Issue
A user sees multiple endpoints with the same sensor ID in Red Canary, but those endpoints do not appear in their native VMware CB EDR console.
Environment
VMware CB EDR Windows Sensor 7.2.2+
Resolution
This issue typically occurs when the resultant clone devices are unable to properly register with the CB EDR server. Check the primary image to ensure that the sensor was installed properly and that the correct files have been deleted before the image is used for deployment.
Configuring VMware Carbon Black EDR Sensors for use with Virtual Desktop Infrastructure (VDI)
(Follow the instructions for Setting up Global VDI Support on Windows (7.2.1 or above))
In addition to prepping the image for Global VDI Support, create a batch script with the following commands:
sc control carbonblack 210
timeout /t 60
sc control carbonblack 200
The above commands will perform the following actions:
- sc control carbonblack 210 - resets the sensor to a new install state. If an admin clones a running sensor, you can run this command on the cloned machine to re-register without shutting down the services.
- timeout /t 60 - inserts a delay of 60 seconds before executing the next command in a batch script.
- sc control carbonblack 200 - initiates a connection attempt to the Carbon Black EDR server. In most cases, this is a near-immediate connection attempt. Exceptions are during sensor startup and shutdown, or if any outstanding connection or connection attempts to the server are in progress.
Create a scheduled task on the base image.
In this example, the name of the task is Reregister.
- If the base image is already joined to the domain, then it is recommended that the task be run as a Domain Admin or an account with administrative permissions on the Domain.
- If the base image is not already joined to the domain, then it is recommended that the task be run as SYSTEM.
Select Triggers. From the Begin the task drop-down, select At startup. Check Delay task for and manually change the time to 2 minutes (this is not a drop-down option, but manually changing the value to 2 minutes will work). Click OK.
Select Actions. For Action, select Start a program. Under Program/script, click Browse and select the batch script that was created in a previous step. Click OK.
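The batch script and scheduled task described above, scripted in PowerShell for the case where the base image is not domain-joined and the task runs as SYSTEM. This is an added example, not part of the original article: the script directory C:\ProgramData\CbReregister is an assumption, and the ACL step is an addition so that a file launched as SYSTEM cannot be modified by standard users.

```powershell
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Assumed location for the batch script; the article does not specify one.
$scriptDir  = 'C:\ProgramData\CbReregister'
$scriptPath = Join-Path $scriptDir 'Reregister.bat'
$taskName   = 'Reregister'   # task name used in the article

# 1. Write the batch script with the three commands from the article.
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
@'
sc control carbonblack 210
timeout /t 60
sc control carbonblack 200
'@ | Set-Content -Path $scriptPath -Encoding Ascii

# 2. The task runs as SYSTEM, so restrict the folder to SYSTEM (S-1-5-18)
#    and local Administrators (S-1-5-32-544) and drop inherited entries.
icacls $scriptDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 3. Trigger: at startup, delayed by 2 minutes (ISO 8601 duration string).
$trigger = New-ScheduledTaskTrigger -AtStartup
$trigger.Delay = 'PT2M'

# 4. Action: start the batch script created in step 1.
$action = New-ScheduledTaskAction -Execute $scriptPath

# 5. Principal: SYSTEM, as recommended for a base image that is not domain-joined.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# 6. Read the task back and confirm what will actually run on each clone.
$task = Get-ScheduledTask -TaskName $taskName
[pscustomobject]@{
    TaskName = $task.TaskName
    RunAs    = $task.Principal.UserId
    Delay    = $task.Triggers[0].Delay
    Execute  = $task.Actions[0].Execute
}
```

Run it from an elevated session on the base image before shutting the image down; the final object should show SYSTEM, PT2M, and the batch script path.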
Shut down the base image and deploy the clones according to your organization's standard operating policies and procedures.
If you encounter any issues after following the steps above, please open a support request.