Reconnect after endpoint cleanup


L1 Bithead

Hello,

 

I'm thinking about using the Endpoint Administration Cleanup tool.

However, I wanted to be sure whether an endpoint that is mistakenly deleted would show up again in our tenant (if connected in the next 90 days).

Has anyone experienced this yet?

 

Is this supposed to be the same as when an endpoint is in "Connection Lost" and then is connected?
If so, it doesn't work, that's why I'm wondering.

 

Regards,

Rémi.

2 REPLIES

Community Team Member

Hi @RemiLiquete ,

 

It's important to distinguish between "Connection Lost" and an actual "Deleted" state, as the system treats them very differently.

1. Licensing and Deletion

In Cortex XDR, licensing is tied directly to the active management of the node.

  • License Revocation: Cortex XDR issues a license for every node where the agent is running and will revoke that license the moment the agent is removed or the node is manually deleted from the console.

  • Immediate Recovery: This is why many admins use the Cleanup tool—to immediately return licenses to the pool for use elsewhere.

2. Will it "Show Up Again"?

This is where it gets tricky.

  • Manual/Cleanup Deletion: If you manually delete an endpoint or use the Cleanup tool, the license is revoked immediately. While the agent might attempt to check in, it generally will not automatically "re-protect" itself and reappear as a managed node. To restore it, you usually need to perform a fresh reinstall or use the cytool reconnect force command locally on the machine.

  • Connection Lost: This is a "soft" state. The license is still reserved for that machine. If a machine in "Connection Lost" status regains internet access, it will automatically check in and return to a "Connected" status without any manual intervention.

 

I hope this clarifies,

LIVEcommunity team member, CISSP
Cheers,
Kiwi

L1 Bithead

Hi @kiwi,

 

First of all, thank you for this detailed answer!

 

If I understand correctly what you are saying, when an agent tries to check in after its deletion, we have no information about this?

Or maybe there are logs somewhere in the console we can exploit to determine if an agent is trying to check in?

 

My concern is about an unknown agent being mistakenly deleted, so we can't fix it until we check it locally on the server.
