[Defend Workflows] [Policy failure insights] Policy Failure Insights displays incorrect failure reason for policy failure due to global artifact download issue #239041

@sukhwindersingh-qasource

Description

Describe the bug:

  • When the policy applied to a Windows endpoint fails due to a global artifact download issue, the Policy Failure Insights feature incorrectly reports that the “Elastic Defiant configuration appears to be missing endpoint event data.” This message is misleading because the real cause of the failure is the artifact download problem, not missing endpoint data.

Login Credentials:

Testing Details:

Build Details:


VERSION: 9.2.0 BC3
BUILD: 91544
COMMIT: 0c40a02e995201d9395473309adda6cd020d56ca

Preconditions:

  • Kibana version 9.2.0
  • Endpoint has an assigned policy.

Steps to Reproduce:

  1. Navigate to the Endpoints tab.
  2. Open the policy applied to that Windows endpoint.
  3. Click on Policy details.
  4. Disable “Enable automatic updates.”
  5. Set the policy version to a date one year back.
  6. Save the policy.
  7. Wait for 2–3 minutes until a warning appears in the policy status.
  8. Click on the endpoint name.
  9. Click Scan to run the policy scan and observe the failure reason.

Actual Result:

  • Policy Failure Insights displays an incorrect failure reason for a policy failure due to a global artifact download issue.

Expected Result:

  • Policy Failure Insights should correctly identify and display the actual reason:
    • “It is due to global artifact download issue.”

Screen Capture:

Endpoints.-.Kibana.Mozilla.Firefox.2025-10-15.08-58-19.mp4

Logs:
N/A

Labels

  • Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
  • Team:Defend Workflows (“EDR Workflows” sub-team of Security Solution)
  • bug (Fixes for quality problems that affect the customer experience)
  • impact:high (Addressing this issue will have a high level of impact on the quality/strength of our product.)
  • v9.2.0
