leandrojmp
(Leandro Pereira)
July 3, 2026, 2:46pm
1
Hello,
I have a deployment on Elastic Cloud for tests and I'm doing a test with Elastic Defend.
I have a policy that has Elastic Defend configured with 1 agent enrolled with healthy status.
But when I go into Assets > Endpoint, I'm being asked to Enroll an Agent.
Going into Assets > Policies, I can see the policy and it says that there is one Endpoint:
But once I click in the policy, it shows that there is 0 agents.
This seems a bug to me, am I missing something?
leandrojmp
(Leandro Pereira)
July 3, 2026, 4:18pm
2
Clicking on the policy page, it seems to make a request to the following endpoint:
https://kibana-endpoint/api/fleet/agent_status?policyId=2e2baf43-777d-4583-8d3f-8b4778d80c6a
Where 2e2baf43-777d-4583-8d3f-8b4778d80c6a is the current policy id.
Running the same request in Dev Tools, it returns this:
```
{
  "results": {
    "online": 0,
    "error": 0,
    "inactive": 0,
    "offline": 0,
    "updating": 0,
    "unenrolled": 0,
    "orphaned": 0,
    "uninstalled": 0,
    "all": 0,
    "active": 0,
    "other": 0,
    "events": 0
  }
}
```
But, there is an agent on this policy:
leandrojmp
(Leandro Pereira)
July 3, 2026, 4:30pm
3
Well, it seems a bug.
While getting information from the agent with `GET kbn:/api/fleet/agents/35486eb6-f886-4d2a-9ecd-c82a833968b2` the relevant response is:
```
{
  "item": {
    "id": "35486eb6-f886-4d2a-9ecd-c82a833968b2",
    "type": "PERMANENT",
    "namespaces": [
      "default"
    ],
    "active": true,
    "enrolled_at": "2026-05-13T01:36:06Z",
    "upgraded_at": "2026-07-03T00:48:04Z",
    "upgrade_started_at": null,
    "upgrade_details": null,
    "access_api_key_id": "37n6Hp4BhFyRaqMrEwWq",
    "policy_id": "2e2baf43-777d-4583-8d3f-8b4778d80c6a#9.4",
    "last_checkin": "2026-07-03T16:26:10Z",
    "last_checkin_status": "online",
    "last_checkin_message": "Running",
    "policy_revision": 30,
```
The policy id returned is the versioned policy id, in this case 2e2baf43-777d-4583-8d3f-8b4778d80c6a#9.4
The request made by the Kibana UI uses the policy id 2e2baf43-777d-4583-8d3f-8b4778d80c6a without the version, I'm not sure the endpoint used supports wildcard.
If I made the same request using the policy id, I will have the expected information.
This is the request made by the Assets > Endpoints > Policies UI
Adding the versioned policy (escaping the #), I get results:
leandrojmp
(Leandro Pereira)
July 3, 2026, 6:51pm
4
Opened 2 issues about this:
opened 06:32PM - 03 Jul 26 UTC
Team:Fleet
Hello,
Some integration packages and inputs now may require minimum Elastic Agent version, this will lead to the creation of Version-specific agent policies according to this [documentation](https://www.elastic.co/docs/reference/fleet/version-specific-agent-policies).
If a policy **does not have** any integration or input package that has a minimum required agent version, the agents will report their policy id as the policy id defined in Fleet, for example:
```
"policy_id": "2e2baf43-777d-4583-8d3f-8b4778d80c6a"
```
If there is a package or input that would lead to a version-specific policy, the agents will report their policy id with their version `major.minor` added to the end, like:
```
"policy_id": "2e2baf43-777d-4583-8d3f-8b4778d80c6a#9.4"
```
Last month we opened a support ticket because some agents stopped syncing the changes on the policies and this was impacting the management of the agents, this led to this PR #273122, which aimed to fix this issue.
Before upgrading I've decided to validate the fix on a lab deployment and this issue may still happen in some cases.
If the agent policy **already has** an integration package or input that would lead to version-specific policies, it seems that the PR fixed the previous issue and agents on a specific version will now sync to the last version of the policy and also subsequent changes.
If the agent policy **does not have yet** an integration package or input that would lead to version-specific policies, this will trigger the creation of these policies and the agents would also sync for the last version and subsequent changes.
But if you remove the integration or input that requires version-specific policies, the agent will then revert to reporting the policy id without the version number and will stop syncing, it will be in an *outdated policy* state from now on.
To make the agent sync you would need to add back an integration/input that would trigger a version-specific policy or move it to another policy and then move it back to its correct policy.
### How to replicate
On a 9.4.3 deployment create a policy **without** any integration package or input that requires version-specific policy.
I've used these ones:
<img width="2166" height="360" alt="Image" src="https://github.com/user-attachments/assets/882219fb-7f9f-49c3-9a1f-a691f11fc763" />
Enroll an agent on this policy and check what is the `policy_id` it reports by running `GET kbn:/api/fleet/agents/AGENT_ID` in Kibana Dev Tools, example response:
```
{
"item": {
"id": "35486eb6-f886-4d2a-9ecd-c82a833968b2",
"type": "PERMANENT",
"namespaces": [
"default"
],
"active": true,
"enrolled_at": "2026-05-13T01:36:06Z",
"upgraded_at": "2026-07-03T00:48:04Z",
"upgrade_started_at": null,
"upgrade_details": null,
"access_api_key_id": "37n6Hp4BhFyRaqMrEwWq",
"policy_id": "2e2baf43-777d-4583-8d3f-8b4778d80c6a",
"last_checkin": "2026-07-03T18:20:28Z",
"last_checkin_status": "online",
"last_checkin_message": "Running",
"policy_revision": 42,
```
Make some changes in some of the integration or policy, like changing the description, to increase the revision and validate that the agent is syncing in the Fleet UI.
After that add an integration that will require a version-specific agent policy, for this I'm using the *Auditd* integration.
<img width="2169" height="426" alt="Image" src="https://github.com/user-attachments/assets/a1f33ca8-f302-441f-bb7b-125f62339c76" />
Validate in the Fleet UI that the agent syncs with the last version, change the description of the policy to see that it still syncs with the last version.
Repeat the `GET kbn:/api/fleet/agents/AGENT_ID` request and the `policy_id` reported now has a specific version:
```
{
"item": {
"id": "35486eb6-f886-4d2a-9ecd-c82a833968b2",
"type": "PERMANENT",
"namespaces": [
"default"
],
"active": true,
"enrolled_at": "2026-05-13T01:36:06Z",
"upgraded_at": "2026-07-03T00:48:04Z",
"upgrade_started_at": null,
"upgrade_details": null,
"access_api_key_id": "37n6Hp4BhFyRaqMrEwWq",
"policy_id": "2e2baf43-777d-4583-8d3f-8b4778d80c6a#9.4",
"last_checkin": "2026-07-03T18:26:59Z",
"last_checkin_status": "online",
"last_checkin_message": "Running",
"policy_revision": 46,
```
Remove the *Auditd* integration from the policy and now the issue happens, the agent will be in an *outdated policy* state and will not sync any changes anymore.
It will still report the policy_id with the specific version if you check the API, but this is not its correct policy anymore as none of the integrations in the policy requires it.
<img width="1987" height="160" alt="Image" src="https://github.com/user-attachments/assets/dd33ecf2-1589-4028-9cb5-3c18101d04e4" />
and
opened 06:47PM - 03 Jul 26 UTC
needs-team
Hello,
Some Elastic Agent integration packages and inputs now can lead to the creation of a version-specific policy, if a version-specific policy also has the Elastic Defend integration, those agents will not show up in the *Assets > Endpoints* and *Assets > Endpoints > Policies* pages.
Agents on version-specific policies report their policy_id with their version in the end:
```
"policy_id": "2e2baf43-777d-4583-8d3f-8b4778d80c6a#9.4"
```
It seems that neither of those Asset pages can work if the policy id is reported like this, for example the *Assets > Endpoints > Policies* makes a request to the Kibana API agent_status endpoint in this way:
```
/api/fleet/agent_status?policyId=2e2baf43-777d-4583-8d3f-8b4778d80c6a
```
No agents will be reported since this policy is now version-specific and will have a derived policy for each agent `major.minor` version.
This seems to be related to this issue I've just opened: #276294
I've also created a discuss topic with some evidence [here](https://discuss.elastic.co/t/endpoint-does-not-show-up-in-asset-management-page/387505).
This is all on version 9.4.3 on a cloud deployment.
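The policy-id mismatch described in this thread, as an added example that is not part of the original posts or of Kibana's code: a raw `#` in `policyId` is parsed as a URL fragment, so the versioned id only reaches the server when it is percent-encoded, and agents reporting `BASE#9.4` are the ones a lookup on the bare id misses. The sample agent list, the `constructed-*` ids and all function names are assumptions; exact matching on `policy_id` is inferred from the responses quoted in the thread.

```python
from urllib.parse import parse_qs, quote, urlsplit

STATUS_PATH = "/api/fleet/agent_status"  # endpoint quoted in the thread
BASE = "2e2baf43-777d-4583-8d3f-8b4778d80c6a"  # policy id from the thread

# Constructed sample, shaped like the "item" objects quoted in the thread.
SAMPLE_AGENTS = [
    {"id": "35486eb6-f886-4d2a-9ecd-c82a833968b2", "policy_id": BASE + "#9.4"},
    {"id": "constructed-agent-2", "policy_id": BASE},
    {"id": "constructed-agent-3", "policy_id": "constructed-other-policy#9.4"},
]


def split_policy_id(reported):
    """'BASE#MAJOR.MINOR' -> (base, version); version is None if unversioned."""
    base, sep, version = reported.partition("#")
    return base, (version if sep else None)


def status_path(policy_id):
    """agent_status path with the id percent-encoded, so '#' becomes %23."""
    return f"{STATUS_PATH}?policyId={quote(policy_id, safe='')}"


def policy_id_received(path):
    """policyId as a server sees it; an unescaped '#' starts a URL fragment."""
    return parse_qs(urlsplit(path).query).get("policyId", [""])[0]


def missed_by_base_lookup(agents, base):
    """Agent ids on `base` that an exact match on the unversioned id misses."""
    missed = []
    for agent in agents:
        agent_base, version = split_policy_id(agent["policy_id"])
        if agent_base == base and version is not None:
            missed.append(agent["id"])
    return missed


def status_paths_for(agents, base):
    """One encoded agent_status path per policy-id variant reported for `base`."""
    ids = {a["policy_id"] for a in agents if split_policy_id(a["policy_id"])[0] == base}
    return [status_path(pid) for pid in sorted(ids)]


if __name__ == "__main__":
    print("missed by base-id lookup:", missed_by_base_lookup(SAMPLE_AGENTS, BASE))
    print("paths covering every variant:", status_paths_for(SAMPLE_AGENTS, BASE))
```

Summing the `all` counts returned for each path from `status_paths_for` gives the number of agents actually assigned to the policy, which can be compared with what the Assets pages show.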