diff --git a/Dockerfile b/Dockerfile
index 77bf85475..7669d7283 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,8 +3,8 @@ FROM public.ecr.aws/docker/library/python:3.12-slim-bullseye AS base
-ENV GO_VERSION=1.23.5
-ENV GO_SHA=cbcad4a6482107c7c7926df1608106c189417163428200ce357695cc7e01d091
+ENV GO_VERSION=1.23.6
+ENV GO_SHA=9379441ea310de000f33a4dc767bd966e72ab2826270e038e78b2c53c2e7802d
 ENV HELM_VERSION=3.12.3
 ENV HELM_SHA=1b2313cd198d45eab00cc37c38f6b1ca0a948ba279c29e322bdf426d406129b5
 ARG CI_UPLOADER_SHA=873976f0f8de1073235cf558ea12c7b922b28e1be22dc1553bf56162beebf09d
@@ -12,7 +12,7 @@ ARG CI_UPLOADER_VERSION=2.30.1
 # Skip Pulumi update warning https://www.pulumi.com/docs/cli/environment-variables/
 ENV PULUMI_SKIP_UPDATE_CHECK=true
 # Always prevent installing dependencies dynamically
-ENV DEVA_NO_DYNAMIC_DEPS=1
+ENV DDA_NO_DYNAMIC_DEPS=1
 # Install deps all in one step
 RUN apt-get update -y && \
@@ -125,9 +125,9 @@ RUN --mount=type=secret,id=github_token \
 # Install Agent requirements, required to run invoke tests task
 # Remove AWS-related deps as we already install AWS CLI v2
-RUN DEVA_VERSION="$(curl -s https://raw.githubusercontent.com/DataDog/datadog-agent-buildimages/main/deva.env | awk -F= '/^DEVA_VERSION=/ {print $2}')" && \
- pip3 install "git+https://github.com/DataDog/datadog-agent-dev.git@${DEVA_VERSION}" && \
- deva -v self dep sync -f legacy-build -f legacy-e2e -f legacy-test-infra-definitions && \
+RUN DDA_VERSION="$(curl -s https://raw.githubusercontent.com/DataDog/datadog-agent-buildimages/main/dda.env | awk -F= '/^DDA_VERSION=/ {print $2}')" && \
+ pip3 install "git+https://github.com/DataDog/datadog-agent-dev.git@${DDA_VERSION}" && \
+ dda -v self dep sync -f legacy-build -f legacy-e2e -f legacy-test-infra-definitions && \
 go install gotest.tools/gotestsum@latest
 # Install Orchestrion for native Go Test Visibility support
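Review bot: The `RUN` line that resolves `DDA_VERSION` never checks what it got back: `curl -s` has no `-f`, and the exit status of the `$(curl … | awk …)` substitution is awk's, so a failed or unexpected response from `dda.env` on `main` leaves the variable empty or wrong and `pip3 install "git+https://…@${DDA_VERSION}"` runs with that ref anyway. Go and Helm in the first hunk are pinned by version and checksum, whereas here the installed tool depends on a mutable remote file read at build time. I would use `curl -fsSL …` and add `test -n "${DDA_VERSION}" &&` before the `pip3 install`, and preferably pin the ref in the Dockerfile itself. The unchanged `go install gotest.tools/gotestsum@latest` on the following line is unpinned in the same way.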
diff --git a/components/datadog/agent/docker_image.go b/components/datadog/agent/docker_image.go
index d8a233f6f..3293fcb60 100644
--- a/components/datadog/agent/docker_image.go
+++ b/components/datadog/agent/docker_image.go
@@ -14,7 +14,7 @@ const (
 defaultClusterAgentImageRepo = "gcr.io/datadoghq/cluster-agent"
 defaultAgentImageTag = "latest"
 defaultAgent6ImageTag = "6"
- defaultDevAgentImageRepo = "datadog/agent-dev" // Used as default repository for images that are not stable and released yet
+ defaultDevAgentImageRepo = "datadog/agent-dev" // Used as default repository for images that are not stable and released yet, should not be used in the CI
 defaultOTAgentImageTag = "nightly-ot-beta-main"
 jmxSuffix = "-jmx"
 otelSuffix = "-7-ot-beta"
@@ -100,16 +100,22 @@ func dockerAgentFullImagePath(e config.Env, repositoryPath, imageTag string, ote
 return utils.BuildDockerImagePath(repositoryPath, imageTag)
 }
-func dockerClusterAgentFullImagePath(e config.Env, repositoryPath string) string {
+func dockerClusterAgentFullImagePath(e config.Env, repositoryPath string, fips bool) string {
 // return cluster agent image path if defined
 if e.ClusterAgentFullImagePath() != "" {
 return e.ClusterAgentFullImagePath()
 }
+ useFips := fips || e.AgentFIPS()
+
 // if agent pipeline id and commit sha are defined, use the image from the pipeline pushed on agent QA registry
 if e.PipelineID() != "" && e.CommitSHA() != "" {
 tag := fmt.Sprintf("%s-%s", e.PipelineID(), e.CommitSHA())
+ if e.AgentFIPS() {
+ tag += fipsSuffix
+ }
+
 exists, err := e.InternalRegistryImageTagExists(fmt.Sprintf("%s/cluster-agent", e.InternalRegistry()), tag)
 if err != nil || !exists {
 panic(fmt.Sprintf("image %s/cluster-agent:%s not found in the internal registry", e.InternalRegistry(), tag))
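Review bot: In dockerClusterAgentFullImagePath, `useFips` is computed as `fips || e.AgentFIPS()`, but the pipeline branch right below tests `e.AgentFIPS()` alone, so a caller that passes `fips=true` while a pipeline ID and commit SHA are set gets the tag without the FIPS suffix looked up and returned. If the new parameter is meant to select the FIPS image on every path, the condition should be `if useFips {` in front of `tag += fipsSuffix`. A doc comment on the function stating the precedence these hunks show (full image path override, pipeline image, FIPS fallback, default repository) would make the intent checkable. The function body continues past this hunk.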
@@ -117,6 +123,15 @@ func dockerClusterAgentFullImagePath(e config.Env, repositoryPath string) string
 return utils.BuildDockerImagePath(fmt.Sprintf("%s/cluster-agent", e.InternalRegistry()), tag)
 }
+ if useFips {
+ if repositoryPath == "" {
+ repositoryPath = defaultDevAgentImageRepo
+ }
+ imageTag := "main" + fipsSuffix
+ e.Ctx().Log.Info("The following image will be used for dca in your test: "+fmt.Sprintf("%s:%s", repositoryPath, imageTag), nil)
+ return utils.BuildDockerImagePath(repositoryPath, imageTag)
+ }
+
 if repositoryPath == "" {
 repositoryPath = defaultClusterAgentImageRepo
 }
diff --git a/components/datadog/agent/host_windowsos.go b/components/datadog/agent/host_windowsos.go
index 48af1ee7c..d97440668 100644
--- a/components/datadog/agent/host_windowsos.go
+++ b/components/datadog/agent/host_windowsos.go
@@ -52,8 +52,14 @@ func (am *agentWindowsManager) getInstallCommand(version agentparams.PackageVers
 logFilePath = paramParts[1]
 }
+ cmd := ""
+ if version.Flavor == agentparams.FIPSFlavor {
+ cmd = fmt.Sprintf(`
+Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -Name 'Enabled' -Value 1 -Type DWORD`)
+ }
+
 localFilename := `C:\datadog-agent.msi`
- cmd := fmt.Sprintf(`
+ cmd += fmt.Sprintf(`
 $ProgressPreference = 'SilentlyContinue';
 $ErrorActionPreference = 'Stop';
 for ($i=0; $i -lt 3; $i++) {
diff --git a/components/datadog/agent/kubernetes_helm.go b/components/datadog/agent/kubernetes_helm.go
index 6b5a3f39b..8c60d2abd 100644
--- a/components/datadog/agent/kubernetes_helm.go
+++ b/components/datadog/agent/kubernetes_helm.go
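Review bot: The FIPS fallback defaults `repositoryPath` to `defaultDevAgentImageRepo`, which the comment edited in this same commit says should not be used in the CI, and it resolves the mutable tag `"main" + fipsSuffix`. As far as this hunk shows, any run with FIPS requested and no pipeline ID or commit SHA reaches this path, CI included, and then tests whatever was last pushed to that tag in a repository meant for unreleased images. Consider rejecting this path when running in CI, or requiring an explicit image there, and document the choice of tag in a comment above `imageTag`. The constant's name suggests an agent repository rather than a cluster-agent one, so it is worth confirming the tag resolves to a cluster-agent image.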
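Review bot: The `Set-ItemProperty` that enables the FIPS algorithm policy is emitted ahead of `$ErrorActionPreference = 'Stop';`, so under PowerShell's default preference a failed registry write is non-terminating and the script goes on to install the FIPS flavor on a host where FIPS mode was never switched on. Append `-ErrorAction Stop` to that command, or build it after the preference line, so the install aborts when the policy cannot be set. `fmt.Sprintf` is called here with no format arguments; a plain raw string literal assigned to `cmd` does the same. getInstallCommand starts and ends outside the hunk.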
@@ -134,7 +134,7 @@ func NewHelmInstallation(e config.Env, args HelmInstallationArgs, opts ...pulumi
 }
 agentImagePath, agentImageTag := utils.ParseImageReference(agentImagePath)
- clusterAgentImagePath := dockerClusterAgentFullImagePath(e, "")
+ clusterAgentImagePath := dockerClusterAgentFullImagePath(e, "", args.FIPS)
 if args.ClusterAgentFullImagePath != "" {
 clusterAgentImagePath = args.ClusterAgentFullImagePath
 }
@@ -447,8 +447,10 @@ func buildLinuxHelmValues(baseName, agentImagePath, agentImageTag, clusterAgentI
 "instances": []map[string]interface{}{
 {
 "collectors": []string{
+ "apiservices",
 "secrets",
 "configmaps",
+ "customresourcedefinitions",
 "nodes",
 "pods",
 "services",
diff --git a/components/os/linux_descriptors.go b/components/os/linux_descriptors.go
index 466849e04..d2fe58ad9 100644
--- a/components/os/linux_descriptors.go
+++ b/components/os/linux_descriptors.go
@@ -2,8 +2,8 @@ package os
 // Implements commonly used descriptors for easier usage
 var (
+ UbuntuDefault = Ubuntu2204
 Ubuntu2404 = NewDescriptor(Ubuntu, "24.04")
- UbuntuDefault = Ubuntu2404
 Ubuntu2204 = NewDescriptor(Ubuntu, "22.04")
 DebianDefault = Debian12
diff --git a/components/os/scripts/apt-disable-unattended-upgrades.sh b/components/os/scripts/apt-disable-unattended-upgrades.sh
index d89f30384..ed07cad44 100644
--- a/components/os/scripts/apt-disable-unattended-upgrades.sh
+++ b/components/os/scripts/apt-disable-unattended-upgrades.sh
@@ -1,2 +1,16 @@
 #!/bin/bash
-apt-get -y remove unattended-upgrades
\ No newline at end of file
+apt-get -y remove unattended-upgrades
+
+# Try to disable unattended upgrades and apt automatic updates, should not fail if it is not installed
+sudo systemctl disable unattented-upgrades.service || true
+sudo systemctl stop unattented-upgrades.service || true
+
+sudo systemctl disable apt-daily.service || true
+sudo systemctl disable apt-daily.time || true
+sudo systemctl stop apt-daily.service || true
+sudo systemctl stop apt-daily.timer || true
+
+sudo systemctl disable apt-daily-upgrade.service || true
+sudo systemctl disable apt-daily-upgrade.timer || true
+sudo systemctl stop apt-daily-upgrade.service || true
+sudo systemctl stop apt-daily-upgrade.timer || true
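Review bot: Two unit names in the added lines are misspelled, and `|| true` hides the resulting failures: `unattented-upgrades.service` (on both the disable and the stop line) should be `unattended-upgrades.service`, and `apt-daily.time` should be `apt-daily.timer`. As written, these lines never touch the unattended-upgrades service if the package removal above did not already take it out, and `apt-daily.timer` is stopped but not disabled, so it would be active again after a reboot. The corrected lines are `sudo systemctl disable unattended-upgrades.service || true`, `sudo systemctl stop unattended-upgrades.service || true` and `sudo systemctl disable apt-daily.timer || true`.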