
Deploy CylancePROTECT Desktop on virtual machines

  1. Create a device policy that you will use to prepare the VDI gold image. Configure the following options in the policy:

    | Device policy category | Options |
    | --- | --- |
    | File Actions | Turn on Auto Quarantine with Execution Control for unsafe and abnormal file types |
    | Protection Settings | Turn on Background Threat Detection (Run Once); turn on Watch for New Files |

  2. Prepare the VDI gold image.
    1. Install the CylancePROTECT Desktop agent on the gold image. For example, use the following installation command and parameters:
      msiexec /i CylancePROTECTSetup_x64.msi /qn PIDKEY=<INSTALLATION TOKEN> VDI=1 LAUNCHAPP=1
    2. Apply the device policy that you created in step 1 to the gold image.
      Allow the background threat detection scan to complete. This can take several hours, depending on the size of the disk and the activity on the image as it is being scanned.
  3. On the gold image, clear the fingerprint values from the registry.
    1. Stop the CylanceSvc service. For instructions, visit support.blackberry.com and read KB 107236.
    2. Using the Local Administrator account, take ownership of the following registry key and grant the account Full Control permissions on it:
      HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop
    3. Back up or export the registry key shown above.
    4. Remove the following registry keys: FP, FPMask, and FPVersion.
  4. Create the gold image.
  5. Create a device policy that is intended for production VDI workstations. BlackBerry recommends the following options in the policy, in addition to the options that you want to enable for your production workstations:

    | Device policy category | Options |
    | --- | --- |
    | File Actions | Turn on Auto Quarantine with Execution Control for unsafe and abnormal file types; turn on Auto Upload |
    | Protection Settings | Turn on Watch for New Files; turn off Background Threat Detection |

  6. Deploy and clone the gold image to production workstations. Each cloned image must have a unique UUID or ID that is different from that of the gold image.
  7. Apply the device policy from step 5 to the production workstations.

For the cloned devices, configure zone-based agent updates to Do Not Update or to a specific version of the agent. Updates should be managed on the gold image. See Update CylancePROTECT Desktop on cloned devices.
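
Steps 3.3 and 3.4 above (back up the key, then remove FP, FPMask, and FPVersion), as an added PowerShell example that is not BlackBerry's own tooling. It assumes CylanceSvc has already been stopped per KB 107236 and that ownership and Full Control on the key were granted in step 3.2; `$BackupDir` is a hypothetical path, and because the page does not say whether the three entries are values or subkeys, the script handles both.

```powershell
#Requires -RunAsAdministrator
# Added example: backs up the agent key and clears the fingerprint entries on the gold image.
# Assumptions: CylanceSvc already stopped (step 3.1), permissions already granted (step 3.2),
# and $BackupDir is a hypothetical location chosen for this example.
param([string]$BackupDir = 'C:\GoldImagePrep')

$ErrorActionPreference = 'Stop'
$KeyPath = 'HKLM:\SOFTWARE\Cylance\Desktop'
$Names   = 'FP', 'FPMask', 'FPVersion'

# Refuse to touch the registry while the agent service is still running.
$svc = Get-Service -Name 'CylanceSvc'
if ($svc.Status -ne 'Stopped') {
    throw "CylanceSvc is $($svc.Status); stop it first (step 3.1)."
}
if (-not (Test-Path -Path $KeyPath)) { throw "$KeyPath not found; is the agent installed?" }

# Step 3.3: export the key before changing anything, and stop if the export fails.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ('CylanceDesktop_{0:yyyyMMdd_HHmmss}.reg' -f (Get-Date))
& reg.exe export 'HKLM\SOFTWARE\Cylance\Desktop' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $backup)) {
    throw 'Registry export failed; nothing was removed.'
}

# Step 3.4: remove each entry, whether it exists as a value or as a subkey.
foreach ($name in $Names) {
    $key = Get-Item -Path $KeyPath
    if ($key.GetValueNames() -contains $name) {
        Remove-ItemProperty -Path $KeyPath -Name $name
    }
    $sub = Join-Path $KeyPath $name
    if (Test-Path -Path $sub) {
        Remove-Item -Path $sub -Recurse
    }
}

# Verify before creating the gold image: leftover entries would be copied into every clone.
$key  = Get-Item -Path $KeyPath
$left = $Names | Where-Object {
    ($key.GetValueNames() -contains $_) -or (Test-Path -Path (Join-Path $KeyPath $_))
}
if ($left) { throw "Still present: $($left -join ', ')" }
Write-Output "Fingerprint entries cleared. Backup: $backup"
```

Run it from an elevated session on the gold image only, after the background threat detection scan from step 2 has completed.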