Carbon Black Cloud: How to Deploy Windows Sensors using GPO

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Group Policy Object Editor

Objective

How to deploy or install Endpoint Standard or Enterprise EDR Sensors for Windows machines using Group Policy Object (GPO)

Resolution

Create the .MST (Microsoft Installer Transform)
  1. Sign in to the Endpoint Standard Console and select Endpoints
  2. Select Sensor Options > Download Sensor Kits. Download the CB Defense .MSI file for Windows sensor install
  3. Download Orca.exe from Microsoft
  4. Open MSI with Orca.exe
    • Right click .msi > Edit with Orca
  5. Start a new transform.
    • Click Transform > New Transform
  6. Create additional Property table entries
    1. Under left-hand column Tables > Property
    2. Right click in blank space > Add row
    3. REQUIRED: Company Registration Code
      • Select Property table and enter: COMPANY_CODE (PSC Console > Endpoints Page > Sensor Options > Company Codes)
      • Select Value and enter the correct Company Code for the sensor version being deployed. The Company Code can be found in Sensor Options on the Endpoints page of the PSC Console
    4. REQUIRED: VDI switch(es) for Virtual Desktops.
    5. Other optional parameters can be found in Carbon Black Cloud: How to Perform an Unattended Installation of the Windows Sensor
  7. Save the new MSI transform property.
    1. Select Transform > Generate Transform
    2. Use an easily recognizable file name to differentiate this MST from others you may create
    3. Save the transform file type as .mst
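
A pre-deployment check for the transform created above, added here as an example (it is not part of the original article or of Carbon Black's tooling). It uses the Windows Installer COM automation interface to apply the .mst to the .msi in memory and confirm that COMPANY_CODE is set; both UNC paths are placeholders and the helper names are hypothetical.

```powershell
# Added example: confirm the transform sets COMPANY_CODE before linking it in a GPO.
# Placeholder paths (assumptions); replace with the share that holds your files.
$MsiPath = '\\SERVER\Share\sensor.msi'
$MstPath = '\\SERVER\Share\sensor-gpo.mst'

function Invoke-Com($Object, $Name, $Kind = 'InvokeMethod', $ArgList = @()) {
    # Windows Installer COM objects are late-bound, so call them through reflection.
    return $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $ArgList)
}

function Get-MsiProperty {
    param([string]$Msi, [string]$Mst, [string]$Name)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Mode 0 opens the database read-only; the transform is applied in memory only.
    $db = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($Msi, 0)
    if ($Mst) {
        Invoke-Com $db 'ApplyTransform' 'InvokeMethod' @($Mst, 0) | Out-Null
    }
    $query = "SELECT Value FROM Property WHERE Property = '$Name'"
    $view = Invoke-Com $db 'OpenView' 'InvokeMethod' @($query)
    Invoke-Com $view 'Execute' | Out-Null
    $record = Invoke-Com $view 'Fetch'
    if ($null -eq $record) { return $null }   # property row not present
    return Invoke-Com $record 'StringData' 'GetProperty' @(1)
}

# Both files must be reachable over the network path the GPO will reference.
foreach ($path in $MsiPath, $MstPath) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Not reachable: $path" }
}

$code = Get-MsiProperty -Msi $MsiPath -Mst $MstPath -Name 'COMPANY_CODE'
if ([string]::IsNullOrWhiteSpace($code)) {
    Write-Error 'Transform does not set COMPANY_CODE, which this article lists as required.'
} else {
    # Report only the length so the registration code does not end up in logs.
    Write-Output "COMPANY_CODE is set by the transform ($($code.Length) characters)."
}
```

Run it from a domain-joined machine using the same UNC paths you intend to enter in the GPO package, so that a path or permission problem shows up before the policy is linked.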

Deploy sensors using GPO
  1. Select Start > Administrative Tools > Group Policy Management
  2. Select Software settings > Software Installation > New > Package
    • Select the .msi file downloaded in Step 2 of the previous procedure
  3. Under Deployment Method > select Advanced
  4. Add a name for the package that is easily identifiable (e.g. WinSensor64)
    • For 32-bit MSI only: in the Deployment tab click Advanced, uncheck "Make this 32-bit X86 application available to Win64 machines", then click OK.
  5. Switch to Modifications tab > click Add
  6. Select the .mst you created in the previous procedure
  7. Select Save 
  8. If you utilize a script to force a reboot to update the policy objects, run that now
    • To verify that sensors are populating correctly, check the console periodically and confirm that sensor information appears and that the sensors are checking in regularly
 
Troubleshooting GPO Installs

Additional Notes

  • Both the CB Defense .msi and .mst files should be located on a network share that is accessible from everywhere in your network and to which everyone has at least read permissions
  • For a list of optional installation properties, please see the table in Carbon Black Cloud: How to Perform an Unattended Installation of the Windows Sensor
  • Active Directory does not support adding in command line parameters. You have to make a batch file to run with it to pass the parameters or package up an edited MSI. On next system restart, a drive is mounted and installation is scheduled. Note that failure rate when using AD is usually higher than with other software management tools.
  • GPO by default installs software on startup, meaning you have to reboot an endpoint for it to be effective. Not every endpoint reboots every night nor does every organization require a reboot on a regular basis. The restart requirement should be considered when deploying sensors via Group Policy.
  • If deploying a script to force a reboot to update the policy objects, see Carbon Black Cloud: Can GPO Software Installation Deploy the Sensor Without Reboot?
  • We do not recommend using the option Uninstall this application when it falls out of the scope of management.

Article Information
Creation Date: 07-15-2016