Orphaned Cortex XDR Agent enforcing USB read-only on personal laptop

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Orphaned Cortex XDR Agent enforcing USB read-only on personal laptop

L1 Bithead

Hello,

I have a personal Windows 11 Pro laptop with Cortex XDR Agent 9.2.0 installed.

The agent is no longer connected to any management server and the GUI shows:

Connection: No connection to server

However, Device Control is still active.

Every time I connect my Samsung T7 Shield external SSD, I receive the notification:

"Cortex XDR | Device Control - USB device is in read-only mode."

The SSD is healthy (verified with Samsung Magician) and Windows DiskPart shows:

  • Current Read-only State: Yes
  • Read-only: No

I also confirmed that the notification comes directly from Cortex XDR.

Anti-Tampering is enabled.

cytool protect disable requires the Supervisor Password.

cytool protect query shows all protections enabled.

The agent has no connection to a management server and I do not know the Supervisor Password.

This is my personal laptop. It is not managed by any organization and I do not have access to any Cortex tenant.

Is there an official recovery procedure or cleanup utility for removing an orphaned Cortex XDR agent that still enforces Device Control?

The attached screenshot shows that the Cortex XDR agent has no connection to any management server, yet it continues to enforce Device Control policies and blocks USB storage devices by forcing them into read-only mode.

 

Thank you.

2 accepted solutions

Accepted Solutions

Community Team Member

Hi @ghilinta.anca ,

 

Why is the Cortex XDR Agent on your device in the first place ? 

Did you by chance purchase a refurbished corporate laptop, inheriting a company machine after a layoff, or buy a used device where the previous IT department forgot to wipe the endpoint agent ?

 

 

If the organization that originally deployed this agent left the out-of-the-box configurations unchanged, you can try testing the default password: Password1

 

You can try using this string when prompted during a standard uninstallation, or via the command line utility (cytool protect disable) to see if it releases the agent's lock on your USB ports.

 

If the default password does not work it means the company's IT department hardened the package with a custom password before deploying it. The tool required to force-clean an orphaned agent (XdrAgentCleaner) is automatically provided starting with Cortex XDR Agent 8.7 and above.

 

Locate the cleaner tool, boot into safe mode and run the tool as administrator and let it do its job.  Once back in normal mode, run the cleaner tool one more time to ensure all residual registry entries and USB block policies are completely flushed.

 

If all this fails, you will unfortunately not be able to bypass the anti-tampering controls. In that scenario, the only definitive way to remove the enterprise policy and regain full control of your laptop's hardware is to completely back up your personal files and perform a clean re-installation.

 

Kind regards,

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

Community Team Member

Hi @ghilinta.anca ,

 

Cortex XDR is a strictly enterprise-grade security platform; it cannot be purchased or licensed by individual consumers.

 

Because it was installed recently, I'm guessing it was bundled with a software package, VPN (like GlobalProtect/Prisma Access Agent), via a medical portal provided by your hospital, clinic, or healthcare network to allow you to securely access patient data while working from home.

 

Even though it is your personal laptop, the moment that software was installed, it applied the healthcare network's strict data-protection policies—which routinely block or restrict USB storage devices to protect patient privacy.

 

Regarding your questions:

Since you are running version 9.2.0, the XdrAgentCleaner.exe tool should be pre-loaded on your machine. If you can't see it, it is likely because the folder is protected by the agent's anti-tampering system or hidden by Windows.

 

Location: C:\Program Files\Palo Alto Networks\Cortex XDR Health Helper\XdrAgentCleaner
File name: XdrAgentCleaner.exe

 

Try booting into safe mode first and locate the file then.

 

Source:
XDR agent cleaner tool for version 8.8 and below

 

Hope this helps,

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

3 REPLIES 3

Community Team Member

Hi @ghilinta.anca ,

 

Why is the Cortex XDR Agent on your device in the first place ? 

Did you by chance purchase a refurbished corporate laptop, inheriting a company machine after a layoff, or buy a used device where the previous IT department forgot to wipe the endpoint agent ?

 

 

If the organization that originally deployed this agent left the out-of-the-box configurations unchanged, you can try testing the default password: Password1

 

You can try using this string when prompted during a standard uninstallation, or via the command line utility (cytool protect disable) to see if it releases the agent's lock on your USB ports.

 

If the default password does not work it means the company's IT department hardened the package with a custom password before deploying it. The tool required to force-clean an orphaned agent (XdrAgentCleaner) is automatically provided starting with Cortex XDR Agent 8.7 and above.

 

Locate the cleaner tool, boot into safe mode and run the tool as administrator and let it do its job.  Once back in normal mode, run the cleaner tool one more time to ensure all residual registry entries and USB block policies are completely flushed.

 

If all this fails, you will unfortunately not be able to bypass the anti-tampering controls. In that scenario, the only definitive way to remove the enterprise policy and regain full control of your laptop's hardware is to completely back up your personal files and perform a clean re-installation.

 

Kind regards,

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi Kiwi,

 

Thank you very much for your reply.

 

No, this is not a refurbished or second-hand laptop. I purchased it brand new almost two years ago and have been the only owner.

 

I use it exclusively as my personal laptop, including for my work as a physician, but it has never been managed by any organization’s IT department.

 

Cortex XDR was installed only recently (June 23, 2026). Before that, my Samsung T7 Shield external SSD had been working normally on this laptop for almost two years. The USB read-only issue started immediately after the Cortex XDR installation.

 

I will try the default supervisor password (Password1).

 

Regarding XdrAgentCleaner, is this utility publicly available? I could not find it anywhere in the Cortex XDR installation directory. Could you please tell me where I can obtain it or point me to the official documentation?

 

Thank you again for your help.

Community Team Member

Hi @ghilinta.anca ,

 

Cortex XDR is a strictly enterprise-grade security platform; it cannot be purchased or licensed by individual consumers.

 

Because it was installed recently, I'm guessing it was bundled with a software package, VPN (like GlobalProtect/Prisma Access Agent), via a medical portal provided by your hospital, clinic, or healthcare network to allow you to securely access patient data while working from home.

 

Even though it is your personal laptop, the moment that software was installed, it applied the healthcare network's strict data-protection policies—which routinely block or restrict USB storage devices to protect patient privacy.

 

Regarding your questions:

Since you are running version 9.2.0, the XdrAgentCleaner.exe tool should be pre-loaded on your machine. If you can't see it, it is likely because the folder is protected by the agent's anti-tampering system or hidden by Windows.

 

Location: C:\Program Files\Palo Alto Networks\Cortex XDR Health Helper\XdrAgentCleaner
File name: XdrAgentCleaner.exe

 

Try booting into safe mode first and locate the file then.

 

Source:
XDR agent cleaner tool for version 8.8 and below

 

Hope this helps,

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 2 accepted solutions
  • 176 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!