Starting on Jan 17th, 2023, we started receiving alerts from Sophos Central randomly for various VDI desktops. Originally, my thought was the version of Sophos running on the VDIs needed to be updated, but that didn't resolve the issue. Essentially, if we use the legacy option of the "golden image prep" or the new switch, both seem to break updates. Not sure why it started on that date, but curious if anyone else in the community has this issue.
What we'll see in Sophos Central is that any new VDI desktop will show it is connected, but after about 1 hour, it will change to "Failed to Protect". The odd part is the Sophos "Update" button doesn't work and the update date never changes from the "golden image". It is connecting to Sophos Central, as we'll see an updated comment, but it doesn't appear to be updating.
Originally, we also were seeing 503 errors on our clients, when connecting, and that seems to have resolved itself. We did make a change on our Message Relay server, increasing the TCP connections, which may have helped. However, it still remains an issue of any new desktops failing to update.
Curious if anyone else in the community has had any issues?
It sounds like you're experiencing the issue detailed in the following article: Failed to protect computer or server alerts in Sophos Central
Sounds like the same issue, although I'm in a different region.
I assume this must have just been released today (Feb 1st)? I did reinstall the latest version of Sophos that was available on Jan 31st and still had the issue. I'll have to check the versions on my golden image and confirm I'm running AutoUpdate 6.14.839. What is really odd is the Update button not working, but that could explain why it wasn't working.
Opened a ticket with Sophos support last week in regards to this issue, glad I posted it also in the forum, as this may be the overall issue.
I did another test today, and found that even though I'm running Core 2220.127.116.11 and it shows AutoUpdate 6.14.839 installed, I'm still having the same issue. So I believe this must still be a work in progress.
For now, my workaround is to have Sophos deployed via a startup script on each non-persistent VDI. This does put a performance hit on my system, since it has to do a full install and download, compared to communicating and doing an update.
Following up again today, in case anyone else is following this thread or has a similar issue.
As of today (Feb 6, 2023), the issue still persists. We are running VMware Horizon using Instant Clones. Sophos support recommends using the legacy method for the base image, which doesn't resolve the issue. Currently, we are experiencing the following:
1. The "Update" button in Sophos doesn't work.
2. Sophos Central will show the non-persistent VDI desktop is "Re-protected", but after an hour, will have a message "Failed to Protect".
This is very similar to the article listed by Qoosh; however, I'm in a different region. So far, my alternative method has been working, but it is adding additional load to the system.
When you originally began seeing these alerts, did checking locally on the systems show any component installation failures or errors in the Endpoint Self Help tool?
There are no errors, but working with Sophos support we believe the issue is with the Endpoint Defense Service.
I'm working on recreating the script we're using and having it check and stop the Sophos MCS service at the very end of the script.
Resolution: You need to make sure you keep Sophos Endpoint Defense Service running when making the golden image. Currently, I was stopping this service, since it was causing the Sophos MCS Client service to start up again, and breaking the image. I've modified our optimization script to check and see if the Sophos MCS Client service is running, and if it is, will stop the service and then shut down.
Currently, for our deployment, we have two methods that work the best:
Sophos Support stated that VMware Horizon Instant clones are only supported via the legacy script; however, this script isn't an option for us. We have MDR and if you use that script everything will default to "intercept x" only, and you have no MDR option.
Summary: Only disable the Sophos MCS Client service, and make sure you do that at the very end of your optimization script.
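An added example (not the poster's actual script, and not Sophos-provided code) of the final step described in the resolution above: confirm Sophos Endpoint Defense Service is still running, stop only Sophos MCS Client, verify it stays stopped, then shut down. The service display names are taken as written in this thread; the function name, its parameters and the wait and retry values are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not the poster's script. Run as the LAST step of image prep.
# Display names are as written in the thread; confirm with Get-Service.
$McsName     = 'Sophos MCS Client'
$DefenseName = 'Sophos Endpoint Defense Service'

function Invoke-GoldenImageSeal {        # hypothetical helper name
    param(
        [int]$SettleSeconds = 15,        # assumed wait to catch a restart
        [int]$MaxAttempts   = 3,         # assumed retry limit
        [switch]$SkipShutdown            # check only, leave the VM running
    )

    # Endpoint Defense must still be running when the image is captured.
    $defense = Get-Service -DisplayName $DefenseName -ErrorAction Stop
    if ($defense.Status -ne 'Running') {
        throw "'$DefenseName' is $($defense.Status); it must be running in the golden image."
    }

    $mcs = Get-Service -DisplayName $McsName -ErrorAction Stop
    $sealed = $false
    for ($attempt = 1; $attempt -le $MaxAttempts -and -not $sealed; $attempt++) {
        if ($mcs.Status -ne 'Stopped') {
            Write-Host "Attempt ${attempt}: stopping '$McsName'"
            Stop-Service -InputObject $mcs -Force -ErrorAction Stop
        }
        # Re-check after a pause in case the service was started again.
        Start-Sleep -Seconds $SettleSeconds
        $mcs.Refresh()
        $sealed = ($mcs.Status -eq 'Stopped')
    }
    if (-not $sealed) {
        throw "'$McsName' keeps restarting; not shutting down a broken image."
    }

    # Endpoint Defense must not have been stopped as a side effect.
    $defense.Refresh()
    if ($defense.Status -ne 'Running') {
        throw "'$DefenseName' stopped during sealing; fix before capture."
    }

    if (-not $SkipShutdown) { Stop-Computer -Force }
}

Invoke-GoldenImageSeal   # shuts the VM down once all checks pass
```

Run it with `-SkipShutdown` first to confirm the service states on the image without powering it off.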