The SEPM group is not using the latest SEDR certificate and is unable to communicate with EDR as a result.
A component of EDR is unable to process data correctly because it has become saturated. Symptoms of this scenario include a reduction in the endpoints' ability to record events and incidents normally. You will see reduced events or no events being reported. Incidents may also be affected.
EDR is working as designed. If the following two conditions are met, the latest SEDR certificate will be updated on the endpoint and the endpoint will communicate with EDR and report events accurately.
EDR's engineering team is committed to investigating this issue and providing a resolution. This article will be updated with any additional information as it becomes available. Please use the provided workaround to resolve this issue.
For scenario 1, SEDR and configured SEPMs execute a cron job every hour, which should sync any groups that were not previously configured correctly.
For scenario 2, please see the EDR 4.x documentation titled Symantec EDR platform support matrix for information regarding the system requirements for physical and virtual EDR appliances.