When reviewing endpoints in Red Canary, multiple endpoints are listed under the past hostnames of one of the already-deployed VDI endpoints, but the user does not see those endpoints in their native VMware CB EDR console.
VMware CB EDR Windows Sensor
This issue typically occurs when the cloned devices are unable to register properly with the CB EDR server. Check the primary image to ensure that the sensor was installed properly and that the correct files have been deleted before the image is used for deployment.
For sensor versions prior to 7.2.1:
To clear the sensor ID on the primary image, please run the following commands from an elevated command prompt:
- sc stop carbonblack
- sc stop carbonblackk (for sensor version 7.2.x and above, use the fltmc unload carbonblackk command instead)
- reg delete hklm\software\carbonblack\config /v SensorId
(Note: ensure that the registry is backed up prior to deleting any registry keys.)
Save and redeploy the image as needed.
For sensor versions 7.2.1 or higher:
To clear the sensor ID on the primary image, please run the following command from an elevated command prompt:
- sc control carbonblack 209 (this command performs multiple actions: it stops the sensor services, deletes the binary store and event log directories, and resets the sensor ID to 0.)
Reference: Configuring VMware Carbon Black EDR Sensors for use with Virtual Desktop Infrastructure (VDI)
In addition to preparing the image for Global VDI Support, create a batch script with the following commands (this will only work with Windows sensor versions 7.2.1 or higher):
sc control carbonblack 210
timeout /t 60
sc control carbonblack 200
The above commands will perform the following actions:
- sc control carbonblack 210 - resets the sensor to a new install state. If an admin clones a running sensor, you can run this command on the cloned machine to re-register without shutting down the services.
- timeout /t 60 - inserts a delay of 60 seconds before executing the next command in a batch script.
- sc control carbonblack 200 - initiates a connection attempt to the Carbon Black EDR server. In most cases, this is a near-immediate connection attempt. Exceptions are during sensor startup and shutdown, or if any outstanding connection or connection attempts to the server are in progress.
Create a scheduled task on the base image.
In this example, the task is named Reregister.
- If the base image is already joined to the domain, then it is recommended that the task be run as a Domain Admin or an account with administrative permissions on the Domain.
- If the base image is not already joined to the domain, then it is recommended that the task be run as SYSTEM.
Select Triggers. From the Begin the task drop-down, select At startup. Check Delay task for and manually change the time to 2 minutes (this is not a drop-down option, but manually changing the value to 2 minutes will work). Click OK.
Select Actions. For Action, select Start a program. Under Program/script, click Browse and select the batch script that was created in a previous step. Click OK.
Shut down the base image and deploy the clones according to your organization's standard operating policies and procedures.
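As an added example (not taken from the referenced VMware article or from Red Canary), the batch script described above written out with logging so that the inherited and new sensor IDs can be checked on a clone, followed by the equivalent schtasks command for the Reregister task. The file path C:\Scripts\reregister.bat and the log path are assumptions; the sc, reg and timeout commands are the ones the steps above use and apply to Windows sensor 7.2.1 or higher.

```batch
@echo off
rem reregister.bat (assumed name/path: C:\Scripts\reregister.bat)
rem Register it once on the base image from an elevated prompt; this matches
rem the scheduled task above (At startup, 2 minute delay, run as SYSTEM):
rem   schtasks /create /tn Reregister /tr "C:\Scripts\reregister.bat" ^
rem     /sc onstart /delay 0002:00 /ru SYSTEM /rl highest /f

set "LOG=C:\ProgramData\cb-reregister.log"
echo %DATE% %TIME% re-registration starting on %COMPUTERNAME% >> "%LOG%"

rem Log the sensor ID inherited from the image so duplicates are visible later
reg query hklm\software\carbonblack\config /v SensorId >> "%LOG%" 2>&1

rem Reset the sensor to a new-install state without stopping its services
sc control carbonblack 210 >> "%LOG%" 2>&1

rem Give the sensor time to complete the reset before forcing a check-in
timeout /t 60 /nobreak >nul

rem Trigger an immediate connection attempt to the CB EDR server
sc control carbonblack 200 >> "%LOG%" 2>&1

rem Confirm the service is still running and record the newly assigned ID
sc query carbonblack | findstr /i "STATE" >> "%LOG%"
reg query hklm\software\carbonblack\config /v SensorId >> "%LOG%" 2>&1
echo %DATE% %TIME% re-registration finished >> "%LOG%"
```

If the second SensorId value in the log on a clone still matches the first one, the clone has not re-registered and the endpoint will keep showing up under the original host's past hostnames.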
If you encounter any issues after following the steps above, please open a support request.