07-02-2026 03:03 AM - edited 07-02-2026 03:10 AM
Hello,
I have a personal Windows 11 Pro laptop with Cortex XDR Agent 9.2.0 installed.
The agent is no longer connected to any management server and the GUI shows:
Connection: No connection to server
However, Device Control is still active.
Every time I connect my Samsung T7 Shield external SSD, I receive the notification:
"Cortex XDR | Device Control - USB device is in read-only mode."
The SSD is healthy (verified with Samsung Magician) and Windows DiskPart shows:
I also confirmed that the notification comes directly from Cortex XDR.
Anti-Tampering is enabled.
cytool protect disable requires the Supervisor Password.
cytool protect query shows all protections enabled.
The agent has no connection to a management server and I do not know the Supervisor Password.
This is my personal laptop. It is not managed by any organization and I do not have access to any Cortex tenant.
Is there an official recovery procedure or cleanup utility for removing an orphaned Cortex XDR agent that still enforces Device Control?
The attached screenshot shows that the Cortex XDR agent has no connection to any management server, yet it continues to enforce Device Control policies and blocks USB storage devices by forcing them into read-only mode.
Thank you.
07-03-2026 12:45 AM
Hi @ghilinta.anca,
Why is the Cortex XDR Agent on your device in the first place?
Did you by chance purchase a refurbished corporate laptop, inherit a company machine after a layoff, or buy a used device where the previous IT department forgot to wipe the endpoint agent?
If the organization that originally deployed this agent left the out-of-the-box configurations unchanged, you can try testing the default password: Password1
You can try using this string when prompted during a standard uninstallation, or via the command line utility (cytool protect disable) to see if it releases the agent's lock on your USB ports.
If the default password does not work, it means the company's IT department hardened the package with a custom password before deploying it. The tool required to force-clean an orphaned agent (XdrAgentCleaner) is automatically provided starting with Cortex XDR Agent 8.7 and above.
Locate the cleaner tool, boot into safe mode and run the tool as administrator and let it do its job. Once back in normal mode, run the cleaner tool one more time to ensure all residual registry entries and USB block policies are completely flushed.
If all this fails, you will unfortunately not be able to bypass the anti-tampering controls. In that scenario, the only definitive way to remove the enterprise policy and regain full control of your laptop's hardware is to completely back up your personal files and perform a clean re-installation.
Kind regards,