Uninstall the Cortex XDR Agent

You can uninstall the Cortex XDR agent from one or more Windows, Mac, or Linux endpoints at any time.
If you want to uninstall the Cortex XDR agent from the endpoint, you can do so from the Cortex XDR management console at any time. You can uninstall the Cortex XDR agent from an unlimited number of endpoints in a single bulk action. Uninstalling an endpoint triggers the following lifespan flow:
  • Once you uninstall the agent from the endpoint, the action is immediate. All agent files and protections are removed from the endpoint, leaving the endpoint unprotected.
  • The endpoint status changes to
    Uninstalled
    , and the license returns immediately to the license pool. After a retention period of 7 days, the agent is deleted from the database and is displayed in Cortex XDR as
    Endpoint Name
    -
    N/A (Uninstalled)
    .
  • Data associated with the deleted endpoint is displayed in the
    Action Center
    tables and in the Causality View for the standard 90 days retention period.
  • Alerts that already include the endpoint data at the time of the alert creation are not affected.
The following workflow describes how to uninstall the Cortex XDR agent from one or more Windows, Mac, or Linux endpoints. To uninstall the Cortex XDR app for Android, you must do so from the Android endpoint.
  1. Log in to Cortex XDR.
    Go to
    Response
    Action Center
    + New Action
    .
  2. Select
    Agent Uninstall
    .
  3. Click
    Next
    .
  4. Select the target endpoints (up to 100) for which you want to uninstall the Cortex XDR agent.
    If needed,
    Filter
    the list of endpoints by attribute or group name.
  5. Click
    Next
    .
  6. Review the action summary and click
    Done
    when finished.
  7. To track the status of the uninstallation, return to the
    Action Center
    .

Recommended For You