Issue
After attempting to upgrade the EDR sensor, the sensor is no longer able to communicate with the VMware CB EDR server.
Environment
VMware Carbon Black EDR; Windows sensor
Resolution
When you review sensorcomms.log from the collected diagnostics, you may see error code 0x80072f9a.
Execute the following command from an elevated command prompt:
c:\windows\system32>certutil -store carbonblack
If the following output is found:
Missing stored keyset
No key provider information
Cannot find the certificate and private key for decryption.
The sensor certificates might have been corrupted. Follow the steps below to resolve this issue.
- Uninstall the sensor from the affected endpoint.
- Create a new sensor group.
- Download a brand new sensor package.
- Install the sensor manually on the affected endpoint.
- Force a sensor check-in by running the following command from an elevated command prompt:
sc control carbonblack 200
- Check the VMware Carbon Black EDR console to verify that the endpoint has successfully checked in.
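The certutil check that precedes these steps can be scripted for triage before committing to a reinstall. The PowerShell below is an added example, not code from VMware or from this article; the -SensorCommsLog parameter and the function names are hypothetical, and the log path must be supplied by the operator because the article does not state it.

```powershell
# Added example, not vendor code: automates the certutil check from this article.
[CmdletBinding()]
param(
    # Hypothetical parameter: path to sensorcomms.log from the collected diagnostics.
    [string]$SensorCommsLog
)

# Output lines the article associates with a corrupted sensor certificate.
$KeysetIndicators = @(
    'Missing stored keyset',
    'No key provider information',
    'Cannot find the certificate and private key for decryption.'
)

function Test-SensorCommsError {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $null }  # log not supplied
    # -SimpleMatch treats the error code as a literal string, not a regex.
    return [bool](Select-String -LiteralPath $Path -Pattern '0x80072f9a' -SimpleMatch -Quiet)
}

function Get-KeysetIndicatorHit {
    param([string[]]$CertutilOutput)
    $text = $CertutilOutput -join "`n"
    # Case-insensitive literal search; returns only the indicators present.
    return @($KeysetIndicators | Where-Object {
        $text.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
    })
}

# The article runs certutil from an elevated prompt, so refuse to run otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

$output = & certutil.exe -store carbonblack 2>&1 | ForEach-Object { "$_" }
$exit   = $LASTEXITCODE
$hits   = Get-KeysetIndicatorHit -CertutilOutput $output

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    CertutilExitCode    = $exit
    LogShowsErrorCode   = Test-SensorCommsError -Path $SensorCommsLog
    IndicatorsFound     = $hits
    ReinstallIndicated  = ($hits.Count -gt 0)
}
```

LogShowsErrorCode is empty when no log path is given; ReinstallIndicated is true only when at least one of the three certutil messages appears.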
Cause
The sensor certificate can become corrupted for several reasons. Known causes include:
- Upgrading the operating system without uninstalling the sensor.
- The sensor package may contain an incorrect certificate.
- Exceptions were not configured for the VMware CB EDR sensor in third-party A/V solutions.