Issue
The SentinelOne Agent was placed into isolation, but it is not able to be reconnected to the SentinelOne Server (Management). How do I remove network quarantine (isolation) manually from an endpoint with the SentinelOne agent installed?
Environment
SentinelOne
Resolution
In order to restore network connectivity please follow these steps:
- Get the passphrase of the Agent (someone with Admin rights in the S1 portal will need to retrieve the Agent passphrase).
- Run unquarantine_net commands:
For Windows:
- Open the Command Prompt and Run as administrator.
- Go to the folder that contains SentinelCtl.exe:
cd "C:\Program Files\SentinelOne\<Sentinel Agent version>"
sentinelctl unprotect -b -k "<passphrase>"
sentinelctl unquarantine_net
sentinelctl protect
For macOS:
sudo sentinelctl unprotect -k "<passphrase>"
sudo sentinelctl set allow-network
sudo sentinelctl protect
Additional Troubleshooting (Windows):
If you cannot get the passphrase for the Agent, or these steps do not work, you can reconnect the endpoint from the registry.
- Open regedit.exe as Admin on the endpoint.
- Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\SubLayer
- Delete this key: 1F3649F2-1FB2-443E-8152-C209804E2A4F
- Reboot the endpoint.
Cause
This can happen for a variety of reasons. One example is a race condition where the S1 Agent does not recognize that it has been placed in isolation. Another example is a corrupted S1 Agent installation, or DNS resolution errors.