Operational State: Disabled by SentinelOne on Capture Client Management Console

Description

Operational State: Disabled by SentinelOne on Capture Client Management Console

Resolution

What does "Disabled by S1" status mean?

  • The Agent is disabled by SentinelOne due to a persistent error. This Agent is not protected. These functionalities are disabled: Detection, Device Control, Firewall Control, Ranger, and anti-tampering. This usually occurs when an endpoint does not have available resources. We recommend that you free resources, reboot the endpoint, and enable the Agent. If the issue persists, consult with Support.


How does a partner or customer check for "Disabled by S1" on the endpoint?

  • Check the Agent status in the endpoint GUI, and also check the S1 status via the CLI.

When a partner or customer sees that their endpoints have the S1 Agent in the "Disabled by S1" state, what is the corrective action?

  • Use the SentinelOne Application log entries with Event ID 98 on the endpoint to identify the reason the Agent was disabled.

  • Use the time and date of the Agent crash to find a matching system event.
  • In the Event viewer panel, expand Windows Logs and click System.
  • Find the time and date range of the Agent crash.

One cause for the Agent to become disabled is low disk space detected by the operating system.

  • Resource-Exhaustion-Detector, Event ID 2013, for "Low Disk Space" or "The Page File is too small for this operation to complete".

  • Resolve the resource exhaustion or clear disk space, and restart the endpoint.
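
The log correlation described above, as an added example that is not part of the original article or SentinelOne's own tooling: a PowerShell function that pairs each Event ID 98 entry with System log events (Event ID 2013 by default) that fall inside a time window around it. The function name, the 30-minute window, and the sample events are assumptions constructed for illustration.

```powershell
# Added example: match Agent-disable events (ID 98) to nearby System log events.
function Find-MatchingSystemEvent {
    param(
        [Parameter(Mandatory)] [object[]] $AgentEvents,   # Event ID 98 entries
        [Parameter(Mandatory)] [object[]] $SystemEvents,  # entries from Windows Logs > System
        [int[]] $SystemIds = @(2013),                     # ID named in the article
        [int]   $WindowMinutes = 30                       # assumption: window on each side
    )
    foreach ($agent in ($AgentEvents | Where-Object { $_.Id -eq 98 })) {
        $from = $agent.TimeCreated.AddMinutes(-$WindowMinutes)
        $to   = $agent.TimeCreated.AddMinutes($WindowMinutes)
        # Keep only the System events of interest that fall inside the window.
        $hits = @($SystemEvents | Where-Object {
            $_.Id -in $SystemIds -and $_.TimeCreated -ge $from -and $_.TimeCreated -le $to
        } | Sort-Object TimeCreated)
        if ($hits.Count -gt 0) { $verdict = 'Resource exhaustion logged near disable time' }
        else                   { $verdict = 'No matching System event in window' }
        [pscustomobject]@{
            AgentDisabledAt = $agent.TimeCreated
            AgentMessage    = $agent.Message
            MatchCount      = $hits.Count
            SystemEvents    = $hits
            Verdict         = $verdict
        }
    }
}

# Constructed sample events (not real log data) so the function runs offline.
$t = [datetime]'2024-01-15T10:42:00'
$agentSample = @(
    [pscustomobject]@{ Id = 98; TimeCreated = $t; Message = 'constructed: agent disabled' }
)
$systemSample = @(
    [pscustomobject]@{ Id = 2013; TimeCreated = $t.AddMinutes(-12); Message = 'constructed: low disk space' }
    [pscustomobject]@{ Id = 7036; TimeCreated = $t.AddMinutes(-3);  Message = 'constructed: unrelated event' }
    [pscustomobject]@{ Id = 2013; TimeCreated = $t.AddHours(-5);    Message = 'constructed: outside window' }
)
Find-MatchingSystemEvent -AgentEvents $agentSample -SystemEvents $systemSample |
    Format-List AgentDisabledAt, MatchCount, Verdict

# On an endpoint, pass real events instead (the first log name is a placeholder to fill in):
#   $agent  = Get-WinEvent -FilterHashtable @{ LogName = '<log holding the SentinelOne events>'; Id = 98 }
#   $system = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 2013 }
#   Find-MatchingSystemEvent -AgentEvents $agent -SystemEvents $system
```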

If the Agent is still not enabled after the above steps, what further guidance should the partner or customer follow?

If this issue is seen on 1 or 2 machines, enable the Agent with SentinelCtl:

1. Get the passphrase of the Agent.

2. On the local endpoint, open the Command Prompt with Run as administrator.

3. Go to the folder of SentinelCtl.exe:

cd "C:\Program Files\SentinelOne\Sentinel Agent version"

4. Run:

sentinelctl.exe enable_agent [-r {true | false}] -k "passphrase"

-r If set to true, will automatically reboot the endpoint. Set to false by default.

5. Reboot the endpoint.

If the issue is seen on multiple machines, run the enable agent operation from the backend server:

1. Partners should reach out to tech support, who can perform a bulk enable of the Agent from the backend.

2. After getting confirmation from the Support Team, reboot the endpoint.

How To Solve Disabled Agent due to Database Error

To troubleshoot and solve Disabled by database error:

1. Open the Command Prompt with Run as administrator.

2. See if the Agent is disabled due to a database error:

"C:\Program Files\SentinelOne\<Sentinel Agent version>\sentinelctl.exe" status

3. Continue if the output shows: Disable State: Detection disabled due to database error

4. Get the passphrase of the Agent.

In the Management Console, go to the Devices page. Download the Devices list in .csv format and pick the “S1 Passphrase” from the file.

5. Remove Anti-Tamper protection from the Agent:

sentinelctl unprotect -k "MY PASS PHRASE"

6. If you can, free disk space. Often, this issue is caused by insufficient resources on the endpoint.

7. Recover the Agent database:

sentinelctl config rebootlessConfig.recoverCorruptedDatabase false &:: version 22.1+

8. Stop Agent services:

sentinelctl unload -a

9. Clear the database:

echo "" > %programdata%\Sentinel\data\prdb\CURRENT

10. Start Agent services:

sentinelctl.exe load -a

If the output shows all services loaded successfully, enable the Agent.

11. Turn on the Agent self-protection.

sentinelctl protect
