Create gold images and clone new devices

You can create gold images from Sophos protection software. This process is supported on Windows computers and servers, if you're using the thin installer and up-to-date versions of the core agents. You need the following versions:

  • Windows 10 or later
  • Windows Server 2016 or later
  • Thin Installer 1.14 or later
  • Sophos Core Agent 2022.1.0.78 or later
  • Sophos Server Core Agent 2022.1.0.78 or later

When using virtual machines in a Virtual Desktop Infrastructure (VDI), you can create new virtual machines from a gold image. The gold image acts as a template for your virtual machines. You must ensure that each new virtual machine has a different identity from the device being used as the gold image.

You can create gold images from Endpoint Protection or Server Protection to create new virtual machines. Follow these instructions to install Endpoint Protection or Server Protection on a gold image so that every instance of a virtual machine that runs from that single gold image gets its own unique identity. We register these virtual machines as devices in Sophos Central. You can then manage them in Sophos Central.

Restriction

You can't create a gold image for a server running Server Lockdown or Update Cache.

This video gives more help on setting up a gold image.

Prepare your image

  1. Update the device you want to use for your image so that the operating system and your apps are how you want them.

Set up your image

You can create a new installation on a new device. To do this, do as follows:

  1. Install Endpoint Protection or Server Protection using the gold image option and any other applicable options.

    • Run the following command: SophosSetup.exe --goldimage

    This indicates that the device is a gold image and installs all your licensed options.

    You can use some of the Sophos installation command-line options when you create your gold image. You could use the following options:

    • Install selected products on your gold image, using --products.

      Example

      SophosSetup.exe --goldimage --products=antivirus creates a gold image with only the antivirus products installed.

    • Assign your cloned devices to a group, using --devicegroup.

      Example

      SophosSetup.exe --goldimage --devicegroup=Virtual creates a gold image with all your licensed products installed. We add any devices cloned from it to a group called "Virtual" in Sophos Central.

See Installer command-line options for Windows.

When the installation is complete, you can turn off the gold image device.

You can now create your virtual machines or clones. If you want to update the gold image, restart the device.

Use an existing device as a gold image

Alternatively, you can use an existing device as a gold image. To do this, do as follows:

  1. Go to the device you want to use.
  2. Check the device is set up as you want it.

    • Check the operating system is up to date and any patches are installed.
    • Check that Endpoint Protection or Server Protection is installed.
  3. Run the command SophosSetup.exe --goldimage.

    This designates this device as your gold image.

You can now create your virtual machines or clones. If you want to update the gold image, restart the device.

How Sophos determines whether the virtual machine is a clone

When you start a virtual machine, we use a change to the device name to determine whether you're starting a new clone. If a name change has occurred, the existing Sophos configuration is cleaned, and we register a new device in Sophos Central Admin. We treat this clone as a unique device.

If no change to the device name occurs, we assume you're starting the gold image device.

We wait two minutes, by default, after you start the gold image device before communication with Sophos Central happens. This avoids creating duplicate devices if changing the identity of a new clone is taking longer than expected.

If the change of the identity is taking longer than the default two minutes, use the --goldimagetimeout option to change the default.

Example

To set the timeout to 4 minutes, add the following option to your installation command:

--goldimagetimeout=240

After this two-minute time period, regular communication with Sophos Central starts again for the gold image device. You can then update the operating system, apps, Endpoint or Server Protection.

We check the identity each time you restart the gold image device.
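
The clone check and timeout described above can be modelled to choose a --goldimagetimeout value before you build the image. This is an added example, not Sophos code: the rename timings, the names GOLD-01 and VDI-017, the 1.5x margin and the 30-second rounding step are assumptions, and how the agent observes the name change is not specified on this page.

```python
import math

DEFAULT_TIMEOUT_S = 120  # the page's default wait: two minutes

CLONE = "clone: configuration cleaned, registered as a new device"
GOLD = "gold image: regular communication with Sophos Central resumes"
LATE = "late rename: still carries the gold image identity when the wait ends"


def boot_outcome(gold_name, renames, timeout_s=DEFAULT_TIMEOUT_S):
    """Apply the page's rule to one boot (simplified model).

    renames: constructed (seconds_after_boot, new_name) pairs standing in
    for whatever your provisioning tool does to the device name.
    """
    changed = [(t, n) for t, n in renames if n.lower() != gold_name.lower()]
    if any(t <= timeout_s for t, _ in changed):
        return CLONE  # name change seen inside the wait window
    if changed:
        return LATE   # the duplicate-device case the timeout exists to avoid
    return GOLD       # name never changed: this is the gold image itself


def recommend_timeout(observed_rename_s, margin=1.5, step_s=30):
    """Pick a --goldimagetimeout value in seconds from measured rename times."""
    # margin and step_s are assumptions of this example, not Sophos guidance.
    worst = max(observed_rename_s, default=0)
    padded = math.ceil(worst * margin / step_s) * step_s
    return max(DEFAULT_TIMEOUT_S, padded)


def installer_command(timeout_s, device_group=None):
    """Build the gold image install command from options shown on the page."""
    parts = ["SophosSetup.exe", "--goldimage"]
    if device_group:
        parts.append(f"--devicegroup={device_group}")
    if timeout_s != DEFAULT_TIMEOUT_S:
        parts.append(f"--goldimagetimeout={timeout_s}")
    return " ".join(parts)


if __name__ == "__main__":
    observed = [95, 140, 158]  # constructed: seconds from boot to rename
    timeout = recommend_timeout(observed)
    print(installer_command(timeout, device_group="Virtual"))
    for t in observed:
        for limit in (DEFAULT_TIMEOUT_S, timeout):
            print(t, limit, boot_outcome("GOLD-01", [(t, "VDI-017")], limit))
```

With the constructed timings, a clone renamed 158 seconds after boot falls outside the default wait, and the recommended value matches the 240-second example given above.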