You can uninstall the Cortex XDR agent from one or more
Windows, Mac, or Linux endpoints at any time.
you want to uninstall the Cortex XDR agent from the endpoint, you
can do so from the Cortex XDR management console at any time. You
can uninstall the Cortex XDR agent from an unlimited number of endpoints
in a single bulk action. Uninstalling an endpoint triggers the following
Once you uninstall the agent from the
endpoint, the action is immediate. All agent files and protections
are removed from the endpoint, leaving the endpoint unprotected.
The endpoint status changes to
and the license returns immediately to the license pool. After a
retention period of 7 days, the agent is deleted from the database
and is displayed in Cortex XDR as
Data associated with the deleted endpoint is displayed in
tables and in the Causality
View for the standard 90 days retention period.
Alerts that already include the endpoint data at the time
of the alert creation are not affected.
workflow describes how to uninstall the Cortex XDR agent from one
or more Windows, Mac, or Linux endpoints. To uninstall the Cortex
XDR app for Android, you must do so from the Android endpoint.
Log in to Cortex
+ New Action
Select the target endpoints (up to 100) for which you
want to uninstall the Cortex XDR agent.
list of endpoints by attribute or group name.
Review the action summary and click
To track the status of the uninstallation, return to