Cortex XDR - method of installation


L2 Linker

Hi All, I'm having a discussion with one of the PaloAlto support team members about an agent that is installed but disabled on one of our Windows endpoints. There are a number of endpoints with disabled agents out there but I opened a ticket for this one specifically because we want to get Palo's explanation of why it's disabled before we turn on the auto-upgrade feature. 


During this conversation, the support member asked me how we install agents in our environment. I told him that we create a golden image with the agent installed in that image. An .iso is created from that image once it's tested thoroughly. From that .iso our Desktop Support team creates bootable USB drives and then images the hardware with them. The support member is saying that this is not the best method of installation, insinuating that this is not Palo's preferred method. I asked him for documentation from Palo stating that. He is "looking" for that now.


We have approximately 11,000 Windows endpoints in our enterprise environment.


How do you deploy the agent in your environment? 


Thank you for listening. 🙂



L4 Transporter

Hi Joe_Carissimo,


This is a perfectly acceptable method of doing agent deployment. As with anything else, it matters that you do it properly to avoid issues. After you install the agent in your golden image, you will want to either stop the agent and then remove the and files (paths below), or, once you actually do a deployment of the golden image to a new device, run cytool reconnect force. The issue you want to avoid is agents having the same ID when checking in to the console; this will cause you significant issues.


The and files are located in 

  • %programdata%\Cyvera\LocalSystem\OsPersistence\
  • %programdata%\Cyvera\LocalSystem\OsPersistence\

If you remove those files, do not restart the agent or reboot the golden image again before converting it to the ISO, or the agent will reconnect and assign new IDs, and thus you will have to repeat the process. If you instead want to run cytool reconnect force, do this as soon as you boot a new device from the golden image. You will have to ensure this is done every time without fail, or else you will run into issues with agent ID duplication.
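A way to check a fleet for the agent ID duplication described in the reply above, as an added example that is not part of the original thread or of any Palo Alto Networks tooling. It assumes an endpoint inventory exported to CSV; the column names `endpoint_name` and `agent_id` and the sample rows are constructed for illustration and are not the console's actual export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory. Column names and values are assumptions made
# for this example, not the real console export format.
SAMPLE_CSV = """endpoint_name,agent_id,last_seen
WS-0001,3f9c2a7e51d84b0c9a6e1f2b7c4d8e90,2024-05-01T08:00:00
WS-0002,3F9C2A7E51D84B0C9A6E1F2B7C4D8E90,2024-05-01T08:05:00
ws-0001,3f9c2a7e51d84b0c9a6e1f2b7c4d8e90,2024-05-02T09:00:00
WS-0003,a1b2c3d4e5f60718293a4b5c6d7e8f90,2024-05-01T08:10:00
WS-0004,,2024-05-01T08:15:00
WS-0005, 3f9c2a7e51d84b0c9a6e1f2b7c4d8e90 ,2024-05-03T10:00:00
"""


def find_cloned_agent_ids(csv_text, name_col="endpoint_name", id_col="agent_id"):
    """Return {agent_id: sorted hostnames} for IDs reported by 2+ distinct hosts.

    The same host checking in several times (WS-0001 above) is not a clone;
    only an ID shared across different hostnames points at a golden image
    that was captured with its agent identity still in place.
    """
    hosts_by_id = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Normalise case and stray whitespace so the same ID always matches.
        agent_id = (row.get(id_col) or "").strip().lower()
        host = (row.get(name_col) or "").strip().upper()
        if not agent_id or not host:
            continue  # agent has not registered yet, or the row is malformed
        hosts_by_id[agent_id].add(host)
    return {aid: sorted(hosts) for aid, hosts in hosts_by_id.items()
            if len(hosts) > 1}


if __name__ == "__main__":
    for agent_id, hosts in find_cloned_agent_ids(SAMPLE_CSV).items():
        print(f"agent ID {agent_id} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Hosts flagged here are the ones to re-register, and the image they came from is the one to rebuild with the cleanup step applied.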
