By - Markus Zehnle

Install Trend Micro Deep Security Agent with Citrix Provisioning services

Today I want to write a short blog to show, how to install Trend Micro Deep Security agent on Citrix PVS target devices the proper way.

First make sure that you already set up a policy in Deep Security Manager (DSM) with the latest AV exclusions recommended by Citrix:

The configuration is pretty straight forward.
You just have to install the Deep Security Agent (DSA), do some configuration (see below) and make sure the agent will (re-)register itself during boot.

Below you will find the process with the scripts Iam actually using. Nevertheless when you copy&paste make sure you change the variables 🙂

1. Agent installation & configuration

Put your vDisk in maintenance mode (or use versioning if you’re brave) and install the DSA according to Trend Micros suggestions (here):

  • Install DSA
  • Stop the ‘ds_agent’ service and set the startup type to ‘manual’
  • Set the ‘ds_agent’ service to manual
    (you have to check in DSM that the machine you’re using for DSA installation have the rights to set the service to manual!)
  • Remove the files with the following extensions from $Env:ProgramData\Trend Micro\Deep Security Agent\ subdirs:
    • *.db
    • *.crt
    • *.ini
    • *.config
    • *.bin

B/C we are lazy guys, you can use the following Powershell script to execute all the steps mentioned above.
The script is based on the deployment script you can export in DSM. I slightly modified it according to my needs, make sure you change the variables accordingly…

# This code was created via DSM console, I just modified the code slightly to suit my needs (correct DSM server, x64 windows client, delete the files, etc):
# Attention: Make sure to change the variables according to your environment...

# FQDN to your Trend Micro Deep Security Manager
$DSMserver = "dsmserver.domain.tld:4119"

# Download x64 client from DSM server:

# Path for logfile
$env:LogPath = "$env:appdata\Trend Micro\Deep Security Agent\installer"

# InstallDir for DSA
$DSAInstallDir = "C:\Program Files (x86)\Trend Micro"

# Policy ID for your Citrix policy:
$DSAPolicyID = "34"

# Name of DS agent service
$DSAServiceName = "ds_agent"

New-Item -path $env:LogPath -type directory
Start-Transcript -path "$env:LogPath\dsa_deploy.log" -append

echo "$(Get-Date -format T) - DSA download started"
echo "$(Get-Date -format T) - Download Deep Security Agent Package" $DSAUrl

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
(New-Object System.Net.WebClient).DownloadFile($DSAUrl,  "$env:temp\agent.msi")

if ( (Get-Item "$env:temp\agent.msi").length -eq 0 ) {
echo "Failed to download the Deep Security Agent. Please check if the package is imported into the Deep Security Manager. "
 exit 1 }
echo "$(Get-Date -format T) - Downloaded File Size:" (Get-Item "$env:temp\agent.msi").length
echo "$(Get-Date -format T) - DSA install started, please be patient..."
echo &quot;$(Get-Date -format T) - Installer Exit Code:&quot; (Start-Process -FilePath msiexec -ArgumentList &quot;/i $env:temp\agent.msi /qn TARGETDIR=<code>&quot;$DSAInstallDir</code>&quot; ADDLOCAL=ALL /l*v <code>&quot;$env:LogPath\dsa_install.log</code>&quot;&quot; -Wait -PassThru).ExitCode
echo &quot;$(Get-Date -format T) - DSA activation started, this is going to take some time, please be patient&quot;
Start-Sleep -s 50
&amp; $DSAInstallDir&quot;\Deep Security Agent\dsa_control.cmd&quot; -r
&amp; $DSAInstallDir&quot;\Deep Security Agent\dsa_control.cmd&quot; -a dsm://$DSMServer/ &quot;policyid:$DSAPolicyID&quot;
echo &quot;$(Get-Date -format T) - DSA Deployment Finished&quot;

echo &quot;$(Get-Date -format T) - Stopping $DSAServiceName service and setting startup type to manual&quot;
While ((Get-Service -Name $DSAServiceName).Status -ne 'Stopped') {
    echo &quot;$(Get-Date -format T) -  $DSAServiceName service stopped, going to set startup type...&quot;
    Set-Service $DSAServiceName -StartupType Manual
    Start-Sleep 5

echo &quot;$(Get-Date -format T) - Removing some files according to manual...&quot;
Get-ChildItem &quot;$Env:ProgramData\Trend Micro\Deep Security Agent\&quot; -include *.db,*.crt,*.ini,*.config,*.bin -recurse | foreach ($_) {remove-item $_.fullname}

echo &quot;$(Get-Date -format T) - Script finished, good to go...&quot;

Now you can go ahead and seal the image like you always do (of course with the great BIS-F).


2. Deep Security Manager configuration

Doublecheck in DSM that you already configured the re-registration of the client, otherwise the agent registration will not work.
Go to “Administration > System Settings > Agents” and make sure the “Agent-initiated Activation” is configured like shown below:


3. GPO to start service and (re-)register agent

Because we have to start the service during boot I decided to use a GPO which will start the service and execute a Powershell script which is doing the (re-)registration of the agent.

Create a GPO (in my case “CTX_VDA_StartAndRegisterTMDSAgent”) with the following settings and link it to the OU with the VDAs:

To (re-)register the DSA against DSM you can use “RegisterDSAWithPolicy.ps1” I created:

    (Re-)Registers Trend Micro Deep Security Agent (DSA) against Trend Micro Deep Security Manager (DSM)
    This script will be fired up by a GPO called "CTX_VDA_StartAndRegisterTMDSAgent" and will (re-)register the DSA against the DSM.
    It will automatically assign the correct policy to the computer object
    Logfile, see $LogFile variable
    Double check that the variables suits your needs.
    Make sure the log file will be on a persistent drive.

    NAME: RegisterDSAWithPolicy.ps1
    VERSION: 1.00
    AUTHOR: Markus Zehnle
    LASTEDIT: 19.07.2017 #>
#region: variables
# Path to dsa_control.cmd
$DSAControl = '${env:ProgramFiles(x86)}\Trend Micro\Deep Security Agent\dsa_control.cmd'
# DeepSecurity Citrix Policy
$PolicyID = 'policyid:34'
# DeepSecurity Server
$DSServer = 'dsmserver.domain.tld:4120'
# ServiceName:
$ServiceName = "ds_agent"
# Local Logfile
$LogFile = "D:\LOG\tmdsaregistration.log"
# Computername
$ComputerName = $Env:computername
#endregion: variables
#region: magic
Write-Output "$(Get-Date): Start TrendMicro DeepSecurity Agent registration on $ComputerName" > $LogFile
Write-Output "$(Get-Date): --------------------------------------------------------------------" >> $LogFile
Write-Output "$(Get-Date):" >> $LogFile
Write-Output "$(Get-Date): Check if $ServiceName service is running:" >> $LogFile
While ((Get-Service -Name $ServiceName).Status -ne 'Running') {
    Write-Output "$(Get-Date):  $ServiceName service is not running, waiting until it starts..." >> $LogFile
    Start-Sleep 5
Write-Output "$(Get-Date): $ServiceName service is running, go ahead" >> $LogFile
Write-Output "$(Get-Date): " >> $LogFile
Write-Output "$(Get-Date): Check if $DSAControl exists:" >> $LogFile
If (Test-Path $DSAControl) {
    Write-Output "$(Get-Date): $DSAControl exists, lets fire up registration!" >> $LogFile
    Write-Output "$(Get-Date):" >> $LogFile
    Write-Output "$(Get-Date): $DSAControl -a dsm://$DSServer/ $PolicyID" >> $LogFile
    & $DSAControl -a dsm://$DSServer/ $PolicyID >> $LogFile
} else {
    Write-Output "$(Get-Date):" >> $LogFile
    Write-Output "$(Get-Date): No $DSAControl found! Script will Exit" >> $LogFile
Write-Output "$(Get-Date):" >> $LogFile
Write-Output "$(Get-Date): TrendMicro DeepSecurity Agent registration finished" >> $LogFile
#endregion: magic

As usual: Use your brain before putting my scripts in your environment!


Leave a Reply

Your email address will not be published.