Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Deployment and setup guide for combined mode protection of computers in Deep Security

    • Updated:
    • 24 Feb 2021
    • Product/Version:
    • Deep Security 12.0
    • Deep Security 12.5
    • Deep Security 20.0
    • Platform:

This article will provide the high-level steps to configure an environment that uses combined mode protection for computers (Agent and Appliance).


VDI golden image preparation

  • Install the Guest Introspection Thin Agent with the Golden Image.

    When using either the traditional installation method or Microsoft Deployment Toolkit (MDT), and preparing the Golden Master Image(s), install the necessary VMware Guest Introspection Thin Agent, which is a part of VMware Tools.

  • Persistent and Non-Persistent VMs

    Both persistent and non-persistent view desktops need antivirus protection. Agentless protection is recommended for both scenarios. Install VMware Tools in the virtual machine before it is converted into a parent virtual machine for linked clones.

    If agent-based protection is required, install an unactivated Deep Security Agent (DSA) on the VM before it becomes the parent virtual machine.

    For reference, refer to Step 1-2, Page 81 of the Deep Security 12 Best Practice Guide.

DSA installation and post-installation depending on some considerations

Choose if Anti-Malware protection source when in Combined Mode will be appliance preferred or appliance only.

  • Appliance preferred
    Perform the following steps only if you prefer to make the switch to Anti-Malware to agent faster in case the appliance goes down since the Anti-Malware module will be pre-installed.

    On the VDI Golden Image, install DSA. Activate it first and enable Anti-Malware so succeeding clones will already have the Anti-Malware module pre-installed. After installing Anti-Malware the first time, it will require a reboot. After reboot, deactivate the DSA.

  • Appliance only

    No need to do further action.

    Note that the only drawback is that if the appliance goes down, there will be no Anti-Malware protection.

Scheduled Task PowerShell Script for System Startup Agent Activation

Create a Scheduled Task / Startup Script for the Agent Activation. Refer to this KB article.

Below is a sample script: C:\data\scripts\dsaActivate.ps1

Write-Host "Starting DSA Scripts..."
cd "C:\Program Files\Trend Micro\Deep Security Agent"
cmd /c "dsa_control.cmd -r"
Write-Host "Waiting for 5 seconds before attempting to activate agent..."
sleep 5
cmd /c "dsa_control -a dsm://dsm01.lab.local:4120"
Write-Host "Waiting for 5 seconds before attempting heartbeat to manager.."
sleep 5
cmd /c "dsa_control.cmd -m"
Write-Host "Completed..."
Write-Host "Setting Powershell execution policy to Restricted..."
Set-ExecutionPolicy Restricted

Note that the above script is already a modified sample. Make sure that the VDI machine can resolve the Deep Security Manager Activation URL via DNS.

Below is a sample command to create a scheduled task based on the above script.

schtasks.exe /Create /tn "Trend DS Agent Activate" /sc ONSTART /delay 0000:00 /ru "DOMAIN\SERVICE_ACCOUNT" /rp "PASSWORD" /tr "powershell.exe -f C:\data\scripts\dsaActivate.ps1"

Note that the command above is just a template. Modify it as needed or manually create a Scheduled Task using Administrative Tools > Scheduled Task GUI.

Configure VDI template for any other configuration you may need

Complete anything else you need on the VDI Golden Image Template.

Configuring Deep Security Manager (DSM) Event Based Task (EBT)

  1. On the DSM console, go to > Administration > Event-Based Tasks.
  2. Click New.
  3. Event: Choose "Computer Powered On (by System)".
  4. Click Next.
  5. Choose an Action to perform:
    • Activate Computer (add a delay of your choice, e.g. delay of 5 minutes. This delay needs to be longer than the time it takes for the Task Scheduler-based activation configured earlier since that does not have a policy assignment, and this EBT does have a policy assignment)
    • Assign Policy: your choice of policy for VDI Machines
  6. Click Next.
  7. Specify any match condition. For example, Computer Name matches ProtectedVDI.*
  8. Click Next.
  9. Ensure Task Enabled is ticked.
  10. Click Finish.

Below are sample screenshots:

Example of Event Based Task (Note: Computer Name is the Hostname, not the VM Name)


Example of a new computer, Activating (Delayed)


Example of Agent Initiated Activation (via Task Scheduler Script) and Appliance originated Activation (Event Based Task)


Modules Status

Visit this Help Center article for more references.

Appliance Preferred: If there is an activated appliance on the ESXi server, it will provide the protection. But if the appliance is deactivated or removed, then the agent will provide protection instead.



Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.