Check DeviceID On Windows Endpoint

Article ID: 291852

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

This article explains the steps to confirm the DeviceID of a Windows Sensor on the machine where it is installed.

Environment

  • Carbon Black Cloud Sensor: 3.7.x.x and Higher
  • Microsoft Windows: All Supported Versions

Resolution

CMD.EXE

  1. Launch an elevated command prompt (right-click cmd.exe > Run as Administrator)
  2. Run the following command
    findstr "RegistrationId" C:\ProgramData\CarbonBlack\DataFiles\cfg.ini
  3. The output will be in the following format
    RegistrationId=<org_id>-<device_id>

PowerShell

  1. Launch an elevated PowerShell.exe instance (right-click powershell.exe > Run as Administrator)
  2. Run the following command
    Select-String "RegistrationId" C:\ProgramData\CarbonBlack\DataFiles\cfg.ini
  3. The output will be in the following format
    C:\ProgramData\CarbonBlack\DataFiles\cfg.ini:<Line#>:RegistrationId=<org_id>-<device_id>

Note: On Windows Sensor versions 3.6.x and below, the path is C:\Program Files\Confer\cfg.ini

Additional Information

  • Confirming the DeviceID locally on the machine with the Sensor installed can be helpful in troubleshooting issues and reviewing Alerts and other Events within the Carbon Black Cloud Console
  • For example, with the DeviceID you can review Events specific to that single device on the Investigate page by replacing <DeviceID> with the ID retrieved using the above method
    https://<DashboardURL>/investigate?selected[deviceId]=<DeviceID>&selected[selectedTab]=DEVICE&s[searchWindow]=ALL&s[c][DEVICE_ID][0]=<DeviceID>
  • Searching for device_id on applicable Inventory pages will find the device tied to that registration, regardless of the current hostname
    • device_id is the unique identifier for a given Sensor in relation to VMware Carbon Black Cloud
    • Hostname, IP Address, and Active Directory information are all considered metadata for a device record as they all can be changed
  • Point of presence (PoP) or Backend can also be found in the cfg.ini file to ensure a given device is registered to the correct PoP/Backend
    cmd.exe
    > findstr "BackendServer" C:\ProgramData\CarbonBlack\DataFiles\cfg.ini
    BackendServer=<Device_Services_URL>

    PowerShell.exe
    > Select-String "BackendServer" C:\ProgramData\CarbonBlack\DataFiles\cfg.ini
    C:\ProgramData\CarbonBlack\DataFiles\cfg.ini:<Line#>:BackendServer=<Device_Services_URL>
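
The RegistrationId and BackendServer lookups above can be combined into one check that also handles the older cfg.ini location and builds the Investigate link. This is an added example, not part of the original article or any vendor tooling: the function name Get-CbcSensorIdentity and the -DashboardUrl parameter are hypothetical, and it assumes device_id contains no hyphen.

```powershell
# Added example: read the sensor's cfg.ini and return its identity fields.
# Paths and key names are the ones given in this article; the function name
# Get-CbcSensorIdentity and the -DashboardUrl parameter are hypothetical.
function Get-CbcSensorIdentity {
    [CmdletBinding()]
    param(
        # Console hostname to use for <DashboardURL> (optional).
        [string]$DashboardUrl
    )

    # 3.7.x.x and higher first, then the 3.6.x-and-below location.
    $candidates = @(
        'C:\ProgramData\CarbonBlack\DataFiles\cfg.ini',
        'C:\Program Files\Confer\cfg.ini'
    )
    $cfgPath = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $cfgPath) {
        throw "cfg.ini not found in: $($candidates -join ', ')"
    }

    # Collect the two key=value lines; run from an elevated session as in the steps above.
    $settings = @{}
    foreach ($line in Get-Content -LiteralPath $cfgPath -ErrorAction Stop) {
        if ($line -match '^\s*(RegistrationId|BackendServer)\s*=\s*(.*?)\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }
    if (-not $settings.ContainsKey('RegistrationId')) {
        throw "RegistrationId not present in $cfgPath"
    }

    # Assumption: device_id has no hyphen, so split <org_id>-<device_id> at the last one.
    $reg = $settings['RegistrationId']
    $idx = $reg.LastIndexOf('-')
    if ($idx -lt 1 -or $idx -eq $reg.Length - 1) {
        throw "Unexpected RegistrationId format: $reg"
    }
    $deviceId = $reg.Substring($idx + 1)

    $result = [ordered]@{
        ConfigPath    = $cfgPath
        OrgId         = $reg.Substring(0, $idx)
        DeviceId      = $deviceId
        BackendServer = $settings['BackendServer']
    }
    if ($DashboardUrl) {
        $result.InvestigateUrl = "https://$DashboardUrl/investigate?selected[deviceId]=$deviceId&selected[selectedTab]=DEVICE&s[searchWindow]=ALL&s[c][DEVICE_ID][0]=$deviceId"
    }
    [pscustomobject]$result
}
```

Comparing the returned BackendServer with the expected PoP, and DeviceId with the Inventory record, confirms the endpoint is registered where the console says it is.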