<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Orphaned Cortex XDR Agent enforcing USB read-only on personal laptop in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/orphaned-cortex-xdr-agent-enforcing-usb-read-only-on-personal/m-p/1257934#M9411</link>
    <description>&lt;P class="PDq2pG_selectionAnchorContainer" data-end="548" data-start="542"&gt;Hello,&lt;/P&gt;
&lt;P data-end="631" data-start="553"&gt;I have a personal Windows 11 Pro laptop with Cortex XDR Agent 9.2.0 installed.&lt;/P&gt;
&lt;P data-end="712" data-start="636"&gt;The agent is no longer connected to any management server and the GUI shows:&lt;/P&gt;
&lt;P data-end="756" data-start="717"&gt;&lt;STRONG data-end="756" data-start="717"&gt;Connection: No connection to server&lt;/STRONG&gt;&lt;/P&gt;
&lt;P data-end="801" data-start="761"&gt;However, Device Control is still active.&lt;/P&gt;
&lt;P data-end="889" data-start="806"&gt;Every time I connect my Samsung T7 Shield external SSD, I receive the notification:&lt;/P&gt;
&lt;P data-end="962" data-start="894"&gt;&lt;STRONG data-end="962" data-start="894"&gt;"Cortex XDR | Device Control - USB device is in read-only mode."&lt;/STRONG&gt;&lt;/P&gt;
&lt;P data-end="1046" data-start="967"&gt;The SSD is healthy (verified with Samsung Magician) and Windows DiskPart shows:&lt;/P&gt;
&lt;UL data-end="1101" data-start="1051"&gt;
&lt;LI data-end="1081" data-start="1051" data-section-id="1mulv48"&gt;Current Read-only State: Yes&lt;/LI&gt;
&lt;LI data-end="1099" data-start="1084" data-section-id="188cqag"&gt;Read-only: No&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-end="1174" data-start="1104"&gt;I also confirmed that the notification comes directly from Cortex XDR.&lt;/P&gt;
&lt;P data-end="1205" data-start="1179"&gt;Anti-Tampering is enabled.&lt;/P&gt;
&lt;P data-end="1268" data-start="1210"&gt;&lt;CODE data-end="1234" data-start="1210"&gt;cytool protect disable&lt;/CODE&gt; requires the Supervisor Password.&lt;/P&gt;
&lt;P data-end="1326" data-start="1273"&gt;&lt;CODE data-end="1295" data-start="1273"&gt;cytool protect query&lt;/CODE&gt; shows all protections enabled.&lt;/P&gt;
&lt;P data-end="1424" data-start="1331"&gt;The agent has no connection to a management server and I do not know the Supervisor Password.&lt;/P&gt;
&lt;P data-end="1541" data-start="1429"&gt;This is my personal laptop. It is not managed by any organization and I do not have access to any Cortex tenant.&lt;/P&gt;
&lt;P data-end="1682" data-start="1546"&gt;Is there an official recovery procedure or cleanup utility for removing an orphaned Cortex XDR agent that still enforces Device Control?&lt;/P&gt;
&lt;P data-end="1697" data-start="1687"&gt;The attached screenshot shows that the Cortex XDR agent has no connection to any management server, yet it continues to enforce Device Control policies and blocks USB storage devices by forcing them into read-only mode.&lt;/P&gt;
&lt;P data-end="1697" data-start="1687"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-end="1697" data-start="1687"&gt;Thank you.&lt;/P&gt;</description>
    <pubDate>Thu, 02 Jul 2026 10:10:22 GMT</pubDate>
    <dc:creator>ghilinta.anca</dc:creator>
    <dc:date>2026-07-02T10:10:22Z</dc:date>
    <item>
      <title>Orphaned Cortex XDR Agent enforcing USB read-only on personal laptop</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/orphaned-cortex-xdr-agent-enforcing-usb-read-only-on-personal/m-p/1257934#M9411</link>
      <description>&lt;P class="PDq2pG_selectionAnchorContainer" data-end="548" data-start="542"&gt;Hello,&lt;/P&gt;
&lt;P data-end="631" data-start="553"&gt;I have a personal Windows 11 Pro laptop with Cortex XDR Agent 9.2.0 installed.&lt;/P&gt;
&lt;P data-end="712" data-start="636"&gt;The agent is no longer connected to any management server and the GUI shows:&lt;/P&gt;
&lt;P data-end="756" data-start="717"&gt;&lt;STRONG data-end="756" data-start="717"&gt;Connection: No connection to server&lt;/STRONG&gt;&lt;/P&gt;
&lt;P data-end="801" data-start="761"&gt;However, Device Control is still active.&lt;/P&gt;
&lt;P data-end="889" data-start="806"&gt;Every time I connect my Samsung T7 Shield external SSD, I receive the notification:&lt;/P&gt;
&lt;P data-end="962" data-start="894"&gt;&lt;STRONG data-end="962" data-start="894"&gt;"Cortex XDR | Device Control - USB device is in read-only mode."&lt;/STRONG&gt;&lt;/P&gt;
&lt;P data-end="1046" data-start="967"&gt;The SSD is healthy (verified with Samsung Magician) and Windows DiskPart shows:&lt;/P&gt;
&lt;UL data-end="1101" data-start="1051"&gt;
&lt;LI data-end="1081" data-start="1051" data-section-id="1mulv48"&gt;Current Read-only State: Yes&lt;/LI&gt;
&lt;LI data-end="1099" data-start="1084" data-section-id="188cqag"&gt;Read-only: No&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-end="1174" data-start="1104"&gt;I also confirmed that the notification comes directly from Cortex XDR.&lt;/P&gt;
&lt;P data-end="1205" data-start="1179"&gt;Anti-Tampering is enabled.&lt;/P&gt;
&lt;P data-end="1268" data-start="1210"&gt;&lt;CODE data-end="1234" data-start="1210"&gt;cytool protect disable&lt;/CODE&gt; requires the Supervisor Password.&lt;/P&gt;
&lt;P data-end="1326" data-start="1273"&gt;&lt;CODE data-end="1295" data-start="1273"&gt;cytool protect query&lt;/CODE&gt; shows all protections enabled.&lt;/P&gt;
&lt;P data-end="1424" data-start="1331"&gt;The agent has no connection to a management server and I do not know the Supervisor Password.&lt;/P&gt;
&lt;P data-end="1541" data-start="1429"&gt;This is my personal laptop. It is not managed by any organization and I do not have access to any Cortex tenant.&lt;/P&gt;
&lt;P data-end="1682" data-start="1546"&gt;Is there an official recovery procedure or cleanup utility for removing an orphaned Cortex XDR agent that still enforces Device Control?&lt;/P&gt;
&lt;P data-end="1697" data-start="1687"&gt;The attached screenshot shows that the Cortex XDR agent has no connection to any management server, yet it continues to enforce Device Control policies and blocks USB storage devices by forcing them into read-only mode.&lt;/P&gt;
&lt;P data-end="1697" data-start="1687"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-end="1697" data-start="1687"&gt;Thank you.&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jul 2026 10:10:22 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/orphaned-cortex-xdr-agent-enforcing-usb-read-only-on-personal/m-p/1257934#M9411</guid>
      <dc:creator>ghilinta.anca</dc:creator>
      <dc:date>2026-07-02T10:10:22Z</dc:date>
    </item>
  </channel>
</rss>

