SEP to SES successful upgrade and Cloud Managed = 1, but Cloud Enrolled = 0 (unknown error : 0)
search cancel

SEP to SES successful upgrade and Cloud Managed = 1, but Cloud Enrolled = 0 (unknown error : 0)

book

Article ID: 439626

calendar_today

Updated On:

Products

Endpoint Security Complete Endpoint Protection

Issue/Introduction

The On Prem SEP upgrade to SES cloud was successful, and the client shows "Cloud Managed = 1" but shows "Cloud Enrolled" = 0 or (unknown error : 0) similar to the below. 

After opening the SEP client interface and clicking Help and Troubleshooting the following is observed:

- Cloud Management:
       Cloud: Not Enrolled
       Group: Not Enrolled
       ...
       Policies for the current location. 
      "Waiting for data"

 

- Cloud Connection Status: "Not Enrolled" similar to the screenshot below: 



- Client Management Type

      Failing device shows: 
      CloudManaged = 1
      CloudEnrolled = 0

      Successful device shows: 
      CloudManaged = 1
      CloudEnrolled = 1

Use this link to Determine the SEP/SES agent client management type by using the registry.

Environment

Symantec Endpoint Protection (SEP) 14.3x and later
Symantec Endpoint Security (SES) 14.3x and later

Cause

The client is failing to enroll because the enrollment token is "missing." Without this token the SEP client is unable to connect to SES cloud "indefinitely" until addressed.  

A way to determine if this is a match to your issue, check the relevant file sizes below: 

- Cloud Connection.dat (should be 3KB, if only 2KB or less, this indicates that the token is missing)
- Connect.dat (should be 536 Bytes or larger)

Path:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config\

Resolution

Broadcom is aware of this behavior and working on a fix.  We will update this kb once available.  

As for a workaround consider one of the options below: 

#1. Run smc -cloudmanaged <path\to\Symantec_Agent_Setup.exe> per Using smc to Switch a Windows Client Between SEP and SES Management or to Change a Device's Tenant or Environment
NOTE: Using the same Symantec_Agent_Setup.exe version works fine


#2. Upgrade the SEP client to a later version of Symantec_Agent_Setup.exe installer

#3. Run a SEP client repair (from Add or Remove Programs)

NOTE: msiexec /fa {<PRODUCT_GUID>} /norestart 

Additional Information

CRE-17696
CRE-19469
CRE-23906

Powered by Wolken Software