Trend Deep Security 11 – Non-persistent VDI/VDA/Citrix

Trend Micro Deep Security

This article is intended for engineers that understand a non-persistent VDI environment and  Trend Micro Deep Security.  This information is for Deep Security version 11, but it may be applicable to other versions.  It has not been tested with other versions.  This information may become outdated with new releases of Deep Security.

The method in this article will allow you to update Trend Micro Deep Security on your golden image without the need to do a complete reinstall of the agent.


  • Non-persistent Session Hosts are not activating in the DSM
  • Non-persistent Session Hosts keep rebooting to complete module installation
  • Non-persistent Session Hosts take on the hostname of the golden image in the DSM

I am not going into all configurations needed to get Trend Micro Deep Security up and running, the basics are covered in the documentation.

I have found that there are  missing components in the installation guides provided by Trend Micro.  Most of the information can be found in KB articles or are inferred in those articles.  My purpose is to consolidate some of this information.

By reading the documentation it seems that the PowerShell script provided from the DSM and checking the settings in the DSM to allow agents to re-register, Policies and Event Actions etc, would be all that is needed in a non-persistent environment. But this is not the case.

First, and contrary to some of the documentation (at the time of this writing), you do want to run the PowerShell script provided in the DSM against your golden image.  Let the DS agent activate and install the necessary modules.  Reboot the golden image to let the module installation complete.

Do not create a group policy object to push the PowerShell installation script to your session hosts.  This will cause a reboot loop as the agent modules update.

Create a computer GPO for your session hosts with a startup script containing a batch file that will do 2 things.

  1. Reset the Trend Deep Security Agent activation
  2. Send a new activation request to the DSM

This is required because the non-persistent session host has the configuration on the agent from your golden image.  If you do not reset the agent, it will take on the name of the golden image in the DSM. Sending a new activation request to the DSM will properly setup the session host.

Here is an example script you can put in your computer startup GPO batch file.

"C:\Program Files\Trend Micro\Deep Security Agent\dsa_control" -r & "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control" -a "dsm://FQDN_of_your_dsm:4120/"
  • The first part resets the DS Agent.
  • The second part re-registers the agent to the DSM.

Don’t forget the “&” between the commands or the second command will not run.

The quotes are required if there are spaces in the file path.

You may want to put a timeout command at the beginning of the script that will wait to process the commands.  This is needed if your session host takes a long time to start the DS Agent services. 

For Instance, use TIMEOUT 20, which will pause the script for 20 seconds before executing. If your agent services start up fast, don’t worry about using the TIMEOUT command. 


The DSM installer does not open all the needed firewall ports on the server.  However, it does open all ports specifically for the DSM application. But it doesn’t allow other TCP communications from the agent.

Open these inbound ports on the DSM server:

  • 4120 TCP
  • 4122 TCP
  • 4119 TCP (remote web console)

DS Notifier

If you do not want users to see alerts from the agent, change your PowerShell script before running it against the golden image.  This prevents installation of the DS Notifier.

Change this line:

echo "$(Get-Date -format T) - Installer Exit Code:" (Start-Process -FilePath msiexec -ArgumentList "/i $env:temp\agent.msi /qn ADDLOCAL=ALL /l*v `"$env:LogPath\dsa_install.log`"" -Wait -PassThru).ExitCode

Update the ADDLOCAL=ALL to ADDLOCAL=MainApplication

It will now look like this:

echo "$(Get-Date -format T) - Installer Exit Code:" (Start-Process -FilePath msiexec -ArgumentList "/i $env:temp\agent.msi /qn ADDLOCAL=MainApplication /l*v `"$env:LogPath\dsa_install.log`"" -Wait -PassThru).ExitCode

I hope this information helps prevent frustration for other engineers. 

If you need business technology assistance, send an email to or call 502.791.6093.

Visit or for information about our services.

Leave a Reply