In virtual desktop infrastructure (VDI) environments, the VMware Carbon Black EDR sensor can be staged on your Gold Image to facilitate deployment and administration of EDR sensors across all related virtual machines.

Please note: The following instructions are for first-time VDI deployments. If you have previously deployed the VMware CB EDR sensor in your environment, then please refer to our article on troubleshooting existing VDI deployments.

Installing VMware Carbon Black EDR sensor on virtual desktop infrastructure (VDI) systems

You can install a specially configured VMware Carbon Black EDR sensor on VDI systems to ensure each new VDI endpoint is uniquely identified within the Carbon Black server.

To install Carbon Black EDR on VDI systems:

1. Enable VDI capabilities on the Carbon Black EDR Server.

• If Red Canary hosts your Carbon Black server, visit your Portal Help page and click Please enable VDI mode for my Carbon Black Response server.
• If Carbon Black hosts your Carbon Black server, please create a Red Canary support case and we will coordinate with Carbon Black’s support/ops team.
• If you host your Carbon Black server, please reference the correct Response Integration Guide on the Cb User Exchange for the necessary server-side configurations.

2. Log into your Carbon Black console and click Sensors.
3. Click Create Group to create a new sensor group where your VDI endpoints will reside.
4. Mirror the settings from your Default Group to your new group, paying close attention to the Server URL and Advanced Options.
5. Select VDI Behavior Enabled in the Advanced Options tab.
6. Click Download Sensor Installer and download the Windows Standalone Executable.

Setting up Global VDI Support on Windows (7.2.1 or above):

1. In the VMware Carbon Black EDR server on the Group setting set change the Tamper Protection Level to Detection or None.
2. From an elevated command prompt, run the following command:
   
   sc control carbonblack 209
   
   This command configures and shuts down the sensor in preparation for a VDI "gold image" snapshot being taken on the machine. This is the only command that would need to be executed after installing the sensor on the machine to be cloned.
   
   

Setting up Global VDI Support on Windows (7.2.0 or older):

Note that these steps must be performed each time the Gold Image is brought up for maintenance.

1. Bring up your Gold Image system (in Private Mode if possible) and install the sensor as usual.
2. Open an elevated command prompt and run the following commands:

   sc stop carbonblack
   
   fltmc unload carbonblackk
   
   for /d %G in ("%WINDIR%\CarbonBlack\store\MD5_*") do rd /s /q "%~G"
   
   del %WINDIR%\CarbonBlack\EventLogs\active-event.log
   
   del %WINDIR%\CarbonBlack\EventLogs\eventlog_*.log.zip
   
   reg add HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config /t REG_SZ /v SensorId /d 0 /f

3. Save and deploy your image.

Setting up Global VDI Support on macOS

1. Stop the VMware Carbon Black EDR services on the endpoint:
   • Open a terminal.
   • Execute the following command:
     

     sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plistSet

2. Set the Sensor ID by editing /var/lib/cb/sensor.id and replacing current id with 0.
3. Save the image and deploy.

Setting up Global VDI Support on Linux

1. Stop the Linux sensor daemon:
   systemctl stop cbdaemon
2. Remove any stored binary or event data:
   rm-rf /var/opt/carbonblack/response/store/*
rm-rf /var/opt/carbonblack/response/eventlogs/*
3. Enable VDI in sensorsetting.ini:
   sudo vim /var/opt/carbonblack/response/sensorsetting.ini
VdiEnabled=1
4. Set the Sensor ID to 0:
   sudo vim /var/opt/carbonblack/response/config.ini
SensorId=0
SensorIdforDisplay=0
5. Start the cbdaemon in the primary image VM:
   systemctl start cbdaemon