This section describes two ways to enable FIPS 140-2 for Carbon Black EDR Windows sensors.

Enable FIPS for Windows Sensors through Group Policy Settings

To enable FIPS 140-2 for Carbon Black EDR Windows sensors by using Group Policy settings, perform the following procedure.

Procedure

  1. On the Windows endpoint, open the Group Policy Editor.
  2. Go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
  3. Enable the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting.

    [Figure: Group Policy Editor showing system cryptography setting]

  4. Reboot the endpoint.
  5. Install the Carbon Black EDR Windows Sensor kit. See Install Windows Sensors on Endpoints.
  6. Verify whether FIPS is enabled by running the following command:
    C:\>reg query HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy

    The output should read as follows:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
        Enabled    REG_DWORD    0x1
  7. Open the sensor.log file and check that it contains the log message "Windows system-wide FIPS mode is enabled".

Enable FIPS for Windows Sensors through the Registry

To enable FIPS 140-2 for Carbon Black EDR Windows sensors through the registry, perform the following procedure.

Procedure

  1. On the Windows endpoint, open the Windows Registry Editor.
  2. Go to HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy and set the Enabled value to 1.
  3. Reboot the endpoint.
  4. Install the Carbon Black EDR Windows Sensor kit. See Install Windows Sensors on Endpoints.
  5. Verify whether FIPS is enabled by running the following command:
    C:\>reg query HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy

    The output should read as follows:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
        Enabled    REG_DWORD    0x1
  6. Open the sensor.log file and check that it contains the log message "Windows system-wide FIPS mode is enabled".
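
The two verification steps that close both procedures can be scripted for use across many endpoints. The following PowerShell script is an added example, not part of the Carbon Black documentation or tooling. The location of sensor.log is not given on this page, so it is passed in as the hypothetical -SensorLogPath parameter.

```powershell
# Added example: audits the two verification steps of the procedure on one endpoint.
# Assumption: -SensorLogPath is supplied by the caller; this page does not state
# where sensor.log is stored.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [string]$SensorLogPath
)

$KeyPath    = 'HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$LogMessage = 'Windows system-wide FIPS mode is enabled'   # message text quoted on this page

function Get-FipsPolicyState {
    # Returns the Enabled DWORD, or $null when the key or the value is missing.
    $item = Get-ItemProperty -Path $KeyPath -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.Enabled
}

function Test-SensorLogFips {
    param([string]$Path)
    # A missing log is reported as "not confirmed" rather than as a script error.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    # -SimpleMatch treats the message as a literal string; -List stops at the first hit.
    $hit = Select-String -LiteralPath $Path -SimpleMatch -Pattern $LogMessage -List
    return [bool]$hit
}

$enabled = Get-FipsPolicyState
$result = [pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    RegistryValue  = if ($null -eq $enabled) { 'missing' } else { '0x{0:x}' -f $enabled }
    PolicyEnabled  = ($enabled -eq 1)
    SensorLogFound = Test-Path -LiteralPath $SensorLogPath -PathType Leaf
    SensorLogFips  = Test-SensorLogFips -Path $SensorLogPath
}
$result

# A non-zero exit code lets a deployment or compliance job flag the endpoint.
if (-not ($result.PolicyEnabled -and $result.SensorLogFips)) { exit 1 }
```

An endpoint where PolicyEnabled is True but SensorLogFips is False has the Windows policy set without the sensor having logged FIPS mode, which is the case the final step of each procedure is meant to catch.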