diff --git a/Gemfile b/Gemfile
index 27d5b563..b5550bf5 100644
--- a/Gemfile
+++ b/Gemfile
@@ -3,6 +3,7 @@ source 'https://rubygems.org'
 chef_version = ENV.fetch('CHEF_VERSION', '14.10.9')
 gem 'rake'
+gem 'rspec-expectations', '< 3.12.4'
 gem 'chef', "= #{chef_version}"
 gem 'cucumber-core', '~> 3.2.1'
 gem 'yaml'
@@ -19,6 +20,10 @@ gem 'rbnacl', '~> 4.0.2'
 gem 'rbnacl-libsodium', '~> 1.0.16'
 gem 'bcrypt_pbkdf', '>= 1.0', '< 2.0'
+if RUBY_VERSION >= '3.0.0' && RUBY_VERSION < '3.1.0'
+ gem 'uri', '= 0.10.1'
+end
+
 if RUBY_VERSION < '2.4'
 gem 'json', '~> 2.4.1'
 end
diff --git a/kitchen.docker.yml b/kitchen.docker.yml
index 40b3da76..6d2b5e3f 100644
--- a/kitchen.docker.yml
+++ b/kitchen.docker.yml
@@ -48,6 +48,10 @@ platforms:
 require_chef_omnibus: 16.17.4
 image: 'datadog/docker-library:chef_kitchen_systemd_rocky_8'
 run_command: /root/start.sh
+ # workaround https://github.com/chef/chef/issues/14034 which has been
+ # fixed, but only for fresh Chef versions (>= 18)
+ provision_command:
+ - echo "CentOS Linux release 8" > /etc/redhat-release
 suites:
 <%
diff --git a/recipes/dd-agent.rb b/recipes/dd-agent.rb
index 3079d33e..73b5073c 100644
--- a/recipes/dd-agent.rb
+++ b/recipes/dd-agent.rb
@@ -159,6 +159,7 @@ def template_vars
 system_probe_managed = node['datadog']['system_probe']['manage_config']
 agent_version_greater_than_6_11 = agent_major_version > 5 && (agent_minor_version.nil? || agent_minor_version > 11) || agent_major_version > 6
 agent_version_greater_than_6_26 = agent_major_version > 5 && (agent_minor_version.nil? || agent_minor_version > 26)
+agent_version_greater_than_6_49 = agent_major_version > 5 && (agent_minor_version.nil? || agent_minor_version > 49)
 # System probe requires at least agent 6.12 on Linux or 6.27 on Windows, before that it was called the network-tracer or unsupported.
 system_probe_supported = (agent_version_greater_than_6_11 && !is_windows) || (agent_version_greater_than_6_26 && is_windows)
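Review bot: The exact pin `gem 'uri', '= 0.10.1'` in the Gemfile hunk at `@@ -19,6 +20,10 @@` carries no comment saying why it is needed, and an `=` constraint also stops Bundler from ever resolving a later 0.10.x patch release, security fixes included. The same applies to the `'< 3.12.4'` cap on `rspec-expectations` in the first Gemfile hunk. I would add a comment above each, for example `# Ruby 3.0 only: pin uri because <reason>; revisit when Ruby 3.0 support is dropped`, and check the pinned version against the gem's published advisories before merging. If the pin exists only to match the version that Ruby 3.0 ships, saying so in the comment keeps anyone from loosening or forgetting it.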
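Review bot: The `provision_command` added to kitchen.docker.yml at `@@ -48,6 +48,10 @@` overwrites `/etc/redhat-release` so the Rocky 8 image identifies itself as CentOS, which presumably means platform detection no longer reports Rocky and any Rocky-specific branch of the cookbook goes unexercised on this platform. The comment names the upstream issue but not when the workaround can go; I would extend it with `# TODO: remove once require_chef_omnibus for this platform is >= 18`.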
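Review bot: `agent_version_greater_than_6_49` in recipes/dd-agent.rb at `@@ -159,6 +159,7 @@` is named for Agent 6, but as written it is also false for an Agent 7 install whose minor is 49 or lower, because unlike `agent_version_greater_than_6_11` two lines above it has no `|| agent_major_version > 6` term. That matches `agent_version_greater_than_6_26` and may well be intended if 6.x and 7.x minors are meant to be compared alike, but nothing in the hunk says so. I would add a comment such as `# applies to both 6.x and 7.x minors; a nil minor is treated as new enough` above the line so the next reader does not "fix" it by copying the 6_11 form. The surrounding recipe code continues outside the hunk.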
@@ -166,8 +167,12 @@ def template_vars
 # system-probe is a dependency of the agent on Linux or Windows
 include_recipe '::system-probe' if system_probe_managed && system_probe_supported
+# Security Agent requires at least agent 6.27 on Linux or 6.50 on Windows, before that it was unsupported.
+security_agent_managed = node['datadog']['security_agent']['cws']['enabled'] || (!is_windows && node['datadog']['security_agent']['cspm']['enabled'])
+security_agent_supported = (agent_version_greater_than_6_26 && !is_windows) || (agent_version_greater_than_6_49 && is_windows)
+
 # security-agent is a dependency of the agent on Linux or Windows
-include_recipe '::security-agent'
+include_recipe '::security-agent' if security_agent_managed && security_agent_supported
 # Installation metadata to let know the agent about installation method and its version
 include_recipe '::install_info'
diff --git a/recipes/security-agent.rb b/recipes/security-agent.rb
index 983e731c..7f4564f6 100644
--- a/recipes/security-agent.rb
+++ b/recipes/security-agent.rb
@@ -20,8 +20,7 @@
 is_windows = platform_family?('windows')
 # Set the correct agent startup action
-security_agent_enabled = node['datadog']['security_agent']['cws']['enabled'] || (!is_windows && node['datadog']['security_agent']['cspm']['enabled'])
-security_agent_start = security_agent_enabled && node['datadog']['agent_start'] && node['datadog']['agent_enable'] ? :start : :stop
+security_agent_start = node['datadog']['agent_start'] && node['datadog']['agent_enable'] ? :start : :stop
 #
 # Configures security-agent agent
@@ -31,7 +30,6 @@
 else
 '/etc/datadog-agent/security-agent.yaml'
 end
-security_agent_config_file_exists = ::File.exist?(security_agent_config_file)
 template security_agent_config_file do
 runtime_security_extra_config = {}
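Review bot: When `security_agent_managed` is true but `security_agent_supported` is false, the new `include_recipe '::security-agent' if ...` line in recipes/dd-agent.rb at `@@ -166,8 +167,12 @@` skips the recipe without leaving any trace, so a node whose attributes ask for CWS or CSPM converges cleanly while no security-agent is configured. For a detection control that silent gap is worth surfacing; I would add `Chef::Log.warn('datadog security_agent is enabled but not supported by this Agent version on this platform; skipping') if security_agent_managed && !security_agent_supported` just before the include. The comment above the two flags could also state that CSPM is deliberately ignored on Windows, since `!is_windows &&` is the only place that expresses it.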
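Review bot: With `security_agent_enabled` dropped from `security_agent_start` in recipes/security-agent.rb at `@@ -20,8 +20,7 @@`, this recipe no longer has a path that sends `:stop` because the feature is off, and dd-agent.rb now includes it only while CWS or CSPM is enabled. As far as these hunks show, a node that had the feature on and later sets both attributes to false keeps its old `security-agent.yaml` and a running `datadog-agent-security` service, because nothing re-renders the file or stops the service. The now unconditional `notifies` and `subscribes` at `@@ -64,10 +62,7 @@` and `@@ -86,5 +81,5 @@` rest on the same assumption. If that is intended, a header comment such as `# Included by dd-agent.rb only when the security agent is enabled and supported; disabling is not handled here` would make the contract explicit; otherwise keep the enabled check in this recipe so that disabling converges. The recipe body starts and ends outside the hunk.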
@@ -64,10 +62,7 @@
 mode '640'
 end
- notifies :restart, 'service[datadog-agent-security]', :delayed if security_agent_enabled
-
- # Security agent is not enabled and the file doesn't exists, don't create it
- not_if { !security_agent_enabled && !security_agent_config_file_exists }
+ notifies :restart, 'service[datadog-agent-security]', :delayed
 end
 # Common configuration
@@ -86,5 +81,5 @@
 else
 supports :restart => true, :status => true, :start => true, :stop => true
 end
- subscribes :restart, "template[#{security_agent_config_file}]", :delayed if security_agent_enabled
+ subscribes :restart, "template[#{security_agent_config_file}]", :delayed
 end
\ No newline at end of file