Pause Endpoint Protection

Disable the agent protection capabilities on an endpoint.
As of Cortex XDR agent 7.7 and above, you can pause the agent protection capabilities on one or more endpoints while maintaining connectivity with the Cortex XDR console. By only pausing the protection and retaining connectivity, the agent will run with all the profiles disabled, but continue to send data and take actions from the server. After you are ready, you can resume the endpoint protection.
Pausing your endpoint protection modules leaves your machines exposed to risks.
To pause one or more endpoint protections:
  1. Navigate to All Endpoints.
  2. In the All Endpoints page, select the endpoints you want to pause protection on, right-click and select Endpoint Control > Pause Endpoint Protection.
  3. Verify the endpoints, add an optional comment that appears in the Management Audit log, and the protection.
    Endpoints that have been paused appear with a pause icon in the Endpoint Name field and, depending on the action progress, one of the following statuses in Manual Protection Pause:
    • Protection Active
    • Pending Pause
    • Protection Paused
    • Pending Activation
  4. When you are ready to resume protection, select the endpoints, right-click and select Endpoint Control > Resume Endpoint Protection
    protection on the listed endpoints.
    All Endpoint table fields are updated accordingly.
  5. (Optional) Track your pause and resume endpoint protection actions.
    Navigate to Incident Response > Action Center and locate Action Type Pause Endpoint Protection, Resume Endpoint Protection.
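Because a paused endpoint stays exposed until it is resumed, the tracking in step 5 is worth automating. The following is an added example, not Palo Alto Networks code: it pairs Pause Endpoint Protection and Resume Endpoint Protection actions per endpoint and reports pauses that exceeded a time limit or were never resumed. It assumes the Action Center records are available as CSV; the column names, sample rows and the two-hour limit are constructed for illustration and are not a Cortex XDR export schema.

```python
import csv
import io
from datetime import datetime, timedelta

PAUSE = "Pause Endpoint Protection"    # Action Type values named on this page
RESUME = "Resume Endpoint Protection"

# Constructed sample data; column names are assumptions, not a real export schema.
SAMPLE_CSV = """timestamp,endpoint_name,action_type,comment
2024-05-01T08:00:00,WS-FINANCE-01,Pause Endpoint Protection,driver troubleshooting
2024-05-01T08:40:00,WS-FINANCE-01,Resume Endpoint Protection,
2024-05-01T09:15:00,SRV-BUILD-07,Pause Endpoint Protection,
2024-05-01T10:00:00,WS-HR-12,Pause Endpoint Protection,installer test
2024-05-01T13:30:00,WS-HR-12,Resume Endpoint Protection,
2024-05-01T14:00:00,WS-HR-12,Pause Endpoint Protection,installer retest
"""

def find_long_pauses(csv_text, now, max_pause=timedelta(hours=2)):
    """Return (endpoint, paused_at, duration, still_paused, comment) for each
    pause longer than max_pause, ordered by the time the pause started."""
    open_pause = {}  # endpoint -> (paused_at, comment) for pauses not yet resumed
    findings = []
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["timestamp"])
    for row in rows:
        ts = datetime.fromisoformat(row["timestamp"])
        host, action = row["endpoint_name"], row["action_type"]
        if action == PAUSE:
            # A repeated pause while already paused keeps the earliest start time.
            open_pause.setdefault(host, (ts, row["comment"]))
        elif action == RESUME and host in open_pause:
            paused_at, comment = open_pause.pop(host)
            if ts - paused_at > max_pause:
                findings.append((host, paused_at, ts - paused_at, False, comment))
    # Anything left open has no matching resume: measure it against "now".
    for host, (paused_at, comment) in open_pause.items():
        if now - paused_at > max_pause:
            findings.append((host, paused_at, now - paused_at, True, comment))
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    for host, at, dur, still, comment in find_long_pauses(SAMPLE_CSV, datetime(2024, 5, 1, 15, 0)):
        state = "STILL PAUSED" if still else "resumed"
        print(f"{host}: paused {at.isoformat()} for {dur} ({state}) comment={comment or '<none>'}")
```

Pauses recorded without a comment deserve a second look, since the comment is the only justification that reaches the Management Audit log.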
