Trend Micro Deep Security 9.5 ( Citrix VDI Environment-Agent Protection ) – Part 11.

Pls check my previous blogs for the DSM , Relay Server , vShield End Point , Filter Driver ,DSVA, DSA , SSP Server , Policies and Exclusions , Events and Monitoring and VMtools . In this blog we can see the Trend DPM with Pure Citrix VDI Enivronment.

Citrix XenDeskop

Deep Security Virtual Appliance (Agentless) does not work with a pure Citrix environment (ie. VMs running on Citrix XenServer).

For these environments, the physical agent based solution is recommended. Install the Agents in the Master Golden Image (deactivated mode) and then perform Agent based activation in the provisioning process. We can mention the policy in the script or use an Event Based Task to assign the correct policy based on the attributes available (I.e. Computer Name).

Steps to setup the Master Golden Image.

We need to install an un-activated Deep Security Agent on the Golden Image in the Citrix Xen Server environment and uninstall any other 3rd party anti-malware software from the Golden Image as this will cause scan contentions and Trend will take care of the Anti-Virus Windows Notification.


In the Golden Image set the Environment Variables so that dsa_control will consider as the internal command.


Once the Master Golden Image is setup and ready , We need to create the New VM using the Machine Catalog in the Citrix Studio .


Pls check how to enable the activation for the new vm using the Active Directory integration in Trend DSM . We have the option called Event-Based Tasks and look the  Activating the Event-Based Tasks blog for the steps.

If we dont have the AD integration with the OU folder structure in Trend DSM then we can get the command to activate the agent from the DPM – Help – Deployment Script option by selecting the appropriate Policy , Computer Group and the Relay Group. By having the BAT file in the GPO logon script , agent can be activated .


Before configuring it in the login script we can test the activation using the below command.

Pls note command have to be run in CMD prompt with runas Administrator.

c:\Program Files\Trend Micro\Deep Security Agent > dsa_control -a dsm:// (DSM IP address or hostname). “policyid:NO”

To Automate the same we can use a login script and copy the command in to the batch file and apply it to the appropriate OU in the Group Policy as the user logon script or use SCCM and target the service installed to run the command so that it wont be applied to the other VMs.

In case if the user doesn’t have the administrator rights on the new VMs and there is no SCCM is used in the environment then we can use the tool called CPAU to activate the agent. This eliminates the need to grant administrator privileges to users who need to activate DSAs on their machines but are being prompted for a username and password.

To create a login script, use a third-party program called CPAU. This tool can encrypt the user’s credentials.

  1. Download CPAU.
  2. Extract CPAU.exe to the desired folder. Take note of the location.
  3. Open the command prompt and go to the location of CPAU.exe.
  4. Run the following command to create an encrypted profile to be used for the login script:

cpau -u <domain\username> -p <password> -ex <“…installation directory\dsa_control.cmd /a dsm://<IP address / hostname>:4120/” -file <filename.txt> -enc

For example:

cpau -u dc4esxi \Administrator -p P@ssw0rd -ex “C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.exe /a dsm://” -file dsa_init.txt –enc

In the example above:

  • ‘dc4esxi\administrator’ is the user which has Domain administrator privilege
  • ‘P@ssw0rd‘ is the password
  • ‘C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.exe /a dsm://’ is the DSM IP address or hostname
  • ‘dsa_init.txt’ is the encrypted file to be used for the login script


5.  Create a login script based on the information below and save it as a BAT file. For example: dsa_logon.bat.

\\ad-dsm\SYSVOL\\cpau -dec -file “\\ad-dsm\SYSVOL\\dsa_init.txt” -hide


  • ad-dsm is the Active Directory server
  • com is the domain
  • txt is the encrypted file
  1. Add the login script by following the procedure in these articles:
  1. Copy the CPAU.exe and dsa_init.txt file to the Active directory location:

\\<active directory server>\sysvol\<domain>

For example: \\ad-dsm\SYSVOL\\

DSA activation will initiate once users log on to their machines.

Once the Login Script is set , When user login in to the New VM , It will initiate the agent activation and in the Trend Console we can notice the New computer is activated with the appropriate policy .

Deep Security Agent and the Citrix target device driver

On Citrix PVS 6.0 Environment, if you plan on installing (In-Guest) Deep Security Agent, the Citrix Target device driver may not be able to connect successfully to the Provisioning Server due to a possible conflict.

Pls note on Machine creation services environment no need to do the below steps.

If you plan on installing Deep Security Agent on a Windows operating system that is connected to a PVS server using disk provisioning, the temporary workaround is to change the tbimdsa driver loading order during system startup from PNP_TDI to NDIS.

To do so, manually change the loading order of tbimdsa driver used by Deep Security Agent.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tbimdsa

Add or modify String “Group” Value to: NDIS

Add or modify DWORD “Start” Value to: 0

By changing the (Group) from PNP_TDI to NDIS and Start value from 3 to 0, it allows tbimdsa driver to load after Citrix driver has loaded.

Reboot the machine and the PVS Target Device will be able to connect to the vDisk upon boot-up.

Reference :

Pls check for my Next Blog VDI in ESX Environment ( Agentless)

This entry was posted in Trend Micro Deep Security and tagged , , , , . Bookmark the permalink.

1 Response to Trend Micro Deep Security 9.5 ( Citrix VDI Environment-Agent Protection ) – Part 11.

  1. Gearmesh says:

    It says:
    Deep Security Virtual Appliance (Agentless) does not work with a pure Citrix environment (ie. VMs running on Citrix XenServer).
    So does that mean it will work in a XenDesktop vSphere environment?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s