Cb Defense: Sensor Uninstalled After Attempted Upgrade (SCCM)

Environment

  • Cb Defense Sensor: all versions
  • Microsoft Windows: all supported versions
  • Original deployment by SCCM

Symptoms

  • Cb Defense Sensor no longer installed on endpoint (not shown under Programs and Features)

  • Sensor (by Device Name) shows as Active on the Enrollment page in the Cb Defense Web Console

  • Sensor shows pre-upgrade version

  • Last Check-In for Sensor outdated/not updating

  • No recent Events or Alerts for the Sensor are showing in the Web Console

  • Original install of Cb Defense Sensor using System Center Configuration Manager (SCCM)

  • Upgrade command sent from Web Console

  • Manual upgrade now fails
  • Rebooting does not allow the uninstall or upgrade to finish

Cause

The sensor upgrade fails because the SCCM software deployment method re-adds the Cb Defense registry key for every Cb Defense package that was used and is still available in SCCM, including the key for the pre-upgrade sensor version. As a result, the sensor cannot upgrade to the latest sensor version unless the following registry key is removed.

HKEY_CLASSES_ROOT\Installer\Products\{Cb Defense GUID}

The {Cb Defense GUID} is a string of characters randomly generated for each new sensor install.

This issue can happen if SCCM Configuration Manager is configured with the detection rule: "This MSI product code must exist on the target system to indicate the presence of this application."
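To confirm that an endpoint is in this state, the following read-only PowerShell check (an added example, not part of the original article or the vendor's tooling) looks for a leftover registration under HKEY_CLASSES_ROOT\Installer\Products while the sensor is missing from Programs and Features. It assumes the sensor's product name starts with "Cb Defense"; adjust `$NamePattern` if your package is named differently.

```powershell
# Read-only check: reports leftover Windows Installer registration for the sensor.
# ASSUMPTION: the sensor's product/display name starts with "Cb Defense".
$NamePattern = 'Cb Defense*'

# Windows Installer product registrations (the key named in this article).
# Subkey names are not known in advance, so match on the ProductName value.
$productsRoot = 'Registry::HKEY_CLASSES_ROOT\Installer\Products'
$registered = Get-ChildItem -Path $productsRoot -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ProductName -like $NamePattern) {
            [pscustomobject]@{
                ProductName = $p.ProductName
                RegistryKey = $_.Name
            }
        }
    }

# Entries that back "Programs and Features" (64-bit and 32-bit views).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern } |
    Select-Object DisplayName, DisplayVersion

if ($registered -and -not $installed) {
    # Matches the symptoms above: registration present, sensor not installed.
    Write-Output 'Leftover sensor registration found; sensor is NOT listed under Programs and Features:'
    $registered | Format-List
} elseif ($registered) {
    Write-Output 'Sensor is listed under Programs and Features; registered product entries:'
    $installed  | Format-List
    $registered | Format-List
} else {
    Write-Output 'No matching entries under HKEY_CLASSES_ROOT\Installer\Products.'
}
```

Run it from an elevated prompt on the affected endpoint; it changes nothing, so removal of the key is still done with the Sensor Removal Tool as described under Resolution.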

Resolution

  1. Use the Sensor Removal Tool provided in Cb Defense: How to Uninstall Windows Sensor to remove remaining Registry Keys
  2. Install the desired Sensor version using SCCM

Additional Notes

  • The HKEY_CLASSES_ROOT\Installer\Products\{Cb Defense GUID} registry key is re-added to the device when Configuration Manager re-evaluates the requirement rules for all deployments. The default value is every seven days and can be configured in SCCM under Administration > Client Settings > Software Deployment. You can also initiate this action from a client as follows: in the Configuration Manager control panel, from the Actions tab, select Application Deployment Evaluation Cycle.
  • To prevent SCCM from re-adding the HKEY_CLASSES_ROOT\Installer\Products\{Cb Defense GUID} registry key, please see Cb Defense: How to Configure SCCM to Allow Sensor Upgrades From Web Console

Related Content

About Client Settings in System Center Configuration Manager

Cb Defense: How to Configure SCCM to Allow Sensor Upgrades From Web Console

Cb Defense: Can’t Update Sensors Deployed by GPO

Cb Defense: How to Uninstall Windows Sensor

Cb Defense: How to Update Sensors from Dashboard

Cb Defense: Sensor Upgrade Doesn't Complete Until Reboot

rogue policy preventing further software deployments

Creation Date: 12-20-2017