08-16-2023 01:05 PM
Hi,
There is a Windows Server 2008 R2 server which had Cortex XDR 7.9 installed. As this version is end of support in the next few weeks, I decided to install 7.9 CE, which according to the compatibility matrix:
Windows • Cortex XDR Compatibility Matrix • Reader • Palo Alto Networks documentation portal
should work on the system. However, when I try to install it, I'm getting the error "Cortex XDR requires Azure Code Signing support", which I don't have on this system.
Could you advise please?
08-16-2023 06:49 PM
Thank you for writing to live community!
This was expected, as shared in the other LC post https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-convert-cortex-xdr-agent-to-criti... for new Cortex XDR agent versions: those released from March are required to have a specific Microsoft Windows patch in order to install successfully.
And in this case it seems your server didn't have the ACS patch, due to which the installation failed. Sharing again this MS doc, which shares the specific patch number required per operating system build. Therefore, verify/install the relevant patch on your server to support ACS before upgrading/installing to the 7.9CE Cortex XDR agent version.
Additionally, we also have a script in XDR to check/validate if the endpoint/server has the patch for Azure Code Signing.
Navigate to Incident Response -> Action Center -> New Action -> Run Endpoint Script -> test_acs
Hope this helps!
Please mark the response as "Accept as Solution" if it answers your query.
08-16-2023 07:42 PM
Hi @Piotr_Kowalczyk ,
Thank you for writing to live community!
In your previous discussion query, one of the responses mentioned that Azure Code Signing is a must patch for all Windows Endpoints to be able to install Cortex XDR agents released after February, 2023.
Since 7.9 CE is an agent version which was released in March, 2023, it qualifies to have the Azure Code Signing patch on the endpoint. Because this is a related question for the same, I am also adding some context to visualise and make sure which endpoints in your environment have the Azure Code Signing patch installed. Palo Alto Networks has provided a script in the script library to allow testing on endpoints to see if Azure Code Signing is installed and if the endpoint supports ACS signatures. If the result gives the output of "False", it implies the endpoint does not have the Azure Code Signing patch and any agent version released post February, 2023 cannot be installed on the endpoint. The output comes in both report format and detailed format, and you can check the list of endpoints out of the same to ensure they have ACS to allow installation for the mentioned CE version.
Also in your case, as we have seen in previous discussions, if ACS installation is a challenge, though it is not recommended, as a last mile resort you can revert to the option to install 7.5CE. True that you will lose functionalities and new capabilities included with 7.9 or 7.9CE (let alone 8.1.x, which is the latest), you can get EoL till March, 2024 as a reference window. However, you cannot downgrade to 7.5CE and you will have to reinstall the agents with the CE version till the time patching is not fixed.
Hope this helps!
Please mark the response as "Accept as Solution" if it answers your query.
08-17-2023 01:38 AM
This would explain the behaviour - thank you. Just one additional question: it looks like I need to install KB5006728 to get support for Cortex XDR 7.9 CE - do you know if this is possible without having Extended Security Update (ESU)?
08-17-2023 01:59 AM
Hi @Piotr_Kowalczyk ,
This is unfortunately a mandate from Microsoft and ESU is a requirement from them to allow installation of ACS patch on Windows OS. There exists no known workaround from Palo Alto Networks perspective to bypass the ACS and install post March release of agents.
Regards,
08-17-2023 04:14 AM
Thank you for this clear reply. It is bad news for me but at least I'm clear now.
08-17-2023 05:17 AM
We had the same issue. What we found is that you should get/have ESU if your Windows Server 2008 R2 servers are in Azure: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-e...
08-17-2023 05:56 AM
Thank you for the advice!