Cortex XDR 7.9 CE not installing on Windows Server 2008 R2

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cortex XDR 7.9 CE not installing on Windows Server 2008 R2

L3 Networker

Hi,

 

There is Windows Server 2008 R2 server which had Cortex XDR 7.9 installed. As this version is end of support in next few weeks, I decided to install 7.9 CE, which according to compatibility matrix:

Windows • Cortex XDR Compatibility Matrix • Reader • Palo Alto Networks documentation portal

should work on the system. However when I try to install it, I'm getting error "Cortex XDR requires Azure Code Signing support" which I don't have on this system. 

Could you advise please?

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @Piotr_Kowalczyk ,

 

Thank you for writing to live community!

 

In your previous discussion query, one of the responses mentioned that Azure Code Signing is a must patch for all Windows Endpoints to be able to install Cortex XDR agents released after February, 2023.

https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-convert-cortex-xdr-agent-to-criti...

 

Since 7.9 CE is an agent version which was released in March, 2023, qualifies to have Azure Code signing patch on the endpoint. Because this is related question for the same, I am also adding some context to visualise and make sure which endpoints in your environment have Azure Code signing patch installed, Palo Alto Networks has provided a script in the script library to allow testing on endpoints to see if Azure Code signing is installed and if endpoint supports ACS signatures. If the result gives the output of "False", it implies the endpoint does not have Azure Code Signing Patch and ay agent version released post February, 2023 cannot be installed on the endpoint.  The output comes in both report format and detailed format and you can check the list of endpoints out of the same to ensure they have ACS to allow installation for the mentioned CE version.

Screenshot 2023-08-17 at 10.32.15 AM.png

Screenshot 2023-08-17 at 10.36.46 AM.png

Screenshot 2023-08-17 at 10.37.35 AM.png

 

 

 

Also in your case as we have seen in previous discussions, if ACS installation is a challenge, though it is not recommended, however, as a last mile resort, you can revert to the option to install 7.5CE. True that you will lose functionalities and new capabilities included with 7.9 or 7.9CE(let alone 8.1.x which is the latest), you can get EoL till March, 2024 as a reference Window. However, you cannot downgrade to 7.5CE and you will have to reinstall the agents with the CE version till the time patching is not fixed.

 

Hope this helps!

 

Please mark the response as "Accept as Solution" if it answers your query.

 

 

View solution in original post

7 REPLIES 7

L4 Transporter

Hi @Piotr_Kowalczyk 

 

Thank you for writing to live community!

 

This was expected as shared in other LC Post https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-convert-cortex-xdr-agent-to-criti... for new Cortex XDR agent versions, released from March are required to have a specific Microsoft Windows patch, in order to install successfully.

 

And in this case seems your server didn't had ACS patch due to which installation failed, sharing again this MS doc which shares specific patch number required per operating system build. Therefore verify/install the relevant patch on your server to support ACS before upgrading/installing to 7.9CE Cortex XDR agent version. 

 

Additionally we also have script in XDR to check/validate if endpoint/server have patch for Azure Code Signing

Navigate to Incident Response -> Action Center -> New Action -> Run Endpoint Script -> test_acs

 

PiyushKohli_0-1692236807455.png

Hope this helps!

Please mark the response as "Accept as Solution" if it answers your query.

L5 Sessionator

Hi @Piotr_Kowalczyk ,

 

Thank you for writing to live community!

 

In your previous discussion query, one of the responses mentioned that Azure Code Signing is a must patch for all Windows Endpoints to be able to install Cortex XDR agents released after February, 2023.

https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-convert-cortex-xdr-agent-to-criti...

 

Since 7.9 CE is an agent version which was released in March, 2023, qualifies to have Azure Code signing patch on the endpoint. Because this is related question for the same, I am also adding some context to visualise and make sure which endpoints in your environment have Azure Code signing patch installed, Palo Alto Networks has provided a script in the script library to allow testing on endpoints to see if Azure Code signing is installed and if endpoint supports ACS signatures. If the result gives the output of "False", it implies the endpoint does not have Azure Code Signing Patch and ay agent version released post February, 2023 cannot be installed on the endpoint.  The output comes in both report format and detailed format and you can check the list of endpoints out of the same to ensure they have ACS to allow installation for the mentioned CE version.

Screenshot 2023-08-17 at 10.32.15 AM.png

Screenshot 2023-08-17 at 10.36.46 AM.png

Screenshot 2023-08-17 at 10.37.35 AM.png

 

 

 

Also in your case as we have seen in previous discussions, if ACS installation is a challenge, though it is not recommended, however, as a last mile resort, you can revert to the option to install 7.5CE. True that you will lose functionalities and new capabilities included with 7.9 or 7.9CE(let alone 8.1.x which is the latest), you can get EoL till March, 2024 as a reference Window. However, you cannot downgrade to 7.5CE and you will have to reinstall the agents with the CE version till the time patching is not fixed.

 

Hope this helps!

 

Please mark the response as "Accept as Solution" if it answers your query.

 

 

This would explain the behaviour - thank you. Just one additional question, it looks I need to install KB5006728 to get support for Cortex XDR 7.9 CE - do you know if this is possible without having Extended Security Update (ESU)?

Hi @Piotr_Kowalczyk ,

 

This is unfortunately a mandate from Microsoft and ESU is a requirement from them to allow installation of ACS patch on Windows OS. There exists no known workaround from Palo Alto Networks perspective to bypass the ACS and install post March release of agents.

 

Regards,

Thank you for this clear reply. It is bad news for me but at least I'm clear now.

Hi @Piotr_Kowalczyk 

We had the same issue. What we found is that you should get/have ESU if your Windows Server 2008 R2 are in Azure: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/obtaining-extended-security-updates-for-e...

Thank you for advise!

  • 1 accepted solution
  • 4471 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!