Environment
- EDR Sensor: 5.x and Higher
- Microsoft Windows: All Supported Versions
Objective
To create a gold master disk that will ensure all future cloned images will check in a unique sensors to the EDR Server.
Resolution
- On the base system, ensure that the sensor id is set to 0.
- Stop the EDR services on the base image sensor version 7.1.x and below:
- For sensor version 7.2.0 and above follow this link to disable sensor
sc stop carbonblack
sc stop carbonblackk
- Edit the registry key that holds the Sensor ID:
HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config\SensorId
- Set that value to 0.
- Delete everything in:
C:\Windows\CarbonBlack\EventLogs\*
- Delete any cached binaries in this folder, but leave the "catalog" file present.
C:\Windows\CarbonBlack\store\MD5_*
- Shutdown the master image
Additional Notes
- Full instructions can be found in the Integration Guide documentation here.
- It is important to not start the services on the Windows endpoint after the Sensor ID has been set to 0. If that occurs, you will have to reset it back to 0 because the server will provide it with a SensorID.
- Ensure that the Sensor Groups in the EDR console have been configured to allow VDI.
Related Content