Sophos Central - VDI non-persistent Desktops "An attempt to protect a computer failed"

Question

Starting on Jan 17th, 2023, we started receiving alerts from Sophos Central randomly for various VDI desktops. Originally, my thought was the version of Sophos running on the VDIs needed to be updated, but that didn't resolve the issue. Essentially, if we use the legacy option of the "golden image prep" or the new switch, both seems to break updates. Not sure why it started on that date, but curious if anyone else in the community has this issue. 
 What we'll see in Sophos Central is that any new VDI desktop will show it is connect, but after about 1 hour, it will change to "Failed to Protect". The odd part is the Sophos "Update" button doesn't work and the update date never changes from the "golden image". It is connecting to Sophos Central, as we'll see an updated comment, but it doesn't appear to be updating. 
 Originally, we also were seeing 503 errors on our clients, when connecting, and that seems to have resolved itself. We did make a change on our Message Relay server, increasing the TCP connections, which may have helped. However, it still remains an issue of any new desktops failing to update. 
 Curious if anyone else in the community has had any issues? 
 Chris

Christopher Wolf · Accepted Answer

Resolution: You need to make sure you keep Sophos Endpoint Defense Service running when making the golden image. Currently, I was stopping this service, since it was causing the Sophos MCS Client service to startup again, and breaking the image. I've modified our optimization script to check and see if the Sophos MCS Client service is running, and if it is, will stop the service and then shutdown. 
 Currently, for our deployment, we have two methods that work the best: 
 
 Use the --goldenimage switch, making sure that Sophos MCS Client is stopped and set to manual. Then have VMware Horizon start the service via post deployment script 
 Include the Sophos installer in the golden image and have VMware Horizon run a silent install script via the post deployment script. 
 
 Sophos Support stated that VMware Horizon Instant clones are only supported via the legacy script; however, this script isn't an option for us. We have MDR and if you use that script everything will default to "intercept x" only, and you have no MDR option. 
 Summary: Only disable the Sophos MCS Client service, and make sure you do that at the very end of your optimization script. 
 Chris

Qoosh · Answer

Hi Christopher , 
 It sounds like you're experiencing the issue detailed in the following article. - Failed to protect computer or server alerts in Sophos Central

Sophos Central - VDI non-persistent Desktops "An attempt to protect a computer failed"

Top Replies