Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud: How to Show Sensors are Being Deregistered by a GPO

Carbon Black Cloud: How to Show Sensors are Being Deregistered by a GPO

Environment

  • Carbon Black Cloud Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions

Objective

Determine if GPO settings have caused Sensor Deregistration.

Resolution

  1. Gather date / time for Sensor Deregistration from Console.
  2. Gather Windows Event Logs from Device.
  3. Open Application Event Log.
  4. Check near time for Deregistration for events from Source Name "Application Management Group Policy".
  5. Description for these events may show "The assignment of application <Application Name> from policy <Policy Name> failed."
  6. If they show this value, a GPO policy is in place that is not properly configured. This causes the Sensor to begin a Sensor Upgrade that begins by uninstalling the Sensor which sends the Deregistration message to the Console. If the Upgrade fails the install portion the Device will have no active Sensor until action is taken.

Additional Notes

This issue can be resolved by removing the Device from the GPO membership or by correcting the GPO configuration so it functions correctly for upgrades / installs.

Related Content


Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎12-04-2020
Views:
295
Contributors