Install WatchGuard Endpoint Security on Virtual Computers — Non-Persistent VDI Environment (Windows Computers)

Before you generate the gold image, you must prepare the machine where is it created:

1. Install or update the operating system with the user's applications.
2. From the management UI, create one group to host the gold image ( Gold Image) and another group to host virtual computers (Virtual Machines).
   

• Gold Image Group
  
  • On the Settings tab, select Per-Computer Settings and create a settings profile for future image updates. This profile is used to update the golf image when it is prepared and for ongoing maintenance on the virtual machine.
  • Make sure automatic updates of the protection engine are enabled.
  • Select the Automatically Restart Both Workstations and Servers option to make sure the computer will be updated.

• Assign these settings to the group you created for the gold image (Gold Image group).
• On the Settings tab, select Workstations and Servers and create a settings profile for future image updates.
• Make sure automatic knowledge updates is enabled.
• Assign these settings to the Gold Image group.

• Virtual Machines Group
  Virtual instances are based on the updated gold image. To optimize the VDI server resources and reduce bandwidth usage, disable updates:
  • Create a per-computer settings profile that has updates disabled, and assign it to the Virtual Machines group. This profile will disable updates when the gold image is running.

• On the Settings page, select Workstations and Servers, and disable knowledge updates. Assign those settings to the Virtual Machines group.

3. Install the agent and the protection on the Virtual Machines group to generate the gold image.
   • On the Computers tab, select the Virtual Machines group, and click Add Computers to download the installer.
   • Install the agent on the virtual machine used to create the gold image and wait for the progress window to finish. The protection is automatically installed and configured. After the installation is complete, the machine appears on the list of protected computers in the management UI.

4. Move the machine with the gold image to the Gold Image group so it receives the settings with the option to update. We recommend you right-click the WatchGuard icon in the systems tray of the task bar, and force a synchronization. This pushes the settings to the computer so that it starts to update.
5. Run the Endpoint Agent Tool on the computer with the gold image.

• (Optional) In non-persistent environments with persistence levels of less than a week, we recommend that you scan the computer. For WatchGuard EDR, click Start Cache Scan in the Endpoint Agent Tool to scan the virtual machine. For WatchGuard EPDR and Advanced EPDR, right-click the EPDR icon in the Windows task bar, and select Antivirus and Advanced Protection > Scan Now.

  This fills the goodware cache and leaves the protection in an appropriate state for virtual images. The scan process can take some time, depending on the contents of the hard disk. You receive a notification when the operation is complete.

• In the Non Exclusive Events section, select the check boxes for Detections, Counters, and Check Commands. Click Send.
  
6. Important: Remove the device ID.
   • Make sure the Is a Gold Image option is selected.
   • If required, enter the AntiTamper Password.
   • Click Prepare Image.

This removes the agent ID from the gold image, so that all virtual machines obtain their device ID when executed and connect to the cloud for the first time.

7. Important: Disable the WatchGuard agent service to prevent it from starting automatically when using the gold image on virtual instances.
   

Caution: This step is critical to make sure that each virtual instance is uniquely identified in the management UI.

8. Access the VDI management tools and generate the gold image. For more information, contact your vendor.
9. You can configure, in the VDI environments section of the management UI, the maximum number of non-persistent machines that can be active at the same time. This enables automatic management of the licenses used by those machines.

When customization of the deployed virtual machine is completed, you must change the agent service startup type. This service was disabled in the previous step. You can use different methods depending on the VDI deployment system. To change the WatchGuard agent service startup type, you can create GPO policies for devices within a domain, or through other types of script applications such as Horizon, Windows Logon Scripts, etc.

For more information on how to work with the Group Policy Management Editor, contact Microsoft support.

Important: After you clone the virtual machine, the WatchGuard agent service must be the last thing enabled. The first time the agent starts, it registers the unique device ID.

Because the security settings that VDI computers receive have updates disabled, we recommend that you update the gold image manually at least once a month. This makes sure that the VDI computers receive the latest version of the protection and the signature file.

To manually update the gold image in a non-persistent VDI environment:

1. Start the machine where the gold image is installed.
2. From the management UI, move the machine with the gold image to the Gold Image group so that it receives the appropriate settings with automatic updates of the engine and knowledge.
3. Right-click the WatchGuard icon in the systems tray of the task bar to force a synchronization. This updates the machine.
   • Updates are performed silently in the background. We recommend you wait a few minutes to make sure the image is correctly updated.
   • If a new version of the protection is available, a restart window is displayed and the machine restarts automatically (as configured in the per-computer settings profile).

When the restart is complete, we recommend you force a new synchronization to make sure the product is up-to-date.

4. Run the Endpoint Agent Tool on the machine with the gold image.

   • (Optional) In non-persistent environments with persistence levels of less than a week, we recommend that you scan the computer. For WatchGuard EDR, click Start Cache Scan in the Endpoint Agent Tool to scan the virtual machine. For WatchGuard EPDR and Advanced EPDR, right-click the EPDR icon in the Windows task bar, and select Antivirus and Advanced Protection > Scan Now.

   • This fills the goodware cache and leaves the protection in an appropriate state for virtual images. The scan process can take some time, depending on the contents of the hard disk. You receive a notification when the operation is complete.

   • In the Non Exclusive Events section, select the check boxes for Detections, Counters, and Check Commands. Click Send.

     

   • Important: Remove the machine ID.
     • Make sure the Is a Gold Image option is selected.
     • If required, enter the AntiTamper Password.
     • Click Prepare Image.
       This removes the agent ID from the gold image, so that all virtual instances obtain their device ID when executed and connect to the cloud for the first time.

Caution: This step is critical to make sure that each virtual instance is uniquely identified in the management UI.

• Disable the WatchGuard agent service so that the service does not start automatically when using this image on virtual instances.
  
• Access the VDI management tools and generate the gold image. For more information, contact your vendor.