When reviewing endpoints in Red Canary there are multiple endpoints listed under the past hostnames on one of the VDI endpoints already deployed, but a user is not seeing those endpoints appear in their native VMware CB EDR console.
VMware CB EDR Windows Sensor
This issue typically occurs when the resultant cloned devices are unable to properly register with the CB EDR server. Check the primary image to ensure that sensor was installed properly and that the correct files have been deleted before the image is used for deployment.
For sensor versions 7.2.0 and older:
To clear the sensor ID on the primary image, please run the following commands from an elevated command prompt:
- sc stop carbonblack
- sc stop carbonblackk (for sensor version 7.2.x and above, use the fltmc unload carbonblackk command instead)
- reg delete hklm\software\carbonblack\config /v SensorId
(Note: ensure that the registry is backed up prior to deleting any registry keys.)
Save and redeploy the image as needed.
For sensor versions 7.2.1 or higher:
NOTE: Before proceeding, ensure that Tamper Protection is disabled on the endpoint that is being setup as the golden image.
- Log into the CB EDR console and navigate to the Sensor Group settings page. Go to Advanced > Tamper Protection Level and copy the Tamper Override Password. Once copied, open an elevated command prompt on the device being used as the golden image. Enter the following command:
To clear the sensor ID on the primary image, please run the following command from an elevated command prompt:
- sc control carbonblack 209 (this command performs multiple actions: stopping the sensor services, deleting binary store and event log directories and resets the sensor ID to 0.)
In addition to preparing the image for Global VDI Support, create a batch script with the following commands (this will only work with Windows sensor versions 7.2.1 or higher):
sc control carbonblack 210
timeout /t 60
sc control carbonblack 200
The above commands will perform the following actions:
- sc control carbonblack 210 - resets the sensor to a new install state. If an admin clones a running sensor, you can run this command on the cloned machine to re-register without shutting down the services (this only needs to be performed on the cloned image NOT the golden image).
- timeout /t 60 - inserts a delay of 60 seconds before executing the next command in a batch script.
- sc control carbonblack 200 - initiates a connection attempt to the Carbon Black EDR server. In most cases, this is a near-immediate connection attempt. Exceptions are during sensor startup and shutdown, or if any outstanding connection or connection attempts to the server are in progress.
Create a scheduled task on the base image.
In the example above, the name of the task is Reregister.
- If the base image is already joined to the domain, then it is recommended that the task be run as a Domain Admin or an account with administrative permissions on the Domain.
- If the base image is not already joined to the domain, then it is recommended that the task be run as SYSTEM.
Select Triggers. From the Begin the task drop-down, select At startup. Check Delay task for and manually change the time to 2 minutes (this is not a drop-down option, but manually changing the value to 2 minutes will work). Click OK.
Select Actions. For Action, select Start a program. Under Program/script, click Browse and select the batch script that was created in a previous step. Click OK.
Shutdown the base image and deploy the clones according to your organization's standard operating policies and procedures.
If you encounter any issues after following the steps above, please open a support request.
Note: The sc control carbonblack 210 command should ONLY be performed on the cloned image NOT the golden image.
Additional note: If newly cloned images do not have the desired sensor version installed, please ensure that the proper procedures for installing the sensor on the golden image have been performed. After the desired sensor version has been installed on the golden image, immediately run the sc control carbonblack 209 command and promptly shut down the image.
***There are no special configurations or considerations for installing the CB EDR sensor using different virtualization applications (i.e. Horizon, vSphere, Citrix).