VMware Horizon Community
JayArr
Contributor

Sophos End Point AV in a VMware View Linked Clone Environment

I just wanted to chime in with my experiences in VMware View with Sophos End Point Protection 9.5 - yep, we've been there and through upgrades, and have come up with a decent process for deploying Sophos End Point Protection on VMware View snapshot clones without installing the entire EPP product on each machine after it's created, to reduce the size of the linked clones and reduce management overhead on both sides.

I'm also looking for feedback from other Sophos customers, and I strongly recommend posting questions on Sophos' forum and sending feedback to your account manager about supporting the vShield product.

---

I'm patiently waiting for Sophos to support vShield protection so it's one less step I need to do when I prep a master image for deployment in View. They previewed a vShield appliance in February... so I'm optimistic. I hate that they won't answer any vShield questions in their forum.

---

Short version:

I install and update the Sophos agent on the master to ensure the newest IDEs are installed. Then I run a batch file I created to delete machine-specific XML files and registry keys to sanitize the machine (see Sophos references below). Then when I create snapshot clones, the machines have generic Sophos files, IDEs, and services - no machine-name-specific files are on the cloned machine. After the clone and synchronization is complete, I have VMware View run a post-synchronization script that runs a specific command Sophos provided to launch the Sophos install MSI to finish the Sophos customization on the vDesktop.

Step By Step version:

1. On the master VM: Install sophos end point protection (without firewall or NAC)

2. On the master VM: Install a batch file in a folder like C:\Temp\DeploySophos\install.bat

3. On the master VM: In the install.bat, have this line of code:

MsiExec.exe /i "c:\Program Files\Sophos\AutoUpdate\cache\savxp\Sophos Anti-Virus.msi" REINSTALL=ALL REINSTALLMODE=voums UPDATEDRIVERS=0 /l*v c:\msi.log /qb

4. On the master VM: Run the attached batch file (Prep_Sophos.zip) which calls the included reg keys on the master VM to prep the machine for deployment right before you shut down the master for your deployment snapshot. This will sanitize your VM.

5. In your View pool, call your batch file in your Post-synchronization script. For example, if you placed the install.bat in C:\Temp\DeploySophos\ you would put "C:\Temp\DeploySophos\install.bat", and then every VM created for that pool will finish the Sophos customization without doing a full reinstall, right after the machine is on the domain and synchronized.

  • This reduces the size of each snapshot clone (linked clone) in storage
  • Reduces the amount of time to spin up more desktops.
  • This process has NOT been tested with NAC or Firewall options enabled with VMs - there WILL be more changes required to sanitize a machine with the Firewall and NAC agents installed.
  • Each machine reports to the Sophos Enterprise Console properly, even through recomposition, refreshes, or deletions and recreations.

Resources:

Sophos Anti-Virus for Windows 2000+: incorporating current versions in a disk image, including for use with cloned virtual machines

http://www.sophos.com/support/knowledgebase/article/12561.html

Best Practice for running Sophos on virtual systems

http://www.sophos.com/support/knowledgebase/article/110507.html

23 Replies
chulerico
Enthusiast

Thanks for the info,

We are using Sophos and are a bit disappointed that they don't have a solution that integrates with vShield.

Thanks again.

Will definitely use this.

Oh, by the way, how are you handling the disk scanning schedule?

Sam

six4rm
Enthusiast

Hi JayArr,

I started a discussion on Sophos and Linked Clones a little while ago - http://communities.vmware.com/message/1707837

If you read the discussion you'll see that I started off using the same KB article that you reference but ran into a few issues, I'm guessing because I was missing that MsiExec post-sync script. The VMs would check in to Enterprise Console OK but then would fail to pick up the correct policies. I ended up going down the OU sync route and having Sophos monitor for new machines in the OU that View places its desktops in. It works well, but as you've rightly pointed out it means that each Linked Clone has to have Sophos installed separately rather than it being incorporated within the master image.

The next time I work on my master template I shall explore your very well documented option. :)

Out of interest, how do you handle the scheduling of updates within your VM environment?

We've elected to turn off auto updating entirely for our VM policy and use a Windows Scheduled Task to update each VM. These are set up using a script, which has to be run manually, so not especially efficient.

JayArr
Contributor

We allow updates to run normally, every 5 minutes. When it becomes a concern, we'll break up the update schedule using slightly modified clones of the original update policy with different times.

We also use DFS file shares to balance update distribution.

six4rm
Enthusiast

I've been playing with this deployment method today and thought I'd update you on my progress, so here goes.

First of all I had to change a few things in relation to the preparation script. The file locations are slightly different as my VMs are Windows 7 based, so the delete files part of the script is as below:

del /F /Q "C:\ProgramData\Sophos\AutoUpdate\data\status\status.xml"
del /F /Q "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Machine.xml"
del /F /Q "C:\ProgramData\Sophos\AutoUpdate\data\machine_ID.txt"

I'm hoping the above is correct anyway. I added the "machine_ID.txt" file purely because it mentions it in the Sophos KB article. Is there a reason why you've not got that in your prep script? Maybe that's why I'm running into a few issues later on!

The next change I made was within the services part of the prep script. Because I'm using a Customisation Specification within vCenter to prep my VMs rather than the View QuickPrep, there is a brief period where the new VM has the machine name of the template. With the services set to automatic this was causing issues within Enterprise Console and all the machines would have a "Comparison Failure" error. I have set the three services to disabled as well as stopping them, and then set a post-customisation script to change them back to automatic once the machine has its unique name. It also states in the Sophos KB about making sure the services are disabled until the machine has its unique name. This was accomplished by adding the following to the services section:

sc config "Sophos Message Router" start= disabled
sc config "Sophos Agent" start= disabled
sc config "Sophos AutoUpdate Service" start= disabled

And the post-sync script:

sc config "Sophos Message Router" start= auto
sc config "Sophos Agent" start= auto
sc config "Sophos AutoUpdate Service" start= auto

Pretty simple really. After the services are set to auto your install script is run. The install script had to be changed slightly as the MSI location is within ProgramData, although the sub-folder structure remains the same. The machine is then rebooted so the services all start up upon reboot and it checks in to Enterprise Console for the first time.

With the above in place the machines appear to be checking in correctly, but they're stuck with "Awaiting policy transfer" and a warning to say that the machine requires a reboot. I've rebooted the machines multiple times but neither the warning nor the "Awaiting policy transfer" will go away. When you look at the machine details within Enterprise Console they don't appear to be checking in properly apart from immediately after reboot.

Any suggestions would be very welcome as I've been working on this for a few days now.
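Pulling JayArr's step-by-step together with six4rm's Windows 7 changes above, here is an added example batch file that handles both halves of the workflow: it is not JayArr's Prep_Sophos.zip, six4rm's script, or anything supplied by Sophos. It assumes the Windows 7 layout under ProgramData with an XP fallback, and the two registry key names are placeholders because the thread defers them to the Sophos KB article.

```batch
@echo off
setlocal
rem sophos_clone.bat - added example, not JayArr's Prep_Sophos.zip or six4rm's script.
rem   sophos_clone.bat prep    run on the master right before the deployment snapshot
rem   sophos_clone.bat finish  run as the View post-synchronization script
rem Assumes the Windows 7 layout under %ProgramData% (XP fallback below) and that the
rem registry keys come from Sophos KB 12561 (placeholders; the thread does not name them).
set "LOG=%SystemRoot%\Temp\sophos_clone_msi.log"
set "DATA=%ProgramData%\Sophos"
if not exist "%DATA%" set "DATA=%ALLUSERSPROFILE%\Application Data\Sophos"
set "MSI=%DATA%\AutoUpdate\cache\savxp\Sophos Anti-Virus.msi"
if not exist "%MSI%" set "MSI=%ProgramFiles%\Sophos\AutoUpdate\cache\savxp\Sophos Anti-Virus.msi"

if /i "%~1"=="prep"   goto prep
if /i "%~1"=="finish" goto finish
echo usage: %~nx0 prep ^| finish
exit /b 2

:prep
rem Stop the three agents so their state files are not locked, then disable them so a
rem clone that briefly carries the master's name (Sysprep) cannot check in under it.
rem (JayArr leaves them on automatic with QuickPrep; disabling is six4rm's Sysprep variant.)
for %%S in ("Sophos Message Router" "Sophos Agent" "Sophos AutoUpdate Service") do (
    sc stop %%S >nul 2>&1
    sc config %%S start= disabled >nul || echo WARN: could not disable %%S
)
rem Remove the machine-specific files so every clone registers as a new endpoint.
for %%F in ("%DATA%\AutoUpdate\data\status\status.xml" "%DATA%\Sophos Anti-Virus\Config\Machine.xml" "%DATA%\AutoUpdate\data\machine_ID.txt") do (
    if exist %%F (del /F /Q %%F && echo removed %%F) else echo not present: %%F
)
rem PLACEHOLDER keys: replace with the two keys listed in Sophos KB article 12561.
for %%K in ("HKLM\SOFTWARE\Sophos\PLACEHOLDER_KEY_1" "HKLM\SOFTWARE\Sophos\PLACEHOLDER_KEY_2") do (
    reg delete %%K /f >nul 2>&1 && echo removed %%K
)
echo prep complete: shut the master down and take the deployment snapshot.
exit /b 0

:finish
rem Runs only after QuickPrep/Sysprep has given the clone its unique name and domain join.
for %%S in ("Sophos Message Router" "Sophos Agent" "Sophos AutoUpdate Service") do (
    sc config %%S start= auto >nul || echo WARN: could not re-enable %%S
)
if not exist "%MSI%" (
    echo ERROR: cached MSI not found; run Update Now on the master before snapshotting.
    exit /b 1
)
rem Repair-mode reinstall from the AutoUpdate cache, the command quoted in the thread.
rem start /wait keeps the script alive until msiexec exits; View's default post-sync
rem timeout is 20 s, which six4rm had to raise to 60 s for this to complete.
start /wait "" msiexec.exe /i "%MSI%" REINSTALL=ALL REINSTALLMODE=voums UPDATEDRIVERS=0 /l*v "%LOG%" /qn
if %errorlevel% EQU 3010 (echo msiexec: reboot required) else if errorlevel 1 echo WARN: msiexec exit %errorlevel%, see %LOG%
shutdown /r /t 30 /c "Sophos clone customization complete"
exit /b 0
```

The post-synchronization field in the pool settings would then point at "sophos_clone.bat finish"; /qn replaces the thread's /qb because no interactive session exists when the post-sync script runs.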

JayArr
Contributor

Fantastic timing. I've just been handed a deadline to deploy our first pool of win7. Thanks for your detailed addition to this thread.

VMMikeC
Enthusiast

I've been using the Sophos on my linked clones without any policy issue by following the exact steps in the link that's in this thread.

I stop the message router, agent and autoupdate service, then delete the reg keys, and finally delete the machine_ID.txt file. Every time I make a change to the parent that I plan to take a snapshot of for a recompose, I repeat these steps.

The only weird thing that I noticed today is 5 of my linked clones were showing me alerts in vCenter for CPU utilization, and in the Sophos console they were "awaiting policy". Once I restarted them, they were "Same as policy". The weird thing is, they were spare clones; they have never been logged in to by any user. I have Windows Updates disabled via GPO, so I'm wondering if it was something with Sophos that caused it?

six4rm
Enthusiast

Hi VMMikeC,

How are your linked clones prepped, Sysprep or QuickPrep? Do you set your services to disabled too? Also, how do you assign your VMs a policy within Enterprise Console? Win7 or XP? Apologies for all the questions. :)

I've never witnessed Sophos using lots of CPU resources within any of my VMs, linked clone or full. I guess it would have been good to look at Windows Task Manager to pin it down specifically to Sophos.

VMMikeC
Enthusiast

I'm actually using QuickPrep. I only stop the services. I do not set them to disabled. I'm running XP (32-bit) and Win 7 (64-bit) clones. I have an OU in Active Directory for all my clones, and then I have a View policy within Sophos Enterprise Console and I assign that View policy to that particular AD OU.

A good thing to note that I picked up along the way: prior to making the snapshot on the parent, I checked in Sophos to see if everything looked OK on the parent VM. To clarify, originally my parent VM in Sophos said "different from policy"; then once I made my clones, all of them said the same thing. To resolve, I updated the parent VM (Update Now) and restarted. Once I did that, the parent VM within Sophos looked good. I took a new snapshot, then recomposed, and sure enough, all the clones were good to go from that point on.

Mike

Sent from my Verizon Wireless BlackBerry

six4rm
Enthusiast

Thanks for the reply.

Good work replying from your Blackberry, that's some excellent forum dedication!

In terms of AD OU placement and Enterprise Console, that's exactly the same as me. All our View machines go into a particular OU which is then sync'd every 5 minutes into Enterprise Console. I originally had EC install Sophos automatically as soon as it found a new machine upon each AD sync. This worked well, but I really want to incorporate Sophos within the template, and of course each machine then required a reboot after install too.

I installed Sophos on my template VM through Enterprise Console. After a reboot it appears completely error free and complies to all policies. The only thing to note here is that my template sits within a different OU in AD and therefore a different container within EC, although the policies applied to the template OU and the View OU are the same. I might try moving my template into the View OU to see if that makes a difference.

JayArr
Contributor

I keep my master vm's in a dedicated OU that is assigned the same policy as the snapshots.

Re: machine_ID.txt - I'll need to check my batch file - I could have sworn it was removing that file, but I may have missed it in my original post above. I'll look tomorrow and see what's going on.

Thanks for pointing that out!

---

Jason

VMMikeC
Enthusiast

I would have used the browser, but the internet on my blackberry stinks and this was just faster haha

Hmmm, interesting. My parent VM actually sits in the same OU as my clones; however, since your policy is the same for both OUs, it should be a non-issue. I will be moving my parents to a new OU soon enough, so I'd be interested in seeing if you notice any difference by having them in the same OU.

I actually have a batch file that I use to install Sophos. I do not install from the EC. I can paste the contents of the batch file if you'd like to see.

Sent from my Verizon Wireless BlackBerry

six4rm
Enthusiast

A little update for you, so here's what I've found...

The prep of the image is the same, stop services and set to disabled, delete the registry keys and delete the machine_ID.txt file only.

Template in separate OU to VDI Desktops

Post-customisation process: Set services to auto & reboot.

Result: Machine checks in but shows "Comparison failure" warning.

Post-customisation process: Run MSI & set services to auto & reboot.

Result: Machine checks in but shows "Awaiting policy transfer" and never complies with policy.

Template in same OU as VDI Desktops

Post-customisation process: Set services to auto & reboot.

Result: Machine checks in but shows "Comparison failure" warning.

Post-customisation process: Run MSI & set services to auto & reboot.

Result: Machine checks in and complies with policy. There is a warning to say that it requires a reboot, but I can live with that.

I find this rather weird as the policies within EC are the same for the two OU's. Interesting though.

VMMikeC
Enthusiast

When they were in separate OUs, did you try to log into any of the clones? How long did you leave them there? I'm just wondering if it was a timing issue for EC to catch up.

I forget, is this XP or Win 7? Are you using VMwares customization wizard for sysprep or importing your own?

Sent from my Verizon Wireless BlackBerry

six4rm
Enthusiast

I left the clones for quite some time as well as logging in to them and rebooting multiple times, it didn't seem to make any difference.

They are Windows 7 VMs and I'm using a Customisation Specification within vCenter to Sysprep my machines. The post-customisation script is run via the "Run once" section.

JayArr
Contributor

I used a Windows 7 master desktop that is joined to the domain and has a full, up-to-date sophos installation on it (and rebooted).

I use snapshot clones, so I didn't use a customization specification - I use QuickPrep to join the clones to the domain.

My batch file is called in the Post-synchronization script and I placed it in C:\programdata\sophos\scripts\deploy.bat to get it out of the root of the C drive.

I also left the services set on automatic, only stopped them to delete the files and reg keys before shutting it down to create the final snapshot needed.

So far, all of my Win 7 desktops have been arriving in the Enterprise Console in compliance or awaiting policy update while the services start. I do have a reboot warning - but I can easily fix that.

VMMikeC
Enthusiast

six4rm,

Would it be possible to create a test pool using Quickprep just to see if you still experience the same issue? Try to narrow it down to a sysprep issue.

Not that it should matter but whenever I sysprep, I always import a custom script. That's the only reason why I asked.

six4rm
Enthusiast

Funnily enough I binned my Sysprep customised pool last night and changed to Quickprep to test this Sophos deployment. I'll test out a few scenarios and get back to you.

six4rm
Enthusiast

So here's what I've found using Quickprep as my customisation tool.

In each instance the prep work has involved the following:

  • Set services to disabled
  • Delete the two registry keys
  • Delete machine_ID.txt

Template & Desktops in same OU

Post-customisation steps

  • Services set to auto & started
  • Reboot

Result

  • Checks in to EC
  • Complies to policies

Post-customisation steps

  • Set services to auto.
  • Run MSI
  • Reboot

Result

  • MSI didn't run fully due to the default 20 second script timeout. Changed to 60 seconds.
  • VM checks in to EC
  • VM complies to policies

Template & Desktops in different OU

Post-customisation steps

  • Services set to auto & started
  • Reboot

Result

  • Checks in to EC.
  • Awaiting policy transfer. [Right click -> Comply with -> All group policies] resolves the issue.

Post-customisation steps

  • Set services to auto.
  • Run MSI
  • Reboot

Result

  • Checks in to EC.
  • Awaiting policy transfer. [Right click -> Comply with -> All group policies] resolves the issue.

So it would appear that running the MSI makes no difference to the overall result. I've not tested simply stopping the services and leaving them on auto; that's one for next week, as I've spent three days on this already!

I'm thinking that I'll have my template in a different OU and deal with the "Awaiting policy transfer" message. At least this time around you can force the compliance which I couldn't before using Sysprep. I'd like to have my script run before the snapshot is created using the "Power-off script" field. That way when the machine powers on for the first time after the snapshot the services are all ready to go and no post-customisation script is required. Or you could have a post-customisation script to force Sophos to check for updates (a script I already have) or something similar. This also means that I could start using the "Refresh on logoff" option.

What do people think?

JayArr
Contributor

Could you share your Sophos update script? I plan on deploying kiosks with instant refresh on logout - that would be very handy!

I think you'll have better luck leaving the services set to auto.

---

Jason Thoms

Sent from a mobile device.
