Environment
- Carbon Black Cloud Sensor: 3.6.x - 3.7.x
- Microsoft Windows: All Supported Versions
Symptoms
- SCCM Sensor Update Fails
- Update via Carbon Black Cloud console succeeds
- Confer.log shows msiexec being blocked:
SUCCESS PSCRULES: Process:4704:132973514566025764 (c:\windows\system32\msiexec.exe) sha256:0A8797D088023A7F17BB00B22FF7C91036070CCA561BFF5337C472313C0CB4AD Op:REG_DELETE_VALUE TargetType:REGISTRY (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4CCC8204-5840-426A-81B7-23FF6E597A1B}\EstimatedSize) was:Block by policy:1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D rule:4DAF85DC-04B3-4058-BD15-9AF21080A286 (Tamper protect CbD uninstall/upgrade registry keys and values)
- Update log shows:
Could not delete value Comments from key \Software\Microsoft\Windows\CurrentVersion\Uninstall\{4CCC8204-5840-426A-81B7-23FF6E597A1B}. System error . Verify that you have sufficient access to that key, or contact your support personnel.
- "c:\program files\confer repcli find msiexec.exe" shows msiexec as unsigned:
"Signature Info" - "Not Digitally Signed"
Cause
Sensor is not treating msiexec as signed and therefore tamper protection blocks the uninstall/upgrade.
Resolution
. Workaround:
- Update via the Carbon Black Cloud console
or:
- Place sensor into bypass Bypass
- Update
- Remove sensor out of bypass
After an upgrade to 3.8+ is completed, the sensor will no longer lose track of the signature state and will re-confirm the signature status of msiexec.exe
Additional Notes
This query can help identify what machines may be affected (ran via the investigate page)
device_os:WINDOWS AND process_name:"c:\\windows\\system32\\msiexec.exe" AND process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED
