Install WatchGuard Endpoint Security on Virtual Computers — Non-Persistent VDI Environment (Windows Computers)
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP
In environments with very specific characteristics, it might be necessary to follow the recommendations provided by the virtualization vendor to adapt these general instructions to your needs. For a customized solution, contact WatchGuard Support.
This installation procedure creates a gold image to be deployed later to virtual computers on the network. The procedure to manage non-persistent VDI environments consists of three steps:
- Step 1 — Prepare and Generate the Gold Image
- Step 2 — Modify the Agent Service Startup Type
- Step 3 — Manually Update the Gold Image in a Non-Persistent VDI Environment
After you generate and update the gold image, Verify the Procedures.
Caution: It is important that you follow these procedures step-by-step and when complete, you should verify that all cloned devices are displayed with a unique ID in the management UI. Devices that are cloned incorrectly can impact the reliability of the Advanced Protection and can severely compromise the security of your infrastructure. If you only see a single device in the management UI, you must repeat the process, rebuild the gold image, and deploy it again to the affected endpoints as soon as possible.
Prerequisites
- The computer used to generate the gold image must have an Internet connection.
-
Endpoint Agent Tool for Windows must be run as administrator. It has a graphic interface but can also be run from the command line. If you run the tool from a .bat or .cmd file, you must use this command: start /wait "". For example, if the instruction is: EndpointAgentTool.exe /sg, you would type: start /wait "" "C:\Path\EndpointAgentTool.exe" /sg
Before you generate the gold image, you must prepare the machine where is it created:
- Install or update the operating system with the user's applications.
- From the management UI, create one group to host the gold image ( Gold Image) and another group to host virtual computers (Virtual Machines).
- Gold Image Group
- On the Settings tab, select Per-Computer Settings and create a settings profile for future image updates. This profile is used to update the golf image when it is prepared and for ongoing maintenance on the virtual machine.
- Make sure automatic updates of the protection engine are enabled.
- Select the Automatically Restart Both Workstations and Servers option to make sure the computer will be updated.
- Assign these settings to the group you created for the gold image (Gold Image group).
- On the Settings tab, select Workstations and Servers and create a settings profile for future image updates.
- Make sure automatic knowledge updates is enabled.
- Assign these settings to the Gold Image group.
- Virtual Machines Group
Virtual instances are based on the updated gold image. To optimize the VDI server resources and reduce bandwidth usage, disable updates:- Create a per-computer settings profile that has updates disabled, and assign it to the Virtual Machines group. This profile will disable updates when the gold image is running.
- On the Settings page, select Workstations and Servers, and disable knowledge updates. Assign those settings to the Virtual Machines group.
- Install the agent and the protection on the Virtual Machines group to generate the gold image.
- On the Computers tab, select the Virtual Machines group, and click Add Computers to download the installer.
- Install the agent on the virtual machine used to create the gold image and wait for the progress window to finish. The protection is automatically installed and configured. After the installation is complete, the machine appears on the list of protected computers in the management UI.
- Move the machine with the gold image to the Gold Image group so it receives the settings with the option to update. We recommend you right-click the WatchGuard icon in the systems tray of the task bar, and force a synchronization. This pushes the settings to the computer so that it starts to update.
- Run the Endpoint Agent Tool on the computer with the gold image.
-
(Optional) In non-persistent environments with persistence levels of less than a week, we recommend that you scan the computer. For WatchGuard EDR, click Start Cache Scan in the Endpoint Agent Tool to scan the virtual machine. For WatchGuard EPDR and Advanced EPDR, right-click the EPDR icon in the Windows task bar, and select Antivirus and Advanced Protection > Scan Now.
This fills the goodware cache and leaves the protection in an appropriate state for virtual images. The scan process can take some time, depending on the contents of the hard disk. You receive a notification when the operation is complete.
- In the Non Exclusive Events section, select the check boxes for Detections, Counters, and Check Commands. Click Send.
- Important: Remove the device ID.
- Make sure the Is a Gold Image option is selected.
- If required, enter the AntiTamper Password.
- Click Prepare Image.
This removes the agent ID from the gold image, so that all virtual machines obtain their device ID when executed and connect to the cloud for the first time.
- Click Check Registration to confirm that the agent ID was removed from the gold image.
- If it was not removed, click Stop Service and then Unregister Device to manually remove the agent ID.
- Click Check Registration again to confirm that the agent ID was removed.
- Important: Disable the WatchGuard agent service to prevent it from starting automatically when using the gold image on virtual instances.
Caution: This step is critical to make sure that each virtual instance is uniquely identified in the management UI.
- Access the VDI management tools and generate the gold image. For more information, contact your vendor.
- You can configure, in the VDI environments section of the management UI, the maximum number of non-persistent machines that can be active at the same time. This enables automatic management of the licenses used by those machines.
When customization of the deployed virtual machine is completed, you must change the agent service startup type. This service was disabled in the previous step. You can use different methods depending on the VDI deployment system. To change the WatchGuard agent service startup type, you can create GPO policies for devices within a domain, or through other types of script applications such as Horizon, Windows Logon Scripts, etc.
For more information on how to work with the Group Policy Management Editor, contact Microsoft support.
Important: After you clone the virtual machine, the WatchGuard agent service must be the last thing enabled. The first time the agent starts, it registers the unique device ID.
Because the security settings that VDI computers receive have updates disabled, we recommend that you update the gold image manually at least once a month. This makes sure that the VDI computers receive the latest version of the protection and the signature file.
To manually update the gold image in a non-persistent VDI environment:
- Start the machine where the gold image is installed.
- From the management UI, move the machine with the gold image to the Gold Image group so that it receives the appropriate settings with automatic updates of the engine and knowledge.
- Right-click the WatchGuard icon in the systems tray of the task bar to force a synchronization. This updates the machine.
- Updates are performed silently in the background. We recommend you wait a few minutes to make sure the image is correctly updated.
- If a new version of the protection is available, a restart window is displayed and the machine restarts automatically (as configured in the per-computer settings profile).
When the restart is complete, we recommend you force a new synchronization to make sure the product is up-to-date.
- Run the Endpoint Agent Tool on the machine with the gold image.
(Optional) In non-persistent environments with persistence levels of less than a week, we recommend that you scan the computer. For WatchGuard EDR, click Start Cache Scan in the Endpoint Agent Tool to scan the virtual machine. For WatchGuard EPDR and Advanced EPDR, right-click the EPDR icon in the Windows task bar, and select Antivirus and Advanced Protection > Scan Now.
This fills the goodware cache and leaves the protection in an appropriate state for virtual images. The scan process can take some time, depending on the contents of the hard disk. You receive a notification when the operation is complete.
- In the Non Exclusive Events section, select the check boxes for Detections, Counters, and Check Commands. Click Send.
- Important: Remove the machine ID.
- Make sure the Is a Gold Image option is selected.
- If required, enter the AntiTamper Password.
- Click Prepare Image.
This removes the agent ID from the gold image, so that all virtual instances obtain their device ID when executed and connect to the cloud for the first time.
Caution: This step is critical to make sure that each virtual instance is uniquely identified in the management UI.
- Click Check Registration to confirm that the agent ID was removed from the gold image. If it was not removed, click Stop Service and then Unregister Device to manually remove the agent ID. Click Check Registration again to confirm that the agent ID was removed.
- Disable the WatchGuard agent service so that the service does not start automatically when using this image on virtual instances.
- Access the VDI management tools and generate the gold image. For more information, contact your vendor.
Verify the Procedures
Make sure that the procedures were successful. If the list only includes a single device, you must remove the device from the Computers list and re-start this procedure (that is, rebuild the gold image and deploy it again to the affected endpoints).
WatchGuard Endpoint Security uses the Fully Qualified Domain Name to identify computers whose IDs were deleted with the Endpoint Agent Tool and were marked as a gold image.
To view a list of non-persistent VDI computers:
- In the management UI, select Settings > Computer Maintenance.
- In the VDI Environments section, click the Show non-persistent computers link.
The Computers list shows the non-persistent computers.