EDR: VDI Sensor keyset lost in imaging process
Article ID: 288485
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Sensor diagnostics file "sensorcomms.log" shows these errors:
Time | URL | HRESULT | Code | DurationMs | TxBytes | RxBytes | Throttle KB/s | Upload Speed KB/s -------------------- + ---------------------------------------------------------------------------------------------------- + ---------- + ----- + ---------- + -------- + -------- + -------------------- + -------------------- 2021-03-28 03:30:45 | https://10.38.220.15:443/sensor/register | 0x80072f9a | 12186 | 16 | 0 | 0 | 500 | 0 2021-03-28 03:32:45 | https://10.38.220.15:443/sensor/register | 0x80072f9a | 12186 | 15 | 0 | 0 | 500 | 0 2021-03-28 03:34:45 | https://10.38.220.15:443/sensor/register | 0x80072f9a | 12186 | 16 | 0 | 0 | 500 | 0
- Running the Windows certutil shows the following error:
c:\windows\system32 certutil -store carbonblack missing stored keyset
Environment
- EDR(Formerly Carbon Black Response) Sensor: All Supported Versions
Cause
Sysprep changes keysets and other sensor configuration during imaging process of virtual machine creation.
Resolution
Use of the action plans.
Action Plan -1:
Action Plan -1:
- Use Quickprep instead of Sysprep.
- Manually uninstall the corrupt sensor- https://community.carbonblack.com/t5/Knowledge-Base/CB-Response-How-to-uninstall-a-corrupt-Cb-Response-sensor/ta-p/66330
- Reinstall the sensor on the Windows Endpoint.
Additional Information
https://docs.vmware.com/en/VMware-Horizon-7/7.13/virtual-desktops/GUID-46B71DA6-AC5C-4875-B754-DB0D66E1AA27.html
Feedback
Yes
No
Powered by
