When Symantec Endpoint Protection (SEP) is installed on client computers that run in a Citrix XenDesktop virtual desktop infrastructure (VDI), Early Launch Anti-Malware (ELAM) fails to stop bad drivers as expected.
ELAM loads at the very beginning of the Windows boot process, while the virtualization layer is still off. It loads before all other drivers, including the Citrix drivers, and before the private virtual disk (PvD) mounts. The PvD is where the differences between the master image and the user data reside. Therefore, the bad drivers load after ELAM has loaded, so ELAM is unable to detect them.
Since ELAM does not work as expected in the Citrix XenDesktop VDI, you should disable ELAM on XenDesktop VDI deployments via GPO.