Upgrade Cortex XDR Agents - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide


After you install the Cortex XDR agent and the agent registers with Cortex XDR, you can upgrade the Cortex XDR agent software using a method supported by the endpoint platform:

  • Android—Upgrade the app directly from the Google Play Store or push the app to your endpoints from an endpoint management system such as AirWatch.

  • Windows, Mac, or Linux—Create new installation packages and push the Cortex XDR agent package to up to 5,000 endpoints from Cortex XDR.


    • You cannot upgrade VDI endpoints or a Golden Image.

    • Before upgrading a Cortex XDR agent 7.0 or later running on macOS 10.15.4 or later, you must ensure that the System Extensions were approved on the endpoint. If the extensions were not approved, they remain on the endpoint after the upgrade without any option to remove them, which could cause the agent to display unexpected behavior. To check whether the extensions were approved, either verify that the endpoint is in the Fully Protected state in Cortex XDR, or run the following command on the endpoint to list the extensions: systemextensionsctl list. If you need to approve the extensions, follow the workflow explained in the Cortex XDR agent administration guide for approving System Extensions.
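
The System Extensions check described above can be scripted as a pre-upgrade gate. The following is an added example, not part of the Cortex XDR documentation or product. It assumes each row printed by systemextensionsctl list ends in a bracketed state, and it uses constructed placeholder bundle IDs (com.example.agent.*) and a placeholder team ID; the function and sample names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upgrade gate on macOS System Extension approval.
# Assumes each row of `systemextensionsctl list` ends in a bracketed state.

# check_sysext_approved PATTERN
#   stdin : output of `systemextensionsctl list`
#   stdout: "<bundle-id><TAB><state>" for every row containing PATTERN
#   exit  : 0 all matching extensions are "activated enabled"
#           1 at least one is in another state (for example awaiting approval)
#           2 no matching extension was listed
check_sysext_approved() {
    awk -v pat="$1" '
        index($0, pat) && match($0, /\[[^]]*\][ \t]*$/) {
            raw = substr($0, RSTART, RLENGTH)
            sub(/[ \t]*$/, "", raw)
            state = substr(raw, 2, length(raw) - 2)
            id = ""
            for (i = 1; i <= NF; i++) if (index($i, pat)) { id = $i; break }
            printf "%s\t%s\n", id, state
            found = 1
            if (state != "activated enabled") bad = 1
        }
        END { if (!found) exit 2; if (bad) exit 1 }
    '
}

# Constructed sample listing (placeholder team ID and bundle IDs).
sample_listing() {
    cat <<'EOF'
2 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * TEAMID0000 com.example.agent.securityextension (7.0/1) securityextension [activated enabled]
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
    TEAMID0000 com.example.agent.networkextension (7.0/1) networkextension [activated waiting for user]
EOF
}

# Demo on the constructed sample; on an endpoint, pipe the real command instead:
#   systemextensionsctl list | check_sysext_approved <bundle-id-substring>
sample_listing | check_sysext_approved com.example.agent \
    || echo "hold the upgrade: extensions not all approved (exit $?)"
```

Pass a substring of the agent's bundle ID exactly as it appears in the listing on your endpoints. Treat exit status 2 as a failed check as well, since it means no matching extension was listed.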

Upgrades are supported using actions that you can initiate from the Action Center or from All Endpoints as described in this workflow.

  1. Create an Agent Installation Package for each operating system version for which you want to upgrade the Cortex XDR agent.

    Note the installation package names.

  2. Select Endpoints → All Endpoints.

    If needed, filter the list of endpoints. To reduce the number of results, use the endpoint name search and the Filters at the top of the page.

  3. Select the endpoints you want to upgrade.

    You can also select endpoints running different operating systems to upgrade the agents at the same time.

  4. Right-click your selection and select Endpoint Control → Upgrade Agent Version.

    For each platform, select the name of the installation package you want to push to the selected endpoints.

    Starting in the Cortex XDR agent 7.1 release, you can install the Cortex XDR agent on Linux endpoints using a package manager. When you upgrade an agent on a Linux endpoint that is not using a package manager, Cortex XDR by default upgrades the installation to use the package manager that matches the endpoint's Linux distribution. If you do not want to use the package manager, clear the option Upgrade to installation by package manager.


    The Cortex XDR agent keeps the name of the original installation package after every upgrade.

  5. Upgrade.

    Cortex XDR distributes the installation package to the selected endpoints at the next heartbeat communication with the agent. To monitor the status of the upgrades, go to Response → Action Center. From the Action Center you can also view additional information about the upgrade (right-click the action and select Additional data) or cancel the upgrade (right-click the action and select Cancel Agent Upgrade).


    • Custom dashboards that include upgrade status widgets and the All Endpoints page both display upgrade status.

    • During the upgrade process, the endpoint operating system might request a reboot. However, you do not have to perform the reboot for the Cortex XDR agent upgrade process to complete successfully.

    • After you upgrade to Cortex XDR agent 7.2 or a later release on an endpoint with Cortex XDR Device Control rules, you need to reboot the endpoint for the rules to take effect.