
Hyper-V (Windows 11) — Hyper-V Manager (GUI)

Import the RTA using the Import Virtual Machine wizard in Hyper-V Manager. This is the fallback method for environments where PowerShell script execution is restricted. The wizard cannot auto-detect your NIC or create an external switch, so you handle those steps manually.

Before you start

Review the Hyper-V (Windows 11) overview. You'll need the extracted contents of Sophos-RTA.zip, a wired Ethernet NIC with internet egress, and an External virtual switch already bound to that NIC. Create the switch before starting the import wizard (step 1 below).

1. Create an external virtual switch (if you don't have one)

Skip this step if you already have an External switch bound to your wired Ethernet NIC — check Hyper-V Manager → Virtual Switch Manager to confirm.

  1. Open Hyper-V Manager.
  2. In the right-hand Actions pane, click Virtual Switch Manager.
  3. Select External and click Create Virtual Switch.
  4. Give it a name (e.g. RTA-External).
  5. Under Connection type, select External network and choose your wired Ethernet NIC from the drop-down.
  6. Click OK. You may see a brief warning that your network connectivity will be interrupted while the NIC is re-bound — click Yes. Network access resumes in a few seconds.

Do not use the Default Switch

The Default Switch (and any Internal or Private switch) is a NAT network. The appliance will reach the internet but will be isolated from your physical LAN at L2 — ARP poisoning, MITM, and host discovery against on-premises targets will not work. Use an External switch bound to a physical NIC.

Use a wired Ethernet NIC — Wi-Fi will degrade the engagement

If the only available NIC is wireless, the VM gets internet access but cannot operate as a distinct Layer-2 peer on the LAN — ARP poisoning, MITM, and host discovery against on-premises targets will not work. Running the RTA on Wi-Fi degrades the quality of the engagement and is strongly discouraged. Connect a wired Ethernet cable and bind the external switch to that NIC instead.

2. Extract the package

Extract Sophos-RTA.zip to a local path. Avoid paths with spaces or non-ASCII characters. For example:

C:\RTA\
├── README.md
├── Import-RTA.ps1
└── Sophos-RTA\
    ├── Virtual Machines\
    └── Virtual Hard Disks\

3. Open the Import Virtual Machine wizard

  1. Open Hyper-V Manager.
  2. In the Actions pane (or Action menu), click Import Virtual Machine.
  3. Click Next past the Before You Begin page.

4. Locate the folder

  1. Click Browse and navigate to the Sophos-RTA folder inside your extraction path (e.g. C:\RTA\Sophos-RTA).
  2. Click Select Folder, then Next.

5. Select the import type

Select Copy the virtual machine (create a new unique ID) and click Next.

Note

Choosing "Copy" generates a new unique VM ID so the import is portable and repeatable. Do not select "Register in place" — that leaves the VM tied to its extracted path.

6. Connect the network adapter

The wizard will flag an incompatibility: the exported VM references a placeholder switch named ATTACH-EXTERNAL-SWITCH that does not exist on your host.

In the Connection column, select your External virtual switch (e.g. RTA-External) from the drop-down, then click Next.

7. Complete the import

Review the summary and click Finish. The wizard copies the VHDX and imports the VM configuration. This may take a few minutes depending on disk speed.

8. Confirm Secure Boot is Off

Always verify this step

Hyper-V Generation 2 VMs default to Secure Boot On with the "Microsoft Windows" template. The package ships with Secure Boot already disabled, but confirm that setting survived the import. With Secure Boot enabled the VM boots to a black screen with the firmware error "The unsigned image's hash is not allowed (DB)".

  1. In Hyper-V Manager, right-click the imported Sophos-RTA VM and choose Settings.
  2. Under Hardware, select Security.
  3. Confirm Enable Secure Boot is unchecked (Off).
  4. Click OK.

9. Confirm MAC address spoofing is On

  1. In VM Settings, select Network Adapter → Advanced Features.
  2. Confirm MAC address spoofing is set to Enabled.
  3. Click OK.

Why this matters

Hyper-V drops frames whose source MAC does not match the adapter's assigned MAC. With spoofing Off, L2 tools that forge source MACs (bettercap, Responder, custom ARP frames) will silently fail.
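If an interactive PowerShell prompt is available (execution-policy restrictions usually block .ps1 scripts, not cmdlets typed at the console), the settings from steps 1, 6, 8 and 9 can be confirmed in one pass with the Hyper-V module. This is an added check, not part of the Sophos-RTA package; it assumes the VM is named Sophos-RTA as shown in Hyper-V Manager and that it has a single network adapter.

```powershell
# Added verification check (not part of the Sophos-RTA package).
# Run from an elevated prompt on the Hyper-V host with the Hyper-V module installed.
$VMName = 'Sophos-RTA'   # name shown in Hyper-V Manager after import (assumption)

$vm  = Get-VM -Name $VMName
$fw  = Get-VMFirmware -VMName $VMName
$nic = Get-VMNetworkAdapter -VMName $VMName | Select-Object -First 1
# SwitchName is empty if the adapter is "Not connected", so guard the lookup.
$sw  = if ($nic.SwitchName) { Get-VMSwitch -Name $nic.SwitchName } else { $null }

$checks = [ordered]@{
    # Step 8: Secure Boot On leaves the VM at "The unsigned image's hash is not allowed (DB)".
    'Generation 2 VM'            = ($vm.Generation -eq 2)
    'Secure Boot Off'            = ($fw.SecureBoot -eq 'Off')
    # Step 9: frames with a source MAC other than the adapter's are dropped unless spoofing is On.
    'MAC address spoofing On'    = ($nic.MacAddressSpoofing -eq 'On')
    # Steps 1 and 6: adapter must sit on an External switch, not the NAT-based Default Switch.
    'Adapter connected'          = ($null -ne $sw)
    'Switch type is External'    = ($null -ne $sw -and $sw.SwitchType -eq 'External')
    'Not the Default Switch'     = ($null -ne $sw -and $sw.Name -ne 'Default Switch')
}

foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $state, $name)
}

if ($checks.Values -contains $false) {
    Write-Warning "Correct the FAIL items in VM Settings before starting $VMName."
} else {
    Write-Host "All import checks passed for $VMName."
}
```

Any FAIL line maps back to the numbered step above that fixes it in the GUI.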

Verify

  1. In Hyper-V Manager, right-click Sophos-RTA and choose Start.
  2. Right-click the VM again and choose Connect to open the console.
  3. The Win11 Hyper-V package is a generic image, so on first boot the appliance comes up in activation mode and shows an Appliance Registration screen with a one-time activation code.

Reading the activation code

The appliance keeps the Appliance Registration screen and its activation code displayed on the console until the device is activated — give the code to your Sophos engagement lead. Once activated, the appliance provisions itself, brings up the outbound VPN tunnel, and the console switches to the live status dashboard. If you miss the code, reconnect the console — it will still be there.

Network access

The appliance makes one connection to do its job: an outbound tunnel to the Sophos headend. Nothing inbound is ever required — you never open or forward any ports to the appliance.

Allow this outbound destination

Destination:      connect.remotetesting.secureworks.com
IP addresses:     3.33.194.251 and 15.197.255.2 (static — these do not change)
Port / protocol:  TCP 443, carrying OpenVPN (not HTTPS)
Direction:        Outbound only

Allow egress on TCP/443 to that destination from the appliance's network. On a next-generation firewall or NAC-controlled network, an L3 "allow 443" rule is often not enough — Layer-7 application control, TLS/SSL decryption, or NAC can still drop the tunnel even when the port is open. See Connectivity Troubleshooting for the exact firewall and NAC exceptions to request.

Troubleshooting

Deployed but something isn't right?

See Hyper-V (Windows 11) troubleshooting for the most common issues on this platform and how to fix them.