You can uninstall the Cortex XDR agent from one or more
Windows, Mac, or Linux endpoints at any time.
you want to uninstall the
agent from the endpoint, you can do so from the
management console at any time.
You can uninstall the
agent from an unlimited number of endpoints in a single
bulk action. Uninstalling an endpoint triggers the following lifespan
Once you uninstall the agent from the endpoint,
the action is immediate. All agent files and protections are removed from
the endpoint, leaving the endpoint unprotected.
The endpoint status changes to
and the license returns immediately to the license pool. After a
retention period of 7 days, the agent is deleted from the database
and is displayed in
Data associated with the deleted endpoint is displayed in
tables and in the Causality
View for the standard 90 days retention period.
Alerts that already include the endpoint data at the time
of the alert creation are not affected.
or later running on macOS 10.15.4 or later, you must ensure that
the System Extensions were approved on the endpoint. Otherwise,
if the extensions were not approved, after the upgrade the extensions
remain on the endpoint without any option to remove them which could
cause the agent to display unexpected behavior. To check whether
the extensions were approved, you can either verify that the endpoint
is in Fully Protected state in
, or execute the following command line on the endpoint
to list the extensions:
If you need to approve the extensions, follow the workflow explained