ESET Technical Support showed me the way. This is working well for me.
My Environment
Citrix and PVS 7.15 LTSR
PVS machines reboot and rebuild nightly from base image
Windows 2016
ESET ERA 6.5
Solution
Install ESET File Security into PVS image directly
Deploy ESET Remote Administrator Agent via Computer GPO Software Installation (x64+ini)
Create ESET Task to Synchronise Active Directory regularly (Ensure Tenants are in correct ESET groups)
Create ESET Task to "delete computers not connected" for 24 hours and deactivate (targeted at PVS tenant OUs)
Create ESET Task to update modules / virus definitions soon after boot on PVS tenant OUs
Outcome
PVS Tenants reboot and build at 5am, GPO installs agent.
ESET AD sync task ensures new tenants are in their expected OUs/ESET Groups
Every reboot a new duplicate object for the tenant appears in the ESET Group for Tenants
ESET "delete computer task" removes these duplicate objects.
ESET Task to update modules ensures the virus signatures are up to date as quickly as possible.
Concerns/Room for improvement.
Was concerned that the Agent Install GPO would not fire 100% on 1st boot; so far it has been 100% reliable.
Undesirable that the write cache is being used up by agent install and signature updates, ideally the agent IDs and signatures would be redirect-able to a fixed drive in a future version? (Not possible for now?)
Need to keep the gold image updated so as to minimise the delta between boot version of definitions and latest version of virus definitions during the first few minutes. Maybe an update can be forced as the product starts or the agent installs?