01-11-2024 01:14 AM
Hello Team,
Actually we have exceeded the license quota, i'm wondering how can revoke certificate from unused endpoints and return unused licenses to the pool of available licenses.
Thank you in advance.
Br,
Aymen
01-11-2024 05:52 AM
Hello @Aymen.Harouns
Thanks for reaching on LiveCommunity!
There are multiple ways/actions by which license is revoked from endpoints. First is when an endpoint become disconnected/offline. In this scenario, the endpoint will be put into connection lost state for a period of 30 days(default). After this period the agent license will be revoked automatically and agent data will be retained for 180 days(default) starting from the day it became disconnected.
Second is agent deletion. If you want to immediately revoke the license of a disconnected/offline endpoint then you can perform agent deletion from All Endpoints table on XDR console.
Deleting an endpoint triggers the following lifespan flow:
The endpoint status changes to Deleted, and the license returns immediately to the license pool. After a retention period of 90 days, the agent is deleted from the database and is displayed in Cortex XDR as Endpoint Name - N/A (Deleted).
Data associated with the deleted endpoint is displayed in the Action Center tables and in the Causality View for the standard 90 days retention period.
Alerts that already include the endpoint data at the time of alert creation are not affected.
Third method is Agent Uninstall, You can also revoke agent license immediately by uninstalling the agent from the endpoint. This action can be performed from All Endpoints table or from Action Center on XDR console.
Uninstalling an endpoint triggers the following lifespan flow:
Once you uninstall the agent from the endpoint, the action is immediate. All agent files and protections are removed from the endpoint, leaving the endpoint unprotected.
The endpoint status changes to Uninstalled, and the license returns immediately to the license pool. After a retention period of 7 days, the agent is deleted from the database and is displayed in Cortex XDR as Endpoint Name - N/A (Uninstalled).
Data associated with the deleted endpoint is displayed in the Action Center tables and in the Causality View for the standard 90 days retention period.
Alerts that already include the endpoint data at the time of the alert creation are not affected.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
