A restart may be required to begin seeing some ETW events with EDR and SEP 14.3 RU3
search cancel

A restart may be required to begin seeing some ETW events with EDR and SEP 14.3 RU3

book

Article ID: 223251

calendar_today

Updated On:

Products

Endpoint Protection Endpoint Security Endpoint Detection and Response Endpoint Security Complete

Issue/Introduction

Beginning with SEP 14.3 RU3 where EDR is in use, a restart may be required to begin seeing some ETW events recorded from the device.

Environment

  • Endpoint Detection and Response.
  • Endpoint Protection (SEP) 14.3 RU3.

Resolution

Below are the following scenarios where a restart will be required to begin seeing ETW events.

  • If EDR is enabled and the SEP client is updated to 14.3 RU3.  
  • If SEP 14.3 RU3 is installed, then EDR is enabled.

Additional Information

If SEP 14.3 RU3 is installed and EDR is disabled, ETW events will still be generated until the system is restarted.

Powered by Wolken Software