Issue
Endpoints are not checking in and keep getting Certificate errors in Sensor Diags
Error seen in Sensor.log:
Sensor private cert is missing. Tid[05F0] 2021-04-30 23:11:59 (e): Association for client cert is lost, comms will probably fail. WinError[0x8009200B: Cannot find the certificate and private key for decryption.]
Environment
VMware Carbon Black EDR (Response)
VDI
Using Microsoft Sysprep when imaging Machines
Windows Endpoints
Resolution
Reference Carbon Black VDI setup steps (Found here: https://community.carbonblack.com/t5/Documentation-Downloads/CB-Response-7-2-Integration-Guide/ta-p/92158?attachment-id=15109, starting on page 104)
- Delete Windows binary data.
  - Directory: %WINDIR%\CarbonBlack\store
  - Sub-directories: MD5_*
- Delete Windows event data.
  - Directory: %WINDIR%\CarbonBlack\EventLogs
  - Files: eventlog_*.log.zip and active-event.log
- Stop the CB Response services on the endpoint.
- Open a command prompt with administrator privileges.
- Execute the following commands:
- sc stop carbonblack
- sc stop carbonblackk (If Sensor version 7.2 use this command after disabling Tamper Protection on the Sensor Group: fltmc unload carbonblackk)
- NOTE: This is due to the new Tamper Protection feature that was added to Sensor v7.2.0. See Carbon Black article: Unable to Stop EDR Sensor Service Version 7.2.0 With 'sc stop carbonblackk'.
- NOTE: To disable Tamper Protection, go to the Sensor Group > Advanced section and set "Tamper Protection Level" to "None."
- Set the Sensor ID to 0 by setting the registry value SensorId under the key HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config.
  Note: If the SensorId value does not already exist, create it as a QWORD value.
- Before imaging (before running Sysprep, after the sensor service "CarbonBlack" has been stopped):
- Create directory for "Sensor Group" private key file.
mkdir %SYSTEMDRIVE%\cbtmp
- Export "Sensor Group" private key into a password-protected file for a one-time use during clone startup.
certutil -p password -exportPFX CarbonBlack * %SYSTEMDRIVE%\cbtmp\cb.pfx
- Remove the existing "Sensor Group" private key from the Certificate Store.
certutil -delstore CarbonBlack Sensor*
- Machine Startup Script:
- Import the private key into the Local Machine Store.
certutil -p password -importPFX CarbonBlack %SYSTEMDRIVE%\cbtmp\cb.pfx
- The sensor service starts and then stops itself if there is no "Sensor Group" private certificate/key. If it is already running for whatever reason, the extra start command does no harm.
sc start carbonblack
- Clean up the password-protected file and directory.
rmdir %SYSTEMDRIVE%\cbtmp /Q /S
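The pre-Sysprep and clone-startup halves of the procedure above as one script, added here as an example and not taken from the Carbon Black article; the store name, paths, password, registry key and service names are the article's, while the function names, the CN=Sensor* subject match and the 60-second service wait are assumptions.

```powershell
# Added example, not from the Carbon Black article: wraps the article's certutil/sc/registry steps
# with checks so the key is removed only after a good export and the PFX only after a good import.
$StoreName = 'CarbonBlack'                         # LocalMachine store used by the sensor (from the article)
$PfxDir    = Join-Path $env:SYSTEMDRIVE 'cbtmp'
$PfxPath   = Join-Path $PfxDir 'cb.pfx'
$PfxPass   = 'password'                            # must match on export and import; file is one-time use
$RegKey    = 'HKLM:\SOFTWARE\CarbonBlack\config'

function Test-SensorGroupKey {
    # $true when the store holds a cert with a private key whose subject matches the
    # Sensor* pattern the article passes to certutil -delstore (assumption: that pattern is the CN).
    $hits = Get-ChildItem "Cert:\LocalMachine\$StoreName" -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like 'CN=Sensor*' -and $_.HasPrivateKey }
    return [bool]$hits
}

function Invoke-PreSysprep([switch]$TamperProtectedSensor) {
    # Run once on the gold image before Sysprep: stop the sensor, zero SensorId, export then remove the key.
    sc.exe stop carbonblack | Out-Null
    if ($TamperProtectedSensor) { fltmc.exe unload carbonblackk | Out-Null }   # 7.2: Tamper Protection set to None first
    else                        { sc.exe stop carbonblackk     | Out-Null }
    if (-not (Test-Path $RegKey)) { New-Item -Path $RegKey -Force | Out-Null }
    New-ItemProperty -Path $RegKey -Name SensorId -Value 0 -PropertyType QWord -Force | Out-Null
    New-Item -ItemType Directory -Path $PfxDir -Force | Out-Null
    certutil -p $PfxPass -exportPFX $StoreName '*' $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $PfxPath)) { throw 'PFX export failed; key left in store' }
    certutil -delstore $StoreName 'Sensor*' | Out-Null
}

function Invoke-CloneStartup {
    # Machine startup script: import the PFX if the key is missing, start the sensor, then clean up.
    if (-not (Test-SensorGroupKey)) {
        if (-not (Test-Path $PfxPath)) { throw "No Sensor Group key in store and no PFX at $PfxPath" }
        certutil -p $PfxPass -importPFX $StoreName $PfxPath | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-SensorGroupKey)) { throw 'PFX import failed; PFX kept for retry' }
    }
    sc.exe start carbonblack | Out-Null            # harmless if the service is already running
    (Get-Service carbonblack).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    # Remove the password-protected file only after the key is confirmed in the store.
    if (Test-Path $PfxDir) { Remove-Item $PfxDir -Recurse -Force }
}
```

Call Invoke-PreSysprep (with -TamperProtectedSensor on 7.2 sensors) from an elevated prompt on the gold image, and register Invoke-CloneStartup as the machine startup script for the clones.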
Cause
If the certificate is not exported before Sysprep runs, the cloned machine will not get a new sensor ID.