Create gold images and clone new devices
You can create gold images from Sophos protection software. This process is supported on Windows computers and servers, if you're using the thin installer and up-to-date versions of the core agents. You need the following versions:
- Windows 10 or later
- Windows Server 2016 or later
- Thin Installer 1.14 or later
- Sophos Core Agent 2022.1.0.78 or later
- Sophos Server Core Agent 2022.1.0.78 or later
When using virtual machines in a Virtual Desktop Infrastructure (VDI), you can create new virtual machines from a gold image. The gold image acts as a template for your virtual machines. You must ensure that each new virtual machine has a different identity from the device being used as the gold image.
You can create gold images from Endpoint Protection or Server Protection to create new virtual machines. Follow these instructions to install Endpoint Protection or Server Protection on a gold image so that every instance of a virtual machine that runs from that single gold image gets its own unique identity. We register these virtual machines as devices in Sophos Central Admin. You can then manage them in Sophos Central Admin.
You can't create a gold image for a server running Server Lockdown or Update Cache.
If you use VMWare Horizon InstantClone technology or QuickPrep/LinkClone, you'll need to manually prepare a gold image.
For help with installing Endpoint Protection see Endpoint Protection.
For help with installing Server Protection see Server Protection.
For help with setting up your firewall or proxy to communicate between Sophos Central Admin and your managed endpoints, see Domains and ports to allow.
This video gives more help on setting up a gold image.
Prepare your image
Update the device you want to use for your image so that the operating system and your apps are how you want them.
Set up your image
You can create a new installation on a new device. To do this, do as follows:
Install Endpoint Protection or Server Protection using the gold image option and any other applicable options. Ensure that Tamper Protection is turned off on the device hosting the gold image.
For more information about turning off Tamper Protection, see the following:
Run the following command:
This indicates that the device is a gold image and installs all your licensed options.
You only need to run this command once to configure the software to treat this device as a gold image. If you have an existing gold image device that doesn't use this process, run this command on the device so that it starts using it.
You can use some of the Sophos installation command-line options when you create your gold image. You could use the following options:
Install selected products on your gold image using the
SophosSetup.exe --goldimage --products=antiviruscreates a gold image with only the antivirus products installed.
Assign your cloned devices to a group using the
SophosSetup.exe --goldimage --devicegroup=Virtualcreates a gold image with all your licensed products installed. We add any devices cloned from it to a group called "Virtual" in Sophos Central Admin.
When the installation is complete, you can turn off the gold image device.
You can now create your virtual machines or clones. If you want to update the gold image restart the device.
How Sophos determines whether the virtual machine is a clone
When you start a virtual machine, we use a change to the device name to determine whether you're starting a new clone. If a name change has occurred the existing Sophos configuration is cleaned, and we register a new device in Sophos Central Admin. We treat this clone as a unique device.
If no change to the device name occurs we assume you're starting the gold image device.
We wait two minutes, by default, after you start the gold image device before communication with Sophos Central happens. This avoids creating duplicate devices, if changing the identity of a new clone is taking longer than expected.
If the change of the identity is taking longer than the default two minutes, use the
--goldimagetimeout option to change the default.
To set the timeout to 4 minutes, add the following option to your installation command:
After this two minute time period, regular communication with Sophos Central starts again for the gold image device. You can then update the operating system, apps, Endpoint or Server Protection.
We check the identity each time you restart the gold image device.
This process only works if all clones are created from the gold image, not from other clones. If any clones aren't created from the gold image, use the manual or scripted process for creating new clones. See Avoid duplicate identities when installing on a gold image.