Carbon Black Cloud: How to Use RepCLI to Prepare Non-Persistent VDI Clones
search cancel

Carbon Black Cloud: How to Use RepCLI to Prepare Non-Persistent VDI Clones

book

Article ID: 291761

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Use RepCLI to prepare images that will be used to clone non-persistent VDIs

Environment

  • Carbon Black Cloud Console: December '18 Release and Later
  • Carbon Black Cloud Sensor: Version 3.4.x.x and Higher
  • Non-Persistent VDI clones
  • RepCLI authentication is enabled

Resolution

  1. Install the primary image OS and required applications
  2. Install the Carbon Black Cloud Sensor with CLI_USERS switch to ensure RepCLI Authentication is enabled
  3. If Background Scan or Local Scanner are disabled, please skip to Step 4
    1. Verify that Background Scan has completed and Policy has updated. See Check Background Scan Status of Carbon Black Cloud Sensor
    2. Verify that virus signature files have been updated to the latest using RepCLI. See How to manually Update Virus Definition Signature via RepCLI
  4. As the final preparation step, schedule the command "repcli reregister now" to run on the clones, not on the "primary/golden" image, ideally as a scheduled task (or GPO) upon login OR restart, preferably from a batch file, and a five-minute delay if scheduled at bootup, change "Primary" with the computer name of the master machine. 
NOTE: Do not run commands repcli reregister now or repcli reregister onrestart on the golden image. Either command turns the golden image into a clone, which might de-register other pre-existing clones because they become orphans. Also, do not enable auto-cleanup of deregister devices. Keeping this capability off will ensure no persistent full clones get auto-deregistered.
 
  1. Shut down the machine
NOTE: By default, every newly installed sensor is assigned to the Standard policy unless otherwise specified. The endpoint inherits the policy from the primary image unless you have previously created sensor groups, and the installed sensor matches a sensor group’s criteria. Manual policy assignment post-installation overrides the inheritance. If GROUP_NAME or POLICY_NAME was used to install the primary image OS into a specific VDI policy (e.g. VDI Standard), move the primary image OS to a separate policy (e.g. Standard).
NOTE: Disable Local Scanner and Background Scan on the specified VDI policy (e.g. VDI Standard) to be used for non-persistent VDI endpoints. Persistent VDI endpoints also should be managed in a separate policy.
 
  1. Create the primary image/VM template
  2. Deployed clones will register as separate devices and be assigned a new device ID at boot
  3. To create a new template, repeat steps 4-6.

Additional Information

  • WARNING: If VDI=1 was used and the sensor is uninstalled from the primary image, cloned VDI will fail to register and display within the Carbon Black Cloud Console. VDI=1 has been deprecated in favor of "repcli.exe register now" in sensor versions 3.4.x and Higher and is no longer supported for use in these versions. 
  • For non-persistent deployments leveraging Horizon version 7.13, 2012, and later versions, and Carbon Black Cloud sensor version 3.6+, you must remove the batch file (example batch file path: C:\CB.bat) inserted into the golden image previously. This is possible because the registry of HKLM\Software\VMware, Inc.\ViewComposer\ga\AgentIntegration is now automatically set by the the Instant Clone Agent. 
  • Step 4 should only be RUN ONCE per cloned device, and not on every logon or bootup 
  • This steps are not intended for image deployment of physical machines, for that, use the BASE_IMAGE=1 parameter instead
  • RepCLI authentication/authorization is not tied to any OS-side permissions, the SID could be that of a normal user with no admin permissions and they would still be able to use RepCLI functions requiring authentication.
  • If C:\temp\cb_reregister.txt is not present on a clone, the command did not run successfully