How to Use CrowdStrike Falcon Bulk Maintenance Mode for Multiple Hosts

Bulk maintenance mode in CrowdStrike Falcon allows you to use a single maintenance token to uninstall or upgrade sensors across all hosts in a sensor update policy. This streamlines large-scale maintenance operations when using external deployment tools.

Understanding Bulk Maintenance Mode

By default, each CrowdStrike sensor requires a unique, host-specific maintenance token for uninstallation when protection is enabled. Bulk maintenance mode provides a single token that works for all hosts in a policy.

When to Use Bulk Maintenance Mode

• Large-scale uninstallation: Removing sensors from many hosts
• Mass upgrades: Upgrading sensors via SCCM, JAMF, or similar tools
• Self-service updating: Managing sensors outside of Falcon cloud updates
• Automated maintenance: Scripted maintenance operations

Requirements

Enabling Bulk Maintenance Mode

- **Navigate to Sensor Update Policies**

• Go to Host Setup and Management > Deploy > Sensor Update Policies

• Select or Create a Maintenance Policy

• Click the policy you want to use for bulk maintenance

• Or create a dedicated maintenance policy

• Configure Required Settings

• In the Sensor version dropdown, select Sensor version updates off

• Ensure Uninstall and maintenance protection is selected (enabled)

• Enable Bulk Maintenance Mode

• Select Bulk maintenance mode

• Click Save

• Reveal the Bulk Token

• Click Reveal token

• In the dialog, click Reveal token again

• Copy and securely store the token

Using the Bulk Maintenance Token

Once you have the bulk token, use it the same way you would use individual maintenance tokens:

Linux Uninstallation

sudo MAINTENANCE_TOKEN=YOUR_BULK_TOKEN apt remove falcon-sensor

Or:

sudo MAINTENANCE_TOKEN=YOUR_BULK_TOKEN yum remove falcon-sensor

Windows Uninstallation

msiexec /x falcon-sensor.msi MAINTENANCE_TOKEN=YOUR_BULK_TOKEN /quiet

Mac Uninstallation

sudo /Applications/Falcon.app/Contents/Resources/falconctl uninstall --maintenance-token YOUR_BULK_TOKEN

Recommended Maintenance Workflow

CrowdStrike recommends creating a dedicated maintenance policy:

- **Create a Maintenance Policy**

• Name it clearly (e.g., "Maintenance - Uninstall Allowed")

• Set Sensor version updates off

• Enable Uninstall and maintenance protection

• Enable Bulk maintenance mode

• Move Hosts Temporarily

• Move host groups to the maintenance policy

• Perform your maintenance operations

• Return Hosts to Normal Policy

• Move host groups back to their original policies

• Protection is automatically re-enabled

Bulk vs Individual Tokens

Offline Host Considerations

Hosts must connect to the CrowdStrike cloud after bulk maintenance mode is enabled to receive the bulk token. Until then:

• Offline hosts cannot use the bulk token
• Use the individual AID-specific token from Host Management
• Once the host connects, it will accept the bulk token

Security Considerations

The bulk maintenance token is a sensitive credential:

• Doesn't change: The token remains valid until you contact support
• Treat as secret: Store securely, limit access
• Audit usage: Track who has access to the token
• Compromised token: Open a support ticket through CrowdStrike Customer Center

Disabling Bulk Maintenance Mode

To return to individual host tokens:

- Open the sensor update policy - Deselect **Bulk maintenance mode** - Click **Save**

Individual host tokens from Host Management will work again for hosts in that policy.

Best Practices

• Dedicated maintenance policy: Create one policy specifically for maintenance operations
• Temporary moves: Only move hosts to maintenance policy when needed
• Secure the token: Treat the bulk token as a privileged credential
• Document operations: Track maintenance activities for audit purposes
• Return hosts promptly: Move hosts back to protected policies after maintenance

Related Articles

• How to Configure Sensor Update Policies
• How to Enable Uninstall Protection
• How to Uninstall CrowdStrike Falcon Sensor