EDR: How to Create a Base "Gold Disk" Image For VDI Deployment
search cancel

EDR: How to Create a Base "Gold Disk" Image For VDI Deployment

book

Article ID: 288137

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

To create a gold master disk that will ensure all future cloned images will check in a unique sensors to the EDR Server.

Environment

  • EDR Sensor: 5.x and Higher
  • Microsoft Windows: All Supported Versions

Resolution

  1. On the base system, ensure that the sensor id is set to 0.
  2. Stop the EDR services on the base image sensor version 7.1.x and below:
    sc stop carbonblack 
    sc stop carbonblackk
  3. For sensor version 7.2.0 and above use below commands:
    sc stop carbonblack 
    fltmc unload carbonblackk
  4. Edit the registry key that holds the Sensor ID:
    HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config\SensorId
  5. Set that value to 0.
  6. Delete everything in:
C:\Windows\CarbonBlack\EventLogs\*
  1. Delete any cached binaries in this folder, but leave the "catalog" file present.
C:\Windows\CarbonBlack\store\MD5_*
  1. Shutdown the master image

Additional Information

  • Full instructions can be found in the Integration Guide documentation here
  • It is important to not start the services on the Windows endpoint after the Sensor ID has been set to 0. If that occurs, you will have to reset it back to 0 because the server will provide it with a SensorID.
  • Ensure that the Sensor Groups in the EDR console have been configured to allow VDI.  
Powered by Wolken Software