Advanced Settings Non-Persistent Desktops

This section shows how to configure clients manually for the Non-Persistent VDI solution in the Signature Server and Signature Server Consumers roles.

Use this approach if the "Policy Approach" is not available.

Configuring the Shared Signatures Server

You can configure the Signature Server manually or with a script.

Create a Shared Folder

  1. Create a folder to store the shared signatures.
  2. Share the folder and grant read access to members of the "Domain Computers" group.
    Note:

    On Workgroup machines, the "SYSTEM" account does not have network login rights. This configuration is not supported.

Configure the Windows Registry Keys

  1. Configure the value 0x01 for the key VdiSignatureServer (to configure the machine as "Shared Signatures Server"):
    • On 64-bit operating system:

      HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint Security\Anti-Malware\VdiSignatureServer=(DWORD)0x01
    • On 32-bit operating system:

      HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Anti-Malware\VdiSignatureServer=(DWORD)0x01
  2. Configure the path to the shared signatures folder in the key AVSharedBases:
    • On 64-bit operating system:

      HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint Security\Anti-Malware\AVSharedBases=(SZ)"DISK:\\Path\\To\\Shared\\Folder"
    • On 32-bit operating system:

      HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Anti-Malware\AVSharedBases=(SZ)"DISK:\\Path\\To\\Shared\\Folder"

    Notes:

    • If you do not configure the path, then the default shared folder is:

      C:\ProgramData\CheckPoint\Endpoint Security\Anti-Malware\bases\shared
    • The default shared folder exists after the first successful update.

  3. Reboot the machine to restart the Anti-Malware blade.

To configure with a script:

  1. Download the Shared Signatures Server Configuration script file.
  2. Execute the script on the Signature Server and follow the instructions.
  3. Make sure the script finishes successfully.
  4. Make sure you reboot the machine to restart the Anti-Malware blade.

Configuring the Client Machine

You can configure the Client Machine (the Golden Image) manually or with a script.

  1. Disable the Anti-Malware Periodic Scan. See the instructions above.
  2. In Windows Registry, configure the value 0x01 for the key AVBasesScheme (to enable the "Shared Signatures" scheme):
    • On 64-bit operating system:

      HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint Security\Anti-Malware\AVBasesScheme=(DWORD)0x01
    • On 32-bit operating system:

      HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Anti-Malware\AVBasesScheme=(DWORD)0x01
  3. In Windows Registry, configure the path to the shared signatures folder in the key AVSharedBases:
    • On 64-bit operating system:

      HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint Security\Anti-Malware\AVSharedBases=(SZ)"\\Server\FolderWithSharedSignatures"
    • On 32-bit operating system:

      HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Anti-Malware\AVSharedBases=(SZ)"\\Server\FolderWithSharedSignatures"

    Notes:

    • If you do not configure the path, then the default shared folder is:

      C:\ProgramData\CheckPoint\EndpointSecurity\Anti-Malware\bases\shared
    • The default shared folder exists after the first successful update.

  4. Reboot the machine or restart the Anti-Malware process.

To configure with a script:

  1. Download the Golden Image Configuration script file.
  2. Execute the script on the Golden Image and follow the instructions.
  3. Make sure the machine is rebooted.
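
A read-only check of the registry values from the manual steps above, for either role, as an added PowerShell example (it is not the Check Point configuration script mentioned on this page). The function name Test-VdiSignatureConfig and its -Role parameter are assumptions of this example; the key and value names are the ones listed above.

```powershell
# Added example: read-only audit of the manual registry settings described above.
# Test-VdiSignatureConfig and its -Role parameter are names made up for this example.
function Test-VdiSignatureConfig {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Server', 'Consumer')]
        [string]$Role
    )

    # 64-bit Windows keeps the values under WOW6432Node, 32-bit Windows does not.
    $software = if ([Environment]::Is64BitOperatingSystem) { 'SOFTWARE\WOW6432Node' } else { 'SOFTWARE' }
    $key = "HKLM:\$software\CheckPoint\Endpoint Security\Anti-Malware"

    # Server role is marked by VdiSignatureServer, consumer role by AVBasesScheme (both DWORD 0x01).
    $flagName = if ($Role -eq 'Server') { 'VdiSignatureServer' } else { 'AVBasesScheme' }

    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $flag  = if ($props) { $props.$flagName } else { $null }
    $bases = if ($props) { $props.AVSharedBases } else { $null }

    $findings = @()
    if ($flag -ne 1) {
        $findings += "$flagName is '$flag', expected DWORD 0x01"
    }
    if ([string]::IsNullOrWhiteSpace($bases)) {
        # Informational only: without AVSharedBases the default shared folder is used.
        $findings += 'AVSharedBases is not set; the default shared folder is used'
    }
    elseif ($Role -eq 'Consumer' -and -not $bases.StartsWith('\\')) {
        $findings += "AVSharedBases '$bases' does not look like a UNC path to the Signature Server share"
    }
    elseif ($Role -eq 'Server' -and -not (Test-Path -LiteralPath $bases -PathType Container)) {
        $findings += "AVSharedBases '$bases' does not exist on this machine"
    }

    # Compliant reflects only the role flag; Findings lists everything worth reviewing.
    [pscustomobject]@{
        Role          = $Role
        RegistryKey   = $key
        FlagName      = $flagName
        FlagValue     = $flag
        AVSharedBases = $bases
        Compliant     = ($flag -eq 1)
        Findings      = $findings
    }
}

# Run on the Golden Image; use -Role Server on the Signature Server.
Test-VdiSignatureConfig -Role Consumer | Format-List
```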