Issue
- How do I deploy my Carbon Black EDR Sensors using Group Policy?
- How do I deploy my Carbon Black Enterprise EDR or Endpoint Standard Sensors using Group Policy?
- Are there any problems that I should be aware of when choosing to use Group Policy to deploy my Sensors?
- Is there any way to deploy the Sensors using Group Policy without having to reboot the Computers?
- If I install the Sensor manually using the .exe file, will my software installation Group Policy affect the manually installed version?
- Will the Software installation GPO uninstall the Sensor for any reason?
Environment
VMware Carbon Black EDR (Carbon Black Response)
VMware Carbon Black Cloud
Resolution
1. If you are deploying your Carbon Black EDR (CB Response) Sensors using Group Policy, first follow these instructions from Carbon Black: How to perform a GPO Deployment for CB Response.
2. If you are deploying Carbon Black Endpoint Standard (CB Defense) or Enterprise EDR (CB ThreatHunter) with Group Policy, follow these instructions from Carbon Black (be sure to read all of the instructions carefully, including the "Note" section): How to Deploy Windows Sensors using GPO
3. NOTE: the failure rate when using GPO is usually higher than with other software management tools (SCCM, for example). Deploying software with Group Policy also has many limitations. Here are the three most important limitations to understand if you choose to deploy software via GPO.
- The first limitation is that you cannot control when the software gets installed. Installation depends on whether the policy is forced, when the Computer is rebooted (for Computer policies), or when the User logs on (for User policies). Software installation is only processed at a foreground refresh, so even during the 90-minute background GPO refresh cycle the installation only occurs when the computer restarts or when the User logs on or off. You can set up a script using Group Policy Preferences to force a reboot, but this does not guarantee that the software will be installed on that reboot.
- The second limitation is that you cannot control the order in which packages are installed. For example, if you have multiple packages and one of them has dependencies, you cannot control the order in which those installations happen.
- The last and most important limitation is that there is no built-in reporting or auditing (i.e. you cannot run reports to determine whether the software was installed successfully, or why an installation failed). Some minimal logging can be enabled through the Windows Installer (MSI) logging feature. MSI logging can prove helpful and is definitely worth enabling. Here are the instructions for setting up MSI logging: How to configure GPO to create Sensor MSI log
4. Group Policy software installation requires either a User logon (for User policies) or a Computer reboot (for Computer policies). This is a limitation of the Microsoft Group Policy technology and should be carefully considered before deciding to use Group Policy to deploy software. As a workaround it may be possible to create a custom script that installs the Sensor and deploy it via a Scheduled Task in Group Policy Preferences. However, at this time Carbon Black does not provide a custom script that has been tested and qualified for deploying Sensors using GPO Scheduled Tasks.
5. If you manually install the Sensor with the .exe (binary) file, the software installation GPO can and will affect the manually installed version once Group Policy refreshes. This is another problem with GPO software installation policies. If you are going to manually install the Sensor on an Endpoint, you need to put that Computer object into an OU where your main software installation GPO is either blocked or not linked.
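The following is an added example of the kind of install wrapper the Scheduled Task workaround above would run; it is not a Carbon Black-provided or qualified script, and it is not taken from the original article. The UNC paths to the MSI and the .MST transform, the product name matched in the Uninstall registry keys, and the log folder are placeholders you would replace with your own values. It checks for an existing installation first (so a task that fires repeatedly does not re-run msiexec), installs silently without rebooting, writes a per-run verbose MSI log, and maps the Windows Installer exit codes so the task history records why a run failed.

```powershell
# Added example (not Carbon Black's script): Sensor install wrapper for a Group
# Policy Preferences Scheduled Task running as SYSTEM. All paths are assumptions.
param(
    [string]$MsiPath   = '\\fileserver\Deploy\CarbonBlack\sensor.msi',   # assumption: UNC path to the Sensor MSI
    [string]$Transform = '\\fileserver\Deploy\CarbonBlack\sensor.mst',   # assumption: same .MST the GPO uses
    [string]$LogDir    = "$env:windir\Temp"                               # writable by SYSTEM
)

# Check the Uninstall keys (64-bit and 32-bit views) before calling msiexec so the
# task is idempotent: nothing runs if a Sensor is already present.
function Test-SensorInstalled {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Carbon Black*' } |   # assumption: DisplayName starts with "Carbon Black"
        Select-Object -First 1
}

if (Test-SensorInstalled) {
    Write-Output 'Sensor already installed; nothing to do.'
    exit 0
}

$timestamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$logFile   = Join-Path $LogDir "CbSensorInstall-$timestamp.log"

# /qn = no UI, /norestart = do not reboot (the point of the workaround),
# /l*vx = verbose log with extra debug output, the same options as the
# voicewarmupx policy string, but written to a file we choose.
$arguments = @(
    '/i', "`"$MsiPath`"",
    "TRANSFORMS=`"$Transform`"",
    '/qn', '/norestart',
    '/l*vx', "`"$logFile`""
)

$proc = Start-Process -FilePath "$env:windir\System32\msiexec.exe" `
                      -ArgumentList $arguments -Wait -PassThru

# Windows Installer exit codes: 0 = success, 3010 = success but a reboot is
# required, 1641 = the installer initiated a reboot. Anything else failed;
# the verbose log explains why.
switch ($proc.ExitCode) {
    0       { Write-Output "Installed successfully. Log: $logFile" }
    3010    { Write-Output "Installed; reboot required to finish. Log: $logFile" }
    1641    { Write-Output "Installed; Windows Installer initiated a reboot. Log: $logFile" }
    default {
        Write-Error "Install failed with exit code $($proc.ExitCode). See $logFile"
        exit $proc.ExitCode
    }
}
```

Because the task runs under SYSTEM, the share hosting the MSI and transform must grant read access to the computer accounts (Domain Computers), not just to users; a missing share permission shows up as exit code 1619 (package could not be opened) rather than as a sensor problem.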
6. NOTE: If the Computer object is removed from "Security Filtering" on the GPO, the Endpoint will uninstall the Carbon Black Sensor the next time it refreshes Group Policy.
- Carbon Black recommends disabling the Deployment setting "Uninstall this application when it falls out of scope of management" so that this does not happen.
7. If you are deploying your GPO to a VDI environment you must include additional parameters in your .MST (Transform) file. Which parameters you use depends on whether the VM is a "Persistent" or a "Non-Persistent" VM. These instructions can be found here: Installing Sensors on Endpoints in a VDI Environment.
8. Make sure you have MSI logging enabled on the GPO.
- To configure Group Policy to automatically create a Windows Installer .msi log:
- Open the Group Policy editor and expand: Computer Configuration > Administrative Templates > Windows Components.
- Select Windows Installer and double-click "Logging" or "Specify the types of events Windows Installer records in its transaction log" (the name depends on the Windows version).
- Select Enabled.
- In the Logging textbox, type voicewarmupx (every logging option, including the extra debugging output enabled by "x").
- Click OK.
- NOTE: The MSIxxxxx.log file is created in the Temp folder of the system volume, C:\Windows\Temp\, because machine-assigned installs run as SYSTEM rather than as the logged-on user.
- NOTE: This setting creates an MSI install log for every Windows Installer transaction on every computer the GPO applies to, not only for the Sensor install.
- To enable Windows Installer .msi logging using the registry:
- Go to registry key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer.
- Set the REG_SZ value Logging to: voicewarmupx
- NOTE: If Group Policy is configured to automatically create a Windows Installer .msi log, Group Policy rewrites this value on each refresh, so the registry value should match whatever is configured in Group Policy.
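The following is an added example, not part of the original article, that applies the registry form of the MSI logging setting above and then triages the resulting logs. The policy key, the Logging value name and the voicewarmupx string are the documented Windows Installer policy settings the article uses; the log folder is the C:\Windows\Temp location the article names, and the "Return value 3" search is a standard way to find the failing action in a verbose Windows Installer log.

```powershell
# Added example (not from the original article): set the Windows Installer
# policy logging value, verify it, and pull the most recent MSI logs.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
$logModes  = 'voicewarmupx'   # must match the Group Policy setting if one is configured

function Set-MsiPolicyLogging {
    param([string]$Key, [string]$Modes)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # Logging is a REG_SZ; Windows Installer reads it at the start of every transaction.
    New-ItemProperty -Path $Key -Name 'Logging' -Value $Modes -PropertyType String -Force | Out-Null
}

function Get-MsiPolicyLogging {
    param([string]$Key)
    (Get-ItemProperty -Path $Key -Name 'Logging' -ErrorAction SilentlyContinue).Logging
}

Set-MsiPolicyLogging -Key $policyKey -Modes $logModes
$configured = Get-MsiPolicyLogging -Key $policyKey
if ($configured -ne $logModes) {
    throw "Logging value is '$configured', expected '$logModes' (Group Policy may have overwritten it)"
}

# Policy-driven logs are named MSI<random>.log. Machine-assigned GPO installs run as
# SYSTEM, so they land in %windir%\Temp, not in a user's %TEMP%.
$logDir = "$env:windir\Temp"
$recent = Get-ChildItem -Path $logDir -Filter 'MSI*.log' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5
$recent | Select-Object Name, LastWriteTime, Length

# Quick triage of the newest log: in a verbose MSI log, "Return value 3" marks the
# action that failed, and the lines just before it usually say why.
$newest = $recent | Select-Object -First 1
if ($newest) {
    Select-String -Path $newest.FullName -Pattern 'Return value 3' -Context 3,0 |
        Select-Object -First 1
}
```

Run this as an administrator on a test endpoint before relying on it: if the GPO already sets the Logging value, the throw after the verification tells you that Group Policy and the registry disagree, which is exactly the mismatch the NOTE above warns about.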