Delete Cortex XDR Agents

If you have an endpoint that you no longer want to track through the Cortex XDR management console, for example if the endpoint disconnected from the Cortex XDR management console, or an endpoint where the Cortex XDR agent was uninstalled, you can delete the endpoint from the management console views. Deleting an endpoint triggers the following lifespan flow:
  • The endpoint status changes to
    , and the license returns immediately to the license pool. After a retention period of 90 days, the agent is deleted from the database and is displayed in Cortex XDR as
    Endpoint Name
    N/A (Deleted)
  • Data associated with the deleted endpoint is displayed in the
    Action Center
    tables and in the Causality View for the standard 90 days retention period.
  • Alerts that already include the endpoint data at the time of the alert creation are not affected.
Additionally, Cortex XDR automatically deletes agents after a long period of inactivity:
  • Standard agents are deleted after 180 days of inactivity.
  • VDI and TS agents are deleted after 6 hours of inactivity.
To reinstate an endpoint, you have to uninstall and reinstall the agent.
The following workflow describes how to delete the Cortex XDR agent from one or more Windows, Mac, or Linux endpoints.
  1. Select
    Endpoint Management
    Endpoint Administration
  2. Right-click the endpoint you want to remove.
    You can also select multiple endpoints if you want to perform a bulk delete.
  3. Select
    Endpoint Control
    Delete Endpoint

Recommended For You