Endpoint Standard: Sensor Uninstalled After Attempted Upgrade (SCCM)
search cancel

Endpoint Standard: Sensor Uninstalled After Attempted Upgrade (SCCM)

book

Article ID: 291388

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Endpoint Standard Sensor no longer installed on endpoint (not shown under Programs and Features)
  • Sensor (by Device Name) show as Active on Enrollment page in Carbon Black Cloud Console
  • Sensor shows pre-upgrade version
  • Last Check-In for Sensor outdated/not updating
  • No recent Events or Alerts for the Sensor are showing in the Web Console
  • Original install of Sensor using System Center Configuration Manager (SCCM)
  • Upgrade command sent from Web Console
  • Manual upgrade now fails
  • Rebooting does not allow the uninstall or upgrade to finish

Environment

  • Endpoint Standard (Formerly CB Defense) Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • Original Deployment from SCCM

Cause

  • Sensor upgrade will fail because the SCCM software deployment method will re-add the registry key for any and all packages which were used and which are currently still available in SCCM.
  • SCCM software will re-add the registry key for pre-upgrade sensor version. As a result, the sensor will be unable to upgrade to the latest sensor version unless the following registry key is removed.

HKEY_CLASSES_ROOT\Installer\Products\{Cb Defense GUID}
 

The {Cb Defense GUID} is a string of characters randomly generated for each new sensor install
This issue can happen if SCCM Configuration Manager is configured with detection rule: "This MSI product code must exist on the target system to indicate the presence of this application."

 

Resolution

  1. Use the Sensor Removal Tool provided in Cb Defense: How to Uninstall Windows Sensor to remove remaining Registry Keys
  2. Install the desired Sensor version using SCCM

Additional Information

  • The HKEY_CLASSES_ROOT\Installer\Products\{Cb Defense GUID} registry key is re-added to the device when Configuration Manager re-evaluates the requirement rules for all deployments.
    • The default value is every seven days and can be configured in SCCM under Administration > Client Settings > Software Deployment.
    • This action can be iniated from a client as follows: in the Configuration Manager control panel, from the Actions tab, select Application Deployment Evaluation Cycle.
  • To prevent SCCM from re-adding the HKEY_CLASSES_ROOT\Installer\Products\{Cb Defense GUID} registry key, please see Cb Defense: How to Configure SCCM to Allow Sensor Upgrades From Web Console
Powered by Wolken Software