Golden Image problems

i have installed Sophos on my Golden Image (Citrix Terminalserver) and followed this instruction:

Some machines get errors, see attachments........
But the Gold Image (CTXVAAT-MAINT) is green in my console.
How can i solve that?


Parents Reply Children
  • Like described in the article of the knowledgebase the problem is solved.
    I have newly installed Sophos on my Golden Image but the problem still occur :-(

  • If you use the command line option:

    --traillogging the Central Installer as mentioned here:
    Installer command-line options for Windows - Sophos Central Partner
    Then run the installer it will have a little more information in the installer log. Maybe you can share the log?

    The good news is, looking at the command line options for the installer, there appears to be 2 new options:

    • goldimage
    • goldimagetimeout

    Apparently it needs the new MCS version which is starting rollout very soon, but this automates all the steps in the gold image article.  So that will be a nice addition.

  • Thanks.....i have installed ophos with the parameter and attached all logs i have

  • Sorry I think I misunderstood slightly. So the issues you have are with existing installed computers rather than new installs.

    If new installs are working for fresh computers, the --traillogging switch to, which will log more info to the Sophos Central installer log, found here:


    May not help but it is useful for failing new installs.

    If there are deployed clients with issues, the problem might lie with the file "Endpoint.jwt" under: "C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\"

    Note: Tamper will need to be disabled to browse to that location in Explorer if UAC is on, you can navigate to the location with an admin prompt if Tamper is still enabled.

    This jwt file is used by AutoUpdate to update and needs a valid tenant ID and the endpoint id should be that of the client.

    So part of identity strip steps so "childs" of the image, that file should ideally be removed I suspect so when MCS requests a new jwt the endpoint id is correct.

    So the MCSClient.log might be of most interest here, you did provide one which shows:


    Line 43: 2022-05-17T08:06:25.153Z [ 8548: 8580] E Authentication token file is invalid, error: No such node (features)

    Line 51: 2022-05-17T08:06:25.916Z [ 8548: 8656] I POST

    Line 56: 2022-05-17T08:06:26.258Z [ 8548: 8656] I Authentication token expires at 2022-05-18T08:05:26Z

    The first time the jwt was checked by mcsclient.exe the token didn't have any features, these would be required that would cause a problem as you are seeing.

    I think you should see at least every hour, lines:
    Authentication token expires
    in the mcsclient.log as the new jwt is requested as they only last 24 hours.

    I would try initially:
    1. disable Tamper on a failing client.
    2. delete the .jwt file.
    3. restart the MCS client service.
    4. hopefully a new jwt file is created.
    5. try "update now", do you still get the 403 errors?

    If so I suspect there is something wrong with the contents of the jwt, either the features are wrong or the endpoint id doesn't match.  

  • Thanks.
    Yesterday i deleted all my terminalserver from the Sophos console and after that i reinstalled Sophos on my Gold Image CTXVABDF-Maint.
    After the installation the status of the Gold Image was green. Then i run the Gold Image skript.....
    Today i have the following:
    Some terminalservers are ok, some not. All servers bootet from the same Gold Image via provisioning.


    18.05.2022 02:49
    Server konnte nicht geschützt werden: ctxvabdf01
    Letzte Agent-Aktualisierung
    vor 3 Tagen Aktualisierung fehlgeschlagen Jetzt aktualisieren
    I don't understand that some servers are ok and some not. All servers bootet from the same image.......