Introduction
This document describes the steps to prepare a 'Golden Image' for the deployment of Cisco Secure Endpoint on hosts. The procedure applies to both Virtual Machine (VM) and hardware 'Golden Image' use. A 'Golden Image' is used to install Cisco Secure Endpoint on multiple hosts from one image file.
Prerequisites
Requirements
- Use of Windows OS command prompt
- Knowledge of Virtual environments
Note: On Secure Endpoint Windows Connector 6.3.1, a new install feature flag has been added. This will allow you to install the connector without the connector registering or causing issues with duplication in your deployment.
Override Flag
When you use the installer, the new flag to use for golden images is /goldenimage [1|0]
- 0 - Default value. This value does not trigger the golden image option; the installer operates just as if it was run without the option at all. It does not skip initial Connector registration and startup on install.
C:\> CiscoInstaller_goldenimage.exe /R /S /goldenimage 0 [other options…]
- 1 - Install as golden image. This would be the typical option used with the flag and is the only expected usage. Skips initial Connector registration and Startup on install.
C:\> CiscoInstaller_goldenimage.exe /R /S /goldenimage 1 [other options…]
Steps
Note: It is best practice to install the connector last for preparation of the 'Golden Image'.
- Prepare the Windows image to your requirements; install all your required software configurations for the Windows image except for the connector.
- Install the Cisco Secure Endpoint.
- Use the /goldenimage 1 flag to indicate to the installer that this is a golden image deployment.
C:\> CiscoInstaller_goldenimage.exe /R /S /goldenimage 1
- Complete installation.
- Freeze your golden image.
After the 'Golden Image' has had applications installed, the system prepped, and Secure Endpoint has been installed with the /goldenimage flag, the host is ready to be frozen and distributed. Once the cloned host boots up, Secure Endpoint will then start and register to the cloud. No further action is required with regard to configuration of the connector unless there are changes that you want to make to the policy or host.
The flag prevents the connector from starting and registering on the base image. On the next start of the image, the connector will be in the functional state it was configured to be in by the policy assigned to it.
Important: If the Golden Image gets registered to the AMP Cloud before you are able to freeze the VM, it is recommended to uninstall and re-install Secure Endpoint on the Golden Image VM and then freeze the VM again to prevent registration and duplicate connector issues. It is not suggested to modify any registry values for AMP as part of this uninstallation process.
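The install step and a pre-freeze check from the steps above, as a PowerShell script for an image build (an added example, not Cisco's code). The service name pattern CiscoAMP* and the parameter names are assumptions; confirm the service name with Get-Service on your host. The script only checks local service state, so the Portal check for registration still applies.

```powershell
# Added example: install the connector as a golden image, then refuse to
# continue to the freeze step if the connector service is running.
param(
    # Installer name as used on this page; adjust the path for your build.
    [string]$Installer = '.\CiscoInstaller_goldenimage.exe',
    # ASSUMPTION: connector service name pattern; confirm with Get-Service.
    [string]$ServicePattern = 'CiscoAMP*'
)

if (-not (Test-Path -LiteralPath $Installer)) {
    Write-Output "FAIL: installer not found at $Installer"
    exit 1
}

# /R /S /goldenimage 1 are the switches documented above.
$proc = Start-Process -FilePath $Installer `
    -ArgumentList '/R', '/S', '/goldenimage', '1' -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    Write-Output "FAIL: installer exited with code $($proc.ExitCode)"
    exit 1
}

# The service must exist (install succeeded) but must not be running,
# because a running connector can register the base image.
$services = @(Get-Service -Name $ServicePattern -ErrorAction SilentlyContinue)
if ($services.Count -eq 0) {
    Write-Output "FAIL: no service matches '$ServicePattern'; check the pattern and the install"
    exit 1
}

$active = @($services | Where-Object { $_.Status -ne 'Stopped' })
if ($active.Count -gt 0) {
    foreach ($svc in $active) {
        Write-Output "FAIL: service $($svc.Name) is $($svc.Status)"
    }
    Write-Output 'Do not freeze. Uninstall and re-install the connector as described above.'
    exit 2
}

Write-Output 'OK: connector installed and stopped; image can be frozen.'
exit 0
```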
Update the Golden Image
You have two options when you need to update a Golden Image in order to retain an unregistered connector.
Recommended Process
- Uninstall the connector.
- Install the host updates / upgrades.
- Reinstall the connector after the golden image process using the golden image flags.
- The host should not start the connector if the process is followed.
- Freeze the image.
- Verify before spinning up clones that the Golden Image did not register to the Portal to prevent unwanted duplicate hosts.
Alternate Process
- Ensure the host has no connectivity to the internet to prevent the connector registering.
- Stop the connector service.
- Install updates.
- Freeze the image once the updates have completed.
- The connector needs to be prevented from registering in order to prevent duplicate hosts from occurring. When you remove connectivity, this prevents it from reaching out to register to the cloud. Also, the connector being stopped will keep it in that state until the next reboot which will allow the clones to register as unique hosts.
- Verify before spinning up clones that the Golden Image did not register to the Portal to prevent unwanted duplicate hosts.