This knowledge base article describes the recommended steps for setting up Windows endpoints for use in virtual desktop environments. These guidelines are intended to help customers avoid abnormal behavior within their Virtual Desktop Infrastructure (VDI). The following sections are covered:
Applies to the following Sophos products and versions: Central Endpoint Advanced 11.5.11, Central Endpoint Standard 11.5.11
Follow the KBA Sophos Central Endpoint: How to install on a gold image to avoid duplicate identities, and repeat it every time the golden image is updated.
We have created a script that you can set to run on shutdown so that these steps are completed each time the gold image is amended. Note: If this is not followed, clones will still be de-duplicated successfully; however, administrators will see alerts telling them to follow the above knowledge base article, and a new entry will appear in Sophos Central for each re-registered device.
It is strongly recommended to use Central Intercept X Advanced so that devices are protected by both the Endpoint Protection and Intercept X components.
It is highly advised that controlled updates are used, preferably the Control updates manually option, as it allows the golden image to be updated and tested in advance of the normal instances.
Have a fixed pool of device names (i.e. not a unique name for every instance created; new instances reuse names used by previously terminated instances). The pool size should correspond to the maximum number of concurrent instances expected.
Note that instances will appear as servers or computers based on the OS variant used; specifically, server operating systems running a desktop user experience will still appear as servers. They will contribute to server license usage and use server policies.
Sophos Central has a connector for Azure-hosted devices and can identify unprotected devices, which allows terminated instances to be removed. Removing these entries helps avoid large numbers of stale devices building up in the Central admin interface, particularly if there is no fixed name pool.
Using the gold image preparation script registers a device as a new device, so the base policy will be assigned. For persistent VDIs you can manually assign the device to a group; however, a non-persistent VDI will always register as a new device, so the base policy will be applied.
For these instances, it is suggested that the base policy is used.
If a detection happens on an instance called Instance1, and that instance is terminated and replaced with a new instance of the same name, a cleanup failure alert will likely be seen in Sophos Central, because Central has not received a successful cleanup message for the original detection and cannot tell that it is no longer pertinent.