Environment

• Carbon Black Cloud Sensor: Version 3.2 - 3.4
• Microsoft Windows: All Supported Versions

Symptoms

• In the Carbon Black Console (CBC) > Inventory > Endpoints page, the Device OS Version and Sensor Version are blank although normally these details are populated 
• CBC Service is not installed or running on the device
• CBC Sensor is installed and functioning as expected, but install or upgrade fails

Cause

• "Require code to uninstall sensor" is or was enabled on the CBC Policy at the time of sensor install
• Sensor 3.2 and above uninstalled was attempted without providing the Deregistration Code and resulted in CBC tamper protection changing the permissions of certain cbc files and registry keys

Resolution

• In Sensor version 3.6.x and above, sensor will prompt with message "Uninstall is password protected. Please run uninstall.exe with a valid uninstall code." if deregistration code is required, but not provided.
• If this issue has already occurred, please Open a Support Case for additional assistance. 

Additional Notes

• In sensor versions 3.4 and below, we identified the following registry key and it's subkeys cannot be deleted because the permissions show they are owned by System. This was resolved in sensor 3.5 and above although there are other files and registry keys which are affected by the same issue depending on the sensor version installed 

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbDefenseWSC

• This is only one possible cause for CBC tamper protection changing the permissions of certain cbc files and registry keys. It is possible that other situations which may result in the permission being changed for various other cbc files and registry keys

Related Content