topic Re: Uninstalling S1 agnet from XDR in Endpoint (Traps) Discussions

Uninstalling S1 agnet from XDR

Jai_Prakas — Fri, 13 Feb 2026 07:57:50 GMT

Can we uninstall the S1 agent from cortex xdr script or automation features.

Re: Uninstalling S1 agnet from XDR

susekar — Tue, 03 Mar 2026 22:01:49 GMT

Greetings for the day.

While Cortex XDR does not have a native "out-of-the-box" feature or pre-canned scripts to uninstall third-party agents like SentinelOne (S1).

Kindly note that configuration requests are outside of our TAC scope since we only deal with break/fix issues of our product.Reach Accounts team on this.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

Re: Uninstalling S1 agnet from XDR

stuart012broad — Thu, 09 Apr 2026 11:57:20 GMT

Hello, You can uninstall the SentinelOne (S1) agent using Cortex XDR by creating a script or automation that runs the agent’s uninstall command on your endpoints.

Re: Uninstalling S1 agnet from XDR

Jai_Prakas — Thu, 09 Apr 2026 12:30:14 GMT

Hi All,

Its achieved by the help of Endpoint script.

Re: Uninstalling S1 agnet from XDR

kiwi — Thu, 09 Apr 2026 12:31:52 GMT

Hi @Jai_Prakas ,

The short answer is: Yes, it is possible, but it is rarely as simple as a single command.

Because SentinelOne is a security product, it is designed to protect itself from being uninstalled. If you attempt to run a generic uninstall command via a Cortex XDR script, SentinelOne will likely flag it as a "tamper" attempt and block it with its anti-tamper protectio.

If you want to use Cortex XDR for this automation you must first obtain the Uninstall Passphrase from your SentinelOne console. Without this, the agent will block any removal attempt sent via Cortex.

Then create a Custom Script in Cortex XDR. You can use the Script Library to build a script that calls the SentinelOne agent’s control utility. Your script must include the specific uninstall flag and the passphrase. Because file paths and command-line arguments can vary between agent versions, you should verify the exact syntax in the SentinelOne documentation for the specific version you are running.

Before deploying this to a group, run the script on one test endpoint to ensure Cortex has the permissions to execute the removal and that the agent accepts the passphrase.

Re: Uninstalling S1 agnet from XDR

Jai_Prakas — Thu, 09 Apr 2026 12:38:17 GMT

Hi kiwi,

Already tested and you are right it needs anti tampering pass phrase. without it we cant do. Even we can uninstall any third party application by knowing its uninstall behavior like:- /qn , /s. But before doing we have to understand what type of process it use for uninstalling. Then only we can create script.