Uninstall the Cortex XDR Agent - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide

Product
Cortex XDR
License
Prevent
Creation date
2024-07-16
Last date published
2024-11-04
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

You can uninstall Cortex XDR agent from one or more endpoints at any time using the Action Center, or one-by-one using the All Endpoints page.

You can uninstall the Cortex XDR agent from an endpoint at any time from the Cortex XDR management console. To remove it from multiple endpoints (up to 100 per action) in a single bulk action, use the Action Center; to remove it from endpoints one at a time, use the All Endpoints page. Uninstalling the agent from an endpoint triggers the following lifecycle:

  • The uninstall takes effect immediately. All agent files and protections are removed from the endpoint, leaving it unprotected.

  • The endpoint status changes to Uninstalled, and its license returns immediately to the license pool. After a 7-day retention period, the agent record is deleted from the database and the endpoint is displayed in Cortex XDR as Endpoint Name - N/A (Uninstalled).

  • Data associated with the deleted endpoint is displayed in the Action Center tables and in the Causality View for the standard 90 days retention period.

  • Alerts that already include the endpoint data at the time of the alert creation are not affected.

Note

Before uninstalling a Cortex XDR agent 7.0 or later running on macOS 10.15.4 or later, you must ensure that the System Extensions were approved on the endpoint. If the extensions were not approved, after the uninstall they remain on the endpoint with no option to remove them, which can cause the agent to display unexpected behavior. To check whether the extensions were approved, either verify that the endpoint is in a Fully Protected state in Cortex XDR, or run the following command on the endpoint to list the extensions and their states: systemextensionsctl list. If you need to approve the extensions, follow the workflow for approving System Extensions in the Cortex XDR agent administration guide.
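The following pre-flight check is an added example and is not part of the Cortex XDR documentation or the agent's own tooling. It parses the output of systemextensionsctl list and reports every system extension whose state is not [activated enabled], so you can run it on a macOS endpoint before a bulk uninstall. The listing embedded in the script is constructed sample output in the tab-separated column layout the tool prints; the team ID, bundle IDs and extension names in it are placeholders, not the real Cortex XDR identifiers.

```shell
#!/bin/sh
# Added example: report system extensions that are not "[activated enabled]".
# Not part of the Cortex XDR documentation. Identifiers below are placeholders.

# Constructed sample of `systemextensionsctl list` output (tab-separated columns:
# enabled, active, teamID, "bundleID (version)", name, [state]). Two extensions:
# one approved, one still waiting for user approval in System Settings.
SAMPLE_LISTING=$( {
  printf '2 extension(s)\n'
  printf '%s\n' '--- com.apple.system_extension.endpoint_security'
  printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
  printf '*\t*\tEXAMPLETEAM\tcom.example.xdr.agent.es (1.0/1.0)\tExample Agent ES\t[activated enabled]\n'
  printf '\t\tEXAMPLETEAM\tcom.example.xdr.agent.net (1.0/1.0)\tExample Agent Network\t[activated waiting for user]\n'
} )

# Read a listing on stdin. Print "bundleID<TAB>[state]" for each extension row
# whose state is not "[activated enabled]". Exit 0 when every extension is
# approved, 1 when at least one is not (so the caller can abort the uninstall).
unapproved_extensions() {
  awk -F'\t' '
    # Extension rows have at least 6 tab-separated columns and end in a
    # bracketed state; the header row is skipped by its literal "teamID" column.
    NF >= 6 && $NF ~ /^\[.*\]$/ && $3 != "teamID" {
      if ($NF != "[activated enabled]") {
        split($4, parts, " ")          # "bundleID (version)" -> bundleID
        printf "%s\t%s\n", parts[1], $NF
        bad++
      }
    }
    END { exit (bad > 0 ? 1 : 0) }
  '
}

# Run the check against the constructed sample. On a real endpoint, replace the
# printf with the live command:  systemextensionsctl list | unapproved_extensions
check_sample() {
  printf '%s\n' "$SAMPLE_LISTING" | unapproved_extensions
}

# Example run (the sample contains one unapproved extension, so this exits 1):
if check_sample; then
  echo "all system extensions approved; safe to uninstall"
else
  echo "unapproved system extensions present; approve them before uninstalling"
fi
```

A non-zero exit is the signal to stop: approve the extension on the endpoint first, then re-run the check, and only then queue the Agent Uninstall action.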

Note

For iOS and Android endpoints, uninstallation will reset account registration and data, but the app itself will remain on the device until removed locally by the user. The endpoint will be disconnected, and the user will no longer be able to connect the app to the tenant account.

To uninstall the agent from multiple endpoints in a single bulk action, use the Action Center:

  1. Log in to Cortex XDR.

    Go to Incident Response > Response > Action Center.

  2. Click + New Action.

  3. Select Agent Uninstall.

  4. Click Next.

  5. Select the target endpoints (up to 100) for which you want to uninstall the Cortex XDR agent.

    Tip

    If needed, filter the list of endpoints by attribute or group name.

  6. Click Next.

  7. Review the action summary and click Done when finished.

  8. To track the status of the uninstallation, return to the Action Center.

To uninstall the agent from a single endpoint, use the All Endpoints page:

  1. Log in to Cortex XDR.

    Go to Endpoints > All Endpoints.

  2. Find the endpoint whose agent you want to uninstall, right-click it, and select Endpoint Control > Uninstall Agent.

  3. In the confirmation dialog box that appears, select I agree, and click OK.