For debugging purposes, support needs to collect Windows Software Trace Preprocessor (WPP) logs from a computer, but the system in question is a non-persistent virtual device and log files must be collected before login or are lost at shutdown.

No specific errors. WPP logging is generally captured in instances where the normal product error messages and logs are insufficient for troubleshooting.

Symantec Endpoint Protection
Any non-persistent virtual device environment (Citrix, VMWare, Microsoft App-V, etc)

WPP capture is needed at system startup or shutdown, so the SymDiag tool cannot be used.

This requires a persistent disk attached to the NPVDI, and changes made to the registry on the NPVDI image. You must also create a symbolic link on the NPVDI image. These instructions assume that the persistent disk is mapped to D.  

Before making any changes, you must disable Tamper Protection and stop the Endpoint Protection client services with the smc -stop command.

After disabling Tamper Protection, follow the steps in TECH171176, Enable debugging with WPP logs for Endpoint Protection clients, but do not start the client services with smc -start after making the registry changes.

Once you have made the registry changes to enable WPP logging, you will need to create a folder on your persistent disk to hold the logs and create a symbolic link from the current log location to the new log location.

1. Rename C:\ProgramData\Symantec\Symantec Endpoint Protection\<version number\Data folder to Logs.old
2. Make a folder on the D drive named Redirect, or any name you like
3. From an elevated (Run as Administrator) command line, create a symbolic directory link for a new Logs folder and point it to the D drive, like:

mklink /d C:\ProgramData\Symantec\Symantec Endpoint Protection\<version number\Data\Logs D:\Redirect

At this point, you would write these changes back to your NPVDI image master, or to a new image master for testing. If you write these changes to your baseline image, you will need to remove the Logs symbolic link and revert the Logs.old folder name change after collecting data.

After a reboot, you should see all of our logs being written to D:\Redirect, including the SEPAutoTraceSession_<date>_<time>.etl file that contains the WPP logs.

At that point, reproduce the issue, collect the contents of the D:\Redirect folder, and submit them to the case.