter the name of a Device Collection"
Write-Host "You entered $Collection as Device Collection" -ForegroundColor Blue

[hashtable]$Devices = @{}

# Automatically create hashtable (device name is the key, MAC address is the value)
ForEach ($Line in $(Mcli-Get Device -p collectionName=$Collection, siteName=$Site -f deviceName, deviceMAC | Where-Object { $_ -like "deviceName:*" -or $_ -like "deviceMAC:*" })) {
      If ($Line -like "deviceName:*") {
            # Strip the "deviceName: " prefix (12 characters) to get the key
            $LastKey = $Line.Remove(0, 12)
            $Devices.Add($LastKey, "")
      } Else {
            # Strip the "deviceMAC: " prefix (11 characters) to get the value
            $Devices.Item($LastKey) = $Line.Remove(0, 11)
      }
}

# Write hwid = MAC without "-" plus 20 zeros into each device's personality
ForEach ($Device in $Devices.GetEnumerator()) {
      Mcli-SetList DevicePersonality -p deviceName=$($Device.Key) -r name="hwid", value=$($Device.Value -replace "-")00000000000000000000
}

Start-Sleep -Seconds 3
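A pre-flight check for the bulk run above, as an added example that is not part of the original script: it builds each hwid from the MAC address the way the text describes and skips devices whose MAC is malformed, all-zero, or already used by another device, since any of these would produce a shared or invalid identifier. The function name `ConvertTo-Hwid` and the device list are constructed for illustration.

```powershell
# Added example (not the author's code). ConvertTo-Hwid is an illustrative name.
function ConvertTo-Hwid {
    param([string]$Mac)
    # Remove the separators, as the text requires for "-"
    $hex = $Mac -replace '[-:.]', ''
    if ($hex -notmatch '^[0-9a-f]{12}$') { throw "Not a 48-bit MAC address: '$Mac'" }
    if ($hex -eq ('0' * 12)) { throw "All-zero MAC would give every such device the same hwid" }
    # 12 MAC digits + 20 zeros = 32 hexadecimal digits
    return $hex.PadRight(32, '0')
}

# Constructed sample: device name -> MAC in the dashed form the script strips
$Devices = [ordered]@{
    'VDI-001' = '12-8B-20-C9-1A-7A'
    'VDI-002' = '12-8B-20-C9-1A-7B'
    'VDI-003' = '12-8B-20-C9-1A-7A'   # same MAC as VDI-001
    'VDI-004' = '12-8B-20-C9-1A'      # truncated MAC
}

$byHwid = @{}   # hwid -> first device that claimed it
foreach ($name in $Devices.Keys) {
    try {
        $hwid = ConvertTo-Hwid -Mac $Devices[$name]
    } catch {
        Write-Warning "$name skipped: $($_.Exception.Message)"
        continue
    }
    if ($byHwid.ContainsKey($hwid)) {
        Write-Warning "$name skipped: hwid $hwid already assigned to $($byHwid[$hwid])"
        continue
    }
    $byHwid[$hwid] = $name
    "{0}  hwid={1}" -f $name, $hwid
}
```

Only the devices that pass both checks should then be handed to the Mcli-SetList call.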

Symantec should grab the string defined in the “personality.ini” and copy it into the machine registry. This behavior I have seen during my last project. Recently I had to realize that Symantec ignored the value in the personality tab in my current project. The customer uses Symantec EP 11.1.

Therefore the following was required to make Symantec work with PVS:

1. Stop the SMC-Service with the command smc.exe -stop (smc.exe is located in C:\Program Files (x86)\Symantec\Symantec Endpoint Protection)

2. Remove sephwid.xml (located in C:\Program Files (x86)\Common Files\Symantec Shared\HWID)

3. Remove the registry items “HardwareID” and “HOSTGUID” (located in HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\SYLINK\Sylink)

4. Set smc service to manual by setting the value of the item “Start” from 2 to 3 (located in HKLM\System\ControlSet001\services\SmcService)

5. Create a startup script which grabs the HWID-String in the personality.ini and copies it into the registry. Finally the script has to start the smc service again.

This has to be done each time before you seal the vDisk!

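I’ve created this script in PowerShell:

# Find the hwid line in personality.ini
$Match = Select-String -Pattern "hwid" -Path "c:\personality.ini"
# Strip everything up to and including "hwid", then the "=" sign
$Value = $Match -replace ".*hwid", ""
$HWID = $Value -replace "=", ""
# Write the value into the registry where the SMC service expects it
$RegKey = "HKLM:\Software\Symantec\Symantec Endpoint Protection\SMC\SYLINK\Sylink"
Set-ItemProperty -Path $RegKey -Name HardwareID -Value $HWID
Start-Sleep -Seconds 3
net start SmcService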

This solution always works. 🙂
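A stricter variant of the startup script in step 5, as an added example that is not the author's script: it accepts only a single line of the exact form `hwid=<32 hex digits>` before writing to the registry, and it starts the service even when that check fails. The function name `Get-HwidFromIni` is illustrative, and starting the service on failure is a design choice of this example, made because the service was set to manual start in step 4.

```powershell
# Added example (not the author's script). Get-HwidFromIni is an illustrative name.
function Get-HwidFromIni {
    param([string[]]$Lines)
    # Accept only lines of the exact form hwid=<value>; a key that merely
    # contains "hwid" (which a plain substring match would hit) is ignored.
    $found = @(foreach ($l in $Lines) {
        if ($l -match '^\s*hwid\s*=\s*(\S*)\s*$') { $Matches[1] }
    })
    if ($found.Count -ne 1) {
        throw "Expected exactly one hwid entry, found $($found.Count)"
    }
    if ($found[0] -notmatch '^[0-9a-f]{32}$') {
        throw "hwid is not 32 hexadecimal digits: '$($found[0])'"
    }
    return $found[0]
}

$IniPath = 'C:\personality.ini'
$RegKey  = 'HKLM:\Software\Symantec\Symantec Endpoint Protection\SMC\SYLINK\Sylink'

try {
    $hwid = Get-HwidFromIni -Lines (Get-Content -Path $IniPath -ErrorAction Stop)
    Set-ItemProperty -Path $RegKey -Name HardwareID -Value $hwid -ErrorAction Stop
} catch {
    # Nothing is written to the registry when the value is missing or malformed
    Write-Warning "HardwareID not set: $($_.Exception.Message)"
} finally {
    # Design choice of this example: the service is on manual start, so start it
    # in every case rather than leave the machine without a running client.
    Start-Service -Name SmcService
}
```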