000034878 - Agent Status shows as "Needs Reboot" on the machines table in RSA NetWitness Endpoint

Document created by RSA Customer Support Employee on Feb 27, 2017Last modified by RSA Customer Support on Nov 5, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000034878
Applies ToRSA Product Set: NetWitness Endpoint
RSA Version/Condition:,
Platform: Windows
IssueThe Endpoint agent during an upgrade of the agent to will show a reboot required message with a red slash through the machine in the machine's tab and also when opening the machine itself in the UI:

reboot required for selected agent

Tooltip attached to machine status displays: "Reboot required: The agent appears to be partially loaded. An endpoint reboot is required for full agent operation."
CauseDue to known upgrade issues with the NetWitness Endpoint agent moving to 4.3 from a prior version, the kernel driver error 0x20010007 code is detected, which informs the UI that the agent needs a reboot in order to enable correct functionality of the kernel driver on the agent endpoint, otherwise full functionality will be impaired when tracking data, scanning, or using containment features or blocking.
ResolutionTo resolve this issue, the agent must first be rebooted.
  1. Go to the agent in the UI during a window frame when it will not disrupt normal business operations on the endpoint in question and right-click the machine in the Machines tab go to Advanced>Reboot
  2. When the popup box asking if you wish to reboot the agent appears, select Yes
  3. Go to a command prompt and run ping -t <ip_of_rebooted_machine> to check for when the machine goes offline which may take some time and when it starts pinging again
Open the UI again and check the state of the machine. It may still show a red icon indicating it is not rebooted:

User-added image

If the agent has been rebooted and the state doesn't update, run a Quick Scan on the agent:
  1. Select the machine in the Machine's tab and right-click Request Scan>Advanced.
    • Select None and then select Processes so the scan is set to only scan processes
    • Click Proceed
  2. This will kick off a new scan which will resolve very quickly while updating the agent status. Once this is updated, after a few minutes at most you will see the agent state change to the blue icon and the agent will no longer show Reboot Required in the UI.
Normal scanning and tracking from the agent can then resume.