Starting on Jan 17th, 2023, we started receiving alerts from Sophos Central randomly for various VDI desktops. Originally, my thought was the version of Sophos running on the VDIs needed to be updated, but that didn't resolve the issue. Essentially, if we use the legacy option of the "golden image prep" or the new switch, both seem to break updates. Not sure why it started on that date, but curious if anyone else in the community has this issue.
What we'll see in Sophos Central is that any new VDI desktop will show it is connected, but after about 1 hour, it will change to "Failed to Protect". The odd part is the Sophos "Update" button doesn't work and the update date never changes from the "golden image". It is connecting to Sophos Central, as we'll see an updated comment, but it doesn't appear to be updating.
Originally, we also were seeing 503 errors on our clients, when connecting, and that seems to have resolved itself. We did make a change on our Message Relay server, increasing the TCP connections, which may have helped. However, it still remains an issue of any new desktops failing to update.
Curious if anyone else in the community has had any issues?
Resolution: You need to make sure you keep Sophos Endpoint Defense Service running when making the golden image. Currently, I was stopping this service, since it was causing the Sophos MCS Client service to start up again, and breaking the image. I've modified our optimization script to check and see if the Sophos MCS Client service is running, and if it is, will stop the service and then shut down.
Currently, for our deployment, we have two methods that work the best:
Sophos Support stated that VMware Horizon Instant clones are only supported via the legacy script; however, this script isn't an option for us. We have MDR and if you use that script everything will default to "intercept x" only, and you have no MDR option.
Summary: Only disable the Sophos MCS Client service, and make sure you do that at the very end of your optimization script.
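The final step described in the resolution, as an added example that is not the poster's actual optimization script: it confirms Sophos Endpoint Defense Service is still running, stops only the Sophos MCS Client service, re-checks that it stayed stopped, and then shuts down. The service display names come from the post; the timeout, the retry count and the use of `Stop-Computer` are assumptions.

```powershell
# Added example: last step of a golden-image optimization script (run elevated).
# Display names are the ones given in the post; the values below are assumed.
$McsName     = 'Sophos MCS Client'
$DefenseName = 'Sophos Endpoint Defense Service'
$StopTimeout = [TimeSpan]::FromSeconds(60)   # assumed wait for the service to stop
$MaxAttempts = 3                             # assumed number of stop/re-check rounds

function Get-RequiredService([string]$DisplayName) {
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc) { throw "Service '$DisplayName' not found on this image." }
    return $svc
}

# The post's fix: Endpoint Defense must NOT be stopped while sealing the image.
$defense = Get-RequiredService $DefenseName
if ($defense.Status -ne 'Running') {
    throw "'$DefenseName' is $($defense.Status); leave it running and re-run."
}

# Stop only the MCS Client. The post reports it being started again, so each
# round re-checks after a short pause and only exits once it is seen stopped.
$mcs = Get-RequiredService $McsName
for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
    $mcs.Refresh()
    if ($mcs.Status -eq 'Stopped') { break }
    Write-Host "Stopping '$McsName' (attempt $attempt of $MaxAttempts)"
    Stop-Service -InputObject $mcs -Force -ErrorAction Stop
    $mcs.WaitForStatus('Stopped', $StopTimeout)
    Start-Sleep -Seconds 5
}

$mcs.Refresh()
if ($mcs.Status -ne 'Stopped') {
    throw "'$McsName' is $($mcs.Status) after $MaxAttempts attempts; not sealing the image."
}

# Shut down immediately so nothing can start the MCS Client before the snapshot.
Write-Host "'$McsName' stopped, '$DefenseName' still running. Shutting down."
Stop-Computer -Force
```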