I created a post on sensor deployment in a Desktop Clone scenario. Now I want to cover the second aspect of desktop pools: updating them and keeping them current with the CrowdStrike sensors.
A quick overview of Virtual Desktop
Here are a few terms related to VDI. Blog from VMware. If you need more information on Instant Clones, Google is your friend…
When dealing with Desktop Virtualization, there are 2 scenarios where you should recommend controlling the sensor version, i.e. building sensor update policies specifically for them. When a user logs off a Desktop Clone, any information that changed during that session is lost (outside of the user profile, if they use a profile management solution). So a sensor version change, or a channel file pushed during the session, will be lost when the user logs off. That is also the reason you don’t want those desktop clones on a sensor update policy of N-1 or N-2: any sensor update applied that way would be reverted as soon as the user logs off.
You should also have specific groups for your Gold Master images (some call them reference images) and a different group for your Linked Clones or Instant Clones.
Of course, after setting these 2 groups up, your customer will need to make sure they have a good operational process in place, with a cadence of manually updating the sensor version for each of those groups, making sure to update the Gold Master image group first.
In my environment, I created 2 groups.
From a desktop virtualization perspective, for a production customer, there’s a strong chance you will need multiple groups for your Desktop clones, as they will most likely require different configurations or update sequences, based on the desktop type. I have seen customers able to regroup a lot of their desktop types, but rarely able to do this within only 1 group, just because of the differences in the desktops’ config (i.e. software deployed on them, cadence of OS updates and OS type).
A desktop pool of clones built in VMware Horizon or Citrix XenDesktop will almost always follow a naming pattern, i.e. the hostname will have a fixed part and a number. In my lab, I used “Win10T-” + a number. This makes the group assignment dynamic and easy to set up. Customers should use dynamic assignment for their VDI groups.
Then, the Gold Master image group should be a manual assignment.
Example of a sensor update policy for my VDI Clones. Again here, the only thing the customer needs to do is put a proper update cadence in place and make sure the sensor does not fall out of support. That means updating the sensor version on the master image group first, then the VDI clones, and running through a recompose operation (which I cover later in this post).
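An added example (not from the original post and not CrowdStrike code): a small Python audit of a host inventory against the two-group scheme described above. The gold master hostname, the inventory format and the sensor version numbers are constructed assumptions; only the “Win10T-” + number pattern comes from the post.

```python
import re

# Assumptions: inventory is a list of (hostname, sensor_version) pairs exported
# from the console; the gold master hostname is hypothetical.
CLONE_PATTERN = re.compile(r"^Win10T-\d+$", re.IGNORECASE)  # fixed part + number
GOLD_MASTERS = {"WIN10-GOLD"}  # manual assignment: explicit hostnames

# Constructed sample inventory (versions are made up for illustration).
SAMPLE = [
    ("WIN10-GOLD", "7.10.100"),
    ("Win10T-1", "7.10.100"),
    ("Win10T-2", "7.11.200"),
    ("Win10T-3", "7.9.50"),
    ("Win10X-4", "7.10.100"),
]

def parse_version(text):
    """Turn '7.10.100' into (7, 10, 100) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def classify(hostname):
    """Return the group a host lands in under the two-group scheme."""
    if hostname.upper() in GOLD_MASTERS:
        return "gold-master"
    if CLONE_PATTERN.match(hostname):
        return "vdi-clone"
    return "unassigned"

def audit(inventory):
    """Compare every clone's sensor version with the gold master baseline."""
    masters = [parse_version(v) for h, v in inventory if classify(h) == "gold-master"]
    if not masters:
        raise ValueError("no gold master image in inventory")
    baseline = max(masters)
    findings = []
    for host, version in inventory:
        group = classify(host)
        if group == "unassigned":
            findings.append((host, "matches no VDI group"))
        elif group == "vdi-clone":
            v = parse_version(version)
            if v > baseline:  # updated inside a session; reverts at logoff
                findings.append((host, "newer than master"))
            elif v < baseline:  # master updated, pool not yet recomposed
                findings.append((host, "older than master"))
    return findings

if __name__ == "__main__":
    for host, reason in audit(SAMPLE):
        print(f"{host}: {reason}")
```

Versions are compared as integer tuples because a plain string comparison would rank 7.9 above 7.10.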
Updating the master image
The Gold Master images are Virtual Machines that are usually shut down and only booted when you need to update those images. So, in a lot of cases, these machines will be booted once a month, on Microsoft Patch Tuesday or shortly after that day, to update the Operating System and potentially update other software in that reference image.
I’m going to describe the ideal scenario and what we should encourage our customers to do. In some cases, you might not be able to get them to do the recommended steps, and I’ll explain the drawbacks as well if they choose not to follow the recommended steps.
Updating Master image and launching a desktop pool recompose
This is an example of what this will look like in VMware vSphere.
6. Now, have them go into VMware Horizon or Citrix XenDesktop and complete the Recompose operation, based on the new snapshot taken.
This is an example of what it looks like in VMware Horizon (pool name is Win10Test), where you schedule a maintenance operation.
Here is an example of the recompose wizard in VMware Horizon, where you choose the new snapshot to use for the desktop pool.
Once the customer has finished the wizard, the VMs will recompose, come back online and everything will be up to date!
Hope you found the above useful. Both technologies work well together, and it’s good to keep your VMs up to date and secure 😉