The CrowdStrike Falcon Sensor is designed to be lightweight and unobtrusive, but there may be situations where you need to uninstall it. Uninstallation might be necessary for troubleshooting, device decommissioning, or transitioning to a different security solution.
This guide covers how to remove the Falcon Sensor from Windows, macOS, and Linux endpoints using both manual methods and command-line scripts.
Requirements
- Administrator privileges on the target system.
- CrowdStrike Falcon Console access (if using the “Prevent Sensor Uninstall” policy).
- PowerShell or Terminal access for command-line removal.
Step 1: Retrieve the Maintenance Token (Uninstall passcode)
Before uninstalling the Falcon Sensor, you need the Maintenance Token from the CrowdStrike Falcon Console.
- Log into the Falcon Console
  - Open a browser and go to https://falcon.crowdstrike.com.
  - Sign in with your admin credentials.
- Find the Uninstall Token
  - Go to Hosts > Host Management.
  - Search for the target device where you want to uninstall the sensor.
  - Click the three-dot menu next to the host and select Reveal maintenance token.
  - Enter a note in the text box.
  - Click Reveal token.
📌 Note: If you do not see the token, ensure that you have the correct permissions to view it.
Step 2: Uninstall the Falcon Sensor Using the Maintenance Token
Windows
- Open Command Prompt as Administrator
  - Press Win + R, type cmd, and press Ctrl + Shift + Enter to run as administrator.
- Run the Uninstall Command (replace YOUR-CODE with the actual code retrieved from the Falcon Console)
WindowsSensor.exe /uninstall /quiet /norestart PASSWORD=YOUR-CODE
- Verify Uninstallation
  - Check if Falcon Sensor is removed from Control Panel > Programs and Features.
  - Run the following command to confirm that the service no longer exists:
sc query csagent
  - If it returns “The specified service does not exist as an installed service”, the sensor has been successfully removed.
macOS
- Open Terminal (Command + Space, type “Terminal”).
- Run the Uninstall Command (replace YOUR-CODE with the actual code retrieved from the Falcon Console)
sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --token YOUR-CODE
- Verify Uninstallation
sudo /Applications/Falcon.app/Contents/Resources/falconctl stats
If the sensor was uninstalled successfully, you should see “command not found”.
Linux
- Open Terminal.
- Run the Uninstall Command (replace YOUR-CODE with the actual code retrieved from the Falcon Console)
sudo falconctl uninstall --token YOUR-CODE
- Verify Uninstallation
sudo systemctl status falcon-sensor
If the sensor has been successfully uninstalled, it should return “Unit falcon-sensor.service could not be found.”
Troubleshooting Uninstallation Issues
1. “Invalid Token” Error
- Ensure you are using the correct code from the Falcon Console.
- If your code expired, retrieve a new one.
2. “Access Denied” Error
- Make sure you are running the command as an administrator (Windows) or using sudo (Linux/macOS).
- Some security tools may block the command—try running it in Safe Mode.
3. Falcon Sensor Still Appears After Uninstalling
- Restart the machine and check again.
sc query csagent
Alternative Method: Disable Sensor Tamper Protection (Not Recommended)
If you don’t want to use a maintenance token, you can disable Sensor Tamper Protection before uninstalling.
Check if Sensor Uninstall Protection is enabled in the CrowdStrike Falcon Console:
- Log into the Falcon Console: https://falcon.crowdstrike.com.
- Navigate to Hosts > Sensor Update Policies.
- Locate the policy assigned to the target device.
- If “Prevent Sensor Uninstall” is enabled, disable it and save changes.
You can now uninstall CrowdStrike like any other application on your device.
Best Practices
✅ Use a Maintenance Code Instead of Disabling Protection – Keeps security policies intact while allowing authorized removals.
✅ Retrieve the Maintenance Code Before Uninstalling – Ensure you have the latest uninstall token before attempting removal.
✅ Verify Uninstallation – Always check that the sensor has been fully removed from the system.
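To apply the verification step across several endpoints, the following added example (not part of the original guide and not CrowdStrike tooling) classifies captured output from the Step 2 verification commands and lists every host that is not confirmed as removed. The `host|platform|output` record format, the state names and the sample hostnames are assumptions made for this example; the "present" markers are ordinary `sc query` and `systemctl status` output rather than strings quoted in this guide.

```shell
#!/bin/sh
# Added example, not CrowdStrike tooling: classify captured output of the
# verification commands from this guide. State names are this example's own.

# sensor_state PLATFORM OUTPUT -> prints removed | present | unknown
sensor_state() {
    # Lowercase so "SERVICE_NAME: CSAgent" and "csagent" match alike.
    out=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$1" in
        windows) gone='does not exist as an installed service'
                 here='service_name: csagent' ;;
        linux)   gone='unit falcon-sensor.service could not be found'
                 here='loaded: loaded' ;;
        macos)   gone='command not found'
                 here='' ;;   # the guide gives no "present" marker for macOS
        *)       echo unknown; return 0 ;;
    esac
    case "$out" in
        *"$gone"*) echo removed; return 0 ;;
    esac
    if [ -n "$here" ]; then
        case "$out" in
            *"$here"*) echo present; return 0 ;;
        esac
    fi
    echo unknown   # fail closed: never report "removed" without its marker
}

# audit: read "host|platform|output" records on stdin and print every host
# that is NOT confirmed removed, followed by its state.
audit() {
    while IFS='|' read -r host platform output; do
        state=$(sensor_state "$platform" "$output")
        [ "$state" = removed ] || printf '%s %s\n' "$host" "$state"
    done
}

# Constructed sample records (hostnames and outputs are made up for the demo).
SAMPLE='wks-01|windows|The specified service does not exist as an installed service.
wks-02|windows|SERVICE_NAME: csagent  STATE : 4 RUNNING
srv-01|linux|Unit falcon-sensor.service could not be found.
srv-02|linux|falcon-sensor.service Loaded: loaded Active: active (running)
mac-01|macos|sudo: /Applications/Falcon.app/Contents/Resources/falconctl: command not found
mac-02|macos|'

printf '%s\n' "$SAMPLE" | audit
```

A host reported as `unknown` returned neither marker (for example, empty output) and should be checked by hand rather than assumed clean.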