Install the Endpoint Software from a Gold Image

Applies To: WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP

In large networks with many similar computers, you can automate the process to install the operating system and other software with a gold image. This is sometimes referred to as a master image, base image, clone image, or template image. You then deploy the gold image to all computers on the network, which eliminates most of the manual work required to set up a new computer.

To generate a gold image, install an up-to-date operating system with all the software that users might need, such as security tools, on a computer on your network.

This installation procedure requires that you prepare a template (for persistent environments) or a gold image (for non-persistent environments), which you later deploy to the virtual computers on the network.

WatchGuard Endpoint Security supports gold images on these virtual platforms:

  • VMware Workstation
  • VMware Server
  • VMware ESX
  • VMware ESXi
  • Citrix XenDesktop
  • XenApp
  • XenServer
  • MS Virtual Desktop
  • MS Virtual Servers

WatchGuard Unique ID

Every computer where WatchGuard Endpoint Security is installed has a unique ID assigned. WatchGuard uses this ID to identify the computer in the web UI. If you generate a gold image from a computer and then copy it to other systems, every computer that receives it inherits the same WatchGuard Endpoint Security ID and the web UI only shows one computer.

To avoid this, you can use the Endpoint Agent Tool to delete the ID. The tool is available for download. For more information, see Create an Image for Windows Persistent and Non-Persistent Environments.

In non-persistent VDI environments, some virtual hardware parameters such as the MAC address of network interface cards can change with each restart. For this reason, device hardware cannot be used to identify computers or assign licenses to them. Additionally, the storage system of non-persistent VDI computers is emptied with each restart, which also deletes the ID assigned to the computer.

It is important that you follow these procedures step-by-step and when complete, you should verify that all cloned devices are displayed with a unique ID in the web UI. Devices that are cloned incorrectly can impact the reliability of the Advanced Protection and can severely compromise the security of your infrastructure. If you only see a single device in the web UI, you must repeat the process, rebuild the template, and deploy it again to the affected endpoints as soon as possible.

Create a Template for Persistent VDI Environments

In a persistent VDI environment, the information stored on a computer hard disk persists between restarts. Therefore, to create a template you only have to configure updates of the WatchGuard Endpoint Security protection.

After you install an updated version of the operating system and all programs that users need, create a template.

To create a template for persistent VDI environments:

  1. Install an updated version of the operating system and all programs that users need on the device to be used for the gold image.
  2. Install the WatchGuard Endpoint Security software.
    For more information, see Download the WatchGuard Endpoint Agent Installer.
  3. Make sure the computer is connected to the Internet.
  4. Assign the computer a security settings profile that has updates to WatchGuard Endpoint Security protection and knowledge enabled.
    For more information, see Configure Automatic Signature File Updates, Configure Per-Computer Settings, and Assign a Settings Profile.
  5. Open the Endpoint Agent Tool.
    1. To scan the computer and preload the WatchGuard Endpoint Security goodware cache, click Start Cache Scan.
    2. To delete the computer ID, click Unregister Device.
    3. Make sure the Is a Gold Image check box is NOT selected.
      This removes the agent ID from the template, so that all virtual machines obtain their ID when they connect to cloud for the first time.
  6. Important: Disable the endpoint agent service so that the service does not start automatically when the template is used on virtual instances.
    The service is started with GPO policies for devices within a domain, which is described below.
    This step is critical to make sure that each virtual machine is uniquely identified in the web UI.
  7. Turn off the computer.
  8. Generate a gold image with your virtual environment management software.
  9. To start the endpoint agent service, you can create a GPO from a device with adequate permissions connected to the domain:
    1. In the GPO settings, select Computer Configuration > Policies > Windows Settings > Security Settings > System Services > WatchGuard Endpoint Agent.
    2. Update the service setting to Automatic.
      The service starts automatically on the next reboot and the client is integrated in the web UI.

To change the Endpoint Agent service startup type, you can create GPO policies for devices within a domain, or use other types of script applications such as Horizon or Windows logon scripts.

Create a Gold Image for Non-Persistent VDI Environments

In a non-persistent VDI environment, you create two security settings profiles — one to update the gold image when you prepare it and for maintenance purposes, and one to disable updates when you run the gold image because it does not make sense to update WatchGuard Endpoint Security if the computer storage system reverts to its original state with each restart.

Prepare the Gold Image

After you install an updated version of the operating system and all programs that users need, create a gold image.

It is important to carefully follow these steps. If you incorrectly create a gold image, these issues can occur:

  • Limitations managing cloned devices in the web UI — Only one device is displayed in the web UI. Any action you run on it affects only one of the integrated devices, and it is not clear which one.
  • Reduction in the number of detections made by the advanced protection: The telemetry generated by devices that are not properly integrated in the web UI is discarded. The reliability of the protection is compromised.

To create a gold image for non-persistent VDI environments:

  1. Install an updated version of the operating system and all programs that users need on the device to be used for the gold image.
  2. Install the WatchGuard Endpoint Security software.
    For more information, see Download the WatchGuard Endpoint Agent Installer.
  3. Make sure the computer is connected to the Internet.
  4. Assign a security settings profile to the computer that has updates to WatchGuard Endpoint Security protection and knowledge enabled.
    For more information, see Configure Automatic Signature File Updates and Configure Per-Computer Settings.
  5. Open the Endpoint Agent Tool.
    1. To scan the computer and preload the WatchGuard Endpoint Security goodware cache, click the Start cache scan button.
    2. To delete the computer ID, click Unregister Device.
    3. Make sure the Is a Gold Image check box is selected.
      This removes the agent ID from the gold image, so that all virtual machines obtain their ID when they are run and connect to cloud for the first time. This step is critical to make sure that each virtual instance is uniquely identified in the web UI.
    4. If the device is protected by the anti-tamper protection, enter the password.
    5. Click Prepare image to delete the agent ID from the image.
      The virtual machines obtain their corresponding ID when they run and connect for the first time to the WatchGuard servers.
  6. Assign the computer a security settings profile that disables updates of the WatchGuard Endpoint Security protection and knowledge.
    For more information, see Configure Automatic Signature File Updates, Configure Per-Computer Settings, and Assign a Settings Profile.
  7. Important: Disable the endpoint agent service to make sure it does not start automatically when you use the gold image on virtual instances.
  8. Turn off the computer and generate a gold image with your virtual environment management software.
  9. In the WatchGuard Endpoint Security Web UI, from the top navigation bar, select Settings.
  10. From the left pane, select VDI Environments.
  11. Configure the maximum number of computers that can be active simultaneously.
    This allows automatic management of the licenses used by these computers. For more information, see Configure VDI Environments.

Run WatchGuard Endpoint Security in a Non-Persistent VDI Environment

For WatchGuard Endpoint Security to run properly, you must change the startup type of the endpoint agent service, which was previously disabled in the gold image.

To change the Endpoint Agent service startup type, you can create GPO policies for devices within a domain, or use other types of script applications such as Horizon or Windows logon scripts.

To change the startup type of the endpoint agent service, from the GPO management tools:

  1. Make sure that the GPO management tools are on a domain-connected physical computer.
  2. Create a GPO to change the startup type of the agent service.
  3. In the GPO settings, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services > WatchGuard Endpoint Agent.
  4. Change the service setting to Automatic.
    The service starts automatically on the next reboot and the client is integrated in the web UI.
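The startup-type change that both the persistent and non-persistent procedures depend on, as an added PowerShell example (not WatchGuard's own tooling): the Prepare mode is run on the template before you shut it down and capture the image, and refuses to report success unless the agent service is Disabled and Stopped; the Activate mode is the script-based alternative to the System Services GPO setting for the clones. The agent's internal service name is not given on this page, so the script resolves it from the display name shown in the GPO path, which is an assumption.

```powershell
# Added example; not WatchGuard's tooling. Assumption: the service display name
# matches the "WatchGuard Endpoint Agent" entry shown in the GPO System Services path.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Prepare', 'Activate')][string]$Mode,
    [string]$DisplayName = 'WatchGuard Endpoint Agent'
)

function Get-AgentService {
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc) { throw "No service with display name '$DisplayName' was found." }
    return $svc
}

switch ($Mode) {
    'Prepare' {
        # Template side: the service must not auto-start in the clones, otherwise every
        # clone registers with the inherited ID and the web UI shows a single computer.
        # If anti-tamper protection blocks this, use the Endpoint Agent Tool as described above.
        $svc = Get-AgentService
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
        Set-Service -Name $svc.Name -StartupType Disabled

        # Verify before capturing the image; a wrong state here is what produces cloned
        # devices that all appear as one computer.
        $check = Get-Service -Name $svc.Name
        if ($check.StartType -ne 'Disabled' -or $check.Status -ne 'Stopped') {
            throw "Agent service is $($check.StartType)/$($check.Status). Do not capture the image."
        }
        Write-Output "OK: '$($svc.Name)' is Disabled and Stopped. Shut down and capture the image."
    }
    'Activate' {
        # Clone side (for example from a domain startup script): the equivalent of setting
        # the System Services GPO entry to Automatic, plus an immediate start.
        $svc = Get-AgentService
        Set-Service -Name $svc.Name -StartupType Automatic
        Start-Service -Name $svc.Name
        (Get-Service -Name $svc.Name).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
        Write-Output "OK: '$($svc.Name)' is Automatic and running; the clone registers on first connection."
    }
}
```

Run it from an elevated PowerShell session; after the clones boot, still confirm in the web UI that each one appears with its own ID, as the page requires.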

Manually Update the Gold Image in a Non-Persistent VDI Environment

Because the security settings that VDI computers receive have updates disabled, we recommend that you update the gold image manually at least once a month. This makes sure that the VDI computers receive the latest version of the protection and the signature file.

To manually update the gold image in a non-persistent VDI environment:

  1. In the Windows Services app, enable the agent service.
  2. Make sure the computer is connected to the Internet.
  3. Assign a security settings profile with updates to WatchGuard Endpoint Security protection and knowledge enabled.
    For more information, see Configure Automatic Signature File Updates, Configure Per-Computer Settings, and Assign a Settings Profile.
  4. Open the Endpoint Agent Tool.
    1. To scan the computer and preload the WatchGuard Endpoint Security goodware cache, click Start Cache Scan.
    2. To delete the computer ID, click Unregister Device.
    3. Select the Is a Gold Image check box.
    4. If the device is protected by the anti-tamper protection, enter the password.
    5. Click Prepare image to delete the agent ID from the image.
      The virtual machines obtain their corresponding ID when they run and connect for the first time to the WatchGuard servers.
  5. Assign the computer a security settings profile that disables updates of the WatchGuard Endpoint Security protection and knowledge.
    For more information, see Configure Automatic Signature File Updates, Configure Per-Computer Settings, and Assign a Settings Profile.
  6. Important: Disable the endpoint agent service to make sure it does not start automatically when you use the gold image on virtual instances.
  7. Turn off the computer and generate a gold image with your virtual environment management software.
  8. In the VDI environment, replace the previous image with the new one.

View Non-Persistent Computers

WatchGuard Endpoint Security uses the fully qualified domain name (FQDN) to identify computers whose ID was deleted with the Endpoint Agent Tool and that are marked as a gold image.

To view a list of non-persistent VDI computers:

  1. In the web UI, from the top navigation bar, select Settings.
  2. From the left pane, select VDI Environments.
  3. Click the Show Non-Persistent Computers link.
    The Computers list shows only non-persistent computers.

See Also

Manage Settings

Configure Automatic Signature File Updates

Configure Per-Computer Settings

Create an Image for Windows Persistent and Non-Persistent Environments