Deploying the Datto Endpoint Security agent to virtual machines

NAVIGATION   > Organizations > select an organization > select a location >  > Download Agent

SECURITY   Datto EDR subscription with administrator-level platform access or Datto AV subscription with administrator-level platform access

SECURITY   Service account or administrator-level rights on the target endpoint

This article describes supported methods for deploying the Datto Endpoint Security agent to persistent virtual machines (VMs) and Virtual Desktop Infrastructure (VDI) and to non-persistent VMs and VDI.

NOTE  Datto AV protection is delivered by the Datto Endpoint Security agent and is managed from the Policies page.

Overview

All endpoints monitored by Datto EDR must have a unique agent ID. When you install the Endpoint Security agent on a target system, the endpoint receives its agent ID, which your EDR instance uses to identify and correctly categorize its audits.

If you pre-install the Endpoint Security agent on a base virtual machine and then clone it to create additional VMs, all subsequent endpoints created from that image will share the same agent ID. This duplication will cause reports and alerts from your new systems to consolidate under the ID of the original endpoint.

To avoid this problem, we recommend always installing the Endpoint Security agent separately on each virtual machine post-deployment.

IMPORTANT  Our agent software does not support deployment to hypervisors.

Prerequisites

Before you begin, we need to understand your current environment and what you'd like to do.

  • If you're a Datto EDR or Datto AV customer deploying the Endpoint Security agent to endpoints that currently don't have it, proceed to the next section of this article.

  • If you're a Datto EDR or Datto AV customer seeking to enable AV protection on one or more endpoints where the Endpoint Security agent is present, you do not need to redeploy any software. Refer to our Working with the Policies page article.

Supported installation methods

We support the following methods of installing the Datto Endpoint Security agent on virtual machines:

  1. Manual installation: Refer to Deploying the Datto Endpoint Security agent

  2. GPO deployment: Refer to Deploying the Datto Endpoint Security agent via Group Policy Object (GPO).

  3. PowerShell installation: Refer to our documentation and scripts available from the Datto EDR GitHub page.

  4. Distribution tools: You can also perform agent deployment via distribution tools such as Datto RMM.

Installing EDR on non-persistent VMs and VDI

When installing EDR on non-persistent environments you will want to make note of how and when the registry key is created to avoid situations such as devices being duplicated in the EDR portal and exhausting your available licenses.

In these situations, you should consult with your system administrator to review how you manage your instances and how you would like licenses to be used.

An example would be to create a unique agent ID registry for each username that logs in. This would help to pair a license to a user while also being able to associate any VM EDR security data to that user.

The steps below are an example of how to capture a unique agent ID per user. The exact steps depend on how your non-persistent environment is configured.

  1. Write a script (e.g., PowerShell) that installs the application and captures the registry key from HKLM.
  2. Store the captured registry key in a network location specific to the user or VM.
  3. On subsequent logins, the script checks for the existence of the registry key and restores it if it's missing.

Wrapping up

If this agent deployment is for or will include Datto AV service, proceed to our Working with the Policies page article to continue.