
How to Enable Uninstall Protection for CrowdStrike Falcon Sensor on Linux (Prevent Sensor Uninstall)

Learn how to enable the 'Prevent Sensor Uninstall' policy setting in CrowdStrike Falcon for Linux endpoints. Protect sensors from unauthorized removal with maintenance tokens and tamper prevention.

6 min read · Updated January 2026


Protecting your CrowdStrike Falcon sensors from unauthorized removal is critical for maintaining endpoint security. The 'Prevent Sensor Uninstall' feature in CrowdStrike Falcon requires a maintenance token before anyone can remove the sensor, preventing both accidental and malicious uninstallation attempts.

This guide covers how to enable uninstall protection and sensor tamper prevention for Falcon Sensor on Linux endpoints, including configuration through Sensor Update Policies and Prevention Policies.

Requirements

  • CrowdStrike Falcon sensor for Linux version 7.20 or later
  • Falcon Administrator access to the Falcon Console
  • Endpoints assigned to a Sensor Update Policy

Understanding Uninstall Protection vs. Tamper Prevention

CrowdStrike offers two complementary protection mechanisms:

| Feature | What It Protects Against | Where to Configure |
|---|---|---|
| Uninstall and Maintenance Protection | Unauthorized sensor uninstallation, unloading, repair, or manual upgrade | Sensor Update Policies |
| Sensor Tampering Protection | Deleting, renaming, or modifying sensor files and components | Prevention Policies (Linux) |

Recommendation: Enable both features for comprehensive protection.


Step 1: Enable Uninstall Protection in Sensor Update Policies

The 'Prevent Sensor Uninstall' setting is configured in Sensor Update Policies:

  1. Log into the CrowdStrike Falcon Console
       • Navigate to falcon.crowdstrike.com or falcon.us-2.crowdstrike.com
       • Sign in with your administrator credentials

  2. Navigate to Sensor Update Policies
       • Go to Host Setup and Management > Sensor Update Policies
       • Select the policy assigned to your Linux endpoints (or create a new one)

  3. Enable Uninstall Protection
       • Click Edit on the policy
       • Locate the Uninstall and maintenance protection setting
       • Toggle the setting to Enabled
       • Click Save

Once enabled, any attempt to uninstall the Falcon sensor will require a maintenance token.


Step 2: Enable Sensor Tamper Prevention (Linux Prevention Policy)

For additional protection, enable sensor tamper prevention in your Linux prevention policy:

  1. Navigate to Prevention Policies
       • Go to Configuration > Prevention Policies
       • Select your Linux prevention policy

  2. Enable Sensor Tampering Protection
       • Click Edit on the policy
       • Under Protection Settings, locate Sensor tampering protection
       • Toggle to Enabled
       • Click Save

This prevents users or processes from performing actions that tamper with key sensor components, such as:

  • Deleting sensor files in /opt/CrowdStrike/
  • Renaming sensor executables
  • Stopping the falcon-sensor service without authorization
  • Modifying sensor configuration files

Step 3: Retrieving Maintenance Tokens for Authorized Uninstalls

When uninstall protection is enabled, authorized administrators need maintenance tokens to remove sensors:

Single Host Token

  1. Go to Host Setup and Management > Host Management
  2. Search for the specific host
  3. Click on the host to view details
  4. Select Reveal maintenance token
  5. Copy the token for use during uninstallation

Bulk Token Generation (API)

For large-scale operations, use the CrowdStrike API to generate maintenance tokens programmatically. This is useful for automation scripts and mass maintenance windows.


Uninstalling a Protected Sensor on Linux

When uninstall protection is enabled, use the maintenance token with the uninstall command:

Using falconctl

sudo /opt/CrowdStrike/falconctl -s --maintenance-token=YOUR_TOKEN
sudo /opt/CrowdStrike/falconctl -s --aid=0

Using Package Manager

Ubuntu/Debian

sudo MAINTENANCE_TOKEN=YOUR_TOKEN apt remove falcon-sensor

RHEL/CentOS/Amazon Linux

sudo MAINTENANCE_TOKEN=YOUR_TOKEN yum remove falcon-sensor

SUSE/SLES

sudo MAINTENANCE_TOKEN=YOUR_TOKEN zypper remove falcon-sensor

For detailed uninstallation instructions, see our complete guide on how to uninstall CrowdStrike Falcon Sensor.


Verifying Protection Status

To verify that uninstall protection is active on a Linux endpoint:

sudo /opt/CrowdStrike/falconctl -g --feature

Look for the uninstall protection feature in the output. If protection is enabled, attempts to uninstall without a token will fail with an error message.


Best Practices

  • Enable both protections: Use uninstall protection AND tamper prevention together
  • Document token retrieval process: Ensure IT staff know how to get tokens for authorized maintenance
  • Use API for automation: Generate tokens programmatically for scripted deployments
  • Audit uninstall attempts: Monitor Falcon Console for unauthorized removal attempts
  • Test in staging first: Verify your maintenance procedures work before rolling out to production
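
A host-side complement to the "Audit uninstall attempts" practice, as an added example that is not part of the original guide or any CrowdStrike tooling: a shell filter that flags falcon-sensor removal entries left in package-manager logs by the apt, yum/dnf and zypper commands shown earlier. The log layouts are assumed to be the distributions' defaults, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag falcon-sensor removal entries in package-manager logs.
# Assumes the stock dpkg.log, dnf.rpm.log/yum.log and zypp history layouts.
PKG="falcon-sensor"   # package name from the remove commands in this guide

# Reads log text on stdin; prints "<source>\t<action>\t<original line>" per hit.
falcon_removal_events() {
  awk -v pkg="$PKG" '
    # dpkg.log: DATE TIME remove|purge PACKAGE:ARCH VERSION <none>
    ($3 == "remove" || $3 == "purge") && ($4 == pkg || index($4, pkg ":") == 1) {
      print "dpkg\t" $3 "\t" $0; next
    }
    # zypp history: DATE TIME|ACTION|NAME|VERSION|ARCH|REQUESTED-BY|...
    index($0, "|") {
      n = split($0, f, "|"); gsub(/ /, "", f[2])
      if (n >= 3 && f[2] == "remove" && f[3] == pkg) print "zypp\tremove\t" $0
      next
    }
    # dnf.rpm.log and yum.log: ... Erase:|Erased: NAME-VERSION-RELEASE.ARCH
    {
      for (i = 1; i < NF; i++)
        if (($i == "Erase:" || $i == "Erased:") && index($(i + 1), pkg "-") == 1) {
          print "rpm\terase\t" $0; break
        }
    }
  '
}

# Constructed sample lines (versions and host names are made up).
sample_logs() {
  cat <<'EOF'
2026-01-10 09:14:02 status installed falcon-sensor:amd64 7.20.0-17306
2026-01-10 09:14:02 remove falcon-sensor:amd64 7.20.0-17306 <none>
2026-01-10 09:20:11 remove curl:amd64 8.5.0-2 <none>
2026-01-11T02:03:04+0000 SUBDEBUG Erase: falcon-sensor-7.20.0-17306.el9.x86_64
2026-01-11T02:03:09+0000 SUBDEBUG Installed: htop-3.3.0-1.el9.x86_64
2026-01-12 07:00:00|remove |falcon-sensor|7.20.0-17306|x86_64|root@sles01|
2026-01-12 07:05:00|install|vim|9.1-1|x86_64|root@sles01|repo|
EOF
}

# Scan whichever of the usual log files exist on this host.
scan_host_logs() {
  for f in /var/log/dpkg.log /var/log/dnf.rpm.log /var/log/yum.log /var/log/zypp/history; do
    if [ -r "$f" ]; then falcon_removal_events < "$f"; fi
  done
}

if [ "${1:-}" = "--scan" ]; then scan_host_logs; else sample_logs | falcon_removal_events; fi
```

Run it with `--scan` to check a host's live logs; rotated or compressed log files are not read, so forward the hits to central logging if you need history.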

Troubleshooting

Error: "Maintenance token required"

This means uninstall protection is enabled. Retrieve the maintenance token from Falcon Console (Host Management > Select Host > Reveal maintenance token).

Error: "Invalid maintenance token"

Maintenance tokens are single-use and host-specific. Generate a new token for the specific host you're trying to uninstall from.

Protection not taking effect

Policy changes can take up to 15 minutes to propagate. Verify the host is assigned to the correct Sensor Update Policy and has connectivity to the CrowdStrike cloud.


Frequently Asked Questions

Find answers to common questions

The 'Prevent Sensor Uninstall' setting in CrowdStrike Falcon requires a maintenance token before anyone can uninstall, unload, repair, or manually upgrade the Falcon sensor. This security feature prevents unauthorized removal of endpoint protection, whether accidental or malicious. When enabled, users attempting to uninstall the sensor are prompted for a maintenance token that must be retrieved from the Falcon Console.

To find the maintenance token in CrowdStrike Falcon Console, navigate to Host Setup and Management > Host Management, search for the specific host, click on the host details, then select 'Reveal maintenance token'. The token is single-use and host-specific. You can also generate bulk tokens via API for large-scale operations. For detailed steps, see our guide on how to uninstall CrowdStrike Falcon Sensor.

Uninstall protection requires a maintenance token to remove the sensor entirely, while sensor tamper prevention stops users or processes from modifying key sensor components on the endpoint. Tamper prevention blocks actions like deleting or renaming sensor files, stopping sensor services, or modifying sensor registry keys. Both settings work together to provide comprehensive protection against sensor tampering and removal.

Yes, uninstall protection is available for CrowdStrike Falcon sensor for Linux version 7.20 and later. You enable it through Sensor Update Policies in the Falcon Console by enabling the 'Uninstall and maintenance protection' setting. Once enabled, any uninstall attempt on Linux endpoints requires a valid maintenance token.

To temporarily disable 'Prevent Sensor Uninstall' for maintenance, go to Host Setup and Management > Sensor Update Policies in the Falcon Console. Select the policy assigned to your hosts, edit it, and toggle off 'Uninstall and maintenance protection'. Save the policy and wait for it to propagate to endpoints (usually within 15 minutes). Remember to re-enable protection after completing maintenance to maintain security.

If you attempt to uninstall CrowdStrike Falcon Sensor without providing a valid maintenance token when protection is enabled, the uninstallation will fail with an 'Access Denied' or 'Maintenance token required' error. This applies to GUI uninstallation, command-line removal, and package manager commands. The sensor remains installed and continues protecting the endpoint.

To enable sensor tamper prevention on Linux, navigate to Configuration > Prevention Policies in the Falcon Console. Edit the Linux prevention policy assigned to your hosts and enable the 'Sensor tampering protection' setting under the Protection Settings section. This prevents processes from deleting, renaming, or modifying critical Falcon sensor files and directories.
