Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Multiple agent-protected VDIs show as a single entry on Deep Security Manager (DSM)

    • Updated:
    • 13 Mar 2020
    • Product/Version:
    • Deep Security 12.0
    • Deep Security 20.0
    • Deep Security 9.6
    • Platform:
    • Windows 2008 Server R2 Enterprise
    • Windows 2008 Standard 64-bit
    • Windows 2012 Enterprise
    • Windows 2012 Enterprise R2

After activating several computers on VDI infrastructure, all those machines seem to be managed by a single entry on the DSM with different IP addresses.

It is not clear how a proper configuration and deployment is usually set up for VDI clones of the Master Image. Citrix Xen App and VMware View are some examples of such infrastructure. These computers are protected by Deep Security Agent (DSA), but not by Deep Security Virtual Appliance (DSVA). Also, these machines may also be non-persistent causing a need for re-activation every startup.


In such cases, you can use agent-initiated activation with specific settings on the DSM to perform an automatic deployment. A PowerShell startup script will be used to install the agent on the machine, which can also function on non-persistent computers.

To enable the agent-initiated activation:

Before deploying this procedure in a production environment, please test the settings first in your test environment and make sure it helps you achieve your goal.
  1. Keep the Golden Image (Master Image) template without any Deep Security Agent installed. If needed, clean up the uninstallation as well to ensure that no drivers are left. For the list of files to check, refer to this article: Manually uninstalling Deep Security Agent, Relay, and Notifier from Windows.
  2. Set up the DSM to allow re-activation from known computers.
    1. On the DSM console, navigate to Administration > System Settings.
    2. Click the Agents tab.
    3. Tick Allow Agent-Initiated Activation checkbox and select For Any Computers radio button.
    4. Enable Allow Agent to specify hostname checkbox.
    5. For the section If a computer with the same name already exists, choose Re-activate the existing computer.
    6. Tick Allow reactivation of cloned VMs checkbox.

    Allow re-activation from known computers

  3. Create a deployment script for your machines.
    1. At the upper-right corner of the DSM console, click Support > Deployment Scripts.

      Deployment Script

    2. Select the appropriate platform (e.g. Microsoft Windows 64-bit).
    3. Tick the Activate Agent automatically after installation checkbox.
    4. Select the Security Policy you need for Citrix machines (e.g. Base Policy > Windows).
    5. Choose the target Computer Group.
    6. Select the Relay Group.

    The PowerShell script will be generated as seen below:

    Generated PowerShell script

  4. Copy all contents of generated PowerShell script and save it as .ps1 file in the startup scripts folder. Afterwards, set it as a startup script.

    Startup Script

The script downloads the DSA MSI package, then installs and activates it. This will always generate a different ID while keeping the deployment automatic. While re-activating the hosts based on their hostname, this procedure ensures that a new entry will be created for each new computer you deploy from your VDI.

Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.