Agent continues to generate incidents for policies that are no longer active
Article ID: 191542

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

An endpoint agent may continue to generate incidents for suspended / disabled / deleted policies.

Environment

DLP 15.x

Cause

This can happen if the policy matrix data ID held by the endpoint agent no longer matches the data ID known to the aggregator on the Endpoint Servers. The exact cause of how an agent gets into this state is still unknown.

Resolution

This can be resolved by disabling delta matrix replication until the agents have received the correct matrix. This should happen within their polling interval, or, for agents that are offline, when they next connect to their Endpoint Server and request the policy execution matrix.

To disable deltas, log in to the Enforce Console and navigate to System -> Agents -> Agent Configuration. Select the configuration that applies to the affected agents, open the Advanced Settings tab, change CommLayer.ENABLE_POLICY_MATRIX_DELTA_REPLICATION.int to 0, and save. Be sure to apply the updated configuration to the agents so that the change takes effect.

You can either leave delta replication disabled after the issue has been resolved, or re-enable it if the network bandwidth savings between Endpoint Servers and agents are needed.