Resolve policy conflicts, health issues with service VMs, and know how endpoint protection policy works. What to read next Resolve Partner Services IssuesWithout partner service virtual machine functional, guest VMs are not protected against malware. How Guest Introspection Runs Endpoint Protection PolicyEndpoint protection policies are enforced in a specific order. When you design policies, consider the sequence number associated to rules and the domains that host the rules. Endpoint Policy Conflict Resolution Consider a scenario where two policy domains exist, each consisting of multiple rules. As an admin you are not always certain of which VMs can end up getting membership of a group because VMs get associated to a group based on dynamic membership criteria, such as OS Name, Computer Name, User, Tagging. Quarantine VMs After rules are applied to VM groups, based on the protection level and tag set by partners, there might be VMs that are identified as infected that need to be quarantined. Verify Health Status of Service Instances Health status of a service instance depends on many factors: status of the partner solution, connectivity between Guest Introspection Agent (Context Multiplexer) and Context Engine (Ops Agent), and availability of Guest Introspection Agent information, SVM protocol information with NSX Manager. Delete Partner Services Delete partner services through NSX Manager UI or API call. Troubleshooting Endpoint Protection Endpoint Protection LogsThere are several different logs you can capture to use while troubleshooting Endpoint Protection. Collecting Endpoint Protection Environment and Work DetailsCollecting environment details is useful when checking the compatibility of components. Troubleshooting the Thin Agent on Linux or WindowsThe Guest Introspection thin agent is installed with VMware Tools™ on each guest virtual machine. Troubleshooting ESX EPP Module (MUX)If all virtual machines on an ESXi host are not working with Endpoint Protection, or there are alarms on a particular host regarding communication to the EPP SVA, then it could be a problem with the ESX EPP Module on the ESXi host. Service Status Unknown or Endpoint Protection fails to get IP AddressAfter deployment, Endpoint Protection (EPP) service has an “unknown” status in vCenter or the Endpoint Protection VM does not receive an IP address. Endpoint Protection Service Fails with ErrorNSX Manager is unable to deploy Endpoint Protection and an alarm error is displayed. Parent topic: Endpoint Protection