Unenrolled endpoints still send events to EDR
search cancel

Unenrolled endpoints still send events to EDR

book

Article ID: 369046

calendar_today

Updated On:

Products

Endpoint Detection and Response

Issue/Introduction

You notice that the Symantec Endpoint Detection and Response (SEDR) appliance is still receiving events from a client after the client has been unenrolled from the SEDR appliance.

Environment

SEDR 4.10

Cause

 

The Symantec EDR will continue to accept endpoint activity logs from unenrolled clients until the clients receive an updated SEPM policy that removes the Symantec EDR enrollment information.

Resolution

This is expected behavior and it may take up to one SEPM heartbeat cycle for SEP clients to unenroll completely from Symantec EDR. Until the policy is updated, clients might continue sending endpoint activity logs, policies, and command requests to Symantec EDR.

Powered by Wolken Software