Deployment of Cortex Agent through SCCM for 70–100 Endpoints


L2 Linker

Hi Team,

I would like to deploy the Cortex Agent through SCCM using Active Directory. The total number of endpoints for this deployment is approximately 70–100 devices.

Could you please advise on the proper procedure or best practice to carry out this deployment through SCCM?

Thank you.
Cortex XDR 

1 REPLY 1

L5 Sessionator

Hello @Prashanta,

 

Greetings for the day.


To deploy the Cortex XDR agent through SCCM (System Center Configuration Manager) for 70–100 devices, the recommended approach is to use the Cortex XDR Installer and Content Update Package. This method bundles the latest security content with the MSI installer, ensuring immediate protection and reducing initial network bandwidth consumption after installation.

 

1. Planning and Preparation

Before a full rollout, follow these best practices for a smooth deployment:

  • Pilot Group: First, install the agent on a small pilot group (3–10 endpoints) to confirm there is no change in user experience or application conflicts.

  • Firewall Prerequisites: Ensure your network allows access to Cortex XDR communication servers and storage buckets.

  • Reboot Requirements: A system reboot is strongly recommended after the uninstallation of a competitive EDR product or after the Cortex XDR Agent installation cycle to ensure kernel-level drivers are properly managed.

 

2. Create the Installation Package

  1. In the Cortex XDR console, navigate to:
    Endpoints → Endpoint Management → Agent Installations

  2. Select + Create to generate a new installation package.

  3. Right-click the newly created distribution package and select:
    64 bit installer → Download 64 bit installer + latest content update (zip)

  4. Extract the downloaded ZIP file. You will obtain two primary files:

    • The .msi installer

    • A content .zip file (for example: content-XXX-XXXXX.zip)

 

3. SCCM Application Configuration

Follow these steps to configure the deployment in SCCM:

Network Share

Copy both the MSI and the content ZIP files to a network share accessible by SCCM, for example:

 

\\SCCM\Share\CortexDeployment\

Create Application
  1. Open Create Application Wizard in SCCM.

  2. Select Windows Installer (*.msi file) as the application type.

  3. Point it to the MSI file in the network share.

Installation Program:

Under the application settings, define the installation command using the quiet installation flag and the CONTENT parameter.

msiexec /i "installer_x64.msi" CONTENT=\\SCCM\Share\CortexDeployment\content-XXX-XXXXX.zip /qn

Install Behavior

Ensure Install for system (per-machine) is selected. The Cortex XDR agent will fail to install if configured as per-user.

Working Directory

In Deployment Types → Programs, set Installation starts in to:

 

\\SCCM\Share\CortexDeployment\
 
Distribution & Deployment
  • In the Distribute Content Wizard, select Detect associated content dependencies and add them to this distribution.

  • In the Deploy Software Wizard:

    • Action: Install

    • Purpose: Required

 

4. Post-Deployment Validation

After SCCM triggers the installation, validate the deployment using the following methods:

Console Status

Verify the endpoint appears in the All Endpoints dashboard with a Connected status.

Manual Check-in

To force an immediate heartbeat to the console, run:

"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" checkin
 

Registry Check

Confirm the protection status is 3 (Protected/Operational) at:

HKEY_LOCAL_MACHINE\Software\Palo Alto Networks\Traps\ProtectionStatus

Service Verification:

Ensure the Cyserver.exe service is running and configured with Automatic startup.

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar
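
The post-deployment checks from the reply above, combined into one per-endpoint script as an added example (not part of the original post and not Palo Alto Networks code). It assumes ProtectionStatus is a value under the Traps key and locates the service by its Cyserver.exe binary path; the function name Test-CortexAgentHealth is hypothetical.

```powershell
# Added example: runs the reply's validation checks on the local endpoint.
# Assumption: ProtectionStatus is a value under the Traps key (the page gives only the full path).
$TrapsKey  = 'HKLM:\SOFTWARE\Palo Alto Networks\Traps'
$CytoolExe = 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe'

function Test-CortexAgentHealth {
    [CmdletBinding()]
    param([switch]$ForceCheckin)

    # Registry check: 3 means Protected/Operational according to the reply.
    $status = $null
    $reg = Get-ItemProperty -Path $TrapsKey -Name 'ProtectionStatus' -ErrorAction SilentlyContinue
    if ($reg) { $status = $reg.ProtectionStatus }

    # Service check: find the service by its binary (Cyserver.exe) instead of guessing its name.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "PathName LIKE '%cyserver.exe%'" |
        Select-Object -First 1

    # Optional heartbeat so the console shows the endpoint without waiting for the next interval.
    # The exit code is recorded as-is; its meaning is not documented on this page.
    $checkinExit = $null
    if ($ForceCheckin -and (Test-Path -LiteralPath $CytoolExe)) {
        & $CytoolExe checkin | Out-Null
        $checkinExit = $LASTEXITCODE
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ProtectionStatus = $status
        Protected        = ($status -eq 3)
        ServiceFound     = [bool]$svc
        ServiceRunning   = ($svc.State -eq 'Running')
        ServiceAutoStart = ($svc.StartMode -eq 'Auto')
        CheckinExitCode  = $checkinExit
    }
}

$result  = Test-CortexAgentHealth -ForceCheckin
$healthy = $result.Protected -and $result.ServiceRunning -and $result.ServiceAutoStart
$result | Format-List
# A non-zero exit code lets a script-based job or scheduled task flag the endpoint.
if ($healthy) { exit 0 } else { exit 1 }
```

Run it in a 64-bit PowerShell host with administrative rights; a 32-bit host is redirected to WOW6432Node and will not see the key.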

 
