Citrix PVS prep script for Sophos

Some of you will know that Sophos is my, ahem, favourite Sophosanti-virus product.  However it was the product of choice at the time (they are now moving to McAfee) for a large school district I deal with hence I had no choice but to remain acquainted with it irrespective of it’s poor performance (Sophos have advised to leave real-time scanning *off* for performance reasons?!?), it’s poor management console (customer had to write their own deployment scripts for reliable deployment) and poor customer service from Sophos.

I wrote a small script to prepare Sophos for PVS deployment on XenApp and XenDesktop machines, run this script just prior to shutting down your Private mode image and switching back to Standard.

@echo off
REM Script by Daniel Marsh
REM run at shutdown to prep Sophos on Citrix XenApp/VDI machines.
REM refer to

net stop "Sophos Agent"
net stop "Sophos Anti-Virus"
net stop "Sophos Anti-Virus status reporter"
net stop "Sophos AutoUpdate Service"
net stop "Sophos Message Router"
net stop "Sophos Web Control Service"
net stop "Sophos Web Intelligence Service"

del C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt

reg delete "HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private" /v pkp /f
reg delete "HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private" /v pkc /f
reg delete "HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private" /v pkp /f
reg delete "HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private" /v pkc /f

When I have a spare few minutes I may even see if I can another feature – it could be run via GPO as a machine shutdown script that only executes if the image is in private mode, which would save you having to run it manually.  I haven’t figured out how to do this yet, if you do know please drop me a comment below.

Refer to for more detail on what each key/service etc does.

5 thoughts on “Citrix PVS prep script for Sophos

  1. hello, do you have any experience installing sophos central server on an PVS Master Template( W2012 R2)? i made a new Version and launched the SophosInstaller but then my Master crashes. is it a requirement that my vDisk is in private Mode?not just a new Version with maintenance Mode?

    kind regards,

  2. Thanks for this article. I’ve written something similar in our environment. Wish id come across this earlier.

    Is there a way to redirect the Sophos updates & signatures directory to the write cache drive?

    I also make sure the services are reconfigured to auto start below:

    PowerShell Set-Service ‘Sophos Agent’ -startuptype “”Automatic””
    sc config “SAVService” start= auto
    sc config “SAVAdminService” start= auto
    sc config “Sophos AutoUpdate Service” start= auto
    sc config “Sophos Message Router” start= auto
    sc config “Sophos Web Control Service” start= auto
    sc config “swi_service” start= auto

  3. We’ve been using this WMI query on GPPs to determine if a vDisk is in private/maintenance mode versus test/production to prevent Windows Update and other services from being enabled where they don’t make sense, but it’s easily translatable to PowerShell scripting. This is a WMI class intended for ConfigMgr, but it seems to work irrespective of if you have it installed or not.

    Private/Maintenance mode:
    NameSpace: Root\citrix\desktopinformation
    Query: SELECT * FROM Citrix_VirtualDesktopInfo WHERE OSChangesPersist=TRUE

    Test/Production mode:
    NameSpace: Root\citrix\desktopinformation
    Query: SELECT * FROM Citrix_VirtualDesktopInfo WHERE OSChangesPersist=FALSE

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s