When clicking "Full Dump" action on enrolled endpoint detail page, a dialog with title "Could not complete full dump request" is displayed with error "Unknown Failure".
Endpoint is not associated to Endpoint Data Recorder configuration due to ATP cache cleanup issue. This occurs when a group is removed and then re-added in the SEPM Group Inclusion setting for a SEPM Controller. When Endpoint Data Recorder is enabled and endpoint is enrolled, a link record is created in database to associate endpoint to Endpoint Data Recorder configuration, for performance reason the link record is also cached. Endpoint unenrollment process delete the link record from database but unfortunately not clean it from cache. When endpoint is re-enrolled, ATP should re-create the link record but since the cached link record is still there, ATP think the endpoint is still being associated to Endpoint Data Recorder configuration hence skip link record creation. When clicking "Full Dump" action on enrolled endpoint detail page, ATP fail to get endpoints' Endpoint Data Recorder configuration from database hence full dump fail
Workaround: Reboot ATP appliance, ATP re-creates the missing link record when refreshing endpoint from SEPM. While this problem reproduces in all ATP 3.0.5 and 3.1 releases, this workaround only applies to ATP 3.1 releases. There is no workaround for ATP 3.0.5 release. Please upgrade to 3.1 or newer if running ATP 3.0.5.
Subscribing will provide email updates when this Article is updated. Login is required.