Re-imaged PCs - Behaviour in Sophos Enterprise Console

Recently I began noticing that the number of connected machines reported back in the Sophos Enterprise Console started to drop and began to investigate.

I discovered that the machines in some of the group folders had red crosses next to them and had not updated since a certain date, that date being when they were previously re-imaged.

To get them up-to-date again I had to select them all and click on the Protect Computers Wizard.

My question is this, if we have the machines in SEC and we want to re-image them, what do we need to do?

Thanks

Ian

  • Hello Ian,

    some computer that was previously protected and had the OS reinstalled (I deliberately avoid the term re-imaged for now) should in its new incarnation report as it did before.

    That Protect causes it to re-report (forgive the bad pun) suggests that they were re-imaged from a common (and perhaps incorrectly built) image, they all would report as the same computer but a Protect from the console would subsequently "unfold" them.

  • In reply to QC:

    Thanks QC.

  • In reply to Ian Doyle:

    Hello Ian,

    don't mention it. But does this mean you are using an image? If so please see this How to prepare and this Incorporating article.

    Christian

  • In reply to QC:

    Hi Christian, yes we are using an image and from what I've read here at the community I can also confirm that we have the 'multiple clients with the same Remote Management System address' issue.

    I will follow the instructions you have posted here to ensure that we prepare the Endpoint for inclusion in a disk image.

    Once this is done, what will happen when we re-image the machines within a group container?  Will they auto-connect again if we give them the same name?

  • In reply to Ian Doyle:

    Hello Ian,

    there's a matching algorithm which takes several attributes into account. Name, domain, platform/OS matching: the computer is considered the same and it's assumed that SAV/SESC has been reinstalled. Identity/address, OS matching: it's assumed the computer has been renamed. An OS "mismatch" (e.g. XP vs. Windows 7) causes a new computer (with the same name) to be added.

    Christian

  • In reply to QC:

    In the affected group container, those computer names which had been re-imaged (Win7 to Win10) still exist but have red crosses next to them.  I couldn't see any new computers in the SEC so I just go through the Protect Computer Wizard again and then they turn green and show as up to date.

  • In reply to Ian Doyle:

    Hello Ian,

    when a computer is shut down RMS disconnects, in the console you get the red cross. One possible subsequent scenario is: You take the image after Sophos has been fully installed and the endpoint registered (and thus obtained an identity). The first re-imaged computer "takes over" the old entry (same name and domain/workgroup). The next one presents the same identity, the computer in the console changes its name. Same for all others, you'll have one computer which constantly changes its name and IP and accumulates all alerts, errors, and events. The seeming rename does not affect other old computer objects (thus there's likely always a duplicate).
    Protect causes a re-initialization of RMS, creating a new identity for the computer. At this point it is matched against existing old computers. Consequently the old ones "come alive" again. That you can Protect them suggests they can be found on the network with their old name, IP isn't a discriminating attribute though. As said, when an endpoint connecting with a known identity connects, a rename is assumed and it's not considered as "new" or reinstalled.

    Christian
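
The matching behaviour described in the replies above, as an added example that is not part of the original thread and not Sophos code: a simplified Python model of the console's matching rules, run once with an identity baked into the image and once with a fresh identity per machine. The `Entry` fields, the rule order (identity before name), the computer names and the identity strings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    """One computer object in the console (simplified, hypothetical model)."""
    name: str
    domain: str
    os: str
    identity: str
    connected: bool = False  # False corresponds to the red cross

def report(console, name, domain, os, identity):
    """Apply the matching rules described in the thread to one endpoint report."""
    # Known identity and same OS: assumed to be a renamed computer.
    # Checking identity before name is an assumption taken from the described behaviour.
    for e in console:
        if e.identity == identity and e.os == os:
            outcome = "same" if e.name == name else "rename"
            e.name, e.domain, e.connected = name, domain, True
            return outcome
    # Same name, domain and OS: assumed to be a reinstall; entry gets the new identity.
    for e in console:
        if (e.name, e.domain, e.os) == (name, domain, os):
            e.identity, e.connected = identity, True
            return "reinstall"
    # Anything else, including an OS mismatch, is added as a new computer.
    console.append(Entry(name, domain, os, identity, True))
    return "new"

def simulate(identities, os="Windows 10"):
    """Re-image PC01..PC03 (constructed names) and let each report its identity."""
    console = [Entry(f"PC0{i}", "LAB", "Windows 10", f"old-{i}") for i in (1, 2, 3)]
    outcomes = [report(console, f"PC0{i}", "LAB", os, ident)
                for i, ident in zip((1, 2, 3), identities)]
    return outcomes, console

def connected(console):
    """Names of the entries that currently show as connected."""
    return sorted(e.name for e in console if e.connected)

if __name__ == "__main__":
    # Identity baked into the image: one entry keeps changing its name.
    cloned, c1 = simulate(["img-id"] * 3)
    print(cloned, connected(c1))
    # Identity created per machine after imaging (prepared image, or Protect).
    fresh, c2 = simulate(["id-a", "id-b", "id-c"])
    print(fresh, connected(c2))
```

With the shared identity only one console entry is ever connected and the remaining old entries keep their red crosses; with one identity per machine each old entry is taken over by its re-imaged computer.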

  • In reply to QC:

    Thanks Christian, all understood.