Troubleshooting the disabled agent status

This article outlines common troubleshooting steps for component-specific issues that may cause the agent to appear as Disabled, along with the recommended remediation strategies.

Disabled status

A device is marked as Disabled in the EDR platform when the agent on an endpoint repeatedly attempts to download or install a specific component from the platform beyond an acceptable threshold.

In most cases, simply re-enabling the affected device in the EDR portal resolves the issue. However, if the agent continues to appear as Disabled, it may be necessary to address the root cause to prevent recurrence. Start by checking whether a new policy or license was recently assigned to the device. For example, did you recently apply a Ransomware Detection or Datto AV policy? If so, proceed to the relevant solution section below for recommended steps to resolve the issue.

EDR

If you suspect the endpoint may have been disabled due to the Datto EDR component:

Verify the endpoint meets the minimum operating system requirements. If it does not, consider upgrading the operating system on the device to meet the minimum requirements. See the article, Hardware and operating system requirements.
If you deployed the agent using a script, verify that your deployment script is installing the correct architecture for the endpoint. For example, when installing the EDR agent to a MacOS ARM device, ensure your script utilizes the MacOS ARM installer. See the article Deploying the Datto Endpoint Security agent.
Enable the device. Select Organizations > Devices. For the applicable device, click the ellipses menu and select Enable.

Ransomware Detection/Ransomware Rollback

If you suspect that the endpoint may have been disabled due to the Ransomware Detection and Ransomware Rollback component:

Verify that the endpoint has a compatible CPU architecture. Currently, Ransomware Detection and Ransomware Rollback are not compatible with ARM CPU processors. See the article Hardware and operating system requirements.
If the endpoint meets the hardware and operating system requirements, you have two options:
- Disable the Ransomware policy in the EDR portal at the Location level. Then, at the Location level, assign the policy to a device group comprised of devices that are compatible with the Ransomware policy. See the article Creating device groups.
- Move the agent to a location or organization in the EDR portal that does not have a Ransomware Policy or the Ransomware Policy is disabled.
Enable the device. Select Organizations > Devices. For the applicable device, click the ellipses menu and select Enable.

Datto AV

If you suspect that the endpoint may have been disabled due to the Datto AV component:

Was this a new installation?
- Yes, this was a new installation: Go to step 2.
- No, this was not a new installation: Reboot the device during a maintenance window before re-enabling the agent. If Datto AV was previously uninstalled followed by a reinstallation, a reboot may be required to complete the uninstall process to allow Datto AV to be reinstalled.
Verify that the endpoint has a compatible CPU architecture. Datto AV is not supported on Windows devices using ARM based processors. See the article Hardware and operating system requirements.
Verify that the device supports Azure Code Signing (ACS). Access the article KB5022661—Windows support for the Trusted Signing (formerly Azure Code Signing) program. Find your product in the table and click the corresponding KB number. If the update is not available through a standard release channel, such as Windows Update or Microsoft Update, use an alternative channel (for example, Microsoft Update Catalog) to install the update.
If you observe the following codes 10600005 or 10615609 in the Notifications center of the local endpoint, refer to the article Removing Windows Defender when installing Datto AV.
If none of the above apply to your situation or does not resolve your issue, you can try to unassign and then reassign the AV license to the endpoint in the EDR portal.
Enable the device. Select Organizations > Devices. For the applicable device, click the ellipses menu and select Enable.

Further Assistance

If you are unable to resolve the issue:

Note the hostname, device status and any troubleshooting you performed.
Search for the applicable device, click the ellipses menu (…) in the last column, then select Fetch Logs. This will pull all current device logs into the Reports section. The logs may be helpful to support when addressing the issue.
Contact Kaseya Support for assistance.

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the Ideas forum!
	Provide feedback for the Documentation team.