All or some Endpoint servers are in unknown state and shows show error 'Endpoint Channel mapper failed to get provisioned keystore/truststore data.' and 'Error: Failed to get keystore data for provision id'
Article ID: 266101

Updated On:

Products

Data Loss Prevention Core Package

Issue/Introduction

All or some endpoint detection servers showing in unknown state.

Environment

Release : 16.0

Cause

In the controller logs you see the following:

SEVERE: UpdateMonitorVersion caught exception.
com.vontu.util.ProtectRuntimeException: Endpoint Channel mapper failed to get provisioned keystore/truststore data. Provision Ids <id>, <id>. Error: Failed to get keystore data for provision id <id>. Error: <drive letter>:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.00000\keystore\<endpoint server name_date>.jks

Unlike all other monitors, each Endpoint Prevent server (EPS) requires a JKS keystore file that is stored on the Enforce server. The EPS needs this keystore data so that endpoint agents are able to connect to it. On each startup of the EPS (or of the MonitorController), this keystore has to be replicated to the EPS, which holds it in memory.
If the keystore is not available, the EPS will not start, and you will see the above error.


As noted in the logs, this keystore, which is only created when an EPS is first created, is stored under the DLP data location (in this case "<drive letter>:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.00000") along with all the other data used by the DLP services.
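The following PowerShell is an added example, not part of the KB article: it pulls the provision id and the expected .jks path out of the exception text above and checks whether that file is present in the Enforce keystore directory, so you know which keystore has to be copied over before changing anything. The log text, the provision ids and the keystore filename are constructed sample values; the drive letter and install path are assumptions to adjust for your server.

```powershell
# Added example (not the KB's or the product's own code). Sample values are constructed.
$KeystoreDir = 'C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.00000\keystore'

# Constructed sample of the MonitorController log entry described in the article.
$SampleLog = @'
SEVERE: UpdateMonitorVersion caught exception.
com.vontu.util.ProtectRuntimeException: Endpoint Channel mapper failed to get provisioned keystore/truststore data. Provision Ids 101, 102. Error: Failed to get keystore data for provision id 101. Error: C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.00000\keystore\eps01_20230105.jks
'@

function Get-EpsKeystoreStatus {
    param(
        [Parameter(Mandatory)] [string] $LogText
    )
    # Extract the provision id and the .jks path the channel mapper could not read.
    $pattern = 'Failed to get keystore data for provision id (?<id>[^.\s]+)\. Error: (?<path>[^\r\n]+\.jks)'
    foreach ($m in [regex]::Matches($LogText, $pattern)) {
        $path = $m.Groups['path'].Value.Trim()
        [pscustomobject]@{
            ProvisionId  = $m.Groups['id'].Value
            ExpectedFile = $path
            Exists       = Test-Path -LiteralPath $path -PathType Leaf
        }
    }
}

$status = Get-EpsKeystoreStatus -LogText $SampleLog
$status | Format-Table -AutoSize

# List the keystores this Enforce server does have, so the missing one can be
# identified and copied in from the Enforce server where it still exists.
if (Test-Path -LiteralPath $KeystoreDir -PathType Container) {
    Get-ChildItem -LiteralPath $KeystoreDir -Filter '*.jks' |
        Select-Object Name, Length, LastWriteTime
} else {
    Write-Warning "Keystore directory not found: $KeystoreDir"
}
```

Run it against the real controller log text (for example the output of `Get-Content` on the log file) to get one row per failing provision id; a row with `Exists = False` is the keystore file that needs to be restored to the directory.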

Resolution

Since the JKS file is created only when the endpoint server is first created, you will need to copy this JKS file from the other Enforce server into the keystore directory on the new Enforce server:

<drive letter>:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.00000\keystore\

Another possible workaround is to rename the hostname and IP of that endpoint server in Enforce. Next, add a new endpoint server with the original name and IP and see if this connects. Since you are adding a new server, Enforce will create a new keystore file for it. If all is good, you can delete the original endpoint server connection that was renamed. If for some reason this does not help, you can delete the newly added server and rename the original server back to what it was.