Activating non-persistent Deep Security Agent via Task Scheduler and PowerShell

    • Updated: 16 Jan 2020
    • Product/Version: Deep Security 10.0, Deep Security 11.0, Deep Security 12.0
    • Platform: Windows 7, Windows 8.1, Windows 10

The Virtual Desktop Infrastructure (VDI) golden image is configured with Deep Security Agent (DSA) already installed but not yet activated. This article explains how to use a combination of Windows PowerShell and Windows Task Scheduler to automatically activate non-persistent VDIs.



  1. In PowerShell on the VDI golden image, make sure the execution policy is set to "RemoteSigned" (using Set-ExecutionPolicy) to allow the script to run.
  2. Set up the Deep Security Manager (DSM) to allow re-activation from known computers.
    1. On the DSM console, navigate to Administration > System Settings.
    2. Click the Agents tab.
    3. Tick the Allow Agent-Initiated Activation checkbox and select the For Any Computers radio button.
    4. Enable the Allow Agent to specify hostname checkbox.
    5. For the section If a computer with the same name already exists, choose Re-activate the existing computer.
    6. Tick the Allow re-activation of cloned VMs checkbox.
  3. Create a PowerShell file (.ps1) and input the following. Make sure to edit the DSM location accordingly.
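    Write-Host "Starting DSA Scripts..."
    # Work from the agent's installation directory so dsa_control.cmd resolves.
    cd "C:\Program Files\Trend Micro\Deep Security Agent"
    # Reset the agent configuration.
    cmd /c "dsa_control.cmd -r"
    Write-Host "Waiting for 30 seconds before attempting to activate agent..."
    sleep 30
    # Activate the agent against the DSM (edit the placeholder below).
    cmd /c "dsa_control -a dsm://<IP or FQDN of the DSM Server>:4120"
    Write-Host "Waiting for 10 seconds before attempting heartbeat to manager.."
    sleep 10
    # Send a heartbeat to the manager.
    cmd /c "dsa_control.cmd -m"
    Write-Host "Completed..."
    # Return the execution policy to Restricted once activation is done.
    Write-Host "Setting Powershell execution policy to Restricted..."
    Set-ExecutionPolicy Restricted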
If the execution policy on the golden image is already set to RemoteSigned by default in the client's environment, delete the last two lines of the PowerShell script before saving the file so that the script does not set the execution policy to Restricted.


  1. Go to the Control Panel.
  2. Open the Windows Task Scheduler and go to the Administrative section.
  3. On the Task Scheduler window, highlight the Task Scheduler Library and create a new task by doing either of the following:
    • On the top menu, click Actions > Create Task…
    • On the left section, right-click Task Scheduler Library and select Create Task…
  4. On the Create Task window under the General tab, label the DSA activation task accordingly and enable the following options:
    • Run whether the user is logged in or not
    • Run with highest privileges

  5. Under the Trigger tab, set a trigger At startup.

  6. Select the Actions tab and click New...
  7. On the New Action window, set the following:

    Action: Start a Program
    Program/Script: powershell.exe
    Add arguments (optional): -f "<full path of the PowerShell .ps1 file location>"

    "-f" is short for the -File parameter, which tells powershell.exe to run the given script file.

  8. Click OK. When new VDIs are generated from the golden image, the startup task should automatically run the PowerShell script to activate the agent protection.
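
The Task Scheduler steps above can also be scripted when building the golden image. The following is an added example, not part of the original article or Trend Micro's own tooling: it registers the same startup task and, because the task runs with highest privileges, first refuses to continue if the .ps1 file is writable by anyone other than SYSTEM or Administrators. The script path, the task name, the SYSTEM run-as account and the ACL check are assumptions, and the ScheduledTasks cmdlets it uses are available on Windows 8.1 and Windows 10 but not on Windows 7.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed values (not from the article): script path, task name, SYSTEM account.
$ScriptPath = 'C:\Scripts\Activate-DSA.ps1'   # hypothetical path of the .ps1 created earlier
$TaskName   = 'DSA Activation'                # hypothetical task name

if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
    throw "Activation script not found: $ScriptPath"
}

# The task runs elevated at every boot, so only SYSTEM and Administrators should be
# able to change the script. Extend this list if your image needs other owners.
$trustedSids = 'S-1-5-18', 'S-1-5-32-544'
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

# Ask for the rules with SIDs instead of account names so the check is locale independent.
$rules = (Get-Acl -LiteralPath $ScriptPath).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$risky = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $writeMask) -ne 0) -and
    ($trustedSids -notcontains $_.IdentityReference.Value)
})
if ($risky.Count -gt 0) {
    $risky | ForEach-Object {
        Write-Warning ("{0} has {1}" -f $_.IdentityReference.Value, $_.FileSystemRights)
    }
    throw "Refusing to register '$TaskName': $ScriptPath is writable by non-administrative identities."
}

# Same settings as the GUI steps: start powershell.exe with -File, trigger at startup,
# run without a logged-on user, highest privileges.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

# Confirm what was registered.
Get-ScheduledTask -TaskName $TaskName |
    Select-Object TaskName, State,
        @{ Name = 'RunAs';    Expression = { $_.Principal.UserId } },
        @{ Name = 'RunLevel'; Expression = { $_.Principal.RunLevel } }
```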
