I was initially going to cover how to prepare your Gold Master image but then, I thought that this subject has been covered multiple times, so, if you want guidance on what should be your starting point for your Gold Master image, see this post (Optimized image for VDI ) and use this tool (VMware OSOT).
Keep in mind that you will need local administrative rights to run the tools mention in those post such as “SDelete”.
Deploying a Security sensor on a Virtual Desktop pool requires a few adjustments/steps that are different then deploying on a regular Virtual Machine or a physical desktop. Most solutions need a Unique Identifier for the Virtual Machine to be properly associated with the environment. The problem is, when doing a Virtual Desktop Pool, you start from the same Virtual Machine every time and you clone it. In VMware’s case for example, you either create a Linked-Clone or Instant Clone Pool.
In this blog, I will cover how easy and quick it is to configure and deploy the Crowdstrike Falcon Sensor on a Horizon 7.12, Windows 10 Instant-Clone Desktop Pool.
Installing the sensor
Once you have your gold master image configured with all the software you need and patched up, you should proceed to the sensor installation. The Crowdstrike sensor can be retrieved from your Falcon Platform by navigating to the Host section and choosing Sensor downloads. Make sure to note your CID while you’re in that section, you will need it for sensor install.
Next, login to the Windows 10 desktop (Gold Master Image) with Admin credentials and open an Elevated Command Prompt.
From the location where your sensor is located, run the command: WindowsSensor.exe /install /norestart CID=<CID> VDI=1 NO_START=1 /passive GROUPING_TAGS=“VDI,LAB”
The tags are optional, but good practice when building your environment. You can learn more about tags from the Crowdstrike documentation, accessible from your Crowdstrike platform.
After installation is complete, you can do a quick check of your services and you’ll see that the Sensor is installed as a service but not running, as expected.
You can also look at your filter drivers from the Filter Drive Management Console (FLTMC) and see that it is not present yet (as expected).
P.S. : Your list might differ from the above, this was taken from a very basic, vanilla Win10 image.
The “VDI” tag is optional, but recommended for Virtual Desktops as it makes it “cleaner” to categorize those desktops in the Crowdstrike management Console. The “LAB” tag is just to segment in my lab for testing.
Next, you would continue as you would do with any other Gold Master image preparation.
Shutdown the gold master image and take a Snapshot.
You would then create your Instant-Clone Desktop Pool.
Add your pool.
Steps 1 through 11 are very straightforward, however, if you’re unfamiliar with the process of creating a desktop Pool, you can learn more from the VMware Tech Marketing paper here.
The only additional thing I do before clicking the Submit button is to also prepare my pool entitlements by checking the little check box at the top of step 11. Of course, you can also do this at a later stage, I just prefer to do it right away to make sure I don’t forget to put in a couple of test subjects to kick things off!
Once the pool is created, you can go back to your Falcon Platform console and you will see the Instant-Clone Desktops ready to go
Validating that everything is running fine, you can login to a Horizon Desktop and see that Crowdstrike Sensor is running as expected and reporting back to the CrowdStrike console.
Now, let’s logoff the user session. This will delete the Instant Clone and create a new one.
Since the pool configuration is set to re-use the same hostname, it will create a new “Win10IC—2” Virtual Machine. After the Virtual Machine is available, you can then switch over your Falcon Platform console and see that the endpoint is available and reporting back successfully.
In conclusion, this was a very straightforward process and the most painless Security solution deployment I’ve done in over 20 years. In a future blog post, I will explain how to add VMware App Volumes on top of this combined solution (Horizon + Crowdstrike). Both Crowdstrike and App Volumes have filter drivers, but they can easily play nice together and I’ll show how easy it is for these solution to co-exist and work together.
Hope you enjoyed this basic tutorial, I’m looking at doing my next one on Crowdstrike with Horizon and App Volumes. Another easy one but I saw, in past experience, a lot of customers do this wrong :-)…