Environment
- Cb Defense Sensor: 3.2.x.x and higher
- Microsoft Windows: All supported versions
- GPO is used to upgrade Sensor from 3.2.x.x to a higher version
Symptoms
- Group Policy upgrade from 3.2.1.x sensor version will fail
- Sensor 3.2.1.x will remain installed and continue to function
- MSI log will contain only a single entry referencing the Installer upgrade code
Cause
Group Policy upgrade from 3.2.1.x sensor version will fail unless the FilterMSI value is added to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbDefense key.
Resolution
-
Enable Sensor Bypass from the PSC Console, Sensor UI, or Command Line
- Carbon Black Cloud: How to Enable\Disable Bypass from the Web Console?
- CB Defense: How to Enable\Disable Bypass from the Sensor UI
- Carbon Black Cloud: How to Enable/Disable Sensor Bypass on Legacy Sensors using Command Line (Window...
-
Create FilterMSI registry value (Manual or with a Group Policy immediate task)
-
Manual
a. Open Regedit and navigate the registry key tree to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbDefense
b. Right click in a blank space in the right pane and select New > DWORD (32 bit value)
c. Name the value FilterMSI and leave the data set to 0
b. Right click in a blank space in the right pane and select New > DWORD (32 bit value)
c. Name the value FilterMSI and leave the data set to 0
-
Group Policy immediate task
a. Create Batch File
"c:\program files\confer\uninstall.exe" /bypass 1 <uninstall code> reg add HKLM\SYSTEM\CurrentControlSet\services\CbDefense /v FilterMSI /t REG_DWORD /d 0 TIMEOUT /t 2 "c:\program files\confer\uninstall.exe" /bypass 0 <uninstall code>
NOTE: Before following these steps create a batch file in a commonly accessible network folder the same way you would place the MSI for Group Policy installation. Put the following script inside the batch file and replace <uninstall code> with your uninstall code if Require code to uninstall sensor is enabled in the sensor policy otherwise delete <uninstall code> from the script.
b. In the Group Policy Management (GPO) Editor, go to Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks.
c. Right click and select New > Immediate Task (At least Windows 7)
d. On the General tab, enter a name for the task and under security options select Change User or Group. In the Select User or Group dialog enter system in the object name to select text box. Click check names e. and click OK if the highlighted entry is SYSTEM. Click OK again in the Select User or Group dialog.
f. Select the Run whether user is logged on or not option and check the Run with highest privileges checkbox.
g. In the Configure for drop down menu at the bottom of the general tab select Windows 7, Windows Server 2008.
h. On the Common tab check Apply once and do not reapply.
i. On the Actions tab click New… an make sure the Action drop down is set to Start a program and in the Program/script text box enter the full path to the batch script created in step 1 and click OK. (There is a bug where the New Action dialog may crash if you select the file by using browse)
j. Click OK to set the new immediate task.
k. Force a Group Policy update and the task will run immediately. It is possible to check for the FilterMSI value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbDefense to see that the policy was applied successfully.
WARNING: If using this method, it recommended to change the org’s uninstall code once this task has been completed since it may have been exposed in plain text format.
-
Disable Sensor Bypass from the PSC Console, Sensor UI, or Command Line
- Carbon Black Cloud: How to Enable\Disable Bypass from the Web Console?
- CB Defense: How to Enable\Disable Bypass from the Sensor UI
- https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-How-to-Enable-Disable-Sensor-Bypass-u...
NOTE: Uninstall code is only required if Require code to uninstall sensor is enabled in the sensor policy.
Related Content
Thank you for your feedback.
Your feedback has been submitted and will be reviewed.