Carbon Black Cloud: User field in Endpoint page is incorrect for Windows Sensor
Article ID: 289732
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
The user field on the Endpoints page displays the username used during device install:
Attended installation: The currently logged-on user, or the email address used to send the installation request, is displayed in the user field of the Endpoints page.
Unattended (command line) installation: The elevated user account used during the unattended installation is displayed in the user field of the Endpoints page.
The user field is never updated or changed once the sensor is installed.
Environment
Carbon Black Cloud Console: All Versions
Carbon Black Cloud Sensor: 3.4 and below
Microsoft Windows: All Supported Versions
Cause
This issue is due to a limitation of the sensor.
Resolution
On the Endpoints page, Windows Sensor 3.5 and above reports who is logged in to an endpoint every 8 hours, instead of reporting the user who installed the sensor.
Additional Information
If no interactive user is logged in to the endpoint within the 8-hour window, you may get a non-interactive username such as “Windows Manager\DWM-2”.
If multiple users are logged in, the most recently logged-in user is associated with the endpoint.