Sysprep Cloned Sensors are not Connecting with "Missing Keyset" Error.
Article ID: 288485
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Sensor diagnostics file "sensorcomms.log" shows 0x80072f9a errors:
Time | URL | HRESULT | Code | DurationMs | TxBytes | RxBytes | Throttle KB/s | Upload Speed KB/s
-------------------- + ---------------------------------------------------------------------------------------------------- + ---------- + ----- + ---------- + -------- + -------- + -------------------- + --------------------
2021-03-28 03:30:45 | https://<server url>:443/sensor/register | 0x80072f9a | 12186 | 16 | 0 | 0 | 500 | 0
Running the Windows certutil shows the following error:
c:\windows\system32> certutil -store carbonblack
missing stored keyset
Environment
EDR (formerly Carbon Black Response) Sensor: All Supported Versions
Cause
Sysprep changes keysets and other sensor configuration during the imaging process of virtual machine creation, after the sensor services have already started.
Resolution
Option 1:
Uninstall the sensor
Re-install the sensor
Option 2:
Open cmd.exe as an Admin and get the new machine GUID from the registry:
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\ /v MachineGuid
Navigate to the cryptography folder.
C:\programdata\microsoft\crypto\keys\
Find the newest file that starts with dd1ce9c399303009bda41fd33208b356. Example:
dd1ce9c399303009bda41fd33208b356_32f4f79d-955b-424c-945a-a80b964a2144
Update the ending of the filename with the new machine GUID. In the example above, 32f4f79d-955b-424c-945a-a80b964a2144 is the machine GUID portion of the filename.
The certificate keystore will automatically be picked up and the sensor will begin to connect.
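Option 2 as a PowerShell script, to be saved as a .ps1 file and run from an elevated prompt; this is an added example, not code from the vendor article. The parameter names are assumptions, while the folder and filename prefix are the ones given above. It supports -WhatIf, so the rename can be previewed before it is performed.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Folder and filename prefix as given in this article.
    [string]$KeyDir = 'C:\ProgramData\Microsoft\Crypto\Keys',
    [string]$Prefix = 'dd1ce9c399303009bda41fd33208b356'
)

# Current machine GUID (the same value the reg query above prints).
$machineGuid = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography' `
    -Name MachineGuid).MachineGuid

# Newest file carrying the prefix; -Force includes hidden and system files.
$keyFile = Get-ChildItem -LiteralPath $KeyDir -Filter "${Prefix}_*" -File -Force |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if (-not $keyFile) {
    Write-Warning "No file starting with $Prefix found in $KeyDir; nothing to rename."
    return
}

$target = "${Prefix}_$machineGuid"

# Already matches the current machine GUID: this is not the cloned-keyset case.
if ($keyFile.Name -ieq $target) {
    Write-Output "Key file already ends with the current machine GUID: $($keyFile.Name)"
    return
}

# Never overwrite an existing key file that already has the target name.
if (Test-Path -LiteralPath (Join-Path $KeyDir $target)) {
    Write-Warning "$target already exists in $KeyDir; not overwriting."
    return
}

if ($PSCmdlet.ShouldProcess($keyFile.FullName, "Rename to $target")) {
    Rename-Item -LiteralPath $keyFile.FullName -NewName $target
    Write-Output "Renamed $($keyFile.Name) -> $target"
}
```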