A rejoin command has been issued to an isolated client via the Symantec Endpoint Detection and Response (SEDR) appliance, but the client is not rejoining the network.

The client is not receiving the command.  This is either because there is a communication issue between SEDR and the Symantec Endpoint Protection Manager (SEPM) or there is a communication issue between the SEPM and SEP client.

Verify status of the rejoin command from the EDR

  1. Log in to the SEDR GUI
  2. Navigate to Logging > Actions
  3. Find the event with the command_name of 'rejoin'
  4. Expand the entry by clicking on the '>'
  5. Make note of the 'command_uid'

Verify the command status in the SEPM

  1. Open the SEPM GUI
  2. Navigate to Monitors > Command Status
  3. Ensure the time range selected covers the time that the rejoin command was initially initiated.
  4. Make note of the 'Completion Status'

• If the status of the command in EDR is 'Started', but no command is shown in the SEPM command status screen, then there is an issue with SEDR to SEPM communication. 
  • Troubleshooting connections to SEPM

• If there is a command in the SEPM command status screen, and the Completion Status is NOT "100%", then the issue is likely a communication issue between the SEP client and SEPM. 
• • Troubleshoot communication issues with Endpoint Protection Manager