VDI Master Image Prep

Hi! New Sophos central user here.

I'm following the guide @ https://community.sophos.com/kb/en-us/120560 to prep my master images.

Am I right in thinking this needs to be done every single time an image is updated? Presumably if I fire up an image just to do a simple take like updating Chrome, the MCS service will start and re-create all the settings that were cleared.

This could add quite a lot of time/work if it has to be done every time an image is booted up.

  • Hi Rick Waddington,

    It depends on the type of VDI that you have. 

    In case you are using persistence VDI - this would not be required as the changes made in it will be retained.

    In case you are using Non-persistence VDI - Yes, the above mentioned KBA needs to be followed if the MCS services are in the started state. However, you may try having the MCS services in the disabled state while making the required changes and then set services in stop state once you are done. This way once you fire up the image again it will automatically start the MCS services. This is something that is not officially documented but logically should work.

    Please do let us know if that works. 

  • In reply to Gowtham Mani:

    Hi,

    I tried setting the service to disabled and then using a script to set it back to auto on first boot but that hasn't worked. Looks like tamper prevention is preventing the script from changing the service start type.

    The only other way I can see is to have it in auto delayed start and then when I need to modify the image hope I can change it to disabled before it starts up. Is this what you mean?

    Rick

  • In reply to Rick Waddington:

    Hi Rick Waddington,

    Smart work in churning a script to get the job done, Can you please try disabling Tamper protection via policy when you are making changes to the gold image?

  • In reply to Gowtham Mani:

    Hi!

    I do disable tamper protection on the gold image anyway but it gets re-enabled when the clone boots up which stops the script from changing the service startup type.

    Rick

  • In reply to Rick Waddington:

    Hi Rick Waddington,

    In that case, we need to disable the MCS agent too. In short, it would be efficient in following up the KBA after each change.  

  • In reply to Gowtham Mani:

    Having followed the KB process a few times I can now do it pretty quickly anyway so I'll just stick with that.