Carbon Black Cloud: How to Show Sensors are Being Deregistered by a GPO
search cancel

Carbon Black Cloud: How to Show Sensors are Being Deregistered by a GPO

book

Article ID: 290667

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Determine if GPO settings have caused Sensor Deregistration.

Environment

  • Carbon Black Cloud Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

  1. Gather date / time for Sensor Deregistration from Console.
  2. Gather Windows Event Logs from Device.
  3. Open Application Event Log.
  4. Check near time for Deregistration for events from Source Name "Application Management Group Policy".
  5. Description for these events may show "The assignment of application <Application Name> from policy <Policy Name> failed."
  6. If they show this value, a GPO policy is in place that is not properly configured. This causes the Sensor to begin a Sensor Upgrade that begins by uninstalling the Sensor which sends the Deregistration message to the Console. If the Upgrade fails the install portion the Device will have no active Sensor until action is taken.

Additional Information

This issue can be resolved by removing the Device from the GPO membership or by correcting the GPO configuration so it functions correctly for upgrades / installs.
Powered by Wolken Software