Abstract
Changes to default behavior in Cortex XDR agent 8.3 for Windows, macOS, and Linux endpoints.
This section details behavior changes that you may encounter when using a new version of the Cortex XDR agent. For further details, refer to the admin guide for your product.
Certificate enforcement for Windows and macOS endpoints
To improve security, Cortex XDR agent 8.3 now enforces the use of a provided certificate, without falling back to the local store (trusted root CA file). To allow gradual adoption of this requirement, Disabled (Notify) is the default for existing tenants; new tenants have the Enabled configuration by default.
There are three modes of operation, set in the profile:
Enforcement is enabled. Note: if the agent is initially unable to communicate without the local store, enforcement is not enabled and the agent will show as partially protected in the server UI.
Enforcement is disabled. Agents with this policy will trigger a visible banner in the UI to notify customers about potential risk and direct them to change the certificate and the setting.
Enforcement is disabled. Agents with this policy will trigger a visible banner in the UI to notify customers about potential risk. With this mode, the Last Certificate Enforcement Fallback column in the Endpoints table is not updated, and there are no management audit logs related to the local store fallback.