Carbon Black EDR provides support for environments in which client machines are frequently re-imaged or reverted back to a master image.
In these environments, agent-based software can experience complex agent management issues such as duplicate systems or Sensor ID collisions. These issues are typical in environments where the sensors are installed on a master image or on Virtual Desktop Infrastructure (VDI) images, particularly when using non-persistent images.
Carbon Black EDR provides a means to resolve these VDI issues. If VDI behavior is configured and enabled for some or all sensors, the sensor first communicates with the Carbon Black EDR server (single or clustered) and attempts to register itself. The server then tries to correlate the characteristics of that sensor and client machine (i.e., hostname and DNS name) with an existing sensor. If the server can correlate the new client to a sensor it has already seen, it assigns that sensor its previous Sensor ID. If there is no correlation, the server performs a new registration for that client. This allows the client machine to report to the server with the same Sensor ID, maintaining the client event history despite having been re-imaged. If the endpoint's System ID (SID) changes, VMware Carbon Black must create a new Sensor ID for that endpoint.
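The following audit is an added example, not part of the Carbon Black documentation or product code. It groups a sensor inventory by the two correlation attributes named above and reports hosts that hold more than one Sensor ID, separating the case where the SID changed (a new Sensor ID is expected) from the case where event history was split across IDs. The record layout, field names and sample values are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample inventory (not real data). The field names are
# assumptions for this example, not a documented export format.
SENSORS = [
    {"sensor_id": 101, "hostname": "VDI-POOL-01", "dns_name": "vdi-pool-01.corp.example", "sid": "S-1-5-21-1111"},
    {"sensor_id": 245, "hostname": "VDI-POOL-01", "dns_name": "vdi-pool-01.corp.example", "sid": "S-1-5-21-1111"},
    {"sensor_id": 102, "hostname": "VDI-POOL-02", "dns_name": "vdi-pool-02.corp.example", "sid": "S-1-5-21-2222"},
    {"sensor_id": 310, "hostname": "VDI-POOL-02", "dns_name": "vdi-pool-02.corp.example", "sid": "S-1-5-21-3333"},
    {"sensor_id": 103, "hostname": "WS-FINANCE-7", "dns_name": "ws-finance-7.corp.example", "sid": "S-1-5-21-4444"},
]

def audit_sensor_ids(sensors):
    """Return one finding per (hostname, DNS name) that holds several Sensor IDs."""
    by_host = defaultdict(list)
    for s in sensors:
        # Normalise case, whitespace and a trailing DNS dot before grouping.
        key = (s["hostname"].strip().lower(), s["dns_name"].strip().lower().rstrip("."))
        by_host[key].append(s)

    findings = []
    for key in sorted(by_host):
        records = by_host[key]
        ids = sorted({r["sensor_id"] for r in records})
        if len(ids) < 2:
            continue  # one Sensor ID for this host: history is intact
        by_sid = defaultdict(set)
        for r in records:
            by_sid[r["sid"]].add(r["sensor_id"])
        # Same SID under several Sensor IDs means the host was re-registered
        # instead of being correlated to its previous Sensor ID.
        split = {sid: sorted(v) for sid, v in by_sid.items() if len(v) > 1}
        findings.append({
            "hostname": key[0],
            "dns_name": key[1],
            "sensor_ids": ids,
            "kind": "split_history" if split else "sid_changed",
            "split": split,
        })
    return findings

if __name__ == "__main__":
    for f in audit_sensor_ids(SENSORS):
        print(f["kind"], f["hostname"], f["sensor_ids"])
```

Hosts reported as `split_history` are candidates for enabling VDI behavior; `sid_changed` hosts match the documented case in which a new Sensor ID must be created.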
The process for setting up VDI support can be divided into two stages:
- Configuring the Carbon Black EDR server to support the VDI behavior.
- Choosing the appropriate VDI support implementation option (global or sensor group).