This article describes the recommended steps when setting up Windows Endpoints for use in virtual desktop environments. These guidelines have been set to avoid customers experiencing abnormal behaviour within their Virtual Desktop Infrastructure.
Applies to the following Sophos products and versions: Central Endpoint Advanced 11.5.11, Central Endpoint Standard 11.5.11
Follow the golden image creation article, including repeating it every time the golden image is updated: Sophos Central Endpoint: How to install on a gold image to avoid duplicate identities
We have created a script which you can set to run on shutdown so that these steps are completed each time the gold image is amended. Please note: if this isn’t followed, we will successfully de-duplicate clones; however, administrators will see alerts telling them to follow the above knowledge base article, and a new entry in Central will appear for each re-registered device.
We strongly recommend using Central Intercept X Advanced to give suitable protection for devices: both the Endpoint Protection and Intercept X components.
We advise that you use controlled updates, preferably the “Control Updates Manually” option, as it allows the golden image to be updated and tested in advance of the normal instances.
Have a fixed pool of device names (i.e. not a unique name for every instance created; new instances reuse names used by previously terminated instances). The pool size should correspond to the maximum number of concurrent instances expected.
Note that instances will appear as servers or computers based on the OS variant used; specifically, server operating systems running a desktop user experience will still appear as servers. They will contribute to server license usage and use server policies.
Sophos Central has a connector for Azure-hosted devices. As well as identifying unprotected devices, this allows the removal of terminated instances. Removing entries can help avoid large numbers building up in the Central admin interface, particularly if there isn’t a fixed name pool.
If a detection happens on an instance called Instance1, and that instance is terminated and replaced with a new instance with the same name, a cleanup failure alert will likely be seen in Sophos Central, as Central has not received a “cleanup successful” message and cannot tell that the original detection is no longer pertinent.