Cannot successfully change output type or name in tamper protected agent polices that contain Elastic Defend

[cmacknz]

• Relates Tamper protected endpoint-security should be able to continue operating normally when it rejects an attempt uninstall #11547

• Steps to Reproduce:

1. Create an Agent Policy with an Elasticsearch output and Elastic Defend and enable Tamper protection
2. Enroll an Elastic Agent in this policy and verify the agent is healthy and shipping data.
3. Modify the policy to use a Logstash output.
4. The policy will appear to apply successfully, but Elastic Defend will continue to use the previous Elasticsearch output.

Elastic Agent identifies components by the combination of the input name and the output name ($inputType-$outputName), so an endpoint input with an Elasticsearch output named default would have the name endpoint-default. Creating a new output with a different name say logstash, and assigning it to the endpoint input would create a new component named endpoint-logstash.

Creating a new output and assigning it to endpoint is viewed as stopping the endpoint-default output and start the endpoint-logstash component. This leads to agent uninstalling and installing endpoint again. This is both unnecessary (endpoint can handle this as a normal policy change) and leads to failure to make the change, because the uninstall operation is performed without endpoint unprotecting itself (since a policy change action does not cause endpoint to unprotect unless endpoint is removed from the policy explicitly).

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[cmacknz]

Example logs for a policy reassignment (note that changing the endpoint input ID may also cause unnecessary uninstall and reinstall of endpoint):

{"log.level":"debug","@timestamp":"2025-10-27T09:04:40.405Z","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/storage/store.(*StateStore).Save","file.name":"store/state_store.go","file.line":258},"message":"save state on disk : {Version:1 ActionSerializer:{Marshaler:<nil> Unmarshaler:<nil> Action:id: policy:55b661b8-fd23-40b2-a02c-48c574fbb134:254, type: POLICY_CHANGE} AckToken:ee55ce23-619d-4ff4-8253-9ae1e62e364f Queue:[]}","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}

{"log.level":"debug","@timestamp":"2025-10-27T09:04:40.427Z","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/application/actions/handlers.(*PolicyReassign).Handle","file.name":"handlers/handler_action_policy_reassign.go","file.line":29},"message":"handlerPolicyReassign: action 'id: ad253bbe-4210-4e2a-adf4-56da51c9bcc0, type: POLICY_REASSIGN' received","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}

{"log.level":"debug","@timestamp":"2025-10-27T09:04:53.443Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.(*serviceRuntime).Run","file.name":"runtime/service.go","file.line":273},"message":"got check-in for endpoint service, tearingDown: true, ignoreCheckins: false","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-10-27T09:04:53.443Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.(*serviceRuntime).Run.func2","file.name":"runtime/service.go","file.line":155},"message":"stop check-in timer for endpoint service","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-10-27T09:04:53.443Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.(*serviceRuntime).Run.func2","file.name":"runtime/service.go","file.line":159},"message":"stop connection info for endpoint service","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:53.448Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.newConnInfoServer.func1","file.name":"runtime/conn_info_server.go","file.line":56},"message":"failed accept conn info connection: use of closed network connection","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-10-27T09:04:53.448Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.(*serviceRuntime).stop","file.name":"runtime/service.go","file.line":387},"message":"stopping endpoint service runtime","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-10-27T09:04:53.449Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.(*serviceRuntime).stop","file.name":"runtime/service.go","file.line":403},"message":"endpoint service has checked in, send stopping state to service","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-10-27T09:04:53.449Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.(*serviceRuntime).stop","file.name":"runtime/service.go","file.line":411},"message":"uninstall endpoint service","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-10-27T09:04:53.449Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.uninstallService","file.name":"runtime/service.go","file.line":724},"message":"uninstall endpoint-security service","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:53.821Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:53: info: Main.cpp:280 Process machine 0x8664. Native machine 0x8664.","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:53.821Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:53: info: Main.cpp:483 Executing uninstall","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:53.821Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:53: debug: VaultLib.cpp:207 Vault initialized with existing seed file","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:53.821Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:53: debug: VaultLib.cpp:614 Successfully read vault key: config","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:53.821Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:53: debug: ECSUtilities.cpp:497 Tamper protection enabled","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:53.821Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:53: info: InstallLib.cpp:977 Checking installed uninstall protection artifacts","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:53.821Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:53: debug: VaultLib.cpp:614 Successfully read vault key: config","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:53.821Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:53: info: InstallLib.cpp:736 No custom public key detected in Endpoint config","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:53.821Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:53: debug: CryptoLib_Cpp.cpp:1403 RSA signature verified","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:53.821Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:53: info: InstallLib.cpp:909 Failed to read os section of tamper-protection-config, continuing","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:53.821Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:53: info: InstallLib.cpp:999 Finished checking installed uninstall protection artifacts with result deny","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:53.821Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:53: info: InstallLib.cpp:1071 Finished checking command line provided uninstall resource result deny","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:53.821Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:53: error: InstallLib.cpp:1265 Invalid uninstall token","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:53.824Z","log.logger":"component.runtime.endpoint-2a17b68d-5d5f-4a3e-aa44-14c6967de1b0.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.(*serviceRuntime).stop","file.name":"runtime/service.go","file.line":414},"message":"failed endpoint service uninstall, err: 2025-10-27 09:04:53: error: InstallLib.cpp:1265 Invalid uninstall token: exit status 284","ecs.version":"1.6.0"}

{"log.level":"debug","@timestamp":"2025-10-27T09:04:54.712Z","log.logger":"component.runtime.endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.(*serviceRuntime).Run","file.name":"runtime/service.go","file.line":210},"message":"got action start for endpoint service","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-10-27T09:04:54.712Z","log.logger":"component.runtime.endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.(*serviceRuntime).Run","file.name":"runtime/service.go","file.line":233},"message":"Creating connection info server for endpoint service, address: npipe:///.eaci.sock","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-10-27T09:04:54.715Z","log.logger":"component.runtime.endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.(*serviceRuntime).start","file.name":"runtime/service.go","file.line":368},"message":"check if endpoint service is installed","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-10-27T09:04:54.715Z","log.logger":"component.runtime.endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.(*serviceRuntime).check","file.name":"runtime/service.go","file.line":654},"message":"check if the endpoint-security is installed","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-10-27T09:04:54.726Z","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/application/coordinator.logComponentStateChange","file.name":"coordinator/coordinator.go","file.line":756},"message":"Spawned new component endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec: Starting: endpoint service runtime","log":{"source":"elastic-agent"},"component":{"id":"endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec","state":"STARTING"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-10-27T09:04:54.726Z","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/application/coordinator.logComponentStateChange","file.name":"coordinator/coordinator.go","file.line":764},"message":"Spawned new unit endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec: Starting: endpoint service runtime","log":{"source":"elastic-agent"},"component":{"id":"endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec","state":"STARTING"},"unit":{"id":"endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec","type":"output","state":"STARTING"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-10-27T09:04:54.726Z","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/application/coordinator.logComponentStateChange","file.name":"coordinator/coordinator.go","file.line":764},"message":"Spawned new unit endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec-bfa32a64-addd-437f-9b1e-47418210152d: Starting: endpoint service runtime","log":{"source":"elastic-agent"},"component":{"id":"endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec","state":"STARTING"},"unit":{"id":"endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec-bfa32a64-addd-437f-9b1e-47418210152d","type":"input","state":"STARTING"},"ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:55.200Z","log.logger":"component.runtime.endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:55: info: Main.cpp:280 Process machine 0x8664. Native machine 0x8664.","context":"command output","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-10-27T09:04:55.290Z","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.(*Manager).update","file.name":"runtime/manager.go","file.line":812},"message":"Starting component \"osquery-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec\"","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:55.427Z","log.logger":"component.runtime.endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:55: info: Main.cpp:615 Verifying existing installation","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:55.427Z","log.logger":"component.runtime.endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:55: info: InstallLib.cpp:629 Running [C:\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe] [version --log stdout]","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:55.427Z","log.logger":"component.runtime.endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:55: debug: Service.cpp:828 PPL is supported. This process is unprotected. (TrustLevelSid: absent)","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:56.678Z","log.logger":"component.runtime.endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:56: info: InstallLib.cpp:668 Installed endpoint is expected version (version: 8.19.3, compiled: Mon Aug 25 17:00:00 2025, branch: HEAD, commit: 2ed4a19bc08ca06afffb8c4ad97dd587d7163668)","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:56.678Z","log.logger":"component.runtime.endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:56: info: Util.cpp:2252 Endpoint Service is running.","context":"command output","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-10-27T09:04:56.678Z","log.logger":"component.runtime.endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.executeCommand.func2","file.name":"runtime/service_command.go","file.line":68},"message":"2025-10-27 09:04:56: info: Main.cpp:640 Endpoint health check","context":"command output","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-10-27T09:04:56.680Z","log.logger":"component.runtime.endpoint-dda4a9a5-5ed5-433b-8e1c-99c8c484a2ec.service_runtime","log.origin":{"function":"github.com/elastic/elastic-agent/pkg/component/runtime.(*serviceRuntime).start","file.name":"runtime/service.go","file.line":370},"message":"after check if endpoint service is installed, err: <nil>","ecs.version":"1.6.0"}

[cmacknz]

Changing the output name appears to be enough to trigger this in some circumstances, the policy change below triggered this in one instance (after another policy change within the same minute - possibly related) where the output name changed but the type stayed the same.

{
  "log.level": "info",
  "@timestamp": "2025-11-12T17:29:43.432Z",
  "log.origin": {
    "function": "github.com/elastic/elastic-agent/internal/pkg/agent/application/coordinator.(*Coordinator).checkAndLogUpdate",
    "file.name": "coordinator/coordinator.go",
    "file.line": 1909
  },
  "message": "component model updated",
  "log": {
    "source": "elastic-agent"
  },
  "changes": {
    "components": {
      "added": [
        "osquery-126b7e60-c605-40ce-a89a-0d186534bcde",
        "endpoint-126b7e60-c605-40ce-a89a-0d186534bcde"
      ],
      "removed": [
        "osquery-default",
        "endpoint-default",
        "system/metrics-monitoring"
      ],
      "updated": [
        "beat/metrics-monitoring: [(beat/metrics-monitoring-metrics-monitoring-beats: updated) (beat/metrics-monitoring: updated)]",
        "http/metrics-monitoring: [(http/metrics-monitoring-metrics-monitoring-agent: updated) (http/metrics-monitoring: updated)]",
        "filestream-monitoring: [(filestream-monitoring: updated) (filestream-monitoring-filestream-monitoring-agent: updated)]"
      ],
      "count": 5
    },
    "outputs": {}
  },
  "ecs.version": "1.6.0"
}

[cmacknz]

We are treating endpoint like it is a sub-process and not a singleton component that should have as few starts and stops as possible. We don't need to uninstall endpoint when it's output changes, just forward it the policy change.

[nimarezainia]

We are treating endpoint like it is a sub-process and not a singleton component that should have as few starts and stops as possible. We don't need to uninstall endpoint when it's output changes, just forward it the policy change.

If it's tamper protected, should it even accept a policy change? (malicious actor pointing output to their own cluster)
I suppose tamper protection is just about uninstallation of agent and termination of service.

[cmacknz]

If it's tamper protected, should it even accept a policy change? (malicious actor pointing output to their own cluster)

Yes if the policy change is appropriately signed from the originating cluster. In this instance, we are uninstalling endpoint because of an Elastic Agent implementation detail and not because the policy change in question requires endpoint to be uninstalled. Endpoint sees the policy change as well and observes endpoint is still in the policy so denies the uninstall request legitimately and things get out of sync from there.

[cmacknz]

Also see #11547 which potentially could get included in the scope of this change depending on what it looks like.

If endpoint rejects our attempt to uninstall because it wasn't unprotected first, it needs to be left in a fully functional state afterwards.

[ycombinator]

Steps to Reproduce:

I'm not able to reproduce this issue, using Elastic Agent 9.3.0-SNAPSHOT I built from source.

Create an Agent Policy with an Elasticsearch output and Elastic Defend and enable Tamper protection
Enroll an Elastic Agent in this policy and verify the agent is healthy and shipping data.

At this point, I took a diagnostic and verified tamper protection was enabled and the output was Elasticsearch:

$ unzip elastic-agent-diagnostics-2025-12-09T03-41-14Z-00.zip -d diag-es-tp
$ cat diag-es-tp/computed-config.yaml | yq .agent.protection.enabled
true
$ cat diag-es-tp/components/*endpoint*/elastic-endpoint.yaml | yq .output
elasticsearch:
  api_key: <REDACTED>
  hosts:
    - https://XXXXXXX.es.us-central1.gcp.elastic.cloud:443
  preset: balanced
  type: elasticsearch

Modify the policy to use a Logstash output.
The policy will appear to apply successfully, but Elastic Defend will continue to use the previous Elasticsearch output.

I took a diagnostic again and verified tamper protection was enabled and the output was Logstash:

$ unzip elastic-agent-diagnostics-2025-12-09T03-42-32Z-00.zip -d diag-ls-tp
$ cat diag-ls-tp/computed-config.yaml | yq .agent.protection.enabled
true
$ cat diag-ls-tp/components/*endpoint*/elastic-endpoint.yaml | yq .output
logstash:
  hosts:
    - localhost:5044
  ssl:
    certificate: <REDACTED>
  type: logstash

There is nothing listening at localhost:5044 so I expected connection errors in Endpoint logs, which I was able to verify as well:

$ tail -5 /opt/Elastic/Endpoint/state/log/endpoint-000000.log
{"@timestamp":"2025-12-09T03:48:16.212217732Z","agent":{"id":"143ef08f-a3dd-47db-80aa-b7e45fb20e61","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"notice","origin":{"file":{"line":211,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:211 Logstash connection is down","process":{"pid":6198,"thread":{"id":6204}}}
{"@timestamp":"2025-12-09T03:48:21.2124999Z","agent":{"id":"143ef08f-a3dd-47db-80aa-b7e45fb20e61","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"notice","origin":{"file":{"line":211,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:211 Logstash connection is down","process":{"pid":6198,"thread":{"id":6204}}}
{"@timestamp":"2025-12-09T03:48:25.867565056Z","agent":{"id":"143ef08f-a3dd-47db-80aa-b7e45fb20e61","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"warning","origin":{"file":{"line":459,"name":"AgentContext.cpp"}}},"message":"AgentContext.cpp:459 Endpoint is setting status to DEGRADED, reason: Unable to connect to output server","process":{"pid":6198,"thread":{"id":6235}}}
{"@timestamp":"2025-12-09T03:48:26.21274743Z","agent":{"id":"143ef08f-a3dd-47db-80aa-b7e45fb20e61","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"notice","origin":{"file":{"line":211,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:211 Logstash connection is down","process":{"pid":6198,"thread":{"id":6204}}}
{"@timestamp":"2025-12-09T03:48:31.212977207Z","agent":{"id":"143ef08f-a3dd-47db-80aa-b7e45fb20e61","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"notice","origin":{"file":{"line":211,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:211 Logstash connection is down","process":{"pid":6198,"thread":{"id":6204}}}

[cmacknz]

Is agent attempting to uninstall endpoint in the logs you see?

A policy change will go through, it is the uninstall (in combination with #11547) that causes the problem.

You may need to test this as a policy re-assignment and not just a policy change.

[ycombinator]

Is agent attempting to uninstall endpoint in the logs you see?

Yes, I can see in the Endpoint logs that it shuts down and restarts even with a policy change.

{"@timestamp":"2025-12-09T19:56:47.838844331Z","agent":{"id":"8dd5f1a8-3831-482e-b9cc-a8075656b61b","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"info","origin":{"file":{"line":270,"name":"AgentV2PolicyBuilder.cpp"}}},"message":"AgentV2PolicyBuilder.cpp:270 Checkin v2 asking for shutdown, aborting policy application","process":{"pid":76288,"thread":{"id":76323}}}
{"@timestamp":"2025-12-09T19:56:47.83954136Z","agent":{"id":"8dd5f1a8-3831-482e-b9cc-a8075656b61b","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"info","origin":{"file":{"line":159,"name":"AgentContext.cpp"}}},"message":"AgentContext.cpp:159 Received a shutdown request from Agent.","process":{"pid":76288,"thread":{"id":76323}}}
{"@timestamp":"2025-12-09T19:56:49.852895988Z","agent":{"id":"8dd5f1a8-3831-482e-b9cc-a8075656b61b","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"info","origin":{"file":{"line":54,"name":"EndpointCore.cpp"}}},"message":"EndpointCore.cpp:54 Hard shutdown enforcer has 90 seconds left","process":{"pid":76288,"thread":{"id":76970}}}
...
{"@timestamp":"2025-12-09T19:56:55.869487672Z","agent":{"id":"8dd5f1a8-3831-482e-b9cc-a8075656b61b","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"info","origin":{"file":{"line":54,"name":"EndpointCore.cpp"}}},"message":"EndpointCore.cpp:54 Hard shutdown enforcer has 84 seconds left","process":{"pid":76288,"thread":{"id":76970}}}
{"@timestamp":"2025-12-09T19:57:03.818403738Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"info","origin":{"file":{"line":91,"name":"PolicyLogging.cpp"}}},"message":"PolicyLogging.cpp:91 Read Logging config:","process":{"pid":77078,"thread":{"id":77078}}}
{"@timestamp":"2025-12-09T19:57:03.818477628Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"info","origin":{"file":{"line":94,"name":"PolicyLogging.cpp"}}},"message":"PolicyLogging.cpp:94     file: info","process":{"pid":77078,"thread":{"id":77078}}}
{"@timestamp":"2025-12-09T19:57:03.818514942Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"info","origin":{"file":{"line":429,"name":"Response.cpp"}}},"message":"Response.cpp:429 Policy action configure_logging: success - Successfully read logging configuration","process":{"pid":77078,"thread":{"id":77078}}}
{"@timestamp":"2025-12-09T19:57:03.818769077Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"info","origin":{"file":{"line":229,"name":"Logging.cpp"}}},"message":"Logging.cpp:229 Endpoint info: version: 9.3.0-SNAPSHOT, compiled: Mon Dec 8 03:00:00 2025, branch: HEAD, commit: 6943d0ea941832b982f003f60ae7d827a18f6d34","process":{"pid":77078,"thread":{"id":77078}}}
...

Notice the process.pid in the Endpoint logs above changing from 76288 to 77078.