The sensor service will start and be stopped if there is no "sensor group" private certificate/key. If it is already running for whatever reason, the extra start command won't hurt anything.
sc start carbonblack
Clean up password protected file and directory
rmdir %SYSTEMDRIVE%\cbtmp /Q /S
If using Microsoft Sysprep to generate VDI clones, you will run into certificate errors if you do not follow the above guidance. Once the clone is generalized (sysprep creates new machine GUID), the relationship to the existing certs is lost since they are retrieved from the cert store locally based on the machine GUID which now no longer matches.