Skip to main content
Red Canary help

Configuring VMWare Carbon Black EDR for use with Virtual Desktop Infrastructure (VDI)

  • Updated .

In virtual desktop infrastructure (VDI) environments, VMWare Carbon Black EDR can be staged on your Gold Image to facilitate deployment and administration of EDR sensors across all related virtual machines.

Installing VMWare Carbon Black EDR on virtual desktop infrastructure (VDI) systems

You can install a specially configured VMWare Carbon Black EDR sensor on VDI systems to ensure each new VDI endpoint is uniquely identified within the Carbon Black server.

These settings apply to Windows VDI configurations only, as Linux VDI behavior features are not supported at this time.

To install Carbon Black EDR on VDI systems:

  1. Enable VDI capabilities on the Carbon Black EDR Server.
  • If Red Canary hosts your Carbon Black server, visit your Portal Help page and click Please enable VDI mode for my Carbon Black Response server.
  • If Carbon Black hosts your Carbon Black server, please create a Red Canary support case and we will coordinate with Carbon Black’s support/ops team.
  • If you host your Carbon Black server, please reference the correct Response Integration Guide on the Cb User Exchange for the necessary server-side configurations.
  1. Log into your Carbon Black console and click Sensors.
  2. Click Create Group to create a new sensor group where your VDI endpoints will reside.
  3. Mirror the settings from your Default Group to your new group, paying close attention to the Server URL and Advanced Options.
  4. Select VDI Behavior Enabled in the Advanced Options tab.
  5. Click Download Sensor Installer and download the Windows Standalone Executable.

To install the sensor on your Windows Gold Image:

Note that these steps must be performed each time the Gold Image is brought up for maintenance.

  1. Bring up your Gold Image system (in Private Mode if possible) and install the sensor as usual.
  2. Open an elevated command prompt and run the following commands: 
    sc stop carbonblack

    sc stop carbonblackk

    for /d %G in ("%WINDIR%\CarbonBlack\store\MD5_*") do rd /s /q "%~G"

    del %WINDIR%\CarbonBlack\EventLogs\active-event.log

    del %WINDIR%\CarbonBlack\EventLogs\eventlog_*.log.zip

    reg add HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config /t REG_SZ /v SensorId /d 0 /f
  • Save and deploy your image.

Upgrading sensors from the VMware Carbon Black EDR console

You can set your sensor groups to automatically upgrade sensors to a specific version or the latest version, or you can choose no automatic upgrades.

Note that if you choose to automatically upgrade to the latest version, your endpoints may be upgraded without warning and before your internal testing. Upgrading to a specific version is recommended to allow more control and testing.

To configure your sensor group upgrade settings:

  1. From within your VMware Carbon Black EDR console, click Sensors.
  2. Click Settings on the sensor group you wish to view or change.
  3. Expand Upgrade Policy and choose the options that are appropriate for your environment.