
Hyper-V Server — Hyper-V Manager (GUI)

Create the RTA VM with the New Virtual Machine wizard in Hyper-V Manager, attach both VHDX disks, and apply the required settings (Secure Boot off, MAC spoofing on, external switch). This path uses no PowerShell.

Before you start

Review the Hyper-V Server overview. You need:

  • The two extracted VHDX disks (rta_latest.vhdx + cidata.vhdx) on the server
  • The Hyper-V Manager console open with Administrator rights
  • An external virtual switch already created and bound to a wired Ethernet NIC (see step 1 below if you don't have one)
  • Outbound internet access from that NIC

1. Create an external switch (if you don't already have one)

Skip this step if the server already has an external virtual switch connected to a wired Ethernet NIC with internet access.

External switch only — not Internal or Default Switch

Windows Server Hyper-V has no built-in "Default Switch". Even if it did, you need an External switch bound to a physical NIC so the appliance gets Layer-2 access to the engagement LAN. An Internal or Private switch will prevent the appliance from reaching the headend or its targets.

  1. In Hyper-V Manager, click Virtual Switch Manager in the right-hand Actions pane.
  2. Select External → Create Virtual Switch.
  3. Give it a name (for example RTA-External).
  4. Under Connection type, select External network and choose the wired Ethernet adapter that provides internet access.
  5. Leave Allow management operating system to share this network adapter checked.
  6. Click OK. Expect a brief network blip while Hyper-V re-binds the NIC.

2. Extract the disks

Extract the VHDX zip to a local path on the server, for example C:\RTA. Confirm both disks are present:

C:\RTA\
├── rta_latest.vhdx     # appliance root disk (boot)
└── cidata.vhdx         # cidata seed disk (engagement identity)

3. Create the Gen2 VM

  1. In Hyper-V Manager, click New → Virtual Machine in the Actions pane → Next.
  2. Specify Name and Location: name it Sophos-RTA → Next.
  3. Specify Generation: select Generation 2 → Next.

    Generation 2 is required

    The image uses a GPT disk with an EFI System Partition. A Generation 1 VM (Legacy BIOS) will not boot it.

  4. Assign Memory: set Startup memory to 8192 MB (minimum 4096). Leave Dynamic Memory unchecked → Next.

  5. Configure Networking: choose your external switch (e.g. RTA-External) → Next.
  6. Connect Virtual Hard Disk: select Use an existing virtual hard disk, browse to C:\RTA\rta_latest.vhdx → Next.
  7. Summary: review and click Finish.

4. Attach the cidata disk

The wizard only attaches the root disk. Add the seed disk as a second disk:

  1. Right-click Sophos-RTA → Settings.
  2. Select SCSI Controller in the left pane → Hard Drive → Add.
  3. Under Virtual hard disk, click Browse and select C:\RTA\cidata.vhdx → OK.

Attach both disks — the cidata disk carries the appliance identity

Without the cidata seed disk the appliance has no engagement identity and will not register. Confirm both rta_latest.vhdx and cidata.vhdx are listed under the SCSI controller before you start the VM.

5. Set the processor count

  1. In Settings, select Processor.
  2. Set Number of virtual processors to 4 → OK.

6. Turn Secure Boot Off

  1. In Settings, select Security in the left pane.
  2. Uncheck Enable Secure Boot → OK.

Secure Boot must be Off

The appliance's bootloader is unsigned. With Secure Boot enabled, the firmware refuses to execute it and the VM shows a black screen with the message "The unsigned image's hash is not allowed (DB)". This is the single most common cause of a non-booting RTA on Hyper-V.

7. Turn MAC address spoofing On

  1. In Settings, select Network Adapter → Advanced Features.
  2. Set MAC address spoofing to Enabled → OK.

MAC spoofing is required for L2 tooling

Hyper-V drops frames whose source MAC differs from the adapter's assigned MAC, which breaks ARP poisoning, Responder, and bettercap MITM forwarding.

8. Start the VM

Right-click Sophos-RTA → Start, then double-click the VM to open the console.

The disks are customized for your engagement (the cidata disk carries the appliance identity), so the appliance boots already registered and connects to the Sophos headend automatically — no further configuration is needed.

Verify

Double-click the VM in Hyper-V Manager to open the console. Because this image is pre-registered, the console shows a live status and troubleshooting dashboard (network interface, VPN tunnel, connectivity health).

Run the following checks in an elevated PowerShell to confirm the VM is correct:

# Secure Boot must be Off
(Get-VMFirmware -VMName "Sophos-RTA").SecureBoot

# MAC spoofing must be On
(Get-VMNetworkAdapter -VMName "Sophos-RTA").MacAddressSpoofing

# Both disks must be attached
Get-VMHardDiskDrive -VMName "Sophos-RTA" | Select-Object Path

# NIC must be on an External switch
Get-VMSwitch -Name (Get-VMNetworkAdapter -VMName "Sophos-RTA").SwitchName | Select-Object SwitchType

Expected: SecureBoot = Off, MacAddressSpoofing = On, two disk paths (rta_latest.vhdx and cidata.vhdx), SwitchType = External.
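
The same checks as a single pass/fail report, as an added example that is not part of the original page or vendor tooling. The function name Test-RtaVmConfig is hypothetical; it also covers the generation, memory and processor values from steps 3 and 5, and evaluates every network adapter in case the VM has more than one.

```powershell
#Requires -Modules Hyper-V
# Added example, not vendor code. Run in an elevated PowerShell on the Hyper-V host.
function Test-RtaVmConfig {
    param(
        [string]$VMName = 'Sophos-RTA',
        [string[]]$RequiredDisks = @('rta_latest.vhdx', 'cidata.vhdx')
    )

    $vm    = Get-VM -Name $VMName -ErrorAction Stop
    $nics  = @(Get-VMNetworkAdapter -VMName $VMName)
    $disks = @(Get-VMHardDiskDrive -VMName $VMName |
               ForEach-Object { Split-Path -Path $_.Path -Leaf })

    # Get-VMFirmware only applies to Generation 2 VMs, so guard the call.
    $secureBoot = if ($vm.Generation -eq 2) {
        "$((Get-VMFirmware -VMName $VMName).SecureBoot)"
    } else { 'n/a (Generation 1)' }

    # Collect per-adapter state so a second, misconfigured NIC is not missed.
    $spoofing = @($nics | ForEach-Object { "$($_.MacAddressSpoofing)" })
    $switches = @($nics | ForEach-Object {
        if ($_.SwitchName) { "$((Get-VMSwitch -Name $_.SwitchName).SwitchType)" }
        else { 'Not connected' }
    })
    $missing = @($RequiredDisks | Where-Object { $_ -notin $disks })
    $hasNic  = $nics.Count -gt 0

    # One row per requirement: what the page expects, what the VM has, pass/fail.
    $row = {
        param($Check, $Expected, $Actual, $Pass)
        [pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = $Actual; Pass = [bool]$Pass }
    }
    & $row 'Generation'           '2'        $vm.Generation  ($vm.Generation -eq 2)
    & $row 'Secure Boot'          'Off'      $secureBoot     ($secureBoot -eq 'Off')
    & $row 'MAC address spoofing' 'On'       ($spoofing -join ', ') `
        ($hasNic -and @($spoofing | Where-Object { $_ -ne 'On' }).Count -eq 0)
    & $row 'Switch type'          'External' ($switches -join ', ') `
        ($hasNic -and @($switches | Where-Object { $_ -ne 'External' }).Count -eq 0)
    & $row 'Disks attached'       ($RequiredDisks -join ', ') ($disks -join ', ') ($missing.Count -eq 0)
    & $row 'Startup memory (MB)'  '>= 4096'  ($vm.MemoryStartup / 1MB) ($vm.MemoryStartup -ge 4096MB)
    & $row 'Virtual processors'   '4'        $vm.ProcessorCount ($vm.ProcessorCount -eq 4)
}

Test-RtaVmConfig | Format-Table -AutoSize
```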

Network access

The appliance makes one connection to do its job: an outbound tunnel to the Sophos headend. Nothing inbound is ever required — you never open or forward any ports to the appliance.

Allow this outbound destination

Destination:     connect.remotetesting.secureworks.com
IP addresses:    3.33.194.251 and 15.197.255.2 (static — these do not change)
Port / protocol: TCP 443, carrying OpenVPN (not HTTPS)
Direction:       Outbound only

Allow egress on TCP/443 to that destination from the appliance's network. On a next-generation firewall or NAC-controlled network, an L3 "allow 443" rule is often not enough — Layer-7 application control, TLS/SSL decryption, or NAC can still drop the tunnel even when the port is open. See Connectivity Troubleshooting for the exact firewall and NAC exceptions to request.
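
A host-side pre-check for the egress rule, as an added example that is not part of the original page. The function name Test-RtaHeadendEgress is hypothetical, and it assumes the Hyper-V host shares the external switch's NIC with the appliance (step 1) and is subject to the same firewall policy. A passing TCP test only confirms the L3/L4 rule; it does not show that OpenVPN survives Layer-7 inspection, TLS decryption or NAC.

```powershell
# Added example, not vendor code. Run on the Hyper-V host that shares the
# appliance's external NIC.
function Test-RtaHeadendEgress {
    param(
        # Destination, addresses and port as listed on this page
        [string]$HeadendHost = 'connect.remotetesting.secureworks.com',
        [string[]]$StaticIPs = @('3.33.194.251', '15.197.255.2'),
        [int]$Port           = 443
    )

    # Addresses the local resolver returns for the headend name. A result that
    # omits the documented static IPs suggests DNS filtering or rewriting on
    # this network (an inference, not a statement from the page).
    $resolved = @(Resolve-DnsName -Name $HeadendHost -Type A -ErrorAction SilentlyContinue |
                  Where-Object { $_.IPAddress } |
                  ForEach-Object { $_.IPAddress })

    foreach ($ip in $StaticIPs) {
        # Plain TCP handshake to each static address on the tunnel port.
        $tcp = Test-NetConnection -ComputerName $ip -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Address        = $ip
            Port           = $Port
            ReturnedByDns  = $ip -in $resolved
            TcpHandshakeOk = $tcp.TcpTestSucceeded
        }
    }
}

Test-RtaHeadendEgress | Format-Table -AutoSize
```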

Troubleshooting

Deployed but something isn't right?

See Hyper-V Server troubleshooting for the most common issues on this platform and how to fix them.