Pause Endpoint Protection - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide


Disable the Cortex XDR agent protection capabilities on an endpoint.

With agent 7.7 and later, you can pause the agent protection capabilities on one or more endpoints while maintaining connectivity with Cortex XDR. When you pause only the protection and retain connectivity, the agent runs with all the profiles disabled but continues to send data and take actions from the server. When you are ready, you can resume the endpoint protection.


Pausing your endpoint protection modules leaves your machines exposed to risks.

To pause protection on one or more endpoints:

  1. Navigate to Endpoints → All Endpoints.

  2. On the All Endpoints page, select the endpoints you want to pause protection on, right-click, and select Endpoint Control → Pause Endpoint Protection.

  3. Verify the endpoints, add an optional comment that appears in the Management Audit log, and Pause the protection.

    Endpoints that have been paused appear with a pause icon in the Endpoint Name field and, depending on the action progress, one of the following statuses in the Manual Protection Pause field:

    • Protection Active

    • Pending Pause

    • Protection Paused

    • Pending Activation

  4. When you are ready to resume protection, select the endpoints, right-click, select Endpoint Control → Resume Endpoint Protection, and Resume protection on the listed endpoints.

    The All Endpoints table fields are updated accordingly.

  5. (Optional) Track your pause and resume endpoint protection actions.

    Navigate to Incident Response → Response → Action Center and locate Action Type Pause Endpoint Protection or Resume Endpoint Protection.
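
One way to act on the tracking in step 5 is to check that every pause was followed by a resume. The following is an added example, not Cortex XDR code: it pairs the two action types named above per endpoint and lists endpoints still paused, flagging those paused longer than an allowed window. The CSV layout, column names, endpoint names and the four-hour limit are assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows. The column names (endpoint, action_type, created)
# are assumptions for this example, not the Cortex XDR export schema.
SAMPLE_EXPORT = """endpoint,action_type,created
WS-0141,Pause Endpoint Protection,2024-05-02T08:00:00+00:00
WS-0141,Resume Endpoint Protection,2024-05-02T08:45:00+00:00
SRV-DB02,Pause Endpoint Protection,2024-05-02T09:10:00+00:00
WS-0207,Pause Endpoint Protection,2024-05-02T13:30:00+00:00
WS-0207,Resume Endpoint Protection,2024-05-02T13:40:00+00:00
WS-0207,Pause Endpoint Protection,2024-05-02T15:50:00+00:00
"""

PAUSE = "Pause Endpoint Protection"
RESUME = "Resume Endpoint Protection"


def open_pauses(export_text, now, max_pause=timedelta(hours=4)):
    """Return (endpoint, paused_since, overdue) for pauses with no later resume."""
    rows = sorted(
        csv.DictReader(io.StringIO(export_text)),
        key=lambda r: datetime.fromisoformat(r["created"]),
    )
    paused_since = {}
    for row in rows:
        endpoint = row["endpoint"].strip()
        when = datetime.fromisoformat(row["created"])
        action = row["action_type"].strip()
        if action == PAUSE:
            # Keep the earliest unresolved pause so a repeated pause
            # does not reset the clock.
            paused_since.setdefault(endpoint, when)
        elif action == RESUME:
            paused_since.pop(endpoint, None)
    return [
        (endpoint, since, now - since > max_pause)
        for endpoint, since in sorted(paused_since.items())
    ]


if __name__ == "__main__":
    now = datetime(2024, 5, 2, 16, 0, tzinfo=timezone.utc)
    for endpoint, since, overdue in open_pauses(SAMPLE_EXPORT, now):
        flag = "OVERDUE" if overdue else "open"
        print(f"{endpoint}: paused since {since.isoformat()} [{flag}]")
```

The script counts requested actions only; the Manual Protection Pause field on the All Endpoints page shows whether an endpoint is still in Pending Pause or Pending Activation.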