What should I do if I receive an 'Invalid Token' error during uninstallation?

If you encounter an 'Invalid Token' error, verify that you are using the correct Maintenance Token from the CrowdStrike Falcon Console. Tokens can expire, so if your code is outdated, retrieve a new one by navigating to Hosts > Host Management, selecting the target device, and revealing the token again. Ensure that you are executing the uninstallation command correctly, and check for any leading or trailing spaces in the token. If issues persist, consider consulting your CrowdStrike administrator for permissions.

How can I confirm that the CrowdStrike Falcon Sensor has been successfully uninstalled?

To verify successful uninstallation of the Falcon Sensor, check the relevant application management section of your operating system. For Windows, look in Control Panel > Programs and Features, and for macOS, check if the Falcon app is still present. Use command-line tools: for Windows, run 'sc query csagent' and ensure it returns 'The specified service does not exist as an installed service.' For macOS, use 'sudo /Applications/Falcon.app/Contents/Resources/falconctl stats' to see 'command not found.' For Linux, 'sudo systemctl status falcon-sensor' should indicate that the service could not be found.

What are the best practices for uninstalling the Falcon Sensor securely?

When uninstalling the CrowdStrike Falcon Sensor, prioritize using a Maintenance Token to maintain security integrity. Always retrieve the latest token before attempting removal to avoid issues. Ensure you have administrator privileges during the process and consider performing the uninstallation in Safe Mode if facing access issues. After uninstallation, verify that the sensor is completely removed from the system using command-line checks, and restart the machine to confirm. Avoid disabling Sensor Tamper protection unless absolutely necessary, as it can weaken overall security policies.

Uninstall CrowdStrike Falcon Sensor With or Without Token

The **CrowdStrike Falcon Sensor** is designed to be lightweight and unobtrusive, but there may be situations where you need to uninstall it. Uninstallation might be necessary for troubleshooting, device decommissioning, or transitioning to a different security solution.

This guide covers how to remove the Falcon Sensor from **Windows**, **macOS**, and **Linux** endpoints using both **manual methods** and **command-line scripts**.

## **Requirements**

Administrator privileges on the target system.
CrowdStrike Falcon Console access (if using the “Prevent Sensor Uninstall” policy).
PowerShell or Terminal access for command-line removal.

Step 1: Retrieve the Maintenance Token (Uninstall passcode)

Before uninstalling the Falcon Sensor, you need the Maintenance Token from the **CrowdStrike Falcon Console**.

Find the Uninstall Token
Go to Hosts > Host Management.
Search for the target device where you want to uninstall the sensor.
Click on the three dot menu next to the host, select reveal maintenance token
Enter a note in the textbox
Click Reveal token

📌 **Note:** If you do not see the token, ensure that you have the correct permissions to view it.

---

Step 2: Uninstall the Falcon Sensor Using the Maintenance token

Windows

cmd

Run the Uninstall Command (Replace YOUR-CODE with the actual code retrieved from the Falcon Console)
```
WindowsSensor.exe /uninstall /quiet /norestart PASSWORD=YOUR-CODE
```
Verify Uninstallation
Check if Falcon Sensor is removed from Control Panel > Programs and Features.
Run the following command to confirm that the service no longer exists:
```
sc query csagent
```
If it returns "The specified service does not exist as an installed service", the sensor has been successfully removed.

---

macOS

Command + Space

YOUR-CODE

sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --token YOUR-CODE

sudo /Applications/Falcon.app/Contents/Resources/falconctl stats

If the sensor was uninstalled successfully, you should see **"command not found"**.

---

Linux

YOUR-CODE

sudo falconctl uninstall --token YOUR-CODE

sudo systemctl status falcon-sensor

If the sensor has been successfully uninstalled, it should return **"Unit falcon-sensor.service could not be found."**

---

Troubleshooting Uninstallation Issues

1. “Invalid Token” Error

Ensure you are using the correct code from the Falcon Console.
If your code expired, retrieve a new one.

2. “Access Denied” Error

Make sure you are running the command as an administrator (Windows) or using sudo (Linux/macOS).
Some security tools may block the command—try running it in Safe Mode.

3. Falcon Sensor Still Appears After Uninstalling

Restart the machine and check again.

sc query csagent

If it is still running, manually stop and delete the service before rerunning the uninstall command.

Alternative Method: Disable Sensor Tamper Protection (Not Recommended)

If you don’t want to use a maintenance token, you can disable Sensor Tamper protection before uninstalling.

Check if **Sensor Uninstall Protection** is enabled in the **CrowdStrike Falcon Console**:

- **Log into the Falcon Console**: [https://falcon.crowdstrike.com](https://falcon.crowdstrike.com/). - Navigate to **Hosts** > **Sensor Update Policies**. - Locate the policy assigned to the target device. - If “Prevent Sensor Uninstall” is **enabled**, disable it and save changes. You can now uninstall CrowdStrike like any other application on your device.

Best Practices

✅ **Use a maintenance code Instead of Disabling Protection** – Keeps security policies intact while allowing authorized removals.
✅ **Retrieve Maintenance code Before Uninstalling** – Ensure you have the latest uninstall token before attempting removal.
✅ **Verify Uninstallation** – Always check that the sensor has been fully removed from the system.

Uninstall CrowdStrike Falcon Sensor With or Without Token

Step 1: Retrieve the Maintenance Token (Uninstall passcode)

Step 2: Uninstall the Falcon Sensor Using the Maintenance token

Windows

macOS

Linux

Troubleshooting Uninstallation Issues

1. “Invalid Token” Error

2. “Access Denied” Error

3. Falcon Sensor Still Appears After Uninstalling

Alternative Method: Disable Sensor Tamper Protection (Not Recommended)

Best Practices

Frequently Asked Questions

Switching EDR Solutions?

CrowdStrike User Roles: Create Custom Roles & Manage Permissions

CrowdStrike Exchange Exclusions | Configure Falcon for Exchange Server

Deploy CrowdStrike Falcon via GPO | Active Directory Guide

Uninstall CrowdStrike Falcon Sensor With or Without Token

**Step 1: Retrieve the **Maintenance Token (Uninstall passcode)

Step 2: Uninstall the Falcon Sensor Using the Maintenance token

Windows

macOS

Linux

Troubleshooting Uninstallation Issues

1. “Invalid Token” Error

2. “Access Denied” Error

3. Falcon Sensor Still Appears After Uninstalling

Alternative Method: Disable Sensor Tamper Protection (Not Recommended)

Best Practices

Frequently Asked Questions

Switching EDR Solutions?

Related Articles

CrowdStrike User Roles: Create Custom Roles & Manage Permissions

CrowdStrike Exchange Exclusions | Configure Falcon for Exchange Server

Deploy CrowdStrike Falcon via GPO | Active Directory Guide

Step 1: Retrieve the Maintenance Token (Uninstall passcode)